TCP_Profile (object)¶
Configures a Transmission Control Protocol (TCP) profile
Properties (* = required):
| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| abc | boolean | true | true, false | If true (default), BIG-IP AS3 adjusts the congestion window per rfc3465 |
| ackOnPush | boolean | true | true, false | If true (default), the system immediately acknowledges segments with the PSH flag set |
| autoProxyBufferSize | boolean | true | true, false | If true (default), BIG-IP AS3 adjusts the proxy buffer size automatically to optimize throughput |
| autoReceiveWindowSize | boolean | true | true, false | If true (default), BIG-IP AS3 adjusts the receive window size automatically to optimize throughput |
| autoSendBufferSize | boolean | true | true, false | If true (default), BIG-IP AS3 adjusts the send buffer size automatically to optimize throughput |
| class* | string | “TCP_Profile” | ||
| closeWaitTimeout | integer | 5 | -1 - 3600 | Number of seconds (default 5) connection will remain in LAST-ACK state before exiting. Value -1 means indefinite, limited by maximum retransmission timeout |
| congestionControl | string | “woodside” | “bbr”, “cdg”, “chd”, “cubic”, “high-speed”, “illinois”, “new-reno”, “none”, “reno”, “scalable”, “vegas”, “westwood”, “woodside” | Selects TCP congestion-control algorithm (default ‘woodside’). The bbr option is available on BIGIP 14.1 and above. |
| congestionMetricsCache | boolean | true | true, false | If true (default), the system may cache congestion metrics to inform the congestion control algorithm |
| congestionMetricsCacheTimeout | integer | 0 | 0 - 1000 | Number of seconds for which entries in the congestion metrics cache are valid (default 0 means use system default) |
| deferredAccept | boolean | false | true, false | If true, ADC will defer allocating resources to a connection until some payload data has arrived from the client (default false). This may help minimize the impact of certain DoS attacks but adds undesirable latency under normal conditions. Note: ‘deferredAccept’ is incompatible with server-speaks-first application protocols |
| delayedAcks | boolean | true | true, false | If true (default), the system may coalesce multiple adjacent ACK responses |
| delayWindowControl | boolean | false | true, false | If true, BIG-IP AS3 uses queueing delay as well as packet loss to estimate congestion (default false) |
| dsack | boolean | false | true, false | If true, BIG-IP AS3 uses rfc2883 duplicate selective-acknowledgements extension (default false). Do not enable this option unless you are certain all peers support D-SACK |
| earlyRetransmit | boolean | true | true, false | If true (default), BIG-IP AS3 uses rfc5827 Early Retransmit recovery |
| ecn | boolean | true | true, false | If true (default), BIG-IP AS3 may send explicit congestion notification (ECN) flags (CWR, ECE) to peers |
| enhancedLossRecovery | boolean | true | true, false | If true (default), BIG-IP AS3 uses Selective ACK data to increase throughput |
| fastOpen | boolean | true | true, false | If true (default), the system can use the TCP Fast Open protocol extension to reduce latency by sending payload data with initial SYN |
| fastOpenCookieExpiration | integer | 21600 | 1 - 1000000 | Sets maximum lifetime in seconds (default 21600 = six hours) of TCP Fast Open cookies |
| finWait2Timeout | integer | 300 | -1 - 3600 | Number of seconds (default 300) connection will remain in LAST-ACK state before closing. Value -1 means indefinite, limited by maximum retransmission timeout |
| finWaitTimeout | integer | 5 | -1 - 3600 | Number of seconds (default 5) connection will remain in FIN-WAIT-1 or closing state before exiting. Value -1 means indefinite, limited by maximum retransmission timeout |
| idleTimeout | integer | 300 | -∞ - -Infinity | Number of seconds (default 300; may not be 0) connection may remain idle before it becomes eligible for deletion. Value -1 (not recommended) means infinite |
| initCwnd | integer | 16 | 0 - 64 | Sets the initial congestion-window size (default 16) in multiples of MSS (not in octets) |
| initRwnd | integer | 16 | 0 - 64 | Sets the initial receive-window size (default 16) in multiples of MSS (not in octets) |
| ipDfMode | string | “pmtu” | “clear”, “pmtu”, “preserve”, “set” | Controls DF (Don’t Fragment) flag in outgoing packets. Value ‘pmtu’ (default) sets DF based on IP PMTU value. Value ‘preserve’ copies DF from received packets. Value ‘set’ forces DF true in all outgoing packets. Value ‘clear’ forces DF false in all outgoing packets |
| ipTosToClient | 0 | Specifies the IP DSCP/TOS value in packets sent to clients (default 0). Numeric values in this property are decimal representations of eight-bit numbers, of which the leftmost six bits are the DSCP per rfc2474 (and the system uses the rightmost two bits for congestion signaling when ‘ecn’ is true). You may have to calculate the value of this property by multiplying a DSCP code, such as CS5+EF = 46, by four to obtain the proper ‘ipTosToClient’ value, such as 184. Value ‘pass-through’ sets DSCP from the initial server-side value. Value ‘mimic’ copies DSCP from the most-recently received server-side packet (allowing DSCP to vary during the life of a connection) | ||
