ltm profile tcp

ltm profile tcp(1)	      BIG-IP TMSH Manual	    ltm profile tcp(1)



NAME
       tcp - Configures a Transmission Control Protocol (TCP) profile.

MODULE
       ltm profile

SYNTAX
       Configure the tcp component within the ltm profile module using the
       syntax shown in the following sections.

   CREATE/MODIFY
	create tcp [name]
	modify tcp [name]
	  options:
	    abc [disabled | enabled]
	    ack-on-push [disabled | enabled]
	    app-service [[string] | none]
	    auto-proxy-buffer-size [disabled | enabled]
	    auto-receive-window-size [disabled | enabled]
	    auto-send-buffer-size [disabled | enabled]
	    close-wait-timeout [integer]
	    cmetrics-cache [disabled | enabled]
	    cmetrics-cache-timeout [integer]
	    congestion-control [high-speed | new-reno | none | reno | scalable |
		vegas | illinois | woodside | chd | cdg | cubic | westwood]
	    defaults-from [ [name] | none]
	    deferred-accept [disabled | enabled]
	    delay-window-control [disabled | enabled]
	    delayed-acks [disabled | enabled]
	    description [string]
	    dsack [disabled | enabled]
	    early-retransmit [disabled | enabled]
	    ecn [disabled | enabled]
	    enhanced-loss-recovery [disabled | enabled]
	    fast-open [disabled | enabled]
	    fast-open-cookie-expiration [integer]
	    fin-wait-timeout [integer]
	    fin-wait-2-timeout [integer]
	    hardware-syn-cookie [disabled | enabled]
	    idle-timeout [integer]
	    init-cwnd [integer]
	    init-rwnd [integer]
	    ip-tos-to-client [integer]
	    keep-alive-interval [integer]
	    limited-transmit [disabled | enabled]
	    link-qos-to-client [integer]
	    max-retrans [integer]
	    md5-signature [disabled | enabled]
	    md5-signature-passphrase [none | [string] ]
	    minimum-rto [integer]
	    mptcp [disabled | enabled | passthrough ]
	    mptcp-csum [disabled | enabled]
	    mptcp-csum-verify [disabled | enabled]
	    mptcp-debug [disabled | enabled]
	    mptcp-fallback [reset | retransmit | active-accept | accept]
	    mptcp-join-max [integer]
	    mptcp-nojoindssack [disabled | enabled]
	    mptcp-rtomax [integer]
	    mptcp-rxmitmin [integer]
	    mptcp-subflowmax [integer]
	    mptcp-makeafterbreak [disabled | enabled]
	    mptcp-timeout [integer]
	    mptcp-fastjoin [disabled | enabled]
	    nagle [disabled | enabled | auto]
	    pkt-loss-ignore-rate [integer]
	    pkt-loss-ignore-burst [integer]
	    proxy-buffer-high [integer]
	    proxy-buffer-low [integer]
	    proxy-mss [disabled | enabled]
	    proxy-options [disabled | enabled]
	    ip-df-mode [preserve | set | clear]
	    ip-ttl-mode [proxy | preserve | decrement | set]
	    ip-ttl-value [integer]
	    rate-pace [disabled | enabled]
	    rate-pace-max-rate [integer]
	    receive-window-size [integer]
	    reset-on-timeout [disabled | enabled]
	    rexmt-thresh [integer]
	    selective-acks [disabled | enabled]
	    selective-nack [disabled | enabled]
	    send-buffer-size [integer]
	    slow-start [disabled | enabled]
	    syn-cookie-enable [disabled | enabled]
	    syn-cookie-whitelist [disabled | enabled]
	    syn-max-retrans [integer]
	    syn-rto-base [integer]
	    tail-loss-probe [disabled | enabled]
	    time-wait-recycle [disabled | enabled]
	    time-wait-timeout [integer]
	    timestamps [disabled | enabled]
	    verified-accept [disabled | enabled]
	    zero-window-timeout [integer]

	edit tcp [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

	reset-stats tcp
	reset-stats tcp [ [ [name] | [glob] | [regex] ] ... ]

   DISPLAY
	list tcp
	list tcp  [ [ [name] | [glob] | [regex] ] ... ]
	show running-config tcp
	show running-config tcp
	  [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

	show tcp
	show tcp [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    (default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
	    field-fmt
	    global

   DELETE
	delete tcp [name]

DESCRIPTION
       You can use the tcp component to manage TCP network traffic. Many of
       the options are standard SYSCTL-type options, while others are unique
       to the traffic management system. For most options, the default
       values usually meet your needs. The options that you are most likely
       to change are reset-on-timeout, idle-timeout, ip-tos-to-client, and
       link-qos-to-client.

       The system installation includes these default TCP-type profiles: tcp,
       tcp-cell-optimized, tcp-lan-optimized, and tcp-wan-optimized. You can
       modify the settings of these profiles, or create new TCP-type profiles
       using any of these existing profiles as parent profiles.

EXAMPLES
       create tcp my_tcp_profile defaults-from tcp

       Creates a custom TCP profile named my_tcp_profile that inherits its
       settings from the system default tcp profile.

       list tcp all-properties

       Displays all properties for all TCP profiles.
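       The following Python is an added example, not part of this manual page
       and not F5's own tooling: it checks a set of option values against the
       enumerations and ranges documented under OPTIONS and renders the
       create command in the SYNTAX form. The profile name tcp_hardened and
       the values in HARDENED are constructed for illustration.

```python
# Added example, not from the BIG-IP manual or from F5: validate tcp profile
# option values against this page's documented enumerations and ranges, then
# render the tmsh "create tcp" command. HARDENED and its values are constructed.

# Enumerated options and their documented values.
ENUMS = {
    "congestion-control": set("high-speed new-reno none reno scalable vegas "
                              "illinois woodside chd cdg cubic westwood".split()),
    "ip-df-mode": {"preserve", "set", "clear"},
    "ip-ttl-mode": {"proxy", "preserve", "decrement", "set"},
    "mptcp": {"disabled", "enabled", "passthrough"},
    "mptcp-fallback": {"reset", "retransmit", "active-accept", "accept"},
    "nagle": {"disabled", "enabled", "auto"},
}
# Integer options with an explicit inclusive range on the page (ip-ttl-value's
# maximum is the 255 stated under ip-ttl-v4 and ip-ttl-v6).
RANGES = {
    "init-cwnd": (0, 64), "init-rwnd": (0, 64), "rexmt-thresh": (3, 255),
    "pkt-loss-ignore-burst": (0, 32), "pkt-loss-ignore-rate": (0, 1_000_000),
    "fast-open-cookie-expiration": (0, 1_000_000), "ip-ttl-value": (0, 255),
}
# The disabled|enabled options from the SYNTAX section.
TOGGLES = set("""abc ack-on-push auto-proxy-buffer-size auto-receive-window-size
    auto-send-buffer-size cmetrics-cache deferred-accept delay-window-control
    delayed-acks dsack early-retransmit ecn enhanced-loss-recovery fast-open
    hardware-syn-cookie limited-transmit md5-signature mptcp-csum
    mptcp-csum-verify mptcp-debug mptcp-nojoindssack mptcp-makeafterbreak
    mptcp-fastjoin proxy-mss proxy-options rate-pace reset-on-timeout
    selective-acks selective-nack slow-start syn-cookie-enable
    syn-cookie-whitelist tail-loss-probe time-wait-recycle timestamps
    verified-accept""".split())
# Remaining integer options: the page gives defaults but no upper bound.
INTEGERS = set("""close-wait-timeout cmetrics-cache-timeout fin-wait-timeout
    fin-wait-2-timeout idle-timeout ip-tos-to-client keep-alive-interval
    link-qos-to-client max-retrans minimum-rto mptcp-join-max mptcp-rtomax
    mptcp-rxmitmin mptcp-subflowmax mptcp-timeout proxy-buffer-high
    proxy-buffer-low rate-pace-max-rate receive-window-size send-buffer-size
    syn-max-retrans syn-rto-base time-wait-timeout zero-window-timeout""".split())
STRINGS = {"app-service", "defaults-from", "description"}


def validate(options):
    """Return a list of problems; an empty list means every value is acceptable."""
    errors = []
    for key, value in options.items():
        if key in ENUMS:
            if value not in ENUMS[key]:
                errors.append(f"{key}: {value!r} not in {sorted(ENUMS[key])}")
        elif key in TOGGLES:
            if value not in ("disabled", "enabled"):
                errors.append(f"{key}: expected disabled|enabled, got {value!r}")
        elif key in RANGES or key in INTEGERS:
            lo, hi = RANGES.get(key, (0, None))
            if not isinstance(value, int) or value < lo or (hi is not None and value > hi):
                errors.append(f"{key}: {value!r} outside {lo}..{'unbounded' if hi is None else hi}")
        elif key == "md5-signature-passphrase":
            if value != "none" and not 1 <= len(value) <= 80:  # page: 1 to 80 chars
                errors.append(f"{key}: passphrase must be 1 to 80 characters")
        elif key not in STRINGS:
            errors.append(f"{key}: unknown option")
    return errors


def render_create(name, options):
    """Render the tmsh command in the SYNTAX form; raise on any invalid value."""
    errors = validate(options)
    if errors:
        raise ValueError("; ".join(errors))
    return f"create tcp {name} " + " ".join(f"{k} {v}" for k, v in options.items())


# Constructed hardening profile: defer connection-chain allocation until the
# client payload arrives, enable SYN cookie challenges, limit SYN retransmits,
# and reclaim idle and half-closed connection state sooner than the defaults.
HARDENED = {
    "defaults-from": "tcp", "deferred-accept": "enabled",
    "syn-cookie-enable": "enabled", "syn-max-retrans": 3,
    "reset-on-timeout": "enabled", "idle-timeout": 300, "fin-wait-2-timeout": 60,
}
```

       Calling render_create("tcp_hardened", HARDENED) yields the create
       command to paste into tmsh; validation runs before anything is rendered.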

OPTIONS
       abc  When enabled, increases the congestion window by basing the
	    increase amount on the number of previously unacknowledged bytes
	    that each acknowledgement code (ACK) includes. The default value
	    is enabled.

       ack-on-push
	    When enabled, significantly improves performance to Microsoft(r)
	    Windows(r) and MacOS peers that write from a very small send
	    buffer. The default value is enabled.

       app-service
	    Specifies the name of the application service to which the profile
	    belongs. The default value is none. Note: If the strict-updates
	    option is enabled on the application service that owns the object,
	    you cannot modify or delete the profile. Only the application
	    service can modify or delete the profile.

       auto-proxy-buffer-size
	    Specifies, when enabled, that the system uses the network
	    measurements to set the optimal proxy buffer size. The default
	    value is disabled.

       auto-receive-window-size
	    Specifies, when enabled, that the system uses the network
	    measurements to set the optimal receive window size. The default
	    value is disabled.

       auto-send-buffer-size
	    Specifies, when enabled, that the system uses the network
	    measurements to set the optimal send buffer size. The default
	    value is disabled.

       close-wait-timeout
	    Specifies the number of seconds that a connection remains in a
	    LAST-ACK (last acknowledgement code) state before quitting. A
	    value of 0 (zero) represents a term of forever (or until the
	    maxrtx of the FIN state). The default value is 5 seconds.

       cmetrics-cache
	    Specifies, when enabled, that the system uses a cache for storing
	    congestion metrics. The default value is enabled.

       cmetrics-cache-timeout
	    Specifies the time, in seconds, for which entries in the
	    congestion metrics cache are valid. The default value is 0, which
	    defers to the sys db variable route.metrics.timeout.

       congestion-control
	    Specifies the algorithm to use to share network resources among
	    competing users to reduce congestion. The default value is high-
	    speed.

	    The options are:

	    cdg     Specifies that the system use a Caia Delay-Gradient
		    congestion control algorithm, where congestion inferences
		    are made based on a gradient of RTT over time. Improves
		    inferences made about packet loss and whether they are due
		    to congestion or other factors. The use of a shadow window
		    improves coexistence with loss-based TCP flows.

	    chd     Specifies that the system use a Caia-Hamilton delay-based
		    congestion control algorithm, where delay-based congestion
		    window operations are performed only once per RTT.
		    Tolerates packet losses that are likely to be unrelated to
		    congestion. Uses a shadow window to help regain lost
		    transmission opportunities when competing with loss-based
		    TCP flows.

	    cubic   Specifies that the system uses a component optimized for
		    high latency, high bandwidth connections as the TCP
		    congestion control algorithm.

	    high-speed
		    Specifies that the system uses a more aggressive, loss-
		    based algorithm.

	    illinois
		    Specifies that the system uses a hybrid of both delay and
		    loss as the TCP congestion control algorithm.

	    new-reno
		    Specifies that the system uses a modification to the Reno
		    algorithm that responds to partial acknowledgements when
		    SACKs are unavailable.

	    none    Specifies that the system does not use a network-
		    congestion-control mechanism, even when congestion occurs.

	    reno    Specifies that the system uses an implementation of the
		    TCP Fast Recovery algorithm, which is based on the
		    implementation in the BSD Reno release.

	    scalable
		    Specifies that the system uses a TCP algorithm
		    modification that adds a scalable, delay-based and loss-
		    based component into the Reno algorithm.

	    vegas   Specifies that the system uses a delay-based component as
		    the TCP congestion control algorithm.

	    westwood
		    Specifies that the system uses the Westwood+ bandwidth
		    estimation component as the TCP congestion control
		    algorithm.

	    woodside
		    Specifies that the system uses a hybrid of both delay and
		    loss as the TCP congestion control algorithm.

       defaults-from
	    Specifies the profile that you want to use as the parent profile.
	    Your new profile inherits all settings and values from the parent
	    profile. The default value is tcp.

       deferred-accept
	    Specifies, when enabled, that the system defers allocation of the
	    connection chain context until the system has received the payload
	    from the client. This option is useful for dealing with 3-way
	    handshake denial-of-service (DOS) attacks. The default value is
	    disabled.

       delay-window-control
	    When enabled, the system uses an estimate of queueing delay as a
	    measure of congestion, in addition to the normal loss-based
	    control, to control the amount of data sent. The default value is
	    disabled.

       delayed-acks
	    Specifies, when enabled, that the traffic management system allows
	    coalescing of multiple acknowledgement (ACK) responses. The default
	    value is enabled.

       description
	    User defined description.

       dsack
	    When enabled, specifies the use of the SACK option to acknowledge
	    duplicate segments. The default is disabled.

       early-retransmit
	    Specifies, when enabled, that the system uses early retransmit
	    recovery (as specified in RFC 5827) to reduce the recovery time
	    for connections that are receive-buffer or user-data limited. The
	    default value is disabled.

       ecn  Specifies, when enabled, that the system uses the TCP flags CWR
	    and ECE to notify its peer of congestion and congestion counter-
	    measures. The default value is disabled.

       enhanced-loss-recovery
	    Specifies whether the system uses enhanced loss recovery to
	    recover from random packet losses more effectively. The default
	    value is disabled.

       fast-open
	    Specifies, when enabled, that the system supports TCP Fast Open,
	    which allows a client to include the first packet of data with the
	    SYN to reduce latency. The default value is disabled.

       fast-open-cookie-expiration
	    Specifies the number of seconds that a "Fast Open Cookie"
	    delivered to a client is valid for SYN packets from that client.
	    The default value is 21600 seconds (6 hours). A value of 0 (zero)
	    means use the default. The maximum value is 1000000 seconds.

       fin-wait-timeout
	    Specifies the number of seconds that a connection is in the
	    FIN-WAIT-1 or closing state before quitting. The default value is
	    5 seconds. A value of 0 (zero) represents a term of forever (or
	    until the maxrtx of the FIN state).

       fin-wait-2-timeout
	    Specifies the number of seconds that a connection is in the
	    FIN-WAIT-2 state before quitting. The default value is 300
	    seconds. A value of 0 (zero) represents a term of forever (or
	    until the maxrtx of the FIN state).

       glob Displays the items that match the glob expression. See help glob
	    for a description of glob expression syntax.

       hardware-syn-cookie
	    This option is deprecated in version 13.0.0 and is replaced by
	    syn-cookie-enable. Specifies whether to use hardware SYN cookies
	    when the system limit is crossed. The default value is disabled.

       idle-timeout
	    Specifies the number of seconds that a connection is idle before
	    the connection is eligible for deletion. The default value is 300
	    seconds.

       init-cwnd
	    Specifies the initial congestion window size for connections to
	    this destination. The actual window size is this value multiplied
	    by the MSS (Maximum Segment Size) for the same connection. The
	    default value is 3. The range is from 0 to 64.

       init-rwnd
	    Specifies the initial receive window size for connections to this
	    destination.  The actual window size is this value multiplied by
	    the MSS (Maximum Segment Size) for the same connection. The
	    default value is 3. The range is from 0 to 64.

       ip-df-mode
	    Describes the Don't Fragment (DF) bit setting in the IP header of
	    the outgoing TCP packet. The default setting is preserve.

	    The available settings are:

	    pmtu    Sets the outgoing IP header DF bit based on the IP path
		    MTU setting (tm.pathmtudiscovery).

	    preserve
		    Sets the outgoing packet's IP header DF bit to the same
		    value as the incoming IP header DF bit.

	    set     Sets the outgoing packet's IP header DF bit.

	    clear   Clears the outgoing packet's IP header DF bit.

       ip-ttl-mode
	    Describes the TTL mode for the IP header of the outgoing TCP
	    packet. The default mode is proxy.

	    The available modes are:

	    proxy   Sets the outgoing IP header TTL value to 255 for IPv4 and
		    to 64 for IPv6.

	    preserve
		    Sets the outgoing IP header TTL value to the same value as
		    the incoming IP header TTL value.

	    decrement
		    Sets the outgoing IP header TTL value to one less than the
		    incoming TTL value.

	    set     Sets the outgoing IP header TTL value to a specific value
		    (as specified by ip-ttl-v[4|6]).

       ip-ttl-v4
	    Specifies the IP header TTL value of outgoing packets for IPv4
	    traffic. The maximum TTL value that can be specified is 255. The
	    default is 255.

       ip-ttl-v6
	    Specifies the IP header TTL value of outgoing packets for IPv6
	    traffic. The maximum TTL value that can be specified is 255. The
	    default is 64.

       ip-tos-to-client
	    Specifies the Type of Service (ToS) level that the traffic
	    management system assigns to TCP packets when sending them to
	    clients. The default value is 0 (zero).

       keep-alive-interval
	    Specifies the keep-alive probe interval, in seconds. The default
	    value is 1800 seconds.

       limited-transmit
	    Specifies, when enabled, that the system uses limited transmit
	    recovery revisions for fast retransmits (as specified in RFC 3042)
	    to reduce the recovery time for connections on a lossy network.
	    The default value is enabled.

       link-qos-to-client
	    Specifies the Link Quality of Service (QoS) level that the system
	    assigns to TCP packets when sending them to clients. The default
	    value is 0 (zero).

       max-retrans
	    Specifies the maximum number of retransmissions of data segments
	    that the system allows. The default value is 8.

       md5-signature
	    Specifies, when enabled, that the system uses RFC2385 TCP-MD5
	    signatures to protect TCP traffic against intermediate tampering.
	    The default value is disabled.

       md5-signature-passphrase
	    Specifies a plain text passphrase which may be between 1 and 80
	    characters in length, and is used in a shared-secret scheme to
	    implement the spoof-prevention parts of RFC2385. The default value
	    is none.

       minimum-rto
	    Specifies the minimum TCP retransmission timeout in milliseconds.
	    The default value is 1000 milliseconds.

       mptcp
	    Specifies, when enabled, that the system accepts MPTCP
	    connections. When set to passthrough, MPTCP connections are not
	    terminated by this virtual server. The default value is disabled.

       mptcp-csum
	    Specifies, when enabled, that the system will calculate the
	    checksum for MPTCP connections. The default value is disabled.

       mptcp-csum-verify
	    Specifies, when enabled, that the system verifies checksum for
	    MPTCP connections. The default value is disabled.

       mptcp-debug
	    This option is DEPRECATED v12.0.0 onwards and is maintained here
	    for backward compatibility reasons. Specifies, when enabled, that
	    the system provides debug logs and statistics for MPTCP
	    connections. The default value is disabled.

       mptcp-fallback
	    Specifies the MPTCP fallback mode. The default value is reset.

	    The options are:

	    accept
		Specifies accept on fallback.

	    active-accept
		Specifies active accept on fallback.

	    reset
		Specifies that the connection is reset on fallback.

	    retransmit
		Specifies retransmit on fallback.

       mptcp-join-max
	    Specifies the maximum number of MPTCP connections that can join a
	    given one. The default value is 5.

       mptcp-nojoindssack
	    Specifies, when enabled, no DSS option is sent on the JOIN ACK.
	    The default value is disabled.

       mptcp-rtomax
	    Specifies the number of RTOs before a subflow is declared dead.
	    The default value is 5.

       mptcp-rxmitmin
	    Specifies the minimum value (in msec) of the retransmission timer
	    for these MPTCP flows. The default value is 1000.

       mptcp-subflowmax
	    Specifies the maximum number of MPTCP subflows for a single flow.
	    The default value is 6.

       mptcp-makeafterbreak
	    Specifies, when enabled, that make-after-break functionality is
	    supported, allowing for long-lived MPTCP sessions. The default
	    value is disabled.

       mptcp-timeout
	    Specifies the timeout, in seconds, after which long-lived sessions
	    that have no active flow are discarded. The default value is 3600.

       mptcp-fastjoin
	    Specifies, when enabled, fast join, which allows data to be sent
	    on the MP_JOIN SYN so that a server response can occur in parallel
	    with the JOIN. The default value is disabled.

       nagle
	    Specifies, when enabled, that the system applies Nagle's algorithm
	    to reduce the number of short segments on the network. The default
	    value is disabled. When auto, the use of Nagle's algorithm is
	    decided based on network conditions.

	    Note that for interactive protocols such as Telnet, rlogin, or
	    SSH, F5 Networks recommends disabling this setting on high-latency
	    networks, to improve application responsiveness.

       name Specifies a unique name for the component. This option is required
	    for the commands create, delete, and modify.

       partition
	    Displays the administrative partition within which the profile
	    resides.

       pkt-loss-ignore-burst
	    Specifies the probability of performing congestion control when
	    multiple packets in a row are lost, even if the pkt-loss-ignore-
	    rate was not exceeded. Valid values are 0 (zero) through 32. The
	    default value is 0 (zero), which means that the system performs
	    congestion control, if any packets are lost. Higher values
	    decrease the chance of performing congestion control.

       pkt-loss-ignore-rate
	    Specifies the threshold of packets lost per million at which the
	    system should perform congestion control. Valid values are 0
	    (zero) through 1,000,000. The default value is 0 (zero), which
	    means that the system performs congestion control, if any packet
	    loss occurs. If you set the ignore rate to 10 and packet loss for
	    a TCP connection is greater than 10 per million, congestion
	    control occurs.

       proxy-buffer-high
	    Specifies the highest level at which the receive window is closed.
	    The default value is 49152.

       proxy-buffer-low
	    Specifies the lowest level at which the receive window is closed.
	    The default value is 32768.

       proxy-mss
	    Specifies, when enabled, that the system advertises the same mss
	    to the server as was negotiated with the client. The default value
	    is enabled.

       proxy-options
	    Specifies, when enabled, that the system advertises an option,
	    such as a time-stamp to the server only if it was negotiated with
	    the client. The default value is enabled.

       rate-pace
	    Specifies, when enabled, that the system will rate pace TCP data
	    transmissions. The default value is disabled.

       rate-pace-max-rate
	    If not 0, sets the maximum rate in bytes per second that TCP data
	    transmission will be paced to. If set to 0, no maximum is
	    enforced. The default value is 0.

       receive-window-size
	    Specifies the size of the receive window, in bytes. The default
	    value is 65535 bytes.

       regex
	    Displays the items that match the regular expression. The regular
	    expression must be preceded by an at sign (@[regular expression])
	    to indicate that the identifier is a regular expression. See help
	    regex for a description of regular expression syntax.

       reset-on-timeout
	    Specifies whether to reset connections on timeout. The default
	    value is enabled.

       rexmt-thresh
	    Specifies the number of duplicate ACKs (retransmit threshold) to
	    start fast recovery. The default value is 3. The range is from 3
	    to 255.

       selective-acks
	    Specifies, when enabled, that the system negotiates
	    RFC2018-compliant Selective Acknowledgements with peers. The
	    default value is enabled.

       selective-nack
	    Specifies whether Selective Negative Acknowledgment is enabled or
	    disabled. The default value is enabled.

       send-buffer-size
	    Specifies the size of the buffer, in bytes. The default value is
	    65535 bytes.

       slow-start
	    Specifies, when enabled, that the system uses larger initial
	    window sizes (as specified in RFC 3390) to help reduce round trip
	    times. The default value is enabled. Note that disabling this
	    attribute causes the setting for cmetrics-cache to be ignored.

       syn-cookie-enable
	    Specifies the default (if no DoS profile is associated) number of
	    embryonic connections that are allowed on any virtual server,
	    before SYN Cookie challenges are enabled for that virtual server.
	    The default is enabled.

       syn-cookie-whitelist
	    Specifies whether to use a SYN cookie whitelist when issuing
	    software SYN cookies. When enabled, the system does not issue a
	    SYN cookie challenge again for a source IP address that already
	    received one within the previous tm.flowstate.timeout (30)
	    seconds. The default value is disabled.

       syn-max-retrans
	    Specifies the maximum number of retransmissions of SYN segments
	    that the system allows. The default value is 3.

       syn-rto-base
	    Specifies the initial RTO (Retransmission TimeOut) base multiplier
	    for SYN retransmission, in milliseconds. This value is modified by
	    the exponential backoff table to select the interval for
	    subsequent retransmissions. The default value is 3000.

       tail-loss-probe
	    Specifies whether the system uses tail loss probe to reduce the
	    number of retransmission timeouts. The default value is disabled.

       tcp-options
	    Specifies the option numbers that will be accessible from iRules
	    (TCP::option) for the flow. The format of each entry should be:
	    "{