TCP_Profile (object)

Configures a Transmission Control Protocol (TCP) profile

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| abc | boolean | true | true, false | If true (default), AS3 adjusts the congestion window per rfc3465 |
| ackOnPush | boolean | true | true, false | If true (default), the system immediately acknowledges segments with the PSH flag set |
| autoProxyBufferSize | boolean | true | true, false | If true (default), AS3 adjusts the proxy buffer size automatically to optimize throughput |
| autoReceiveWindowSize | boolean | true | true, false | If true (default), AS3 adjusts the receive window size automatically to optimize throughput |
| autoSendBufferSize | boolean | true | true, false | If true (default), AS3 adjusts the send buffer size automatically to optimize throughput |
| class* | string | | “TCP_Profile” | |
| closeWaitTimeout | integer | 5 | -1 - 3600 | Number of seconds (default 5) the connection will remain in LAST-ACK state before exiting. Value -1 means indefinite, limited by the maximum retransmission timeout |
| congestionControl | string | “woodside” | “bbr”, “cdg”, “chd”, “cubic”, “high-speed”, “illinois”, “new-reno”, “none”, “reno”, “scalable”, “vegas”, “westwood”, “woodside” | Selects the TCP congestion-control algorithm (default ‘woodside’). Note: bbr is only supported in TMOS version 14.1+ |
| congestionMetricsCache | boolean | true | true, false | If true (default), the system may cache congestion metrics to inform the congestion-control algorithm |
| congestionMetricsCacheTimeout | integer | 0 | 0 - 1000 | Number of seconds for which entries in the congestion metrics cache are valid (default 0 means use the system default) |
| deferredAccept | boolean | false | true, false | If true, the ADC defers allocating resources to a connection until some payload data has arrived from the client (default false). This may help minimize the impact of certain DoS attacks but adds undesirable latency under normal conditions. Note: ‘deferredAccept’ is incompatible with server-speaks-first application protocols |
| delayedAcks | boolean | true | true, false | If true (default), the system may coalesce multiple adjacent ACK responses |
| delayWindowControl | boolean | false | true, false | If true, AS3 uses queueing delay as well as packet loss to estimate congestion (default false) |
| dsack | boolean | false | true, false | If true, AS3 uses the rfc2883 duplicate selective-acknowledgement extension (default false). Do not enable this option unless you are certain all peers support D-SACK |
| earlyRetransmit | boolean | true | true, false | If true (default), AS3 uses rfc5827 Early Retransmit recovery |
| ecn | boolean | true | true, false | If true (default), AS3 may send explicit congestion notification (ECN) flags (CWR, ECE) to peers |
| enhancedLossRecovery | boolean | true | true, false | If true (default), AS3 uses Selective ACK data to increase throughput |
| fastOpen | boolean | true | true, false | If true (default), the system can use the TCP Fast Open protocol extension to reduce latency by sending payload data with the initial SYN |
| fastOpenCookieExpiration | integer | 21600 | 1 - 1000000 | Sets the maximum lifetime in seconds (default 21600 = six hours) of TCP Fast Open cookies |
| finWait2Timeout | integer | 300 | -1 - 3600 | Number of seconds (default 300) the connection will remain in LAST-ACK state before closing. Value -1 means indefinite, limited by the maximum retransmission timeout |
| finWaitTimeout | integer | 5 | -1 - 3600 | Number of seconds (default 5) the connection will remain in FIN-WAIT-1 or closing state before exiting. Value -1 means indefinite, limited by the maximum retransmission timeout |
| idleTimeout | integer | 300 | unbounded | Number of seconds (default 300; may not be 0) a connection may remain idle before it becomes eligible for deletion. Value -1 (not recommended) means infinite |
| initCwnd | integer | 16 | 0 - 64 | Sets the initial congestion-window size (default 16) in multiples of MSS (not in octets) |
| initRwnd | integer | 16 | 0 - 64 | Sets the initial receive-window size (default 16) in multiples of MSS (not in octets) |
| ipDfMode | string | “pmtu” | “clear”, “pmtu”, “preserve”, “set” | Controls the DF (Don’t Fragment) flag in outgoing packets. Value ‘pmtu’ (default) sets DF based on the IP PMTU value. Value ‘preserve’ copies DF from received packets. Value ‘set’ forces DF true in all outgoing packets. Value ‘clear’ forces DF false in all outgoing packets |
| ipTosToClient | integer, string | 0 | eight-bit number, “pass-through”, “mimic” | Specifies the IP DSCP/TOS value in packets sent to clients (default 0). Numeric values in this property are decimal representations of eight-bit numbers, of which the leftmost six bits are the DSCP per rfc2474 (the system uses the rightmost two bits for congestion signaling when ‘ecn’ is true). You may have to calculate the value of this property by multiplying a DSCP code, such as CS5+EF = 46, by four to obtain the proper ‘ipTosToClient’ value, such as 184. Value ‘pass-through’ sets DSCP from the initial server-side value. Value ‘mimic’ copies DSCP from the most-recently received server-side packet (allowing DSCP to vary during the life of a connection) |
| keepAliveInterval | integer | 1800 | 1 - 86400 | Number of seconds (default 1800) between keep-alive probes |
| label | string | | “^[^\x00-\x1f\x22#&*<>?\x5b-\x5d`\x7f]*$” | Optional friendly name for this object. Allows 0-64 chars, excluding a few likely to cause trouble with string searching, JS, TCL, or HTML |
| limitedTransmit | boolean | true | true, false | When true (default), the system can use the rfc3042 limited transmit recovery scheme |
| linkQosToClient | integer, string | 0 | 0 - 7, “pass-through” | Specifies the Layer-2 QoS code in packets sent to clients (default 0). Ethernet-type networks recognize codes from 0 to 7. Value ‘pass-through’ sets QoS from the initial server-side value |
| maxRetrans | integer | 8 | 0 - 12 | Sets the maximum number of times the system may retransmit a segment (default 8) |
| maxSegmentSize | integer | 0 | unbounded | Sets the MSS advertised to the peer. Value 0 (default) sets MSS automatically in proportion to the interface MTU. Default 0 is usually the best choice |
| md5Signature | boolean | false | true, false | If true, the system signs TCP headers using MD5 per rfc2385 (default false) |
| md5SignaturePassphrase | object | | | Passphrase from which the system derives the key for MD5 signatures (MACs) when ‘md5Signature’ is true. A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL |
| minimumRto | integer | 1000 | 1 - 5000 | Minimum retransmission timeout in milliseconds (default 1000) |
| mptcp | string | “disable” | “disable”, “enable”, “passthrough” | Value ‘disable’ (default) excludes use of Multipath TCP (MPTCP) through the virtual server. Value ‘enable’ means the virtual server will accept and participate in MPTCP connections. Value ‘passthrough’ means MPTCP packets may pass through the virtual server |
| mptcpCsum | boolean | false | true, false | If true, the system calculates MPTCP checksums (default false) |
| mptcpCsumVerify | boolean | false | true, false | If true, the system verifies MPTCP checksums (default false) |
| mptcpFallback | string | “reset” | “accept”, “active-accept”, “reset”, “retransmit” | Selects the action on fallback from MPTCP to ordinary TCP |
| mptcpFastJoin | boolean | false | true, false | If true, the system may send data with the MP_JOIN SYN packet, reducing connection latency (default false) |
| mptcpIdleTimeout | integer | 300 | 1 - 86400 | Number of seconds (default 300) a connection may remain idle before it becomes eligible for deletion |
| mptcpJoinMax | integer | 5 | 1 - 20 | Limit on the number of subflows which the system may add to the MPTCP connection (default 5) |
| mptcpMakeAfterBreak | boolean | false | true, false | If true, the system can add additional subflows during the ‘mptcpTimeout’ period, even if the ADC is not currently handling an active connection (default false) |
| mptcpNoJoinDssAck | boolean | false | true, false | If true, no DSS option will be sent with the MP_JOIN ACK packet (default false) |
| mptcpRetransmitMin | integer | 1000 | 1 - 5000 | Minimum value in milliseconds (default 1000) of the MPTCP retransmission timer |
| mptcpRtoMax | integer | 5 | 1 - 20 | Maximum number of retransmission timeouts which may occur before the system declares a subflow dead |
| mptcpSubflowMax | integer | 6 | 1 - 20 | Maximum number of subflows per connection (default 6) |
| mptcpTimeout | integer | 3600 | 60 - 3600 | Number of seconds (default 3600) after which the system may expunge an MPTCP session with no active flow |
| nagle | string | “auto” | “disable”, “enable”, “auto” | Value ‘enable’ means to use Nagle’s algorithm to minimize the transmission of short TCP segments (note: Nagle’s algorithm yields undesirable results with many application protocols). Value ‘auto’ (default) means the ADC will choose automatically whether to enable Nagle’s algorithm. Value ‘disable’ averts application of Nagle’s algorithm |
| pktLossIgnoreBurst | integer | 0 | 0 - 32 | Modulates use of congestion control when losing multiple packets. Value 0 (default) means to perform congestion control if any packet loss occurs. Higher values increase tolerance for lost packets before signaling congestion |
| pktLossIgnoreRate | integer | 0 | 0 - 1000000 | Sets the threshold of packet loss rate (lost-packets/million-packets) above which the system performs congestion control. Value 0 (default) means to perform congestion control if any packet loss occurs. Higher values increase tolerance for lost packets before signaling congestion |
| proxyBufferHigh | integer | 262144 | 64 - 33554432 | The system closes the receive window when the number of octets in the proxy buffer rises above this value |
| proxyBufferLow | integer | 196608 | 64 - 33554432 | The system opens the receive window when the number of octets in the proxy buffer falls below this value |
| proxyMSS | boolean | true | true, false | If true (default), the MSS value advertised on the server side will match that negotiated with the client, if permitted by MTU and other constraints |
| proxyOptions | boolean | false | true, false | If true, TCP options such as timestamp advertised on the server side will match those negotiated with the client (default false) |
| pushFlag | string | “auto” | “auto”, “default”, “none”, “one” | Controls when the ADC sets the PSH flag in outbound TCP segments. Limiting the sending of segments with PSH improves performance. Value ‘auto’ (recommended) sets PSH according to a system algorithm optimal in most cases. Value ‘default’ (not recommended) sets the PUSH flag in every segment which happens to empty the send buffer. Value ‘none’ prevents use of the PSH flag, and ‘one’ means the system sets PSH only when FIN is set, at the end of a connection |
| ratePace | boolean | true | true, false | If true (default), the system will automatically pace the rate of data transmission to optimize throughput |
| ratePaceMaxRate | integer | 0 | 0 - 4294967295 | Limits the maximum data-transmission rate in octets/second to this value when ‘ratePace’ is true. Default 0 means choose the maximum rate automatically |
| receiveWindowSize | integer | 131072 | 64 - 33554432 | Maximum size of the receive window (octets, default 131072) |
| remark | string | | “^[^\x00-\x1f\x22\x5c\x7f]*$” | Arbitrary (brief) text pertaining to this object. Allows 0-64 chars, excluding only control characters, double-quote, and backslash. This is permissive enough that you should worry about XSS attacks |
| resetOnTimeout | boolean | true | true, false | If true (default), connections which time out will be reset (that is, the system will send an RST packet to the peer) before the system expunges them. Value false is not recommended |
| retransmitThreshold | integer | 3 | 0 - 12 | Specifies the number of duplicate ACKs that start fast recovery |
| selectiveAcks | boolean | true | true, false | If true (default), the system negotiates rfc2018 Selective Acknowledgements with peers |
| selectiveNack | boolean | false | true, false | If true, the system negotiates Selective Negative Acknowledgements with peers (default false) |
| sendBufferSize | integer | 262144 | 64 - 33554432 | Maximum size of the send buffer (octets, default 262144) |
| slowStart | boolean | true | true, false | If true (default), AS3 adjusts the initial window size per rfc3390. This generally makes connections start more quickly, NOT more slowly |
| synCookieAllowlist | boolean | | true, false | If true, after a client responds successfully to a SYN cookie challenge, the system accepts additional connection requests from that client without challenge for 30 seconds |
| synCookieEnable | boolean | true | true, false | If true (default), the system may use SYN cookies to avert connection-table overflow (for example, from DoS attacks) |
| synCookieWhitelist | boolean | false | true, false | Deprecated. Replaced with the functionally equivalent synCookieAllowlist. If true, after a client responds successfully to a SYN cookie challenge, the system accepts additional connection requests from that client without challenge for 30 seconds |
| synMaxRetrans | integer | 3 | 0 - 12 | Maximum number of times the system retransmits a SYN when it does not receive a SYN+ACK (default 3) |
| synRtoBase | integer | 3000 | 0 - 5000 | Number of milliseconds (default 3000) to which the system initially sets the SYN retransmission timer. The system adjusts the timer after each retransmission to implement binary exponential backoff |
| tailLossProbe | boolean | true | true, false | If true (default), the system uses the Tail Loss Probe scheme to reduce retransmission timeouts |
| tcpOptions | array | | | Selects which TCP Option values the system captures for reference by iRules |
| timestamps | boolean | true | true, false | If true (default and recommended), AS3 enables rfc1323 timestamps |
| timeWaitRecycle | boolean | true | true, false | If true (default), the system reuses connection resources immediately when it receives a SYN during the TIME-WAIT period |
| timeWaitTimeout | integer | 2000 | -1 - 600000 | Number of milliseconds (default 2,000) the connection will remain in TIME-WAIT state before closing. Value -1 means indefinite |
| ttlIPv4 | integer | 255 | 1 - 255 | TTL the system sets in outgoing IPv4 packets |
| ttlIPv6 | integer | 64 | 1 - 255 | TTL the system sets in outgoing IPv6 packets |
| ttlMode | string | “proxy” | “decrement”, “preserve”, “proxy”, “set” | Controls the IP TTL in outgoing packets. Value ‘set’ forces TTL to the value of property ‘ttlIPv4’ or ‘ttlIPv6’ as appropriate. Value ‘proxy’ (default) forces TTL to the default value for IPv4 or IPv6 as appropriate. Value ‘preserve’ copies TTL from the received packet. Value ‘decrement’ sets TTL to one less than the received packet’s TTL |
| verifiedAccept | boolean | false | true, false | If true, the system must establish a server-side connection before it accepts the corresponding client-side connection (default false). Value ‘true’ is incompatible with iRules |
| zeroWindowTimeout | integer | 20000 | -1 - 86400000 | Number of milliseconds (default 20,000) a connection will persist with a window size of zero (the effective timeout is the value rounded up to the nearest multiple of 5000). Value -1 means indefinite |

TCP_Profile.md5SignaturePassphrase (object)

Passphrase from which the system derives the key for MD5 signatures (MACs) when ‘md5Signature’ is true. A value: (a) in a cryptogram in this object; (b) in a cryptogram elsewhere in this declaration; or (c) available from a URL

Properties (* = required):

| name | type(s) | default | allowed values | description |
|---|---|---|---|---|
| allowReuse | boolean | | true, false | If true, other declaration objects may reuse this value |
| reuseFrom | string | | | AS3 pointer to another JWE cryptogram in this declaration to copy |
| url | | | | URL from which the secret should be fetched. Describes the URL of the remote resource and optional parameters |
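The following declaration is an added example, not code from the AS3 project or from this reference page. It shows how the TCP_Profile properties above and the md5SignaturePassphrase object are used together: a client-facing profile that keeps the DoS-related defaults explicit (SYN cookies, reset on timeout, bounded retransmits and timeouts) and a separate server-side profile that turns on rfc2385 MD5 signing with a secret carried in the declaration. The tenant, application, service, pool names and the 192.0.2.x / 10.0.0.x addresses are constructed; the `schemaVersion`, the `ciphertext` key on the secret object (the AS3 Secret form, not listed on this page) and the `ingress`/`egress` form of `profileTCP` are assumptions about the surrounding AS3 schema rather than facts stated on this page, and the cryptogram is a placeholder.

```json
{
  "class": "ADC",
  "schemaVersion": "3.30.0",
  "id": "tcp-profile-example",
  "remark": "Added example; names and addresses are constructed",
  "Sample_Tenant": {
    "class": "Tenant",
    "Sample_App": {
      "class": "Application",
      "template": "generic",
      "client_tcp": {
        "class": "TCP_Profile",
        "label": "client_tcp",
        "remark": "Client side: SYN cookies, bounded timeouts, bounded retransmits",
        "synCookieEnable": true,
        "synCookieAllowlist": true,
        "deferredAccept": true,
        "resetOnTimeout": true,
        "idleTimeout": 300,
        "zeroWindowTimeout": 20000,
        "finWaitTimeout": 5,
        "finWait2Timeout": 300,
        "closeWaitTimeout": 5,
        "timeWaitTimeout": 2000,
        "maxRetrans": 8,
        "synMaxRetrans": 3,
        "synRtoBase": 3000,
        "dsack": false,
        "ipTosToClient": 184
      },
      "server_tcp": {
        "class": "TCP_Profile",
        "label": "server_tcp",
        "remark": "Server side: rfc2385 MD5 signing; every pool member needs the same passphrase",
        "md5Signature": true,
        "md5SignaturePassphrase": {
          "ciphertext": "PLACEHOLDER-BASE64-CRYPTOGRAM",
          "allowReuse": false
        },
        "proxyMSS": true,
        "verifiedAccept": false
      },
      "app_service": {
        "class": "Service_TCP",
        "virtualAddresses": ["192.0.2.10"],
        "virtualPort": 443,
        "profileTCP": {
          "ingress": { "use": "client_tcp" },
          "egress": { "use": "server_tcp" }
        },
        "pool": "app_pool"
      },
      "app_pool": {
        "class": "Pool",
        "monitors": ["tcp"],
        "members": [
          { "servicePort": 443, "serverAddresses": ["10.0.0.11", "10.0.0.12"] }
        ]
      }
    }
  }
}
```

Points worth checking before deploying something like this: `deferredAccept` is only safe on the client side because a TLS client sends its ClientHello first, so the profile is not applied to a server-speaks-first protocol; `ipTosToClient` 184 is DSCP 46 (EF) shifted left by two bits, as the table describes, not the raw DSCP code; `md5Signature` is applied on the server-side profile only, because rfc2385 signing requires every peer to share the passphrase, which is not true of arbitrary Internet clients; and `allowReuse: false` keeps the cryptogram from being referenced by other objects through `reuseFrom`.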