| keepAliveInterval | integer | 1800 | 1 - 86400 | Number of seconds (default 1800) between keep-alive probes |
| label | string | “^[^x00-x1fx22#&*<>?x5b-x5d`x7f]*$” | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML | |
| limitedTransmit | boolean | true | true, false | When true (default), the system can use rfc3042 limited transmit recovery scheme |
| linkQosToClient | 0 | Specifies the Layer-2 QOS code in packets sent to clients (default 0). Ethernet-type networks recognize codes from 0 to 7. Value ‘pass-through’ sets QOS from the initial server-side value | ||
| maxRetrans | integer | 8 | 0 - 12 | Sets maximum number of times the system may retransmit a segment (default 8) |
| maxSegmentSize | integer | 0 | -∞ - -Infinity | Sets MSS advertised to peer. Value 0 (default) will set MSS automatically in proportion to interface MTU. Default 0 is usually the best choice |
| md5Signature | boolean | false | true, false | If true, the system signs TCP headers using MD5 per rfc2385 (default false) |
| md5SignaturePassphrase | object | Passphrase from which the system derives the key for MD5 signatures (MACs) when ‘md5signature’ is true,A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL | ||
| minimumRto | integer | 1000 | 1 - 5000 | Minimum retransmission timeout in milliseconds (default 1000) |
| mptcp | string | “disable” | “disable”, “enable”, “passthrough” | Value ‘disable’ (default) excludes use of Multipath TCP (MPTCP) through virtual server. Value ‘enable’ means virtual server will accept and participate in MPTCP connections. Value ‘passthrough’ means MPTCP packets may pass through virtual server |
| mptcpCsum | boolean | false | true, false | If true, the system calculates MPTCP checksums (default false) |
| mptcpCsumVerify | boolean | false | true, false | If true, the system verifies MPTCP checksums (default false) |
| mptcpFallback | string | “reset” | “accept”, “active-accept”, “reset”, “retransmit” | Selects action on fallback from MPTCP to ordinary TCP |
| mptcpFastJoin | boolean | false | true, false | If true, the system may send data with MP_JOIN SYN packet, reducing connection latency (default false) |
| mptcpIdleTimeout | integer | 300 | 1 - 86400 | Number of seconds (default 300) connection may remain idle before it becomes eligible for deletion |
| mptcpJoinMax | integer | 5 | 1 - 20 | Limit on number of subflows which the system may add to the MPTCP connection (default 5) |
| mptcpMakeAfterBreak | boolean | false | true, false | If true, the system can add additional subflows during the ‘mptcpTimeout’ period, even if the ADC is not currently handling an active connection (default false) |
| mptcpNoJoinDssAck | boolean | false | true, false | If true, no DSS option will sent with MP_JOIN ACK packet (default false) |
| mptcpRetransmitMin | integer | 1000 | 1 - 5000 | Minimum value in milliseconds (default 1000) of MPTCP retransmission timer |
| mptcpRtoMax | integer | 5 | 1 - 20 | Maximum number of retransmission timeouts which may occur before the system declares a subflow dead |
| mptcpSubflowMax | integer | 6 | 1 - 20 | Maximum number of subflows per connection (default 6) |
| mptcpTimeout | integer | 3600 | 60 - 3600 | Number of seconds (default 3600) after which the system may expunge an MPTCP session with no active flow |
| nagle | string | “auto” | “disable”, “enable”, “auto” | Value ‘enable’ means to use Nagle’s algorithm to minimize the transmission of short TCP segments (note: Nagle’s algorithm yields undesirable results with many application protocols). Value ‘auto’ (default) means the ADC will choose automatically whether to enable Nagle’s algorithm. Value ‘disable’ averts application of Nagle’s algorithm |
| pktLossIgnoreBurst | integer | 0 | 0 - 32 | Modulates use of congestion control when losing multiple packets. Value 0 (default) means to perform congestion control if any packet loss occurs. Higher values increase tolerance for lost packets before signaling congestion |
| pktLossIgnoreRate | integer | 0 | 0 - 1000000 | Sets threshold of packet loss rate (lost-packets/million-packets) above which the system performs congestion control. Value 0 (default) means to perform congestion control if any packet loss occurs. Higher values increase tolerance for lost packets before signaling congestion |
| proxyBufferHigh | integer | 262144 | 64 - 33554432 | The system closes the receive window when the number of octets in proxy buffer rises above this value |
| proxyBufferLow | integer | 196608 | 64 - 33554432 | The system opens the receive window when the number of octets in proxy buffer falls below this value |
| proxyMSS | boolean | true | true, false | If true (default), the MSS value advertised on the server side will match that negotiated with the client, if permitted by MTU and other constraints |
| proxyOptions | boolean | false | true, false | If true, TCP options such as timestamp advertised on the server side will match those negotiated with client (default false) |
