Product Documentation

TCP Configurations

Jan 04, 2016

TCP configurations for a NetScaler appliance can be specified in an entity called a TCP profile, which is a collection of TCP settings. The TCP profile can then be associated with services or virtual servers that want to use these TCP configurations.

A default TCP profile can be configured to set the TCP configurations that will be applied by default, globally to all services and virtual servers.

Note: When a TCP parameter has different values for service, virtual server, and globally, the value of the most-specific entity (the service) is given the highest precedence.

The NetScaler appliance also provides other approaches for configuring TCP. Read on for more information.

The NetScaler appliance supports the following TCP capabilities:

  • Defending TCP against spoofing attacks. The NetScaler implementation of window attenuation is RFC 4953 compliant.
  • Explicit Congestion Notification (ECN), which sends notification of the network congestion status to the sender of the data and takes corrective measures for data congestion or data corruption. The NetScaler implementation of ECN is RFC 3168 compliant.
  • Round Trip Time Measurement (RTTM) using the TimeStamp option. For the TimeStamp option to work, at least one side of the connection (client or server) must support it. The NetScaler implementation of TimeStamp option is RFC 1323 compliant.
  • Detection of spurious retransmissions can be done using TCP duplicate selective acknowledgement (D-SACK) and forward RTO-Recovery (F-RTO). In case of spurious retransmissions, the congestion control configurations are reverted to their original state. The NetScaler implementation of D-SACK is RFC 2883 compliant, and F-RTO is RFC 5682 compliant.
  • Congestion control using the New-Reno, BIC, CUBIC, Nile and TCP Westwood algorithms.
  • Window scaling to increase the TCP receive window size beyond its maximum value of 65,535 bytes.
    Note: Before configuring window scaling, make sure that:
    • You do not set a high value for the scale factor, because this could have adverse effects on the appliance and the network.
    • You do not configure window scaling unless you clearly know why you want to change the window size.
    • Both hosts in the TCP connection send a window scale option during connection establishment. If only one side of a connection sets this option, window scaling is not used for the connection.
    • Each connection for same session is an independent window scaling session. For example, when a client's request and the server's response flow through the appliance, it is possible to have window scaling between the client and the appliance without window scaling between the appliance and the server.
  • TCP maximum congestion window size that is user configurable. The default value is 8190 bytes.
  • Selective acknowledgment (SACK), using which the data receiver (either a NetScaler appliance or a client) notifies the sender about all the segments that have been received successfully.
  • Forward acknowledgment (FACK) avoids TCP congestion by explicitly measuring the total number of data bytes outstanding in the network, and helping the sender (either a NetScaler ADC or a client) control the amount of data injected into the network during retransmission timeouts.
  • TCP connection multiplexing enables reuse of existing TCP connections. The NetScaler appliance stores established TCP connections in the reuse pool. Whenever a client request is received, the appliance checks for an available connection in the reuse pool and serves the new client over that connection if one is available. If none is available, the appliance creates a new connection for the client request and stores the connection in the reuse pool.

    NetScaler supports connection multiplexing for HTTP, SSL, and DataStream connection types.

  • Dynamic receive buffering allows the receive buffer to be adjusted dynamically based on memory and network conditions.
  • MPTCP connections between client and NetScaler. MPTCP connections are not supported between NetScaler and the backend server.

    The NetScaler implementation of MPTCP is RFC 6824 compliant.

    Note:
    • To establish an MPTCP connection, both the client and the NetScaler appliance must support the same MPTCP version. If you use the NetScaler appliance as an MPTCP gateway for your servers, the servers do not have to support MPTCP. When the client starts a new MPTCP connection, the appliance identifies the client's MPTCP version from the MP_CAPABLE option in the SYN packet. If the client's version is higher than the one supported on the appliance, the appliance indicates its highest version in the MP_CAPABLE option of the SYN-ACK packet. The client then falls back to a lower version and sends the version number in the MP_CAPABLE option of the ACK packet. If that version is supported, the appliance continues the MPTCP connection. Otherwise, the appliance falls back to regular TCP.
    • The NetScaler appliance does not initiate subflows (MP_JOIN's). The appliance expects the client to initiate subflows.
  • TCP keep-alive to monitor the TCP connections to verify if the peers are up.
  • Extracting the TCP/IP path overlay option and inserting the client-IP HTTP header. Data transport through overlay networks often uses connection termination or Network Address Translation (NAT), in which the IP address of the source client is lost. To avoid this, the NetScaler appliance extracts the TCP/IP path overlay option and inserts the source client's IP address into the HTTP header. With the IP address in the header, the web server can identify the source client that made the connection. The extracted data is valid for the lifetime of the TCP connection, so the next-hop host does not have to interpret the option again. This option applies only to web services that have the client-IP insertion option enabled.
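The MPTCP version negotiation described in the note above, replayed as a short Python simulation of the three-way handshake. This is an added illustration, not NetScaler code: the version numbers, the supported-version sets and the trace format are constructed, and the outcome for a client version that is lower than the appliance's highest version but still unsupported is an assumption the page does not spell out.

```python
"""MPTCP version negotiation between a client and a NetScaler appliance.

Added illustration, not Citrix code. It replays the exchange the page
describes: the client advertises a version in the SYN's MP_CAPABLE option;
if that is higher than the appliance supports, the SYN-ACK carries the
appliance's highest version, the client falls back and repeats its choice
in the ACK, and the appliance either continues MPTCP or drops to plain TCP.
Version numbers and supported-version sets below are constructed.
"""


def negotiate_mptcp(client_versions, appliance_versions):
    """Simulate the handshake.

    Returns (mode, version, trace). `trace` is the list of
    (direction, segment, mp_capable_version) messages; a version of None
    means the segment carried no MP_CAPABLE option, i.e. plain TCP.
    """
    trace = []
    client_v = max(client_versions)           # client starts with its newest version
    appliance_top = max(appliance_versions)   # highest version the appliance supports
    trace.append(("client->appliance", "SYN", client_v))

    if client_v in appliance_versions:
        # Both sides support the same version: MPTCP proceeds unchanged.
        trace.append(("appliance->client", "SYN-ACK", client_v))
        trace.append(("client->appliance", "ACK", client_v))
        return "MPTCP", client_v, trace

    if client_v > appliance_top:
        # Appliance answers with the highest version it supports.
        trace.append(("appliance->client", "SYN-ACK", appliance_top))
        # Client falls back to the best version it has that the appliance can take,
        # or to no MP_CAPABLE option at all if it has none.
        fallback = max((v for v in client_versions if v <= appliance_top), default=None)
        trace.append(("client->appliance", "ACK", fallback))
        if fallback in appliance_versions:
            return "MPTCP", fallback, trace
        return "TCP", None, trace

    # Assumption (not stated on the page): a client version below the appliance's
    # highest version but absent from its supported set falls back to regular TCP.
    trace.append(("appliance->client", "SYN-ACK", None))
    trace.append(("client->appliance", "ACK", None))
    return "TCP", None, trace


if __name__ == "__main__":
    for client, appliance in (({0, 1}, {0, 1}), ({0, 1}, {0}), ({1}, {0}), ({0}, {1})):
        mode, version, trace = negotiate_mptcp(client, appliance)
        print(f"client={sorted(client)} appliance={sorted(appliance)} -> {mode} v{version}")
        for step in trace:
            print("   ", step)
```

The second case is the one the note walks through: the client opens with version 1, the appliance can only do version 0, and the client's fallback in the ACK keeps the connection on MPTCP. The third case shows the other branch, where the client has nothing the appliance accepts and the session continues as regular TCP.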

Additionally, NetScaler provides configuration support for the following:

  • TCP segmentation offload.
  • SYN cookies for the TCP handshake with clients. Disabling this capability disables SYN attack protection on the NetScaler appliance.
  • MSS learning for all the virtual servers configured on the appliance.

Setting Global TCP Parameters

The NetScaler appliance allows you to specify values for TCP parameters that are applicable to all NetScaler services and virtual servers. This can be done using:

  • Default TCP profile
  • Global TCP command
  • TCP buffering feature

Note: The recvBuffSize parameter of the set ns tcpParam command is deprecated from release 9.2 onwards. In later releases, set the buffer size by using the bufferSize parameter of the set ns tcpProfile command. If you upgrade to a release where the recvBuffSize parameter is deprecated, the bufferSize parameter is set to its default value.

Default TCP profile

A TCP profile named nstcp_default_profile is used to specify the TCP configurations that will be used if no TCP configurations are provided at the service or virtual server level.

Note:
  • Not all TCP parameters can be configured through the default TCP profile. Some settings have to be performed by using the global TCP command (see section below).
  • The default profile does not have to be explicitly bound to a service or virtual server.

To configure the default TCP profile

  • Using the command line interface, at the command prompt enter:

    set ns tcpProfile nstcp_default_profile …

  • In the configuration utility, navigate to System > Profiles, click TCP Profiles and update nstcp_default_profile.

Global TCP command

Another approach you can use to configure global TCP parameters is the global TCP command. In addition to some unique parameters, this command duplicates some parameters that can be set by using a TCP profile. Any update made to these duplicate parameters is reflected in the corresponding parameter in the default TCP profile.

For example, if the SACK parameter is updated using this approach, the value is reflected in the SACK parameter of the default TCP profile (nstcp_default_profile).

Note: Citrix recommends that you use this approach only for TCP parameters that are not available in the default TCP profile.

To configure the global TCP command

  • Using the command line interface, at the command prompt enter:

    set ns tcpParam

  • In the configuration utility, navigate to System > Settings, click Change TCP parameters and update the required TCP parameters.

TCP buffering feature

NetScaler provides a feature called TCP buffering that you can use to specify the TCP buffer size. The feature can be enabled globally or at service level.

Note: The buffer size can also be configured in the default TCP profile. If the buffer size has different values in the TCP buffering feature and the default TCP profile, the greater value is applied.

To configure the TCP buffering feature globally

  • At the command prompt enter:

    enable ns mode TCPB

    set ns tcpbufParam -size <positiveInteger> -memLimit <positiveInteger>

  • In the configuration utility, navigate to System > Settings, click Configure Modes and select TCP Buffering.

    Then navigate to System > Settings, click Change TCP parameters and specify the values for Buffer size and Memory usage limit.

Setting Service or Virtual Server Specific TCP Parameters

Using TCP profiles, you can specify TCP parameters for services and virtual servers. You must define a TCP profile (or use a built-in TCP profile) and associate the profile with the appropriate service and virtual server.

Note:
  • You can also modify the TCP parameters of default profiles as per your requirements. For more information on built-in TCP profiles, see Built-in TCP Profiles.
  • You can specify the TCP buffer size at service level using the parameters specified by the TCP buffering feature.
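The precedence rule stated in the introduction (a parameter set for the service wins over the virtual server, which wins over the global default profile) is easy to get wrong when auditing a large configuration by eye. The following Python script is an added example, not Citrix code: it parses a small constructed ns.conf-style snippet (the exact file syntax is an assumption), resolves the value that takes effect for a given service and parameter, and flags services whose effective setting for a parameter such as rstWindowAttenuate is not ENABLED. The model is simplified in one respect: a real profile carries a default for every parameter it does not set, whereas here an unset parameter falls through to the next level.

```python
"""Resolve the TCP parameter that takes effect for a NetScaler service.

Added example, not Citrix code. It applies the precedence rule from this
page (service, then virtual server, then the global default profile
nstcp_default_profile) to a small, constructed ns.conf-style configuration.
The ns.conf syntax used here is an assumption. A real profile also carries
defaults for every parameter it does not set explicitly; this simplified
model represents that as "fall through to the next level".
"""
import shlex

DEFAULT_PROFILE = "nstcp_default_profile"

# Constructed sample configuration (not taken from a real appliance).
CONSTRUCTED_CONFIG = """
set ns tcpProfile nstcp_default_profile -WS DISABLED -SACK ENABLED -ECN DISABLED
add ns tcpProfile profile_wan -WS ENABLED -WSVal 4 -rstWindowAttenuate ENABLED
add ns tcpProfile profile_lan -ECN ENABLED -SACK DISABLED
add lb vserver lbvserver1 HTTP 10.0.0.1 80 -tcpProfileName profile_wan
add lb vserver lbvserver2 HTTP 10.0.0.2 80
add service service1 10.0.1.5 HTTP 80
set service service1 -tcpProfileName profile_lan
add service service2 10.0.1.6 HTTP 80
bind lb vserver lbvserver1 service1
bind lb vserver lbvserver2 service2
"""


def _flags(tokens):
    """Turn ['-WS', 'ENABLED', '-WSVal', '4'] into {'WS': 'ENABLED', 'WSVal': '4'}."""
    flags = {}
    i = 0
    while i < len(tokens) - 1:
        if tokens[i].startswith("-"):
            flags[tokens[i][1:]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return flags


def parse_config(text):
    """Collect TCP profiles, the profile bound to each vserver and service,
    and which virtual server each service is bound to."""
    profiles, vservers, services, bindings = {}, {}, {}, {}
    for line in text.strip().splitlines():
        t = shlex.split(line)
        if len(t) >= 4 and t[0] in ("add", "set") and t[1:3] == ["ns", "tcpProfile"]:
            profiles.setdefault(t[3], {}).update(_flags(t[4:]))
        elif len(t) >= 4 and t[:3] == ["add", "lb", "vserver"]:
            vservers[t[3]] = _flags(t[4:])
        elif len(t) >= 3 and t[0] in ("add", "set") and t[1] == "service":
            services.setdefault(t[2], {}).update(_flags(t[3:]))
        elif len(t) >= 5 and t[:3] == ["bind", "lb", "vserver"]:
            bindings[t[4]] = t[3]  # service name -> virtual server name
    return {"profiles": profiles, "vservers": vservers,
            "services": services, "bindings": bindings}


def effective_value(cfg, service, param):
    """Return (value, source) for `param` on `service`. `source` names the
    level and profile that supplied the value, or "unset" if no level sets it."""
    vserver = cfg["bindings"].get(service)
    levels = [
        ("service", cfg["services"].get(service, {}).get("tcpProfileName")),
        ("vserver", cfg["vservers"].get(vserver, {}).get("tcpProfileName")),
        ("global", DEFAULT_PROFILE),
    ]
    for level, profile in levels:
        settings = cfg["profiles"].get(profile, {})
        if param in settings:
            return settings[param], f"{level}:{profile}"
    return None, "unset"


def services_without(cfg, param, wanted="ENABLED"):
    """Audit helper: services whose effective value for `param` is not `wanted`,
    e.g. back ends that get no rstWindowAttenuate from any bound profile."""
    return sorted(s for s in cfg["services"]
                  if effective_value(cfg, s, param)[0] != wanted)


CONFIG = parse_config(CONSTRUCTED_CONFIG)

if __name__ == "__main__":
    for svc in sorted(CONFIG["services"]):
        for p in ("WS", "WSVal", "SACK", "ECN", "rstWindowAttenuate"):
            print(svc, p, effective_value(CONFIG, svc, p))
    print("no window attenuation:", services_without(CONFIG, "rstWindowAttenuate"))
```

In the sample, service1 takes SACK and ECN from its own profile but window scaling from the virtual server's profile, while service2, bound to a virtual server with no profile, inherits only what nstcp_default_profile sets and is reported as lacking window attenuation.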

To specify service or virtual server level TCP configurations by using the command line interface

At the command prompt, perform the following:

  1. Configure the TCP profile.

    set ns tcpProfile <profile-name>...

  2. Bind the TCP profile to the service or virtual server.

    To bind the TCP profile to the service:

    set service <name> ....

    Example:
    > set service service1 -tcpProfileName profile1
    

    To bind the TCP profile to the virtual server:

    set lb vserver <name> ....

    Example:
    > set lb vserver lbvserver1 -tcpProfileName profile1
    

To specify service or virtual server level TCP configurations by using the configuration utility

In the configuration utility, perform the following:

  1. Configure the TCP profile.

    Navigate to System > Profiles > TCP Profiles, and create the TCP profile.

  2. Bind the TCP profile to the service or virtual server.

    Navigate to Traffic Management > Load Balancing > Services/Virtual Servers, and bind the TCP profile you created to the service or virtual server.

Built-in TCP Profiles

For convenience of configuration, the NetScaler provides some built-in TCP profiles. Review the built-in profiles listed below, select one, and use it as is or modify it to meet your requirements. You can bind these profiles to your required services or virtual servers.

Table 1. Built-in TCP Profiles (built-in profile: description)

  • nstcp_default_profile: Represents the default global TCP settings on the appliance.
  • nstcp_default_tcp_lan: Useful for back-end server connections, where these servers reside on the same LAN as the appliance.
  • nstcp_default_tcp_lan_thin_stream: Similar to the nstcp_default_tcp_lan profile; however, the settings are tuned for small-size packet flows.
  • nstcp_default_tcp_interactive_stream: Similar to the nstcp_default_tcp_lan profile; however, it has a reduced delayed-ACK timer and the ACK-on-PUSH-packet setting.
  • nstcp_default_tcp_lfp: Useful for long fat pipe networks (WAN) on the client side. Long fat pipe networks have long-delay, high-bandwidth lines with minimal packet drops.
  • nstcp_default_tcp_lfp_thin_stream: Similar to the nstcp_default_tcp_lfp profile; however, the settings are tuned for small-size packet flows.
  • nstcp_default_tcp_lnp: Useful for long narrow pipe networks (WAN) on the client side. Long narrow pipe networks have considerable packet loss once in a while.
  • nstcp_default_tcp_lnp_thin_stream: Similar to the nstcp_default_tcp_lnp profile; however, the settings are tuned for small-size packet flows.
  • nstcp_internal_apps: Useful for internal applications on the appliance (for example, GSLB site syncing). This profile contains window scaling and SACK options tuned for those applications. It should not be bound to applications other than internal applications.
  • nstcp_default_Mobile_profile: Useful for mobile devices.
  • nstcp_default_XA_XD_profile: Useful for a XenApp or XenDesktop deployment.

Sample TCP Configurations

Sample command line interface examples for configuring the following:

  • Defending TCP against spoofing attacks
  • Explicit Congestion Notification (ECN)
  • Selective ACKnowledgment (SACK)
  • Forward ACKnowledgment (FACK)
  • Window Scaling (WS)
  • Maximum Segment Size (MSS)
  • NetScaler to learn the MSS of a virtual server
  • TCP keep-alive
  • Buffer size - using TCP profile
  • Buffer size - using TCP buffering feature
  • MPTCP
  • Congestion control
  • Dynamic receive buffering

Defending TCP against spoofing attacks

Enable the NetScaler to defend TCP against spoof attacks.

> set ns tcpProfile profile1 -rstWindowAttenuate ENABLED -spoofSynDrop ENABLED 
 Done 
> set lb vserver lbvserver1 -tcpProfileName profile1 
 Done

Explicit Congestion Notification (ECN)

Enable ECN on the required TCP profile.

> set ns tcpProfile profile1 -ECN ENABLED 
 Done 
> set lb vserver lbvserver1 -tcpProfileName profile1 
 Done

Selective ACKnowledgment (SACK)

Enable SACK on the required TCP profile.

> set ns tcpProfile profile1 -SACK ENABLED 
 Done 
> set lb vserver lbvserver1 -tcpProfileName profile1 
 Done

Forward ACKnowledgment (FACK)

Enable FACK on the required TCP profile.

> set ns tcpProfile profile1 -FACK ENABLED 
 Done 
> set lb vserver lbvserver1 -tcpProfileName profile1 
 Done 

Window Scaling (WS)

Enable window scaling and set the window scaling factor on the required TCP profile.

> set ns tcpProfile profile1 -WS ENABLED -WSVal 9
 Done 
> set lb vserver lbvserver1 -tcpProfileName profile1 
 Done

Maximum Segment Size (MSS)

Update the MSS related configurations.

> set ns tcpProfile profile1 -mss 1460 -maxPktPerMss 512
 Done 
> set lb vserver lbvserver1 -tcpProfileName profile1 
 Done

NetScaler to learn the MSS of a virtual server

Enable the NetScaler to learn the MSS of virtual servers and update other related configurations.

> set ns tcpParam -learnVsvrMSS ENABLED -mssLearnInterval 180 -mssLearnDelay 3600
 Done

TCP keep-alive

Enable TCP keep-alive and update other related configurations.

> set ns tcpProfile profile1 -KA ENABLED -KAprobeUpdateLastactivity ENABLED -KAconnIdleTime 900 -KAmaxProbes 3 -KAprobeInterval 75
 Done 
> set lb vserver lbvserver1 -tcpProfileName profile1 
 Done

Buffer size - using TCP profile

Specify the buffer size.

> set ns tcpProfile profile1 -bufferSize 8190
 Done 
> set lb vserver lbvserver1 -tcpProfileName profile1 
 Done

Buffer size - using TCP buffering feature

Enable the TCP buffering feature (globally or for a service) and then specify the buffer size and the memory limit.

> enable ns mode TCPB
 Done 
> set ns tcpbufParam -size 64 -memLimit 64 
 Done

MPTCP

Enable MPTCP and then set the optional MPTCP configurations.

> set ns tcpProfile profile1 -mptcp ENABLED 
 Done 
> set ns tcpProfile profile1 -mptcpDropDataOnPreEstSF ENABLED -mptcpFastOpen ENABLED -mptcpSessionTimeout 7200 
 Done 
> set ns tcpparam -mptcpConCloseOnPassiveSF ENABLED -mptcpChecksum ENABLED -mptcpSFtimeout 0 -mptcpSFReplaceTimeout 10 -mptcpMaxSF 4 -mptcpMaxPendingSF 4 -mptcpPendingJoinThreshold 0 -mptcpRTOsToSwitchSF 2 -mptcpUseBackupOnDSS ENABLED
 Done

Congestion control

Set the required TCP congestion control algorithm.

> set ns tcpProfile profile1 -flavor Westwood 
Done 
> set lb vserver lbvserver1 -tcpProfileName profile1 
Done

Dynamic receive buffering

Enable dynamic receive buffering on the required TCP profile.

> set ns tcpProfile profile1 -dynamicReceiveBuffering ENABLED 
Done 
> set lb vserver lbvserver1 -tcpProfileName profile1 
Done