ltm profile fastl4

ltm profile fastl4(1)				  BIG-IP TMSH Manual				ltm profile fastl4(1)

NAME
       fastl4 - Configures a Fast Layer 4 profile.

MODULE
       ltm profile

SYNTAX
       Configure the fastl4 component within the ltm profile module using the syntax shown in the following sections.

   CREATE/MODIFY
	create fastl4 [name]
	modify fastl4 [name]
	  options:
	    app-service [[string] | none]
	    defaults-from [ [name] | none]
	    description [string]
	    hardware-syn-cookie [disabled | enabled]
	    idle-timeout [immediate | indefinite | [integer] ]
	    ip-tos-to-client [ [integer] | pass-through]
	    ip-tos-to-server [ [integer] | pass-through]
	    keep-alive-interval [integer]
	    ip-df-mode [preserve | set | clear]
	    ip-ttl-mode [proxy | preserve | decrement | set]
	    ip-ttl-value [integer]
	    link-qos-to-client [ [integer] | pass-through]
	    link-qos-to-server [ [integer] | pass-through]
	    priority-to-client [ [integer] | pass-through]
	    priority-to-server [ [integer] | pass-through]
	    loose-close [disabled | enabled]
	    loose-initialization [disabled | enabled]
	    mss-override [integer]
	    pva-acceleration [full | none | partial | dedicated ]
	    pva-dynamic-client-packets [integer]
	    pva-dynamic-server-packets [integer]
	    pva-offload-dynamic [ enabled | disabled ]
	    pva-offload-state [embryonic | establish]
	    pva-offload-dynamic-priority [enable | disable]
	    pva-offload-initial-priority [low | medium | high]
	    pva-flow-aging [enabled | disabled]
	    pva-flow-evict [enabled | disabled]
	    tcp-pva-whento-offload [embryonic | establish]
	    tcp-pva-offload-direction [bidirectional | client-to-server-only | server-to-client-only]
	    other-pva-whento-offload [after-packets-per-direction | after-packets-both-direction]
	    other-pva-offload-direction [bidirectional | client-to-server-only | server-to-client-only]
	    other-pva-clientpkts-threshold [integer]
	    other-pva-serverpkts-threshold [integer]
	    reassemble-fragments [disabled | enabled]
	    reset-on-timeout [disabled | enabled]
	    rtt-from-client [disabled | enabled]
	    rtt-from-server [disabled | enabled]
	    server-sack [disabled | enabled]
	    server-timestamp [disabled | enabled]
	    receive-window-size [65535 - 2^31 bytes for window scale enabling]
	    software-syn-cookie [disabled | enabled]
	    syn-cookie-dsr-flow-reset-by [bigip | client | none]
	    syn-cookie-enable [disabled | enabled]
	    syn-cookie-mss [integer]
	    syn-cookie-whitelist [disabled | enabled]
	    tcp-close-timeout [immediate | indefinite | [integer] ]
	    tcp-generate-isn [disabled | enabled]
	    tcp-handshake-timeout [immediate | indefinite | [integer] ]
	    tcp-strip-sack [disabled | enabled]
	    tcp-timestamp-mode [preserve | rewrite | strip]
	    tcp-time-wait-timeout [integer]
	    tcp-wscale-mode [preserve | rewrite | strip]
	    late-binding [enabled | disabled]
	    explicit-flow-migration [enabled | disabled]
	    client-timeout [integer]
	    timeout-recovery [ disconnect | fallback ]

	mv fastl4 [ [[source-name] [destination-name]] | [[name] to-folder [folder-name]] | [[name...name] to-folder [folder-name]] ]
	  options:
	    to-folder

	edit fastl4 [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

	reset-stats fastl4
	reset-stats fastl4 [ [ [name] | [glob] | [regex] ] ... ]

   DISPLAY
	list fastl4
	list fastl4 [ [ [name] | [glob] | [regex] ] ... ]
	show running-config fastl4
	show running-config fastl4 [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

	show fastl4
	show fastl4 [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    (default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
	    field-fmt
	    global

   DELETE
	delete fastl4 [name]

DESCRIPTION
       You can use this component to create, modify, display, or delete a Fast Layer 4 profile. The Fast L4 profile
       is the default profile that the system uses when you create a basic configuration for non-UDP (User Datagram
       Protocol) traffic.

       Any changes you make to an active Fast L4 profile (one that is in use by a virtual server) take effect after
       the value of the idle-timeout option has passed. That means new connections are affected by the profile change
       immediately. However, for the new values to take effect, old connections need to be either aged out or closed.

EXAMPLES

       create fastl4 my_fastl4_profile defaults-from fastl4

       Creates a custom Fast Layer 4 profile named my_fastl4_profile that inherits its settings from the system
       default Fast L4 profile.

       mv fastl4 /Common/my_fastl4_profile to-folder /Common/my_folder

       Moves a custom fastl4 profile named my_fastl4_profile to a folder named my_folder, where my_folder has already
       been created and exists within /Common.

       Please refer to the mv manual page for examples on how to use the mv command.

       show fastl4

       Displays statistics for all Fast Layer 4 profiles.

OPTIONS
       app-service
	    Specifies the name of the application service to which the profile belongs. The default value is none.
	    Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
	    modify or delete the profile. Only the application service can modify or delete the profile.

       defaults-from
	    Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings
	    and values from the parent profile specified. The default value is fastl4.

       description
	    User defined description.

       glob Displays the items that match the glob expression. See help glob for a description of glob expression
	    syntax.

       hardware-syn-cookie
	    This option is deprecated in version 13.0.0 and is replaced by syn-cookie-enable.  Enables or disables
	    hardware SYN cookie support when PVA10 is present on the system. The default value is disabled.

	    Note that when you set the hardware-syn-cookie option to enabled, you may also want to set the following
	    bigdb database variables using the db component, based on your requirements:

	    pva.SynCookies.Full.ConnectionThreshold (default: 500000)
	    pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
	    pva.SynCookies.ClientWindow (default: 0)

       idle-timeout
	    Specifies the number of seconds that a connection is idle before the connection is eligible for deletion.
	    The default value is 300 seconds. You can also specify immediate or indefinite.

	    When you specify an idle-timeout for the Fast L4 profile, for the profile to work properly, the value
	    needs to be greater than the bigdb database variable Pva.Scrub_time_in_msec.

       ip-tos-to-client
	    Specifies an IP Type of Service (ToS) number for the client-side. This option specifies the ToS level
	    that the traffic management system assigns to IP packets when sending them to clients. The default value
	    is 65535, which means the system does not modify the value.

       ip-tos-to-server
	    Specifies an IP ToS number for the server side. This option specifies the ToS level that the traffic
	    management system assigns to IP packets when sending them to servers. The default value is 65535, which
	    means the system does not modify the value.

       keep-alive-interval
	    Specifies the keep-alive probe interval, in seconds. The default value is disabled (0 seconds).

       ip-df-mode
	    Specifies the Don't Fragment (DF) bit setting in the IP header of the outgoing TCP packet. The available
	    settings are:

	    Pmtu: Sets the outgoing IP header DF bit based on the IP PMTU setting (tm.pathmtudiscovery).
	    Preserve: Sets the outgoing packet's IP header DF bit to be the same as the incoming IP header DF bit.
	    Set: Sets the outgoing packet's IP header DF bit.
	    Clear: Clears the outgoing packet's IP header DF bit.

	    The default setting is Preserve.

       ip-ttl-mode
	    Specifies the IP header TTL mode of the outgoing TCP packet. The available modes are:

	    Proxy: Sets the outgoing IP header TTL value to 255/64 for ipv4/ipv6 respectively.
	    Preserve: Sets the outgoing IP header TTL value to be the same as the incoming IP header TTL value.
	    Decrement: Sets the outgoing IP header TTL value to be one less than the incoming TTL value.
	    Set: Sets the outgoing IP header TTL value to a specific value (as specified by ip-ttl-v[4|6]).

	    The default mode is Decrement.

       ip-ttl-v4
	    Specifies the outgoing packet's IP header TTL value for IPv4 traffic. The maximum TTL value that can be
	    specified is 255. The default is 255.

       ip-ttl-v6
	    Specifies the outgoing packet's IP header TTL value for IPv6 traffic. The maximum TTL value that can be
	    specified is 255. The default is 64.

       link-qos-to-client
	    Specifies a Link Quality of Service (QoS) (VLAN priority) number for the client side. This option
	    specifies the QoS level that the system assigns to packets when sending them to clients. The default
	    value is 65535, which means the system does not modify the value.

       link-qos-to-server
	    Specifies a Link QoS (VLAN priority) number for the server side. This option specifies the QoS level that
	    the system assigns to packets when sending them to servers. The default value is 65535, which means the
	    system does not modify the value.

       priority-to-client
	    Specifies internal packet priority for the client side. This option specifies the internal packet
	    priority that the system assigns to packets when sending them to clients. The default value is 65535,
	    which means the system does not modify the value.

       priority-to-server
	    Specifies internal packet priority for the server side. This option specifies the internal packet
	    priority that the system assigns to packets when sending them to servers. The default value is 65535,
	    which means the system does not modify the value.

       loose-close
	    Specifies that the system closes a loosely-initiated connection when the system receives the first FIN
	    packet from either the client or the server. The default value is disabled.

       loose-initialization
	    Specifies that the system initializes a connection when it receives any Transmission Control Protocol
	    (TCP) packet, rather than requiring a SYN packet for connection initiation. The default value is
	    disabled.

       mss-override
	    Specifies a maximum segment size (MSS) override for server connections. Note that this is also the MSS
	    advertised to a client when a client first connects.

	    The default value is 0 (zero), which disables this option. You can specify an integer from 256 to 9162.

       name Specifies a unique name for the component. This option is required for the commands create, delete, and
	    modify.

       partition
	    Displays the administrative partition within which the component resides.

       pva-acceleration
	    Specifies the Packet Velocity(r) ASIC acceleration policy. The default value is full. In 12.1, dedicated
	    mode is the new low latency policy, which replaces guaranteed. The full and partial modes have the same
	    effect on ePVA platforms.

       pva-dynamic-client-packets
	    Specifies the number of client packets before dynamic ePVA hardware re-offloading occurs. Valid values
	    are 0 to 10. The default value is 2.

       pva-dynamic-server-packets
	    Specifies the number of server packets before dynamic ePVA hardware re-offloading occurs. Valid values
	    are 0 to 10. The default value is 2.

       pva-offload-dynamic
	    Specifies whether PVA flow dynamic offloading is enabled. The default is enabled.

	    For the flow or flows in a connection to be offloaded to ePVA hardware, both the client (pva-dynamic-
	    client-packets) and server (pva-dynamic-server-packets) flow packet settings need to be satisfied. If
	    packets in only one direction need to be taken into consideration, set the packet count for the other
	    direction to zero.

       pva-offload-initial-priority
	    Specifies the initial ePVA offload priority of a flow. Priority can be low, medium or high. The default
	    value is medium.

       pva-offload-dynamic-priority
	    Specifies whether dynamic adjustment of ePVA offload flow priority is turned on. The default value is
	    disabled.

       pva-offload-state
	    This option is deprecated in version 14.1.0 and is replaced by tcp-pva-whento-offload and other-pva-
	    whento-offload. Specifies at what stage the ePVA performs hardware offload. The default value is
	    embryonic, which implies offload at TCP CSYN or the first client UDP packet. establish implies that TCP
	    3WAY handshaking or the UDP CS round trip is confirmed.

       pva-flow-aging
	    Specifies whether a flow is automatically aged out of the ePVA flow cache after it has been inactive and
	    idle for a period. The default value is enabled.

       pva-flow-evict
	    Specifies whether this flow can be evicted upon hash collision with a new flow learn snoop request. The
	    default value is enabled.

       tcp-pva-whento-offload
	    Specifies at what stage the ePVA performs hardware offload for TCP traffic. The default value is
	    embryonic, which implies offload at the TCP SYN packet. establish implies TCP 3WAY handshaking.

       tcp-pva-offload-direction
	    For TCP traffic only, specifies the side of the traffic for which the ePVA can perform hardware offload.
	    The default value is bidirectional, which implies that both sides are permitted to offload if the
	    threshold is exceeded. client-to-server-only implies that only the traffic from client to server is
	    allowed to be offloaded. Even if the traffic from server to client exceeds the threshold, it will not be
	    offloaded. Conversely, server-to-client-only implies that only the traffic from server to client is
	    allowed to be offloaded.

       other-pva-whento-offload
	    Specifies when the ePVA performs hardware offload for stateless protocol traffic. The default value is
	    after-packets-per-direction, which implies that the client and server traffic is offloaded independently
	    after exceeding their own thresholds. after-packets-both-direction implies that both the client and
	    server traffic thresholds need to be exceeded before either side is offloaded.

       other-pva-offload-direction
	    For stateless protocol traffic only, specifies the side of the traffic for which the ePVA can perform
	    hardware offload. The default value is bidirectional, which implies that both sides are permitted to
	    offload if the threshold is exceeded. client-to-server-only implies that only the traffic from client to
	    server is allowed to be offloaded. Even if the traffic from server to client exceeds the threshold, it
	    will not be offloaded. Conversely, server-to-client-only implies that only the traffic from server to
	    client is allowed to be offloaded.

       other-pva-clientpkts-threshold
	    Specifies the number of client packets before ePVA hardware offloading occurs for stateless protocol
	    traffic. Valid values are 0 to 255. The default value is 2.

       other-pva-serverpkts-threshold
	    Specifies the number of server packets before ePVA hardware offloading occurs for stateless protocol
	    traffic. Valid values are 0 to 255. The default value is 1.

       reassemble-fragments
	    Specifies whether to reassemble fragments. The default value is disabled.

       regex
	    Displays the items that match the regular expression. The regular expression must be preceded by an at
	    sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
	    a description of regular expression syntax.

       reset-on-timeout
	    Specifies whether you want to reset connections on timeout. The default value is enabled.

       rtt-from-client
	    Enables or disables the TCP timestamp options to measure the round trip time to the client. The default
	    value is disabled.

       rtt-from-server
	    Enables or disables the TCP timestamp options to measure the round trip time to the server. The default
	    value is disabled.

       server-sack
	    Specifies whether to support server sack option in cookie response by default. The default value is
	    disabled.

       server-timestamp
	    Specifies whether to support server timestamp option in cookie response by default. The default value is
	    disabled.

       receive-window-size
	    Specifies the window size to use. The minimum and default value is 65535 bytes; the maximum is 2^31 for
	    window scale enabling.

       software-syn-cookie
	    This option is deprecated in version 13.0.0 and is replaced by syn-cookie-enable.  Enables or disables
	    software SYN cookie support when PVA10 is not present on the system. The default value is disabled.

       syn-cookie-dsr-flow-reset-by
	    Specifies how TCP SYN Flood is handled when syn-cookie-whitelist is enabled and the attack is detected in
	    Direct Server Return(DSR) mode. The default value is none, which is backward-compatible with syn-cookie-
	    whitelist feature in non-DSR mode.

       syn-cookie-enable
	    Enables syn-cookies capability on this virtual server.  For the details on the threshold at which syn-
	    cookies are triggered please see default-vs-syn-challenge-threshold and global-syn-challenge-threshold or
	    the tcp-half-open vector in the DoS profile. The default is enabled.

       syn-cookie-mss
	    Specifies a maximum segment size (MSS) for server connections when SYN Cookie is enabled. Note that this
	    is also the MSS advertised to a client when a client first connects.

	    The default value is 0 (zero), which disables this option. You can specify an integer from 256 to 9162.

       syn-cookie-whitelist
	    Specifies whether or not to use a SYN Cookie WhiteList when doing software SYN Cookies. This means not
	    doing a SYN Cookie for the same src IP address if it has been done already in the previous
	    tm.flowstate.timeout (30) seconds. The default value is disabled.

       tcp-close-timeout
	    Specifies a TCP close timeout in seconds. You can also specify immediate or indefinite. The default value
	    is 5 seconds.

       tcp-generate-isn
	    Specifies whether you want to generate TCP sequence numbers on all SYNs that conform with RFC1948, and
	    allow timestamp recycling. The default value is disabled.

       tcp-handshake-timeout
	    Specifies a TCP handshake timeout in seconds. You can also specify immediate or indefinite. The default
	    value is 5 seconds.

       tcp-time-wait-timeout
	    Specifies a TCP time_wait timeout in milliseconds. The default value is 0 milliseconds.

       tcp-strip-sack
	    Specifies whether you want to block the TCP SackOK option from passing to the server on an initiating
	    SYN. The default value is disabled.

       tcp-timestamp-mode
	    Specifies how you want to handle the TCP timestamp. The default value is preserve.

       tcp-wscale-mode
	    Specifies how you want to handle the TCP window scale. The default value is preserve.

       late-binding
	    Specifies whether to enable or disable intelligent selection of a back-end server pool. The default value
	    is disabled. With this option enabled, an iRule can read a Layer 7 (FIX) packet to select a server pool,
	    and then can send the FIX stream down to the ePVA. The ePVA then manages the FIX stream at a low latency,
	    for as long as the stream persists. To keep the latency low, the BIG-IP software does not examine any
	    more Layer-7 data in that FIX stream.

	    If you enable this option, you also need a FIX profile in the Performance FastL4 Virtual Server
	    configuration.

       explicit-flow-migration
	    Specifies whether to have the iRule code determine exactly when the FIX stream drops down to the ePVA
	    hardware. The default value is disabled.

	    The explicit flow migration state indicates whether connections are automatically migrated into the ePVA
	    hardware (disabled), or the iRule must explicitly migrate them with the BIGTCP::release_flow command
	    (enabled).

       client-timeout
	    Specifies late binding client timeout in seconds. This is the number of seconds allowed for a client to
	    transmit enough data to select a server pool. If this timeout expires, the timeout-recovery option
	    dictates whether to drop the connection or fallback to the normal FastL4 load-balancing method to pick a
	    server pool. The default timeout is 30 seconds.

       timeout-recovery
	    Specifies late binding timeout recovery mode. This is the action to take when late binding timeout occurs
	    on a connection. This could be disconnect if only the L7 iRule actions are acceptable to pick a server or
	    fallback if the normal FastL4 load-balancing methods are acceptable to pick a server. The default action
	    is to disconnect.

       to-folder
	    fastl4 profiles can be moved to any folder under /Common, but configuration dependencies may restrict
	    moving the profile out of /Common.
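
       The following audit script is an added example, not part of the F5 manual or F5 code. It parses
       list ltm profile fastl4 output and reports options that differ from the defaults documented above for
       connection initiation, close and SYN cookie handling, enable a deprecated SYN cookie option, set a
       timeout to indefinite, or carry an MSS outside 256 to 9162. The sample stanzas and profile names are
       constructed, and treating these deviations as review items is this example's assumption.

```python
import re

# Defaults documented in the OPTIONS section for the options that control how a
# connection may be opened, closed and protected against SYN floods.
# Treating a deviation as a review item is this example's policy, not F5's.
DOCUMENTED_DEFAULTS = {
    "loose-initialization": "disabled",  # a SYN is required to open a connection
    "loose-close": "disabled",
    "reset-on-timeout": "enabled",
    "syn-cookie-enable": "enabled",
    "syn-cookie-whitelist": "disabled",
}
# Deprecated in 13.0.0 according to the page; both are replaced by syn-cookie-enable.
DEPRECATED = ("hardware-syn-cookie", "software-syn-cookie")
TIMEOUTS = ("idle-timeout", "tcp-handshake-timeout", "tcp-close-timeout")
MSS_OPTIONS = ("mss-override", "syn-cookie-mss")  # 0 disables, else 256 to 9162

STANZA = re.compile(r"^ltm profile fastl4 (\S+) \{\n(.*?)^\}", re.M | re.S)


def parse_profiles(text):
    """Return {profile name: {option: value}} for each fastl4 stanza in text."""
    profiles = {}
    for name, body in STANZA.findall(text):
        pairs = (line.split(None, 1) for line in body.splitlines())
        profiles[name] = {p[0]: p[1].strip() for p in pairs if len(p) == 2}
    return profiles


def audit(options):
    """Return a list of (option, reason) review items for one profile."""
    items = []
    for key, value in options.items():
        if key in DOCUMENTED_DEFAULTS and value != DOCUMENTED_DEFAULTS[key]:
            items.append((key, f"is {value}; documented default is {DOCUMENTED_DEFAULTS[key]}"))
        elif key in DEPRECATED and value == "enabled":
            items.append((key, "is deprecated; replaced by syn-cookie-enable"))
        elif key in TIMEOUTS and value == "indefinite":
            items.append((key, "is indefinite; this timeout never expires"))
        elif key in MSS_OPTIONS and value.isdigit():
            if int(value) != 0 and not 256 <= int(value) <= 9162:
                items.append((key, f"is {value}; documented range is 256 to 9162"))
    return items


# Constructed sample of 'list ltm profile fastl4' output (not from a real system).
SAMPLE = """\
ltm profile fastl4 /Common/legacy_fastl4 {
    defaults-from /Common/fastl4
    idle-timeout indefinite
    loose-initialization enabled
    loose-close enabled
    mss-override 100
    software-syn-cookie enabled
    syn-cookie-enable disabled
}
ltm profile fastl4 /Common/strict_fastl4 {
    defaults-from /Common/fastl4
    idle-timeout 300
    loose-initialization disabled
    syn-cookie-enable enabled
}
"""

if __name__ == "__main__":
    for name, options in parse_profiles(SAMPLE).items():
        for option, reason in audit(options):
            print(f"{name}: {option} {reason}")
```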

SEE ALSO
       create, delete, edit, glob, list, ltm virtual, modify, mv, regex, reset-stats, show, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2008-2013, 2015-2016. All rights reserved.

BIG-IP						      2020-02-12				ltm profile fastl4(1)