| pushFlag | string | “auto” | “auto”, “default”, “none”, “one” | Controls when ADC sets PSH flag in outbound TCP segments. Limiting the sending of segments with PSH improves performance. Value ‘auto’ (recommended) sets PSH according to a system algorithm optimal in most cases. Value ‘default’ (not recommended) sets the PUSH flag in every segment which happens to empty the send buffer. Value ‘none’ prevents use of the PSH flag, and ‘one’ means the system sets PSH only when FIN is, at the end of a connection |
| ratePace | boolean | true | true, false | If true (default), system will automatically pace rate of data transmission to optimize throughput |
| ratePaceMaxRate | integer | 0 | 0 - 4294967295 | Limit maximum data-transmission rate in octets/second to this value when ‘ratePace’ is true. Default 0 means choose maximum rate automatically |
| receiveWindowSize | integer | 131072 | 64 - 33554432 | Maximum size of receive window (octets, default 131072) |
| remark | string | “^[^x00-x1fx22x5cx7f]*$” | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks | |
| resetOnTimeout | boolean | true | true, false | If true (default), connections which time out will be reset (that is, the system will send an RST packet to the peer) before the system expunges them. Value false is not recommended |
| retransmitThreshold | integer | 3 | 0 - 12 | Specifies the number of duplicate ACKs to start fast recovery |
| selectiveAcks | boolean | true | true, false | If true (default), the system negotiates rfc2018 Selective Acknowledgements with peers |
| selectiveNack | boolean | false | true, false | If true, the system negotiates Selective Negative Acknowledgements with peers (default false) |
| sendBufferSize | integer | 262144 | 64 - 33554432 | Maximum size of send buffer (octets, default 262144) |
| slowStart | boolean | true | true, false | If true (default), BIG-IP AS3 adjusts the initial window size per rfc3390. This generally makes connections start more quickly, NOT more slowly |
| synCookieAllowlist | boolean | true, false | If true, after a client responds successfully to a SYN cookie challenge, the system accepts additional connection requests from that client without challenge for 30 seconds. | |
| synCookieEnable | boolean | true | true, false | If true (default), the system may use SYN cookies to avert connection-table overflow (for example, from DoS attacks) |
| synCookieWhitelist | boolean | false | true, false | Deprecated. Replaced with functionally equivalent synCookieAllowlist. If true, after a client responds successfully to a SYN cookie challenge, the system accepts additional connection requests from that client without challenge for 30 seconds. |
| synMaxRetrans | integer | 3 | 0 - 12 | Maximum number of times the system retransmits a SYN when it does not receive a SYN+ACK (default 3) |
| synRtoBase | integer | 3000 | 0 - 5000 | Number of milliseconds (default 3000) to which the system initially sets the SYN retransmission timer. The system adjusts the timer after each retransmission to implement binary-exponential-backoff |
| tailLossProbe | boolean | true | true, false | If true (default), the system uses the Tail Loss Probe scheme to reduce retransmission timeouts |
| tcpOptions | array | Selects which TCP Option values the system captures for reference by iRules | ||
| timestamps | boolean | true | true, false | If true (default and recommended), BIG-IP AS3 enables rfc1323 timestamps |
| timeWaitRecycle | boolean | true | true, false | If true (default), the system reuses connection resources immediately when it receives a SYN during the TIME-WAIT period |
| timeWaitTimeout | integer | 2000 | -1 - 600000 | Number of milliseconds (default 2,000) connection will remain in TIME-WAIT state before closing. Value -1 means indefinite |
| ttlIPv4 | integer | 255 | 1 - 255 | TTL the system sets in outgoing IPv4 packets |
| ttlIPv6 | integer | 64 | 1 - 255 | TTL the system sets in outgoing IPv6 packets |
| ttlMode | string | “proxy” | “decrement”, “preserve”, “proxy”, “set” | Controls IP TTL in outgoing packets. Value ‘set’ forces TTL to value of property ‘ttlIPv4’ or ‘ttlIPv6’ as appropriate. Value ‘proxy’ (default) forces TTL to the default value for IPv4 or IPv6 as appropriate. Value ‘preserve’ copies TTL from received packet. Value ‘decrement’ sets TTL to one less than received packet’s TTL |
| verifiedAccept | boolean | false | true, false | If true, the system must establish a server-side connection before a it accepts a corresponding client-side connection (default false). Value ‘true’ is incompatible with iRules |
| zeroWindowTimeout | integer | 20000 | -1 - 86400000 | Number of milliseconds (default 20,000) connection will persist with window-size of zero (effective timeout is value rounded up to the nearest multiple of 5000). Value -1 means indefinite |
TCP_Profile.md5SignaturePassphrase (object)¶
Passphrase from which the system derives the key for MD5 signatures (MACs) when ‘md5signature’ is true A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL
Properties (* = required):
| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| /*/ | ||||
| allowReuse | boolean | false | true, false | If true, other declaration objects may reuse this value |