F5BigTcpSetting¶
The F5BigTcpSetting Custom Resource (CR) provides many options to fine-tune how Traffic Management Microkernel (TMM) handles TCP connections. Once configured and installed, the F5BigTcpSetting CR can then be referenced by one of the CNF CRs listed in the Additional CRs section below.
This document guides you through understanding, configuring and installing a simple F5BigTcpSetting CR.
CR parameters¶
The table below describes the CR spec parameters:

| Parameter | Description |
|---|---|
| abc | Enables increasing the congestion window by basing the increase amount on the number of previously unacknowledged bytes that each ACK covers: true (default) or false. |
| ackOnPush | Enables a performance improvement for Windows and macOS peers that write out of a very small send buffer: true or false. |
| autoNagle | Specifies how the system applies Nagle's algorithm to reduce the number of short segments on the network: auto (default), enabled, or disabled. When auto, the use of Nagle is based on network conditions. |
| autoProxyBufferSize | When enabled, specifies that the system uses network measurements to set the optimal proxy buffer size. The default is false. |
| autoReceiveWindowSize | When enabled, specifies that the system uses network measurements to set the optimal receive window size. The default is false. |
| autoSendBufferSize | When enabled, specifies that the system uses network measurements to set the optimal send buffer size. The default is false. |
| cmetricsCache | Specifies, when enabled, that the system uses a cache for storing congestion metrics. The default is true. |
| cmetricsCacheTimeout | Specifies the time, in seconds, for which entries in the congestion metrics cache are valid. The default value is 0, which defers to the sys db variable route.metrics.timeout. |
| congestionControl | Specifies the algorithm used to share network resources among competing users to reduce congestion: high-speed (default), bbr, cdg, chd, cubic, illinois, new-reno, reno, scalable, vegas, westwood, or woodside. |
| delayedAcks | When enabled, the traffic management system allows coalescing of multiple ACK responses. The default value is true. |
| dsack | Enables the RFC 2883 extension to Selective ACKs (D-SACK), which acknowledges duplicate segments: true (default) or false. |
| earlyRetransmit | When enabled, specifies that the system uses early fast retransmits (RFC 5827) to reduce the recovery time for connections that are receive-buffer or user-data limited. The default value is true. |
| ecn | Enables Explicit Congestion Notification, using the TCP flags CWR and ECE to notify the peer of congestion and congestion counter-measures: true (default) or false. |
| enhancedLossRecovery | Enables enhanced loss recovery to recover from random packet losses more effectively: true (default) or false. |
| fastOpen | When enabled, permits TCP Fast Open, allowing properly equipped TCP clients to send data with the SYN packet. The default value is true. |
| idleTimeout | Specifies the number of seconds that a connection is idle before the connection is eligible for deletion. The default value is 300. |
| initCWND | Specifies the initial congestion window size for connections to this destination, in multiples of the connection's MSS (Maximum Segment Size): 0 to 64. The default value is 16. |
| initRWND | Specifies the initial receive window size for connections to this destination, in multiples of the connection's MSS (Maximum Segment Size): 0 to 64. The default value is 16. |
| ipDFMode | Specifies how the Don't Fragment (DF) bit is set in the outgoing packet's IP header: clear, pmtu (default), preserve, or set. |
| ipTTLMode | Specifies how the outgoing packet's IP header TTL value is derived: decrement, preserve, proxy (default), or set. |
| ipTTLV4 | Specifies the outgoing IPv4 header TTL value when ipTTLMode is set. The default value is 255. |
| ipTTLV6 | Specifies the outgoing IPv6 header hop limit (TTL) value when ipTTLMode is set. The default value is 64. |
| limitedTransmit | Enables limited transmit recovery (the revisions to fast retransmit) to reduce the recovery time for connections on a lossy network: true (default) or false. |
| maxRetrans | Specifies the maximum number of retransmissions of data segments that the system allows. The default value is 8. |
| maxSegmentSize | Specifies the largest amount of data, in bytes, that the system can receive in a single TCP segment, not including the TCP and IP headers. If the value is 0, the system calculates the value from the MTU. The default value is 1460. |
| md5SignaturePassphrase | Specifies a plaintext passphrase of 1 to 80 characters used as the shared secret for the TCP MD5 Signature Option (RFC 2385), which lets peers reject spoofed segments. Because it is a plaintext field of the CR spec, anyone who can read the CR can read the passphrase. |
| minimumRTO | Specifies the minimum TCP retransmission timeout, in milliseconds. The default value is 1000. |
| nagle | Enables Nagle's algorithm to reduce the number of short segments on the network: true or false (default). |
| packetLossIgnoreBurst | Specifies the probability of performing congestion control when multiple packets in a row are lost, even if packetLossIgnoreRate was not exceeded: 0 to 32. The default value is 0, meaning that the system performs congestion control if any packets are lost. Higher values decrease the chance of performing congestion control. |
| packetLossIgnoreRate | Specifies the threshold of packets lost per million at which the system performs congestion control: 0 to 1000000. The default value is 0. |
| proxyBufferHigh | Specifies the proxy buffer level, in bytes, at which the receive window is closed: 0 to 4294967295. The default value is 16384. |
| proxyBufferLow | Specifies the proxy buffer level, in bytes, at which the receive window is opened again: 0 to 4294967295. The default value is 4096. |
| proxyMSS | Specifies, when enabled, that the system advertises the same MSS to the server as was negotiated with the client. The default is false. |
| proxyOptions | Specifies, when enabled, that the system advertises an option, such as a timestamp, to the server only if it was negotiated with the client. The default is false. |
| pushFlag | Specifies when the system sets the PUSH flag: auto (based on application and network conditions), default (on the last segment in the send buffer; this is the default), none (never), or one (a single PUSH flag on the FIN segment). |
| ratePace | Enables rate pacing of TCP data transmission: true (default) or false. |
| ratePaceMaxRate | If not 0, the maximum rate, in bytes per second, to which TCP connections are paced: 0 to 4294967295. The default value is 0. |
| receiveWindowSize | Specifies the size of the receive window, in bytes. The default value is 65535. |
| resetOnTimeout | Specifies whether the system sends a RST to reset connections that time out. The default is true. |
| retransmitThreshold | Specifies the number of duplicate ACKs (retransmit threshold) that starts fast recovery. Higher values decrease the likelihood of performing fast recovery in a network with high packet reordering: 3 to 255. The default is 3. |
| selectiveAcks | Specifies, when enabled, that the system negotiates RFC 2018-compliant Selective Acknowledgments with peers: true (default) or false. |
| selectiveNack | Specifies whether Selective Negative Acknowledgment is enabled: true or false (default). |
| sendBufferSize | Specifies the size of the send buffer, in bytes. The default value is 131072. |
| slowStart | Enables larger initial window sizes to help reduce round trip times: true (default) or false. |
| synCookieEnable | Enables SYN cookies, which let the system complete handshakes during a SYN flood without keeping state for every half-open connection: true (default) or false. |
| synMaxRetrans | Specifies the maximum number of retransmissions of SYN segments that the system allows: 0 to 4294967295. The default value is 3. |
| synRTOBase | Specifies the initial RTO (Retransmission TimeOut) base multiplier for SYN retransmission, in milliseconds. This value is modified by the exponential backoff table to select the interval for subsequent retransmissions: 0 to 5000. The default value is 3000. |
| tailLossProbe | When enabled, specifies that the system uses tail loss probe to reduce the number of retransmission timeouts. The default is true. |
| verifiedAccept | When enabled, a SYN-ACK is sent to the client only after the server-side port is confirmed open. Not compatible with iRules. The default is false. |
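Before applying a F5BigTcpSetting CR it is worth checking the spec against the ranges and enumerations in the table, and flagging the handful of settings that change the gateway's exposure (SYN cookies, the RFC 2385 passphrase, reset-on-timeout). The following Python script is an added example, not part of the F5 CNF distribution: it lints a CR object in the JSON form that `kubectl get tcpset <name> -n <namespace> -o json` returns. The sample objects are constructed inline; the 0 to 255 limit on the TTL fields comes from the 8-bit IP header field rather than the table, and the check that proxyBufferLow does not exceed proxyBufferHigh is an assumption about how the two thresholds relate, not a documented constraint.

```python
"""Lint an F5BigTcpSetting CR (e.g. `kubectl get tcpset NAME -n NS -o json`)
against the documented parameter table and flag security-relevant settings.
Added example; not part of the F5 CNF distribution."""
import json

# Enumerations and numeric ranges as documented in the parameter table.
ENUMS = {
    "autoNagle": {"auto", "enabled", "disabled"},
    "congestionControl": {"high-speed", "bbr", "cdg", "chd", "cubic", "illinois",
                          "new-reno", "reno", "scalable", "vegas", "westwood",
                          "woodside"},
    "ipDFMode": {"clear", "pmtu", "preserve", "set"},
    "ipTTLMode": {"decrement", "preserve", "proxy", "set"},
    "pushFlag": {"auto", "default", "none", "one"},
}
RANGES = {
    "initCWND": (0, 64), "initRWND": (0, 64),
    "packetLossIgnoreBurst": (0, 32), "packetLossIgnoreRate": (0, 1_000_000),
    "proxyBufferHigh": (0, 4_294_967_295), "proxyBufferLow": (0, 4_294_967_295),
    "ratePaceMaxRate": (0, 4_294_967_295), "retransmitThreshold": (3, 255),
    "synMaxRetrans": (0, 4_294_967_295), "synRTOBase": (0, 5000),
    # Not in the table: 0..255 follows from the 8-bit IPv4 TTL / IPv6 hop limit.
    "ipTTLV4": (0, 255), "ipTTLV6": (0, 255),
}
# Integer fields the table documents without a range: type-check only.
INTS = {"cmetricsCacheTimeout", "idleTimeout", "maxRetrans", "maxSegmentSize",
        "minimumRTO", "receiveWindowSize", "sendBufferSize"}
BOOLS = {"abc", "ackOnPush", "autoProxyBufferSize", "autoReceiveWindowSize",
         "autoSendBufferSize", "cmetricsCache", "delayedAcks", "dsack",
         "earlyRetransmit", "ecn", "enhancedLossRecovery", "fastOpen",
         "limitedTransmit", "nagle", "proxyMSS", "proxyOptions", "ratePace",
         "resetOnTimeout", "selectiveAcks", "selectiveNack", "slowStart",
         "synCookieEnable", "tailLossProbe", "verifiedAccept"}
STRINGS = {"md5SignaturePassphrase"}


def _is_int(v):
    # bool is a subclass of int in Python; a YAML `true` must not pass as 1.
    return isinstance(v, int) and not isinstance(v, bool)


def lint_tcp_setting(cr):
    """Return findings prefixed ERROR: (invalid per the table), WARN: (unknown
    parameter) or REVIEW: (valid, but a security reviewer should look at it)."""
    findings = []
    if cr.get("kind") != "F5BigTcpSetting":
        findings.append(f"ERROR: kind is {cr.get('kind')!r}, expected F5BigTcpSetting")
    spec = cr.get("spec") or {}
    for key, val in sorted(spec.items()):
        if key in ENUMS:
            if val not in ENUMS[key]:
                findings.append(f"ERROR: {key}={val!r} not one of {sorted(ENUMS[key])}")
        elif key in RANGES:
            lo, hi = RANGES[key]
            if not _is_int(val) or not lo <= val <= hi:
                findings.append(f"ERROR: {key}={val!r} outside {lo}..{hi}")
        elif key in INTS:
            if not _is_int(val) or val < 0:
                findings.append(f"ERROR: {key}={val!r} is not a non-negative integer")
        elif key in BOOLS:
            if not isinstance(val, bool):
                findings.append(f"ERROR: {key}={val!r} must be true or false")
        elif key in STRINGS:
            if not isinstance(val, str):
                findings.append(f"ERROR: {key} must be a string")
        else:
            findings.append(f"WARN: unknown parameter {key}")
    # Assumption (not stated in the table): the level at which the window
    # reopens should not be above the level at which it closes.
    low, high = spec.get("proxyBufferLow", 4096), spec.get("proxyBufferHigh", 16384)
    if _is_int(low) and _is_int(high) and low > high:
        findings.append(f"ERROR: proxyBufferLow ({low}) exceeds proxyBufferHigh ({high})")
    # Security-relevant settings worth a second look even when valid.
    if spec.get("synCookieEnable") is False:
        findings.append("REVIEW: synCookieEnable=false removes SYN-flood protection")
    pw = spec.get("md5SignaturePassphrase")
    if isinstance(pw, str):
        if not 1 <= len(pw) <= 80:
            findings.append(f"ERROR: md5SignaturePassphrase length {len(pw)} not in 1..80")
        findings.append("REVIEW: md5SignaturePassphrase is plaintext in the CR; "
                        "restrict who can read tcpset objects in this namespace")
    if spec.get("resetOnTimeout") is False:
        findings.append("REVIEW: resetOnTimeout=false drops idle connections without "
                        "sending RST, so peers are not told the connection is gone")
    return findings


def lint_json(text):
    """Lint a JSON document such as `kubectl get tcpset ... -o json` output."""
    return lint_tcp_setting(json.loads(text))


# Constructed sample: the cnf-tcp-optimize CR above, as kubectl would return it.
PAGE_EXAMPLE = json.dumps({
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigTcpSetting",
    "metadata": {"name": "cnf-tcp-optimize", "namespace": "cnf-gateway"},
    "spec": {"proxyBufferHigh": 128000, "proxyBufferLow": 128000, "idleTimeout": 150,
             "receiveWindowSize": 128000, "resetOnTimeout": False}})
# Constructed sample with deliberate mistakes (hypothetical CR name).
BAD_EXAMPLE = json.dumps({
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigTcpSetting",
    "metadata": {"name": "cnf-tcp-bad", "namespace": "cnf-gateway"},
    "spec": {"congestionControl": "reno2", "initCWND": 100, "ecn": "yes",
             "ipTTLV4": 300, "proxyBufferLow": 65536, "proxyBufferHigh": 16384,
             "synCookieEnable": False, "md5SignaturePassphrase": ""}})

if __name__ == "__main__":
    for doc in (PAGE_EXAMPLE, BAD_EXAMPLE):
        print("\n".join(lint_json(doc) or ["OK: no findings"]))
```

Run against the page's own example the linter reports only the resetOnTimeout review note; the second constructed object produces six errors and two review notes. Pipe real objects in with `kubectl get tcpset <name> -n <namespace> -o json` and feed the text to `lint_json`.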
CR Example¶
```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigTcpSetting
metadata:
  name: "cnf-tcp-optimize"
  namespace: "cnf-gateway"
spec:
  proxyBufferHigh: 128000
  proxyBufferLow: 128000
  idleTimeout: 150
  receiveWindowSize: 128000
  resetOnTimeout: false
```
CR shortName¶
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigTcpSetting CR shortName is tcpset.
View CR instance:

```bash
kubectl get tcpset -n <namespace>
```

View CR configuration:

```bash
kubectl get tcpset -n <namespace> -o yaml
```
Default profile¶
After installing the BIG-IP Controller, a default F5BigTcpSetting CR is created in each new namespace. In this example, a default F5BigTcpSetting CR exists in the cnf-gateway namespace:
```bash
kubectl get f5-big-tcp-settings -n cnf-gateway
```

```
NAME
sys-default-tcp
```
Installation¶
Use the steps below to install the F5BigTcpSetting CR.
The example F5BigTcpSetting CR raises proxyBufferHigh, proxyBufferLow and receiveWindowSize to 128000 bytes, lowers idleTimeout from the default of 300 seconds to 150 so that idle connections are released sooner, and disables resetOnTimeout so that no RST is sent when a connection times out. Copy and paste the example into a YAML file named cnf-tcp-cr.yaml:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigTcpSetting
metadata:
  name: "cnf-tcp-optimize"
  namespace: "cnf-gateway"
spec:
  proxyBufferHigh: 128000
  proxyBufferLow: 128000
  idleTimeout: 150
  receiveWindowSize: 128000
  resetOnTimeout: false
```

Install the F5BigTcpSetting CR:

```bash
kubectl apply -f cnf-tcp-cr.yaml
```

In this example, the BIG-IP Controller logs indicate the F5BigTcpSetting CR was added/updated:

```
I0202 12:00:00.12349 1 event.go:282] Event(v1.ObjectReference{Kind:"F5TcpSetting", TcpSetting cnf-gateway/cnf-tcp-optimize was added/updated
```
The example F5BigContextSecure CR listens for connections destined to IP addresses in the 2002::200:200:200:0/112 subnet, using the tcp protocol, and only on the subscriber-vlan interface. The CR references the cnf-tcp-optimize F5BigTcpSetting CR for both the client side and the server side of the proxied connection. Copy and paste the example into a YAML file named f5-cnf-context.yaml:

```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
  name: "cnf-context"
  namespace: "cnf-gateway"
spec:
  ipv6destinationAddress: "2002::200:200:200:0/112"
  destinationPort: 0
  ipProtocol: "tcp"
  profile: "tcp"
  tcpSettings:
    clientSide: "cnf-tcp-optimize"
    serverSide: "cnf-tcp-optimize"
  vlans:
    vlanList:
      - "subscriber-vlan"
```

Install the F5BigContextSecure CR:

```bash
kubectl apply -f f5-cnf-context.yaml
```

In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

```
I0202 12:00:00.12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-context was added/updated
```
The TMM Proxy Pod can now process application traffic using the F5BigTcpSetting CR.
Additional CRs¶
The F5BigTcpSetting CR can be referenced by the CNF CRs listed below:
- F5BigContextSecure - Full proxy TCP and UDP application layer gateway services.
- F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.
- F5BigDnsApp - High-performance DNS resolution, caching, and DNS64 translations.
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.