ADC CLI Commands

ssl-dtlsProfile

The following operations can be performed on “ssl-dtlsProfile”:

add, show, set, unset, rm

add ssl dtlsProfile

Create a new DTLS profile on the Citrix ADC.

Synopsis

add ssl dtlsProfile <name> [-pmtuDiscovery ( ENABLED | DISABLED )] [-maxRecordSize <positive_integer>] [-maxRetryTime <positive_integer>] [-helloVerifyRequest ( ENABLED | DISABLED )] [-terminateSession ( ENABLED | DISABLED )] [-maxPacketSize <positive_integer>] [-maxHoldQLen <positive_integer>] [-maxBadmacIgnorecount <positive_integer>]

Arguments

name Name for the DTLS profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals sign (=), and hyphen (-) characters. Cannot be changed after the profile is created.

pmtuDiscovery Source for the maximum record size value. If ENABLED, the value is taken from the PMTU table. If DISABLED, the value is taken from the profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

maxRecordSize Maximum size of records that can be sent if PMTU is disabled. Default value: 1459 Minimum value: 250 Maximum value: 1459

maxRetryTime Wait for the specified time, in seconds, before resending the request. Default value: 3 Minimum value: 0

helloVerifyRequest Send a Hello Verify request to validate the client.

Possible values: ENABLED, DISABLED Default value: ENABLED

terminateSession Terminate the session if the message authentication codes (MACs) of the client and server do not match.

Possible values: ENABLED, DISABLED Default value: DISABLED

maxPacketSize Maximum number of packets to reassemble. This value helps protect against a fragmented packet attack. Default value: 120 Minimum value: 0 Maximum value: 86400

maxHoldQLen Maximum number of datagrams that can be queued at the DTLS layer for processing. Default value: 32 Minimum value: 32 Maximum value: 65535

maxBadmacIgnorecount Maximum number of bad MAC errors to ignore on a connection prior to disconnect. Disabling the terminateSession parameter terminates the session immediately when a bad MAC is detected on the connection. Default value: 100 Minimum value: 1 Maximum value: 65535

Example

add dtlsProfile dtls1 -helloVerifyRequest ENABLED -maxRetryTime 4

show ssl dtlsProfile

Display all the configured DTLS profiles in the system. If a name is specified, then only that profile is shown.

Synopsis

show ssl dtlsProfile [<name>]

Arguments

name Name of the DTLS profile.

Output

pmtuDiscovery PMTU Discovery

maxRecordSize Maximum record size

maxRetryTime Maximum retry time

helloVerifyRequest Hello Verify Request

terminateSession Terminate Session

maxPacketSize Maximum Packet Size

maxHoldQLen Maximum number of datagrams that can be queued at the DTLS layer for processing.

maxBadmacIgnorecount Maximum number of bad MAC errors to ignore on a connection prior to disconnect. Disabling the terminateSession parameter terminates the session immediately when a bad MAC is detected on the connection.

builtin Flag indicating whether the DTLS profile is built-in.

feature The feature to be checked while applying this configuration.

devno

count

stateflag

Example

show ssl dtlsProfile [profile name]

set ssl dtlsProfile

Set or modify the values of an existing DTLS profile.

Synopsis

set ssl dtlsProfile <name> [-pmtuDiscovery ( ENABLED | DISABLED )] [-maxRecordSize <positive_integer>] [-maxRetryTime <positive_integer>] [-helloVerifyRequest ( ENABLED | DISABLED )] [-terminateSession ( ENABLED | DISABLED )] [-maxPacketSize <positive_integer>] [-maxHoldQLen <positive_integer>] [-maxBadmacIgnorecount <positive_integer>]

Arguments

name Name for the DTLS profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals sign (=), and hyphen (-) characters. Cannot be changed after the profile is created.

pmtuDiscovery Source for the maximum record size value. If ENABLED, the value is taken from the PMTU table. If DISABLED, the value is taken from the profile.

Possible values: ENABLED, DISABLED Default value: DISABLED

maxRecordSize Maximum size of records that can be sent if PMTU is disabled. Default value: 1459 Minimum value: 250 Maximum value: 1459

maxRetryTime Wait for the specified time, in seconds, before resending the request. Default value: 3 Minimum value: 0

helloVerifyRequest Send a Hello Verify request to validate the client.

Possible values: ENABLED, DISABLED Default value: ENABLED

terminateSession Terminate the session if the message authentication codes (MACs) of the client and server do not match.

Possible values: ENABLED, DISABLED Default value: DISABLED

maxPacketSize Maximum number of packets to reassemble. This value helps protect against a fragmented packet attack. Default value: 120 Minimum value: 0 Maximum value: 86400

maxHoldQLen Maximum number of datagrams that can be queued at the DTLS layer for processing. Default value: 32 Minimum value: 32 Maximum value: 65535

maxBadmacIgnorecount Maximum number of bad MAC errors to ignore on a connection prior to disconnect. Disabling the terminateSession parameter terminates the session immediately when a bad MAC is detected on the connection. Default value: 100 Minimum value: 1 Maximum value: 65535

Example

set ssl dtlsProfile dtls1 -terminateSession ENABLED
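The add and set commands above take the same parameters, and the only checks the reference gives are the per-parameter ranges and the name character set. The following Python script is an added example, not code from the Citrix reference or from the ADC itself: it encodes those documented ranges and defaults in a table, validates a profile definition against them, renders the resulting add or set ssl dtlsProfile command line, and lints the effective settings for the protections the parameter descriptions mention (helloVerifyRequest validating the client before the handshake continues, the maxPacketSize reassembly limit that the page ties to fragmented-packet attacks, and the number of bad-MAC records tolerated before disconnect). The function names PARAMS, validate, build_command and lint are this example's own; the profile name dtls1 is taken from the page's add example, and the script only produces command text, it does not talk to an appliance.

```python
import re

# Parameter ranges and defaults as documented for `add ssl dtlsProfile`.
# An upper bound of None means the reference gives no maximum.
PARAMS = {
    "pmtuDiscovery":        {"enum": ("ENABLED", "DISABLED"), "default": "DISABLED"},
    "maxRecordSize":        {"range": (250, 1459),  "default": 1459},
    "maxRetryTime":         {"range": (0, None),    "default": 3},
    "helloVerifyRequest":   {"enum": ("ENABLED", "DISABLED"), "default": "ENABLED"},
    "terminateSession":     {"enum": ("ENABLED", "DISABLED"), "default": "DISABLED"},
    "maxPacketSize":        {"range": (0, 86400),   "default": 120},
    "maxHoldQLen":          {"range": (32, 65535),  "default": 32},
    "maxBadmacIgnorecount": {"range": (1, 65535),   "default": 100},
}

# Documented name rule: first character alphanumeric or underscore; the rest
# may additionally contain hash, period, space, colon, at, equals and hyphen.
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_#.: @=-]*$")


def validate(name, **opts):
    """Return a list of problems; an empty list means the definition is valid."""
    errors = []
    if not NAME_RE.match(name):
        errors.append(f"invalid profile name {name!r}")
    for key, value in opts.items():
        spec = PARAMS.get(key)
        if spec is None:
            errors.append(f"unknown parameter -{key}")
        elif "enum" in spec:
            if value not in spec["enum"]:
                errors.append(f"-{key} must be one of {spec['enum']}, got {value!r}")
        else:
            lo, hi = spec["range"]
            if not isinstance(value, int) or value < lo or (hi is not None and value > hi):
                errors.append(f"-{key} must be an integer in [{lo}, {hi}], got {value!r}")
    return errors


def build_command(verb, name, **opts):
    """Render an `add` or `set ssl dtlsProfile` command line, refusing invalid input."""
    if verb not in ("add", "set"):
        raise ValueError(f"unsupported verb {verb!r}")
    errors = validate(name, **opts)
    if errors:
        raise ValueError("; ".join(errors))
    parts = [verb, "ssl", "dtlsProfile", name]
    for key, value in opts.items():
        parts += [f"-{key}", str(value)]
    return " ".join(parts)


def lint(**opts):
    """Flag settings that relax the protections the parameter descriptions mention.

    Parameters not given are assumed to take their documented defaults.
    """
    eff = {k: v["default"] for k, v in PARAMS.items()}
    eff.update(opts)
    findings = []
    if eff["helloVerifyRequest"] != "ENABLED":
        findings.append("helloVerifyRequest is DISABLED: the client is not validated "
                        "with a HelloVerifyRequest before the handshake proceeds")
    if eff["maxPacketSize"] > PARAMS["maxPacketSize"]["default"]:
        findings.append(f"maxPacketSize {eff['maxPacketSize']} exceeds the default "
                        f"{PARAMS['maxPacketSize']['default']}: more fragments are "
                        "reassembled per message, weakening the fragmented-packet limit")
    if eff["maxBadmacIgnorecount"] > PARAMS["maxBadmacIgnorecount"]["default"]:
        findings.append(f"maxBadmacIgnorecount {eff['maxBadmacIgnorecount']}: that many "
                        "bad-MAC records are tolerated on a connection before disconnect")
    return findings


if __name__ == "__main__":
    # The page's own add example, rebuilt after validation.
    print(build_command("add", "dtls1", helloVerifyRequest="ENABLED", maxRetryTime=4))
    # A constructed option name from another profile type is rejected, as is an
    # out-of-range value.
    print(validate("dtls1", someHttpOption="ON", maxRecordSize=2000))
    # Constructed weak profile run through the linter.
    for finding in lint(helloVerifyRequest="DISABLED", maxPacketSize=5000):
        print("WARN:", finding)
```

A reviewer would run lint over every profile before it is attached to a DTLS virtual server; the HelloVerifyRequest finding matters most, since that cookie exchange is what makes a DTLS client prove it can receive at the address it claims before the server commits handshake state.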

unset ssl dtlsProfile

Use this command to reset ssl dtlsProfile settings to their defaults. Refer to the set ssl dtlsProfile command for the meanings of the arguments.

Synopsis

unset ssl dtlsProfile <name> [-pmtuDiscovery] [-maxRecordSize] [-maxRetryTime] [-helloVerifyRequest] [-terminateSession] [-maxPacketSize] [-maxHoldQLen] [-maxBadmacIgnorecount]

rm ssl dtlsProfile

Remove a DTLS profile from the Citrix ADC.

Synopsis

rm ssl dtlsProfile <name>

Arguments

name Name of the DTLS profile.

Example

rm ssl dtlsProfile dtls1
