For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

brad_11440's avatar
brad_11440
Icon for Nimbostratus rankNimbostratus
Jan 15, 2009
Solved

FastL4 vs Optimized TCP Profiles

We run active/standby 6400 (platform D63a) LTM's for our production applications. They are accessed via clients on a private network with an average latency around 80ms. Nearly all of our virtual se...
config
design
  • smp_86112's avatar
    smp_86112
    Jan 20, 2009
    Maybe it's about the right time to have you post your VIP config from the bigip.conf. It's possible you have other settings applied to the VIP which conflict with a FastL4 profile??? Also it might be helpful to paste the values of the TCP profile you have applied.

     

     

    Regarding the window size...the behavior you see was bothering me for a long time until it finally clicked in my brain. Yes, the TCP window size always starts at 4380. The trick is to understand whether the LTM is sending or receiving data. When the LTM is sending data, as in this case, there is no need for the LTM to increase its receive window - which is the parameter you refer to in the trace.

     

     

    When the LTM is receiving large amounts of data and you do a trace, you'll see that the LTM receive window starts out at 4380, and quickly increases to the value of the Receive Window as specified in the TCP profile that is applied.

     

     

    The LTM is smart - it starts out with a small window size so it does not need to allocate more memory than necessary for the TCP connection. If it needs to adjust the receive window (when it is receiving data), you'll see it go up.
brad_11440's avatar
brad_11440
Icon for Nimbostratus rankNimbostratus
Jan 20, 2009
Here is the config. Thanks for clarifying the window size issue. That makes perfect sense. 

 
 profile fastL4 fastL4 { 
     reset on timeout enable 
     reassemble fragments disable 
     idle timeout 300 
     max segment override 0 
     pva acceleration full 
 } 
  
 pool wmtis03ssl { 
    snat disable 
    nat disable 
    monitor all tcp 
    member 10.212.xxx.xxx:5553 session disable 
    member 10.212.xxx.xxx:40202 
    member 10.212.yyy.yyy:5553 session disable 
    member 10.212.yyy.yyy:40202 
 } 
  
 pool wmtis03ssl_SNAT { 
    monitor all tcp 
    member 10.212.xxx.xxx:5553 session disable 
    member 10.212.xxx.xxx:40202 
    member 10.212.yyy.yyy:5553 session disable 
    member 10.212.yyy.yyy:40202 monitor tcp 
 } 
  
 rule wmtis03ssl_Irule { 
    when CLIENT_ACCEPTED { 
    if { [IP::addr [IP::client_addr] equals 10.212.xxx.0/255.255.254.0] } { 
       pool wmtis03ssl_SNAT 
    } else { 
       pool wmtis03ssl   } 
 } 
 } 
  
 virtual wmtis03ssl_VIP { 
    destination 10.212.aaa.aaa:5553 
    ip protocol tcp 
    pool wmtis03ssl 
    rule wmtis03ssl_Irule 
 } 
  
 profile tcp tcp-lan-optimized { 
    defaults from tcp 
    slow start disable 
    bandwidth delay disable 
    nagle disable 
    proxy buffer low 98304 
    proxy buffer high 131072 
    send buffer 65535 
    recv window 65535 
 }