ltm profile fastl4
ltm profile fastl4(1) BIG-IP TMSH Manual ltm profile fastl4(1)
NAME
fastl4 - Configures a Fast Layer 4 profile.
MODULE
ltm profile
SYNTAX
Configure the fastl4 component within the ltm profile module using the
syntax shown in the following sections.
CREATE/MODIFY
create fastl4 [name]
modify fastl4 [name]
options:
app-service [[string] | none]
defaults-from [ [name] | none]
description [string]
hardware-syn-cookie [disabled | enabled]
idle-timeout [immediate | indefinite | [integer] ]
ip-tos-to-client [ [integer] | pass-through]
ip-tos-to-server [ [integer] | pass-through]
keep-alive-interval [integer]
ip-df-mode [preserve | set | clear]
ip-ttl-mode [proxy | preserve | decrement | set]
ip-ttl-value [integer]
link-qos-to-client [ [integer] | pass-through]
link-qos-to-server [ [integer] | pass-through]
priority-to-client [ [integer] | pass-through]
priority-to-server [ [integer] | pass-through]
loose-close [disabled | enabled]
loose-initialization [disabled | enabled]
mss-override [integer]
pva-acceleration [full | none | partial | dedicated ]
pva-dynamic-client-packets [integer]
pva-dynamic-server-packets [integer]
pva-offload-dynamic [ enabled | disabled ]
pva-offload-state [embryonic | establish]
pva-offload-dynamic-priority [enable | disable]
pva-offload-initial-priority [low | medium | high]
pva-flow-aging [enabled | disabled]
pva-flow-evict [enabled | disabled]
tcp-pva-whento-offload [embryonic | establish]
tcp-pva-offload-direction [bidirectional | client-to-server-only | server-to-client-only]
other-pva-whento-offload [after-packets-per-direction | after-packets-both-direction]
other-pva-offload-direction [bidirectional | client-to-server-only | server-to-client-only]
other-pva-clientpkts-threshold [integer]
other-pva-serverpkts-threshold [integer]
reassemble-fragments [disabled | enabled]
reset-on-timeout [disabled | enabled]
rtt-from-client [disabled | enabled]
rtt-from-server [disabled | enabled]
server-sack [disabled | enabled]
server-timestamp [disabled | enabled]
receive-window-size [65535 - 2^31 bytes for window scale enabling]
software-syn-cookie [disabled | enabled]
syn-cookie-enable [disabled | enabled]
syn-cookie-mss [integer]
syn-cookie-whitelist [disabled | enabled]
tcp-close-timeout [immediate | indefinite | [integer] ]
tcp-generate-isn [disabled | enabled]
tcp-handshake-timeout [immediate | indefinite | [integer] ]
tcp-strip-sack [disabled | enabled]
tcp-timestamp-mode [preserve | rewrite | strip]
tcp-time-wait-timeout [integer]
tcp-wscale-mode [preserve | rewrite | strip]
late-binding [enabled | disabled]
explicit-flow-migration [enabled | disabled]
client-timeout [integer]
timeout-recovery [ disconnect | fallback ]
mv fastl4 [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
options:
to-folder
edit fastl4 [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
reset-stats fastl4
reset-stats fastl4 [ [ [name] | [glob] | [regex] ] ... ]
DISPLAY
list fastl4
list fastl4 [ [ [name] | [glob] | [regex] ] ... ]
show running-config fastl4
show running-config fastl4
[ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show fastl4
show fastl4 [ [ [name] | [glob] | [regex] ] ... ]
options:
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
field-fmt
global
DELETE
delete fastl4 [name]
DESCRIPTION
You can use this component to create, modify, display, or delete a Fast
Layer 4 profile. The Fast L4 profile is the default profile that the
system uses when you create a basic configuration for non-UDP (User
Datagram Protocol) traffic.
Changes you make to an active Fast L4 profile (one that is in use by a
virtual server) affect new connections immediately. Existing
connections keep the old values until they are either aged out (after
the value of the idle-timeout option has passed) or closed.
EXAMPLES
create fastl4 my_fastl4_profile defaults-from fastl4
Creates a custom Fast Layer 4 profile named my_fastl4_profile that
inherits its settings from the system default Fast L4 profile.
mv fastl4 /Common/my_fastl4_profile to-folder /Common/my_folder
Moves a custom fastl4 profile named my_fastl4_profile to a folder named
my_folder, where my_folder has already been created and exists within
/Common.
Please refer to the mv manual page for examples on how to use the mv
command.
show fastl4
Displays statistics for all Fast Layer 4 profiles.
OPTIONS
app-service
Specifies the name of the application service to which the profile
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the profile. Only the application
service can modify or delete the profile.
defaults-from
Specifies the profile that you want to use as the parent profile.
Your new profile inherits all settings and values from the parent
profile specified. The default value is fastl4.
description
User defined description.
glob
Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
hardware-syn-cookie
This option is deprecated in version 13.0.0 and is replaced by
syn-cookie-enable. Enables or disables hardware SYN cookie
support when PVA10 is present on the system. The default value is
disabled.
Note that when you set the hardware-syn-cookie option to enabled,
you may also want to set the following bigdb database variables
using the db component, based on your requirements:
pva.SynCookies.Full.ConnectionThreshold (default: 500000)
pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
pva.SynCookies.ClientWindow (default: 0)
idle-timeout
Specifies the number of seconds that a connection is idle before
the connection is eligible for deletion. The default value is 300
seconds. You can also specify immediate or indefinite.
When you specify an idle-timeout for the Fast L4 profile, for the
profile to work properly, the value needs to be greater than the
bigdb database variable Pva.Scrub_time_in_msec.
ip-tos-to-client
Specifies an IP Type of Service (ToS) number for the client-side.
This option specifies the ToS level that the traffic management
system assigns to IP packets when sending them to clients. The
default value is 65535, which means do not modify.
ip-tos-to-server
Specifies an IP ToS number for the server side. This option
specifies the ToS level that the traffic management system assigns
to IP packets when sending them to servers. The default value is
65535, which means do not modify.
keep-alive-interval
Specifies the keep-alive probe interval, in seconds. The default
value is disabled (0 seconds).
ip-df-mode
Describes the Don't Fragment (DF) bit setting in the IP header of
the outgoing TCP packet. The available settings are:
Pmtu: Set the outgoing IP header DF bit based on the IP PMTU
setting (tm.pathmtudiscovery).
Preserve: Set the outgoing packet's IP header DF bit to be the same
as the incoming IP header DF bit.
Set: Set the outgoing packet's IP header DF bit.
Clear: Clear the outgoing packet's IP header DF bit.
The default setting is Preserve.
ip-ttl-mode
Describes the outgoing TCP packet's IP header TTL mode. The
available modes are:
Proxy: Set the outgoing IP header TTL value to 255 for IPv4 and 64
for IPv6.
Preserve: Set the outgoing IP header TTL value to be the same as
the incoming IP header TTL value.
Decrement: Set the outgoing IP header TTL value to be one less than
the incoming TTL value.
Set: Set the outgoing IP header TTL value to a specific value (as
specified by ip-ttl-v[4|6]).
The default mode is Proxy.
ip-ttl-v4
Specify the outgoing packet's IP Header TTL value for IPv4
traffic. Maximum TTL value that can be specified is 255. The
default is 255.
ip-ttl-v6
Specify the outgoing packet's IP Header TTL value for IPv6
traffic. Maximum TTL value that can be specified is 255. The
default is 64.
link-qos-to-client
Specifies a Link Quality of Service (QoS) (VLAN priority) number
for the client side. This option specifies the QoS level that the
system assigns to packets when sending them to clients. The
default value is 65535, which means do not modify.
link-qos-to-server
Specifies a Link QoS (VLAN priority) number for the server side.
This option specifies the QoS level that the system assigns to
packets when sending them to servers. The default value is 65535,
which means do not modify.
priority-to-client
Specifies internal packet priority for the client side. This
option specifies the internal packet priority that the system
assigns to packets when sending them to clients. The default value
is 65535, which means do not modify.
priority-to-server
Specifies internal packet priority for the server side. This
option specifies the internal packet priority that the system
assigns to packets when sending them to servers. The default value
is 65535, which means do not modify.
loose-close
Specifies that the system closes a loosely-initiated connection
when the system receives the first FIN packet from either the
client or the server. The default value is disabled.
loose-initialization
Specifies that the system initializes a connection when it
receives any Transmission Control Protocol (TCP) packet, rather
than requiring a SYN packet for connection initiation. The default
value is disabled.
mss-override
Specifies a maximum segment size (MSS) override for server
connections. Note that this is also the MSS advertised to a client
when a client first connects.
The default value is 0 (zero), which disables this option. You can
specify an integer from 256 to 9162.
name
Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
partition
Displays the administrative partition within which the component
resides.
pva-acceleration
Specifies the Packet Velocity(r) ASIC acceleration policy. The
default value is full. In 12.1, dedicated mode is the new low
latency policy, which replaces guaranteed. The full and partial
modes have the same effect on ePVA platforms.
pva-dynamic-client-packets
Specifies the number of client packets before dynamic ePVA
hardware re-offloading occurs. The valid value is 0~10. The
default value is 2.
pva-dynamic-server-packets
Specifies the number of server packets before dynamic ePVA
hardware re-offloading occurs. The valid value is 0~10. The
default value is 2.
pva-offload-dynamic
Specifies whether PVA flow dynamic offloading is enabled or not.
The default is enabled.
For a flow or flows in a connection to be offloaded to ePVA
hardware, both the client (pva-dynamic-client-packets) and server
(pva-dynamic-server-packets) packet settings need to be satisfied.
If packets in only one direction need to be taken into
consideration, set the other direction's packet setting to zero.
pva-offload-initial-priority
Specifies the initial ePVA offload priority of a flow. Priority
can be low, medium or high. The default value is medium.
pva-offload-dynamic-priority
Specifies whether dynamic adjustment of the ePVA offload flow
priority is turned on. The default value is disabled.
pva-offload-state
This option is deprecated in version 14.1.0 and is replaced by
tcp-pva-whento-offload and other-pva-whento-offload. Specifies at
what stage the ePVA performs hardware offload. The default value
is embryonic and implies at TCP CSYN or the first client UDP
packet. establish implies TCP 3WAY handshaking or UDP CS round
trip are confirmed.
pva-flow-aging
Specifies whether flows are automatically aged out of the ePVA flow
cache after being inactive and idle for a period. The default value
is enabled.
pva-flow-evict
Specifies whether this flow can be evicted upon a hash collision
with a new flow learn snoop request. The default value is enabled.
tcp-pva-whento-offload
Specifies at what stage the ePVA performs hardware offload for TCP
traffic. The default value is embryonic and implies at TCP SYN
packet. establish implies TCP 3WAY handshaking.
tcp-pva-offload-direction
For TCP traffic only, specifies for which side of the traffic the
ePVA can perform hardware offload. The default value is
bidirectional, which implies both sides are permitted to offload if
the threshold is exceeded. client-to-server-only implies only the
traffic from client to server is allowed to be offloaded; even if
the traffic from server to client exceeds the threshold, it will
not be offloaded. Conversely, server-to-client-only implies only
the traffic from server to client is allowed to be offloaded.
other-pva-whento-offload
Specifies when the ePVA performs hardware offload for stateless
protocol traffic. The default value is after-packets-per-direction
and implies the client and server traffic is offloaded
independently after exceeding their own thresholds.
after-packets-both-direction implies both the client and server
traffic thresholds need to be exceeded before either side is
offloaded.
other-pva-offload-direction
For stateless protocol traffic only, specifies for which side of
the traffic the ePVA can perform hardware offload. The default
value is bidirectional, which implies both sides are permitted to
offload if the threshold is exceeded. client-to-server-only implies
only the traffic from client to server is allowed to be offloaded;
even if the traffic from server to client exceeds the threshold, it
will not be offloaded. Conversely, server-to-client-only implies
only the traffic from server to client is allowed to be offloaded.
other-pva-clientpkts-threshold
Specifies the number of client packets before ePVA hardware
offloading occurs for stateless protocol traffic. The valid value
is 0~255. The default value is 2.
other-pva-serverpkts-threshold
Specifies the number of server packets before ePVA hardware
offloading occurs for stateless protocol traffic. The valid value
is 0~255. The default value is 1.
reassemble-fragments
Specifies whether to reassemble fragments. The default value is
disabled.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
reset-on-timeout
Specifies whether you want to reset connections on timeout. The
default value is enabled.
rtt-from-client
Enables or disables the TCP timestamp options to measure the round
trip time to the client. The default value is disabled.
rtt-from-server
Enables or disables the TCP timestamp options to measure the round
trip time to the server. The default value is disabled.
server-sack
Specifies whether to support server sack option in cookie response
by default. The default value is disabled.
server-timestamp
Specifies whether to support server timestamp option in cookie
response by default. The default value is disabled.
receive-window-size
Specifies the window size to use. The minimum and default value is
65535 bytes; the maximum is 2^31 for window scale enabling.
software-syn-cookie
This option is deprecated in version 13.0.0 and is replaced by
syn-cookie-enable. Enables or disables software SYN cookie
support when PVA10 is not present on the system. The default value
is disabled.
syn-cookie-enable
Enables syn-cookies capability on this virtual server. For the
details on the threshold at which syn-cookies are triggered please
see default-vs-syn-challenge-threshold and
global-syn-challenge-threshold or the tcp-half-open vector in the
DoS profile. The default is enabled.
syn-cookie-mss
Specifies a maximum segment size (MSS) for server connections when
SYN Cookie is enabled. Note that this is also the MSS advertised
to a client when a client first connects.
The default value is 0 (zero), which disables this option. You can
specify an integer from 256 to 9162.
syn-cookie-whitelist
Specifies whether or not to use a SYN Cookie WhiteList when doing
software SYN Cookies. This means not doing a SYN Cookie for the
same src IP address if it has been done already in the previous
tm.flowstate.timeout (30) seconds. The default value is disabled.
tcp-close-timeout
Specifies a TCP close timeout in seconds. You can also specify
immediate or indefinite. The default value is 5 seconds.
tcp-generate-isn
Specifies whether you want to generate TCP sequence numbers on all
SYNs that conform with RFC1948, and allow timestamp recycling. The
default value is disabled.
tcp-handshake-timeout
Specifies a TCP handshake timeout in seconds. You can also specify
immediate or indefinite. The default value is 5 seconds.
tcp-time-wait-timeout
Specifies a TCP time_wait timeout in milliseconds. The default
value is 0 milliseconds.
tcp-strip-sack
Specifies whether you want to block the TCP SackOK option from
passing to the server on an initiating SYN. The default value is
disabled.
tcp-timestamp-mode
Specifies how you want to handle the TCP timestamp. The default
value is preserve.
tcp-wscale-mode
Specifies how you want to handle the TCP window scale. The default
value is preserve.
late-binding
Specifies whether to enable or disable intelligent selection of a
back-end server pool. The default value is disabled. With this
option enabled, an iRule can read a Layer 7 (FIX) packet to select
a server pool, and then can send the FIX stream down to the ePVA.
The ePVA then manages the FIX stream at a low latency, for as long
as the stream persists. To keep the latency low, the BIG-IP
software does not examine any more Layer-7 data in that FIX
stream.
If you enable this option, you also need a FIX profile in the
Performance FastL4 Virtual Server configuration.
explicit-flow-migration
Specifies whether to have the iRule code determine exactly when
the FIX stream drops down to the ePVA hardware. The default value
is disabled.
The explicit flow migration state indicates whether connections
are automatically migrated into the ePVA hardware (disabled), or
the iRule must explicitly migrate them with the
BIGTCP::release_flow command (enabled).
client-timeout
Specifies late binding client timeout in seconds. This is the
number of seconds allowed for a client to transmit enough data to
select a server pool. If this timeout expires, the
timeout-recovery option dictates whether to drop the connection or
fallback to the normal FastL4 load-balancing method to pick a
server pool. The default timeout is 30 seconds.
timeout-recovery
Specifies late binding timeout recovery mode. This is the action
to take when late binding timeout occurs on a connection. This
could be disconnect if only the L7 iRule actions are acceptable to
pick a server or fallback if the normal FastL4 load-balancing
methods are acceptable to pick a server. The default action is to
disconnect.
to-folder
fastl4 profiles can be moved to any folder under /Common, but
configuration dependencies may restrict moving the profile out of
/Common.
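The following is an added example, not part of the F5 manual page: a small Python audit that reads saved "list fastl4" output, checks integer options against the ranges documented above, and flags values that relax connection-state handling. The sample profile text and the choice of which values to flag are assumptions made for this example.

```python
import re

# Constructed sample in the brace-delimited layout that "list fastl4" prints;
# the option values are made up for this example.
SAMPLE = """\
ltm profile fastl4 my_fastl4_profile {
    defaults-from fastl4
    idle-timeout indefinite
    loose-initialization enabled
    mss-override 100
    receive-window-size 65535
    syn-cookie-enable disabled
}
"""

# (low, high, zero_ok) as stated in the OPTIONS text; zero_ok marks options
# where the page says 0 disables the setting.
RANGES = {
    "mss-override": (256, 9162, True),
    "syn-cookie-mss": (256, 9162, True),
    "pva-dynamic-client-packets": (0, 10, False),
    "other-pva-clientpkts-threshold": (0, 255, False),
    "receive-window-size": (65535, 2**31, False),
}

# Assumption of this example (a review policy, not F5 guidance): values that
# relax connection-state handling relative to the documented defaults.
REVIEW = {
    "loose-initialization": ("enabled", "any TCP packet opens a connection, no SYN required"),
    "syn-cookie-enable": ("disabled", "SYN cookies off; documented default is enabled"),
    "idle-timeout": ("indefinite", "idle connections never become eligible for deletion"),
    "tcp-handshake-timeout": ("indefinite", "handshake timeout never expires"),
}

def parse_profiles(text):
    """Return {profile_name: {option: value}} from list-style output."""
    profiles, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"ltm profile fastl4 (\S+) \{$", line)
        if m:
            current = profiles.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and line:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return profiles

def audit(options):
    """Return [(option, reason)] for out-of-range or review-worthy values."""
    findings = []
    for key, value in options.items():
        if key in RANGES and value.isdigit():
            (lo, hi, zero_ok), n = RANGES[key], int(value)
            if not (lo <= n <= hi or (zero_ok and n == 0)):
                findings.append((key, f"{n} is outside the documented range {lo}-{hi}"))
        elif key in REVIEW and REVIEW[key][0] == value:
            findings.append((key, REVIEW[key][1]))
    return findings
```

Calling audit(parse_profiles(SAMPLE)["my_fastl4_profile"]) returns one finding per flagged option, in the order the options appear in the profile.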
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify, mv, regex,
reset-stats, show, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2013, 2015-2016. All rights
reserved.
BIG-IP 2018-10-18 ltm profile fastl4(1)