F5BigTcpSetting

The F5BigTcpSetting Custom Resource (CR) provides many options to fine-tune how the Traffic Management Microkernel (TMM) handles TCP connections. Once configured and installed, the F5BigTcpSetting CR can be referenced by one of the CNF CRs listed in the Additional CRs section below.

This document guides you through understanding, configuring and installing a simple F5BigTcpSetting CR.

CR parameters

The table below describes the CR spec parameters:

Parameter Description
abc Enables increasing the congestion window by basing the increase amount on the number of previously unacknowledged bytes that each ACK covers: true (default) or false.
ackOnPush Enables a performance improvement for Windows and MacOS peers that write out on a very small send buffer: true or false.
autoNagle Specifies how the system applies Nagle's algorithm to reduce the number of short segments on the network: auto (default), enabled, or disabled. When auto, the use of Nagle is based on network conditions.
autoProxyBufferSize When enabled, specifies that the system uses the network measurements to set the optimal proxy buffer size. The default is false.
autoReceiveWindowSize When enabled, specifies that the system uses the network measurements to set the optimal receive window size. The default is false.
autoSendBufferSize When enabled, specifies that the system uses the network measurements to set the optimal send buffer size. The default is false.
cmetricsCache Specifies, when enabled, that the system uses a cache for storing congestion metrics. The default is true.
cmetricsCacheTimeout Specifies the time, in seconds, for which entries in the congestion metrics cache are valid. The default value is 0, which defers to the sys db variable route.metrics.timeout.
congestionControl Specifies the algorithm to use to share network resources among competing users to reduce congestion: high-speed (default), bbr, cdg, chd, cubic, illinois, new-reno, reno, scalable, vegas, westwood, or woodside.
delayedAcks When enabled, the traffic management system allows coalescing of multiple ACK responses. The default value is true.
dsack Enables the Selective ACKs (SACK) option to acknowledge duplicate segments: true (default) or false.
earlyRetransmit When enabled, specifies that the system uses early fast retransmits (as specified in RFC 5827) to reduce the recovery time for connections that are receive-buffer or user-data limited. The default value is true.
ecn Enables the TCP flags CWR and ECE to notify its peer of congestion and congestion counter-measures: true (default) or false.
enhancedLossRecovery Enables enhanced loss recovery to recover from random packet losses more effectively: true (default) or false.
fastOpen When enabled, permits TCP Fast Open, allowing properly equipped TCP clients to send data with the SYN packet. The default value is true.
idleTimeout Specifies the number of seconds that a connection is idle before the connection is eligible for deletion. The default value is 300.
initCWND Specifies the initial congestion window size for connections to this destination. The actual window size is this value multiplied by the MSS (Maximum Segment Size) for the same connection: 0 to 64. The default value is 16.
initRWND Specifies the initial receive window size for connections to this destination. The actual window size is this value multiplied by the MSS (Maximum Segment Size) for the same connection: 0 to 64. The default value is 16.
ipDFMode Describes the Don't Fragment (DF) bit setting in the outgoing packet's IP header. Available options: clear, pmtu (default), preserve, and set.
ipTTLMode Describes how the outgoing packet's IP header TTL value is set. Available options: decrement, preserve, proxy (default), and set.
ipTTLV4 Specifies the outgoing IPV4 Header TTL value for ip-ttl-mode 'set'. The default value is 255.
ipTTLV6 Specifies the outgoing IPV6 Header TTL value for ip-ttl-mode 'set'. The default value is 64.
limitedTransmit Enables limited transmit recovery revisions for fast retransmits to reduce the recovery time for connections on a lossy network: true (default) or false.
maxRetrans Specifies the maximum number of retransmissions of data segments that the system allows. The default value is 8.
maxSegmentSize Specifies the largest amount of data that the system can receive in a single TCP segment, not including the TCP and IP headers. If the value is 0 (zero), the system calculates the value from the MTU. The default value is 1460.
md5SignaturePassphrase Specifies a plaintext passphrase of 1 to 80 characters, used in a shared-secret scheme to implement the spoof-prevention parts of RFC 2385 (the TCP MD5 Signature Option). The passphrase is stored in clear text in the CR spec, so restrict who can read F5BigTcpSetting objects in the namespace.
minimumRTO Specifies the minimum TCP retransmission timeout in milliseconds. The default value is 1000.
nagle Enables Nagle's algorithm to reduce the number of short segments on the network: true or false (default).
packetLossIgnoreBurst Specifies the probability of performing congestion control when multiple packets in a row are lost, even if the packetLossIgnoreRate threshold was not exceeded: 0 to 32. The default value is 0, meaning that the system performs congestion control if any packets are lost. Higher values decrease the chance of performing congestion control.
packetLossIgnoreRate Specifies the threshold of packets lost per million at which the system should perform congestion control: 0 to 1000000. The default value is 0.
proxyBufferHigh Specifies the proxy buffer level, in bytes, at which the receive window is closed: 0 to 4294967295. The default value is 16384.
proxyBufferLow Specifies the proxy buffer level, in bytes, at which the receive window is opened again: 0 to 4294967295. The default value is 4096.
proxyMSS Specifies, when enabled, that the system advertises the same MSS to the server as was negotiated with the client. The default is false.
proxyOptions Specifies, when enabled, that the system advertises an option, such as a timestamp, to the server only if it was negotiated with the client. The default is false.
pushFlag When default, specifies that the system sets PUSH flag when sending the last segment in the send buffer. When none, specifies that the system never sets PUSH flag for TCP packets. When one, specifies that the system sets one PUSH flag for the FIN segment. When auto, specifies that the system sets PUSH flag based on the application/network conditions. Available options: auto, default (default), none, and one.
ratePace Enables rate pacing of TCP data transmission: true (default) or false.
ratePaceMaxRate Specifies the maximum rate, in bytes per second, to which TCP connections are paced: 0 to 4294967295. The default value is 0, meaning no maximum is applied.
receiveWindowSize Specifies the size of the receive window, in bytes. The default value is 65535.
resetOnTimeout Specifies whether to reset connections on timeout. The default is true.
retransmitThreshold Specifies the number of duplicate ACKs (retransmit threshold) to start fast recovery. Higher values decrease the likelihood of performing fast recovery in a network with high packet reordering: 3 to 255. The default is 3.
selectiveAcks Specifies, when enabled, that the system negotiates RFC2018-compliant Selective Acknowledgments with peers: true (default) or false.
selectiveNack Specifies whether Selective Negative Acknowledgment is enabled or not: true or false (default).
sendBufferSize Specifies the size of the buffer, in bytes. The default value is 131072.
slowStart Enables larger initial window sizes to help reduce round trip times: true (default) or false.
synCookieEnable Enables SYN Cookies: true (default) or false.
synMaxRetrans Specifies the maximum number of retransmissions of SYN segments that the system allows: 0 to 4294967295. The default value is 3.
synRTOBase Specifies the initial RTO (Retransmission TimeOut) base multiplier for SYN retransmission, in milliseconds. This value is modified by the exponential backoff table to select the interval for subsequent retransmissions: 0 to 5000. The default value is 3000.
tailLossProbe When enabled, specifies that the system uses tail loss probe to reduce the number of retransmission timeouts. The default is true.
verifiedAccept When enabled, a SYN-ACK will be sent only if the server port is open. Not compatible with iRules. The default is false.
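
The table above is the only place the parameter ranges and enumerations are written down, and a typo in a hand-edited CR is easy to miss. The following is an added example, not code from the F5 CNF documentation or product: a pre-apply check that validates a parsed F5BigTcpSetting object against the documented bounds and flags a few settings worth a second look (the clear-text MD5 passphrase, TTL values that are ignored unless ipTTLMode is set, and resetOnTimeout being disabled). It takes the CR as an already-parsed object, as json.load() or `kubectl get tcpset -o json` would return it; the TTL bounds of 0..255 are an assumption taken from the 8-bit IP TTL field rather than from the table, and the "broken" CR is constructed for illustration.

```python
"""Pre-apply sanity check for an F5BigTcpSetting CR (added example, not F5 code)."""
from typing import Any, Dict, List, Optional, Tuple

UINT32 = 4_294_967_295

# Integer parameters with inclusive (low, high) bounds from the parameter table.
# None means the table states no upper bound. The TTL bounds are an assumption
# based on the 8-bit TTL field in the IP header, not something the table states.
INT_RANGES: Dict[str, Tuple[int, Optional[int]]] = {
    "cmetricsCacheTimeout": (0, None), "idleTimeout": (0, None),
    "initCWND": (0, 64), "initRWND": (0, 64),
    "ipTTLV4": (0, 255), "ipTTLV6": (0, 255),
    "maxRetrans": (0, None), "maxSegmentSize": (0, None), "minimumRTO": (0, None),
    "packetLossIgnoreBurst": (0, 32), "packetLossIgnoreRate": (0, 1_000_000),
    "proxyBufferHigh": (0, UINT32), "proxyBufferLow": (0, UINT32),
    "ratePaceMaxRate": (0, UINT32), "receiveWindowSize": (0, None),
    "retransmitThreshold": (3, 255), "sendBufferSize": (0, None),
    "synMaxRetrans": (0, UINT32), "synRTOBase": (0, 5000),
}

# Enumerated parameters and the values the table documents.
ENUMS: Dict[str, set] = {
    "autoNagle": {"auto", "enabled", "disabled"},
    "congestionControl": {"high-speed", "bbr", "cdg", "chd", "cubic", "illinois",
                          "new-reno", "reno", "scalable", "vegas", "westwood", "woodside"},
    "ipDFMode": {"clear", "pmtu", "preserve", "set"},
    "ipTTLMode": {"decrement", "preserve", "proxy", "set"},
    "pushFlag": {"auto", "default", "none", "one"},
}

BOOLS = {
    "abc", "ackOnPush", "autoProxyBufferSize", "autoReceiveWindowSize",
    "autoSendBufferSize", "cmetricsCache", "delayedAcks", "dsack", "earlyRetransmit",
    "ecn", "enhancedLossRecovery", "fastOpen", "limitedTransmit", "nagle", "proxyMSS",
    "proxyOptions", "ratePace", "resetOnTimeout", "selectiveAcks", "selectiveNack",
    "synCookieEnable", "tailLossProbe", "verifiedAccept",
}

KNOWN = set(INT_RANGES) | set(ENUMS) | BOOLS | {"md5SignaturePassphrase"}


def validate_tcp_setting(cr: Dict[str, Any]) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]}; an empty error list means the spec passed."""
    errors: List[str] = []
    warnings: List[str] = []
    if cr.get("kind") != "F5BigTcpSetting":
        errors.append(f"kind is {cr.get('kind')!r}, expected 'F5BigTcpSetting'")
    spec = cr.get("spec") or {}

    for key, value in spec.items():
        if key not in KNOWN:
            errors.append(f"unknown parameter {key!r} (not in the table; check spelling and case)")
        elif key in INT_RANGES:
            lo, hi = INT_RANGES[key]
            # bool is a subclass of int in Python, so reject it explicitly.
            bad_type = isinstance(value, bool) or not isinstance(value, int)
            if bad_type or value < lo or (hi is not None and value > hi):
                upper = hi if hi is not None else "unbounded"
                errors.append(f"{key}={value!r} is not an integer in {lo}..{upper}")
        elif key in ENUMS:
            if value not in ENUMS[key]:
                errors.append(f"{key}={value!r} is not one of {sorted(ENUMS[key])}")
        elif key in BOOLS:
            if not isinstance(value, bool):
                errors.append(f"{key}={value!r} must be true or false")
        else:  # md5SignaturePassphrase
            if not isinstance(value, str) or not 1 <= len(value) <= 80:
                errors.append("md5SignaturePassphrase must be 1 to 80 characters")
            else:
                warnings.append("md5SignaturePassphrase is a shared secret stored in clear text "
                                "in the CR; restrict read access to F5BigTcpSetting objects")

    # Cross-field rules that a per-field check does not catch.
    low, high = spec.get("proxyBufferLow"), spec.get("proxyBufferHigh")
    if isinstance(low, int) and isinstance(high, int) and low > high:
        errors.append(f"proxyBufferLow ({low}) exceeds proxyBufferHigh ({high}); "
                      "the window closes at the high mark and reopens at the low mark")
    if spec.get("ipTTLMode", "proxy") != "set" and ("ipTTLV4" in spec or "ipTTLV6" in spec):
        warnings.append("ipTTLV4/ipTTLV6 are only used when ipTTLMode is 'set'")
    if spec.get("resetOnTimeout") is False:
        warnings.append("resetOnTimeout=false: connections reaching idleTimeout are removed "
                        "without a RST, so peers notice only through their own timeouts")
    return {"errors": errors, "warnings": warnings}


# The CR shown on this page, as a parsed object.
PAGE_EXAMPLE = {
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigTcpSetting",
    "metadata": {"name": "cnf-tcp-optimize", "namespace": "cnf-gateway"},
    "spec": {"proxyBufferHigh": 128000, "proxyBufferLow": 128000, "idleTimeout": 150,
             "receiveWindowSize": 128000, "resetOnTimeout": False},
}

# Constructed CR carrying the kind of mistakes hand-edited YAML tends to contain.
BAD_EXAMPLE = {
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigTcpSetting",
    "metadata": {"name": "cnf-tcp-broken", "namespace": "cnf-gateway"},
    "spec": {"retransmitThreshold": 2, "congestionControl": "cubc", "synCookieEnable": "yes",
             "proxyBufferHigh": 4096, "proxyBufferLow": 16384, "ipTTLV4": 64, "fastopen": True},
}

if __name__ == "__main__":
    for cr in (PAGE_EXAMPLE, BAD_EXAMPLE):
        print(cr["metadata"]["name"], validate_tcp_setting(cr))
```

Running it against the page's own CR reports no errors and one warning (resetOnTimeout is false); the constructed CR produces five errors, including the swapped proxy buffer watermarks and the lowercase "fastopen" key that would otherwise be silently wrong.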

CR Example

apiVersion: "k8s.f5net.com/v1"
kind: F5BigTcpSetting
metadata:
  name: "cnf-tcp-optimize"
  namespace: "cnf-gateway"
spec:
  proxyBufferHigh: 128000
  proxyBufferLow: 128000
  idleTimeout: 150
  receiveWindowSize: 128000
  resetOnTimeout: false

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigTcpSetting CR shortName is tcpset.

View CR instance:

kubectl get tcpset -n <namespace>

View CR configuration:

kubectl get tcpset -n <namespace> -o yaml

Default profile

After installing the BIG-IP Controller, a default F5BigTcpSetting CR is created in each new namespace. In this example, a default F5BigTcpSetting CR exists in the cnf-gateway namespace:

kubectl get f5-big-tcp-settings -n cnf-gateway
NAME         
sys-default-tcp 

Requirements

Ensure you have:

Installation

Use the steps below to install the F5BigTcpSetting CR.

  1. The example F5BigTcpSetting CR raises proxyBufferHigh, proxyBufferLow and receiveWindowSize above their defaults to improve throughput, lowers idleTimeout from the default 300 seconds to 150, and sets resetOnTimeout to false so that connections reaching the idle timeout are removed without a RST being sent to either peer. Copy and paste the example into a YAML file named cnf-tcp-cr.yaml:

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigTcpSetting
    metadata:
      name: "cnf-tcp-optimize"
      namespace: "cnf-gateway"
    spec:
      proxyBufferHigh: 128000
      proxyBufferLow: 128000
      idleTimeout: 150
      receiveWindowSize: 128000
      resetOnTimeout: false
    
  2. Install the F5BigTcpSetting CR:

    kubectl apply -f cnf-tcp-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigTcpSetting CR was added/updated:

    I0202 12:00:00.12349   1 event.go:282] Event(v1.ObjectReference{Kind:"F5TcpSetting",
    TcpSetting cnf-gateway/cnf-tcp-optimize was added/updated
    
  3. The example F5BigContextSecure CR listens for TCP connections destined to IP addresses in the 2002::200:200:200:0/112 subnet, only on the subscriber-vlan interface, and applies the cnf-tcp-optimize F5BigTcpSetting CR on both the client side and the server side of the proxy. Copy and paste the example into a YAML file named f5-cnf-context.yaml:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-context"
      namespace: "cnf-gateway"
    spec:
      ipv6destinationAddress: "2002::200:200:200:0/112"
      destinationPort: 0
      ipProtocol: "tcp"
      profile: "tcp"
      tcpSettings:
        clientSide: "cnf-tcp-optimize"
        serverSide: "cnf-tcp-optimize"
      vlans:
        vlanList:
          - "subscriber-vlan"
    
  4. Install the F5BigContextSecure CR:

    kubectl apply -f f5-cnf-context.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00.12350   1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext",
    SecureContext cnf-gateway/cnf-context was added/updated
    
  5. The TMM Proxy Pod can now process application traffic using the F5BigTcpSetting CR.
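
The procedure above works because the F5BigContextSecure CR names an F5BigTcpSetting that exists in the same namespace; a misspelled or not-yet-applied name is not caught by the YAML itself. The following is an added example, not code from the F5 CNF documentation or product: given the parsed CRs that are about to be applied (and any already installed), it reports every clientSide/serverSide reference that does not resolve to an F5BigTcpSetting in that namespace. It assumes references are namespace-local, as in the example above, and that every namespace carries the sys-default-tcp CR described in the Default profile section; the sample list, including the context in the cnf-other namespace, is constructed for illustration.

```python
"""Resolve tcpSettings references of F5BigContextSecure CRs (added example, not F5 code)."""
from typing import Any, Dict, List, Set, Tuple

# Name of the F5BigTcpSetting the controller creates in each namespace (Default profile section).
DEFAULT_TCP_SETTING = "sys-default-tcp"


def tcp_setting_names(crs: List[Dict[str, Any]]) -> Set[Tuple[str, str]]:
    """(namespace, name) of every F5BigTcpSetting in the list, plus each namespace's default."""
    names: Set[Tuple[str, str]] = set()
    for cr in crs:
        ns = cr["metadata"]["namespace"]
        names.add((ns, DEFAULT_TCP_SETTING))  # assumption: the default exists in every namespace
        if cr.get("kind") == "F5BigTcpSetting":
            names.add((ns, cr["metadata"]["name"]))
    return names


def unresolved_tcp_references(crs: List[Dict[str, Any]]) -> List[Tuple[str, str, str, str]]:
    """Return (namespace, context name, side, referenced name) for each dangling reference."""
    defined = tcp_setting_names(crs)
    dangling: List[Tuple[str, str, str, str]] = []
    for cr in crs:
        if cr.get("kind") != "F5BigContextSecure":
            continue
        ns, name = cr["metadata"]["namespace"], cr["metadata"]["name"]
        refs = (cr.get("spec") or {}).get("tcpSettings") or {}
        for side in ("clientSide", "serverSide"):
            ref = refs.get(side)
            # References are assumed to be namespace-local, so a same-named CR elsewhere does not count.
            if ref is not None and (ns, ref) not in defined:
                dangling.append((ns, name, side, ref))
    return dangling


# Constructed sample: the two CRs from this page, plus a context in another namespace
# that points at cnf-tcp-optimize, which only exists in cnf-gateway.
SAMPLE_CRS = [
    {"kind": "F5BigTcpSetting",
     "metadata": {"name": "cnf-tcp-optimize", "namespace": "cnf-gateway"},
     "spec": {"idleTimeout": 150}},
    {"kind": "F5BigContextSecure",
     "metadata": {"name": "cnf-context", "namespace": "cnf-gateway"},
     "spec": {"tcpSettings": {"clientSide": "cnf-tcp-optimize", "serverSide": "cnf-tcp-optimize"}}},
    {"kind": "F5BigContextSecure",
     "metadata": {"name": "cnf-context-2", "namespace": "cnf-other"},
     "spec": {"tcpSettings": {"clientSide": "cnf-tcp-optimize", "serverSide": "sys-default-tcp"}}},
]

if __name__ == "__main__":
    for ns, ctx, side, ref in unresolved_tcp_references(SAMPLE_CRS):
        print(f"{ns}/{ctx}: {side} references {ref!r}, which is not an F5BigTcpSetting in {ns}")
```

For the sample above only the cnf-other context is reported, and only for its clientSide: its serverSide resolves to the per-namespace default, and the page's own pair of CRs resolves cleanly.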

Additional CRs

The F5BigTcpSetting CR can be referenced by the CNF CRs listed below:

  • F5BigContextSecure - Full proxy TCP and UDP application layer gateway services.
  • F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.
  • F5BigDnsApp - High-performance DNS resolution, caching, and DNS64 translations.

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.