ltm profile tcp(1) BIG-IP TMSH Manual ltm profile tcp(1)
NAME
tcp - Configures a Transmission Control Protocol (TCP) profile.
MODULE
ltm profile
SYNTAX
Configure the tcp component within the ltm profile module using the syntax shown in the following sections.
CREATE/MODIFY
create tcp [name]
modify tcp [name]
options:
abc [disabled | enabled]
ack-on-push [disabled | enabled]
app-service [[string] | none]
auto-proxy-buffer-size [disabled | enabled]
auto-receive-window-size [disabled | enabled]
auto-send-buffer-size [disabled | enabled]
close-wait-timeout [integer]
cmetrics-cache [disabled | enabled]
cmetrics-cache-timeout [integer]
congestion-control [high-speed | new-reno | none | reno | scalable |
vegas | illinois | woodside | chd | cdg | cubic | westwood | bbr]
defaults-from [ [name] | none]
deferred-accept [disabled | enabled]
delay-window-control [disabled | enabled]
delayed-acks [disabled | enabled]
description [string]
dsack [disabled | enabled]
early-retransmit [disabled | enabled]
ecn [disabled | enabled]
enhanced-loss-recovery [disabled | enabled]
fast-open [disabled | enabled]
fast-open-cookie-expiration [integer]
fin-wait-timeout [integer]
fin-wait-2-timeout [integer]
hardware-syn-cookie [disabled | enabled]
idle-timeout [integer]
init-cwnd [integer]
init-rwnd [integer]
ip-tos-to-client [integer]
keep-alive-interval [integer]
limited-transmit [disabled | enabled]
link-qos-to-client [integer]
max-retrans [integer]
max-segment-size [integer]
md5-signature [disabled | enabled]
md5-signature-passphrase [none | [string] ]
minimum-rto [integer]
mptcp [disabled | enabled | passthrough ]
mptcp-csum [disabled | enabled]
mptcp-csum-verify [disabled | enabled]
mptcp-debug [disabled | enabled]
mptcp-fallback [reset | retransmit | active-accept | accept]
mptcp-join-max [integer]
mptcp-nojoindssack [disabled | enabled]
mptcp-rtomax [integer]
mptcp-rxmitmin [integer]
mptcp-subflowmax [integer]
mptcp-makeafterbreak [disabled | enabled]
mptcp-timeout [integer]
mptcp-fastjoin [disabled | enabled]
nagle [disabled | enabled | auto]
pkt-loss-ignore-rate [integer]
pkt-loss-ignore-burst [integer]
proxy-buffer-high [integer]
proxy-buffer-low [integer]
proxy-mss [disabled | enabled]
proxy-options [disabled | enabled]
push-flag [default | none | one | auto]
ip-df-mode [pmtu | preserve | set | clear]
ip-ttl-mode [proxy | preserve | decrement | set]
ip-ttl-v4 [integer]
ip-ttl-v6 [integer]
rate-pace [disabled | enabled]
rate-pace-max-rate [integer]
receive-window-size [integer]
reset-on-timeout [disabled | enabled]
rexmt-thresh [integer]
selective-acks [disabled | enabled]
selective-nack [disabled | enabled]
send-buffer-size [integer]
slow-start [disabled | enabled]
syn-cookie-enable [disabled | enabled]
syn-cookie-whitelist [disabled | enabled]
syn-max-retrans [integer]
syn-rto-base [integer]
tail-loss-probe [disabled | enabled]
time-wait-recycle [disabled | enabled]
time-wait-timeout [integer]
timestamps [disabled | enabled]
verified-accept [disabled | enabled]
zero-window-timeout [integer]
edit tcp [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
reset-stats tcp
reset-stats tcp [ [ [name] | [glob] | [regex] ] ... ]
DISPLAY
list tcp
list tcp [ [ [name] | [glob] | [regex] ] ... ]
show running-config tcp
show running-config tcp [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show tcp
show tcp [ [ [name] | [glob] | [regex] ] ... ]
options:
(default | exa | gig | kil | meg | peta | raw | tera | yotta | zetta)
field-fmt
global
DELETE
delete tcp [name]
DESCRIPTION
You can use the tcp component to manage TCP network traffic. Many of the options are standard sysctl-type
options, while others are unique to the traffic management system. For most of the options, the default values
usually meet your needs. The specific options that you might want to change are: reset-on-timeout,
idle-timeout, ip-tos-to-client, and link-qos-to-client.
The system installation includes these default TCP-type profiles: tcp, tcp-cell-optimized, tcp-lan-optimized,
and tcp-wan-optimized. You can modify the settings of these profiles, or create new TCP-type profiles using
any of these existing profiles as parent profiles.
EXAMPLES
create tcp my_tcp_profile defaults-from tcp
Creates a custom TCP profile named my_tcp_profile that inherits its settings from the system default tcp
profile.
list tcp all-properties
Displays all properties for all TCP profiles.
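The following is an added example that is not part of the original manual page. It builds on the create and list commands above and uses the deferred-accept, SYN cookie, timeout and md5-signature options documented under OPTIONS to build one client-side and one server-side profile. The profile names, the virtual server name vs_example and the passphrase are placeholders, and the final modify command assumes the standard ltm virtual profiles syntax, which this page does not document.

```tmsh
# Added example, not from the original manual page.
# Client-side profile: defer context allocation until client data
# arrives (mitigates 3-way handshake floods), keep SYN cookies on, and
# reclaim half-open or idle connections quickly so they cannot pile up.
create ltm profile tcp tcp_hardened_client \
    defaults-from tcp-wan-optimized \
    deferred-accept enabled \
    syn-cookie-enable enabled \
    syn-cookie-whitelist disabled \
    syn-max-retrans 3 \
    reset-on-timeout enabled \
    idle-timeout 120 \
    fin-wait-timeout 5 \
    fin-wait-2-timeout 60 \
    close-wait-timeout 5 \
    fast-open disabled \
    description "Client side: deferred accept, SYN cookies, short timeouts"

# Show only the values that differ from the parent profile, which is the
# quickest way to review what a custom profile actually changes.
list ltm profile tcp tcp_hardened_client non-default-properties

# Server-side profile: RFC 2385 TCP-MD5 signatures so an intermediary
# cannot alter or forge segments between the system and the pool members.
# The passphrase (1 to 80 characters) must match on the pool members;
# PLACEHOLDER_PASSPHRASE is a placeholder, not a real value.
create ltm profile tcp tcp_md5_server \
    defaults-from tcp-lan-optimized \
    md5-signature enabled \
    md5-signature-passphrase PLACEHOLDER_PASSPHRASE \
    proxy-mss enabled

# Attach each profile in its own direction on a virtual server.
# vs_example is a placeholder; the profiles/context syntax is that of the
# ltm virtual component (assumed here, not documented on this page).
modify ltm virtual vs_example profiles add { \
    tcp_hardened_client { context clientside } \
    tcp_md5_server { context serverside } }

# Review connection statistics for the client-side profile, for example
# after a load test or when a SYN flood is suspected.
show ltm profile tcp tcp_hardened_client
```

Run `list ltm profile tcp tcp_hardened_client non-default-properties` again after any later modify to confirm that no option silently fell back to the parent's default.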
OPTIONS
abc When enabled, increases the congestion window by basing the increase amount on the number of previously
unacknowledged bytes that each acknowledgement code (ACK) includes. The default value is enabled.
ack-on-push
When enabled, significantly improves performance to Microsoft® Windows® and MacOS peers that write out on
a very small send buffer. The default value is enabled.
app-service
Specifies the name of the application service to which the profile belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the profile. Only the application service can modify or delete the profile.
auto-proxy-buffer-size
Specifies, when enabled, that the system uses the network measurements to set the optimal proxy buffer
size. The default value is disabled.
auto-receive-window-size
Specifies, when enabled, that the system uses the network measurements to set the optimal receive window
size. The default value is disabled.
auto-send-buffer-size
Specifies, when enabled, that the system uses the network measurements to set the optimal send buffer
size. The default value is disabled.
close-wait-timeout
Specifies the number of seconds that a connection remains in a LAST-ACK (last acknowledgement code) state
before quitting. A value of 0 (zero) represents a term of forever (or until the maxrtx of the FIN state).
The default value is 5 seconds.
cmetrics-cache
Specifies, when enabled, the default value, that the system uses a cache for storing congestion metrics.
cmetrics-cache-timeout
Specifies the time, in seconds, for which entries in the congestion metrics cache are valid. The default
value is 0, which defers to the sys db variable route.metrics.timeout.
congestion-control
Specifies the algorithm to use to share network resources among competing users to reduce congestion. The
default value is high-speed.
The options are:
bbr Specifies that the system uses an implementation of the BBR congestion control algorithm, which
uses the connection's maximum delivery rate (bottleneck bandwidth) and minimum round trip time to
avoid growing buffers and path delay.
cdg Specifies that the system uses the Caia Delay-Gradient congestion control algorithm, where
congestion inferences are made based on the gradient of RTT over time. This improves inferences
about whether packet losses are due to congestion or other factors. The use of a shadow window
improves coexistence with loss-based TCP flows.
chd Specifies that the system uses the Caia-Hamilton delay-based congestion control algorithm, where
delay-based congestion window operations are performed only once per RTT. It tolerates packet
losses that are likely to be unrelated to congestion, and uses a shadow window to help regain lost
transmission opportunities when competing with loss-based TCP flows.
cubic Specifies that the system uses a component optimized for high latency, high bandwidth connections
as the TCP congestion control algorithm.
high-speed
Specifies that the system uses a more aggressive, loss-based algorithm.
illinois
Specifies that the system uses a hybrid of both delay and loss as the TCP congestion control
algorithm.
new-reno
Specifies that the system uses a modification to the Reno algorithm that responds to partial
acknowledgements when SACKs are unavailable.
none Specifies that the system does not use a network-congestion-control mechanism, even when
congestion occurs.
reno Specifies that the system uses an implementation of the TCP Fast Recovery algorithm, which is
based on the implementation in the BSD Reno release.
scalable
Specifies that the system uses a TCP algorithm modification that adds a scalable, delay-based and
loss-based component into the Reno algorithm.
vegas Specifies that the system uses a delay-based component as the TCP congestion control algorithm.
westwood
Specifies that the system uses the Westwood+ bandwidth estimation component as the TCP congestion
control algorithm.
woodside
Specifies that the system uses a hybrid of both delay and loss as the TCP congestion control
algorithm.
defaults-from
Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings
and values from the parent profile. The default value is tcp.
deferred-accept
Specifies, when enabled, that the system defers allocation of the connection chain context until the
system has received the payload from the client. This option is useful for dealing with 3-way handshake
denial-of-service (DOS) attacks. The default value is disabled.
delay-window-control
When enabled, the system uses an estimate of queueing delay as a measure of congestion, in addition to
the normal loss-based control, to control the amount of data sent. The default value is disabled.
delayed-acks
Specifies, when enabled, the default value, that the traffic management system allows coalescing of
multiple acknowledgement (ACK) responses.
description
User defined description.
dsack
When enabled, specifies the use of the SACK option to acknowledge duplicate segments. The default is
disabled.
early-retransmit
Specifies, when enabled, that the system uses early retransmit recovery (as specified in RFC 5827) to
reduce the recovery time for connections that are receive-buffer or user-data limited. The default value
is enabled.
ecn Specifies, when enabled, that the system uses the TCP flags CWR and ECE to notify its peer of congestion
and congestion counter-measures. The default value is enabled.
enhanced-loss-recovery
Specifies whether the system uses enhanced loss recovery to recover from random packet losses more
effectively. The default value is enabled.
fast-open
Specifies, when enabled, that the system supports TCP Fast Open, which allows a client to include the
first packet of data with the SYN to reduce latency. The default value is enabled. This option has no
effect on server-side TCP profiles.
fast-open-cookie-expiration
Specifies the number of seconds that a "Fast Open Cookie" delivered to a client is valid for SYN packets
from that client. The default value is 21600 seconds (6 hours). A value of 0 (zero) means use the
default. The maximum value is 1000000 seconds.
fin-wait-timeout
Specifies the number of seconds that a connection is in the FIN-WAIT-1 or closing state before quitting.
The default value is 5 seconds. A value of 0 (zero) represents a term of forever (or until the maxrtx of
the FIN state).
fin-wait-2-timeout
Specifies the number of seconds that a connection is in the FIN-WAIT-2 state before quitting. The default
value is 300 seconds. A value of 0 (zero) represents a term of forever (or until the maxrtx of the FIN
state).
glob Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
hardware-syn-cookie
This option is deprecated in version 13.0.0 and is replaced by syn-cookie-enable. Specifies whether to
use hardware SYN cookies when the system limit is crossed. The default value is enabled.
idle-timeout
Specifies the number of seconds that a connection is idle before the connection is eligible for deletion.
The default value is 300 seconds.
init-cwnd
Specifies the initial congestion window size for connections to this destination. The actual window size
is this value multiplied by the MSS (Maximum Segment Size) for the same connection. The default value is
10. The range is from 0 to 64.
init-rwnd
Specifies the initial receive window size for connections to this destination. The actual window size is
this value multiplied by the MSS (Maximum Segment Size) for the same connection. The default value is 10.
The range is from 0 to 64.
ip-df-mode
Specifies the IP header Don't Fragment (DF) bit setting in outgoing TCP packets. The default value is
pmtu.
The options are:
pmtu Sets the outgoing IP header DF bit based on the IP path MTU setting (tm.pathmtudiscovery).
preserve
Sets the outgoing packet's IP header DF bit to the same value as the incoming IP header DF bit.
set Sets the outgoing packet's IP header DF bit.
clear Clears the outgoing packet's IP header DF bit.
ip-ttl-mode
Describe the outgoing TCP packet's IP Header TTL mode. The available Modes are: Proxy: Set the outgoing
IP Header TTL value to 255/64 for ipv4/ipv6 respectively. Preserve: Set the outgoing IP Header TTL value
to be same as the incoming IP Header TTL value. Decrement: Set the outgoing IP Header TTL value to be
one less than the incoming TTL value. Set: Set the outgoing IP Header TTL value to a specific value(as
specified by ip-ttl-v[4|6]). The default mode is Proxy.
ip-ttl-v4
Specify the outgoing packet's IP Header TTL value for IPv4 traffic. Maximum TTL value that can be
specified is 255. The default is 255.
ip-ttl-v6
Specify the outgoing packet's IP Header TTL value for IPv6 traffic. Maximum TTL value that can be
specified is 255. The default is 64.
ip-tos-to-client
Specifies the Type of Service (ToS) level that the traffic management system assigns to TCP packets when
sending them to clients. The default value is 0 (zero).
keep-alive-interval
Specifies the keep-alive probe interval, in seconds. The default value is 1800 seconds.
limited-transmit
Specifies, when enabled, the default value, that the system uses limited transmit recovery revisions for
fast retransmits (as specified in RFC 3042) to reduce the recovery time for connections on a lossy
network.
link-qos-to-client
Specifies the Link Quality of Service (QoS) level that the system assigns to TCP packets when sending
them to clients. The default value is 0 (zero).
max-retrans
Specifies the maximum number of retransmissions of data segments that the system allows. The default
value is 8.
max-segment-size
Specifies the largest amount of data that the system can receive in a single TCP segment, not including
the TCP and IP headers. If the value is 0 (zero), the system calculates the value from the MTU. The
default value is 1460 bytes.
md5-signature
Specifies, when enabled, that the system uses RFC 2385 TCP-MD5 signatures to protect TCP traffic against
intermediate tampering. The default value is disabled.
md5-signature-passphrase
Specifies a plain text passphrase, between 1 and 80 characters in length, that is used in a
shared-secret scheme to implement the spoof-prevention parts of RFC 2385. The default value is none.
minimum-rto
Specifies the minimum TCP retransmission timeout in milliseconds. The default value is 1000 milliseconds.
mptcp
Specifies, when enabled, that the system accepts MPTCP connections. When set to passthrough, MPTCP
connections are not terminated by this virtual server. The default value is disabled.
mptcp-csum
Specifies, when enabled, that the system will calculate the checksum for MPTCP connections. The default
value is disabled.
mptcp-csum-verify
Specifies, when enabled, that the system verifies checksum for MPTCP connections. The default value is
disabled.
mptcp-debug
This option is DEPRECATED v12.0.0 onwards and is maintained here for backward compatibility reasons.
Specifies, when enabled, that the system provides debug logs and statistics for MPTCP connections. The
default value is disabled.
mptcp-fallback
Specifies the MPTCP fallback mode. The default value is reset.
The options are:
accept
Specifies accept on fallback.
active-accept
Specifies active accept on fallback.
reset
Specifies that the connection is reset on fallback.
retransmit
Specifies retransmit on fallback.
mptcp-join-max
Specifies the maximum number of MPTCP connections that can join a given connection. The default value is 5.
mptcp-nojoindssack
Specifies, when enabled, no DSS option is sent on the JOIN ACK. The default value is disabled.
mptcp-rtomax
Specifies the number of RTOs before a subflow is declared dead. The default value is 5.
mptcp-rxmitmin
Specifies the minimum value (in msec) of the retransmission timer for these MPTCP flows. The default
value is 1000.
mptcp-subflowmax
Specifies the maximum number of MPTCP subflows for a single flow. The default value is 6.
mptcp-makeafterbreak
Specifies, when enabled, that make-after-break functionality is supported, allowing for long-lived MPTCP
sessions. The default value is disabled.
mptcp-timeout
Specifies the timeout, in seconds, after which long-lived sessions that have no active flow are discarded.
The default value is 3600.
mptcp-fastjoin
Specifies, when enabled, fast join, which allows data to be sent on the MP_JOIN SYN so that a server
response can occur in parallel with the JOIN. The default value is disabled.
nagle
Specifies, when enabled, that the system applies Nagle's algorithm to reduce the number of short segments
on the network. The default value is disabled. When auto, the use of Nagle's algorithm is decided based
on network conditions.
Note that for interactive protocols such as Telnet, rlogin, or SSH, F5 Networks recommends disabling this
setting on high-latency networks, to improve application responsiveness.
name Specifies a unique name for the component. This option is required for the commands create, delete, and
modify.
partition
Displays the administrative partition within which the profile resides.
pkt-loss-ignore-burst
Specifies the probability of performing congestion control when multiple packets in a row are lost, even
if the pkt-loss-ignore-rate was not exceeded. Valid values are 0 (zero) through 32. The default value is
0 (zero), which means that the system performs congestion control if any packets are lost. Higher values
decrease the chance of performing congestion control.
pkt-loss-ignore-rate
Specifies the threshold of packets lost per million at which the system should perform congestion
control. Valid values are 0 (zero) through 1,000,000. The default value is 0 (zero), which means that the
system performs congestion control if any packet loss occurs. If you set the ignore rate to 10 and
packet loss for a TCP connection is greater than 10 per million, congestion control occurs.
proxy-buffer-high
Specifies the highest level at which the receive window is closed. The default value is 131072.
proxy-buffer-low
Specifies the lowest level at which the receive window is closed. The default value is 98304.
proxy-mss
Specifies, when enabled, that the system advertises the same TCP maximum segment size to the server as
was negotiated with the client. The setting is ignored when MRF routing (e.g., httprouter, siprouter,
diameterrouter, mqttrouter, messagerouter) is used. The default value is enabled.
proxy-options
Specifies, when enabled, that the system advertises an option, such as a time-stamp to the server only if
it was negotiated with the client. The setting is ignored when MRF routing (e.g., httprouter, siprouter,
diameterrouter, mqttrouter, messagerouter) is used. The default value is disabled.
push-flag
When default, specifies that the system sets the PUSH flag when sending the last segment in the send
buffer. When none, specifies that the system never sets the PUSH flag for TCP packets. When one, specifies
that the system sets one PUSH flag for the FIN segment. When auto, specifies that the system sets the PUSH
flag based on the application and network conditions. The default value is default.
rate-pace
Specifies, when enabled, that the system will rate pace TCP data transmissions. The default value is
enabled.
rate-pace-max-rate
If not 0, sets the maximum rate in bytes per second that TCP data transmission will be paced to. If set
to 0, no maximum is enforced. The default value is 0.
receive-window-size
Specifies the size of the receive window, in bytes. The default value is 65535 bytes.
regex
Displays the items that match the regular expression. The regular expression must be preceded by an at
sign (@[regular expression]) to indicate that the identifier is a regular expression. See help regex for
a description of regular expression syntax.
reset-on-timeout
Specifies whether to reset connections on timeout. The default value is enabled.
rexmt-thresh
Specifies the number of duplicate ACKs (retransmit threshold) to start fast recovery. The default value
is 3. The range is from 3 to 255.
selective-acks
Specifies, when enabled, the default value, that the system negotiates RFC 2018-compliant Selective
Acknowledgements with peers.
selective-nack
Specifies whether Selective Negative Acknowledgment is enabled or disabled. The default value is
disabled.
send-buffer-size
Specifies the size of the buffer, in bytes. The default value is 131072 bytes.
slow-start
Specifies, when enabled, the default value, that the system uses larger initial window sizes (as
specified in RFC 3390) to help reduce round trip times. Note that disabling this attribute causes the
setting for cmetrics-cache to be ignored.
syn-cookie-enable
Specifies the default (if no DoS profile is associated) number of embryonic connections that are allowed
on any virtual server, before SYN Cookie challenges are enabled for that virtual server. The default is
enabled.
syn-cookie-whitelist
Specifies whether to use a SYN cookie whitelist when doing software SYN cookies. When enabled, the
system does not issue another SYN cookie challenge to a source IP address that has already completed one
within the previous tm.flowstate.timeout (30) seconds. The default value is disabled.
syn-max-retrans
Specifies the maximum number of retransmissions of SYN segments that the system allows. The default value
is 3.
syn-rto-base
Specifies the initial RTO (Retransmission TimeOut) base multiplier for SYN retransmission, in
milliseconds. This value is modified by the exponential backoff table to select the interval for
subsequent retransmissions. The default value is 3000.
tail-loss-probe
Specifies whether the system uses tail loss probe to reduce the number of retransmission timeouts. The
default value is enabled.
tcp-options
Specifies the option numbers that will be accessible from iRules (TCP::option) for the flow. The format
of each entry should be: "{