- This document pulls together the fractured information from the Citrix site, emails and testing.
- TCPParams (set ns tcpParam) are a global setting, affecting all the vservers and services on the device.
- Custom NetScaler TCPProfiles are bound per vserver or service and override the global tcpParam settings.
- When a TCPParam or TCPProfile change is made, the new values only affect new connections. Existing sessions are not modified.
- Changes in tcpParam change the equivalent setting in the default NetScaler TCPProfile nstcp_default_profile.
These settings have the potential to make a huge impact, positive or negative, on traffic and/or the device. Make sure you know what you are changing before touching production, and note that a change only shows its effect on connections opened after it.
Make sure we are on the same page
- VIP - Load Balancing (LB) and Content Switching (CS) VServers
- Service | ServiceGroup - Backend connectivity to Real Hosts
- Outbound - Traffic outbound from the NetScaler VIP or Service
- Inbound - Traffic inbound towards the NetScaler VIP or Service
v10.5 - 11.1 TCPParam Variables
Variable | Ver | Default Value | Min | Max (or allowed values) | Suggested | Description
ackOnPush | 9 | ENABLED | --- | --- | ENABLED | Send an immediate ACK on receipt of TCP packets when doing Web 2.0 PUSH.
connFlushIfNoMem | 10.5 | NONE | --- | HALF_CLOSED_AND_IDLE, FIFO, NONE | NONE | Flush an existing connection if no memory can be obtained for a new connection.
connFlushThres | 10.5 | 4294967295 | 1 | ? | --- | Flush an existing connection (as configured through -connFlushIfNoMem FIFO) if the system has more than the specified number of connections and a new connection is to be established. Note: this value may be rounded down to a whole multiple of the number of packet engines running.
delayedAck | 9 | 300 | 10 | 300 | 50 | Time-out for TCP delayed ACK, in milliseconds: how long the NetScaler waits for a second segment before acknowledging the first one.
downStateRST | 9 | DISABLED | --- | --- | ENABLED | By default a vserver in the DOWN state silently drops incoming SYN packets, so the client has to retransmit its SYN several times, timing out between each. When ENABLED, the NetScaler answers with a RST, which tells the client immediately that the port is closed. Note that a RST also lets a port scanner tell a closed port from a filtered one.
initialCwnd | 9 | 4 | 2 | 44 | 6 | Initial upper limit on the number of TCP packets that can be outstanding on the TCP link to the server (the initial congestion window).
learnVsvrMSS (2) | 10.5 | DISABLED | --- | --- | DISABLED | Enable or disable MSS learning for vservers.
limitedPersist | 9 | ENABLED | --- | --- | ENABLED | If DISABLED, the NetScaler keeps sending persist (zero-window) probes for as long as the peer advertises a zero window; the connection is then closed only by the idle timeout on the NetScaler or by a RST from the peer.
maxBurst | 9 | 6 | 2 | 255 | 6 | Maximum number of TCP segments allowed in a burst. A larger burst pushes traffic through the NetScaler faster.
maxDynServerProbes (1) | 10.5 | 7 | 1 | 65535 | 7 | Relevant only for wildcard (IP and/or port is "*") entities, VPN etc., where the NetScaler learns the real server by probing the destination IP taken from the client's SYN. Limits the number of probes each packet engine/core can send in 10 milliseconds; SYNs arriving above that rate are simply dropped. The client normally retries and the connection then goes through.
maxPktPerMss | 9 | 0 | 0 | 1460 | 0 | Not used any more, ignore it. (Maximum number of TCP packets allowed per maximum segment size (MSS); 0 means no maximum.)
maxSynAckRetx | 10.5 | 100 | 100 | 1048576 | 100 | When syncookie is disabled in the TCP profile bound to the vserver or service, and the number of TCP SYN+ACK retransmissions by the NetScaler for that vserver or service crosses this threshold, the appliance falls back to the TCP SYN-cookie mechanism.
maxSynhold (1) | 10.5 | 16384 | 256 | 65535 | 16384 | Maximum number of client SYNs (one SYN per client) to hold per packet engine while waiting for backend probes to complete. Once the limit is reached, new SYN packets are dropped.
maxSynholdPerprobe (1) | 10.5 | 128 | 1 | 256 | 128 | Maximum number of client SYNs to hold that are waiting on a single probe/backend. Once the limit is reached, new SYN packets are dropped.
maxTimeWaitConn | 10.5 | 7000 | 1 | ? | 7000 | Maximum number of connections to hold in the TCP TIME_WAIT state per packet engine; connections entering TIME_WAIT above this limit are proactively cleaned up. Reduces memory usage when traffic consists mostly of very short-lived connections.
minRTO | 9 | 1000 | 10 | 64000 | 100 | Minimum retransmission timeout, in milliseconds, in 10-millisecond increments (the value must be a whole multiple of 10).
mptcpChecksum | 10.5 | ENABLED | --- | --- | --- | Use the MPTCP DSS checksum.
mptcpCloseMptcpSessionOnLastSFClose | 10.5 | DISABLED | --- | --- | --- | Allow sending DATA_FIN or FAST_CLOSE on the MPTCP connection when sending FIN or RST on the last subflow.
mptcpConCloseOnPassiveSF | 10.5 | ENABLED | --- | --- | --- | Accept DATA_FIN/FAST_CLOSE on a passive subflow.
mptcpImmediateSFCloseOnFIN | 10.5 | DISABLED | --- | --- | --- | Allow subflows to close immediately on FIN, before the DATA_FIN exchange at the MPTCP level has completed.
mptcpMaxPendingSF | 10.5 | 4 | 0 | 4 | --- | Maximum number of subflow connections in the pending-join state per MPTCP connection.
mptcpMaxSF | 10.5 | 4 | 2 | 6 | --- | Maximum number of subflow connections in the established state per MPTCP connection.
mptcpPendingJoinThreshold | 10.5 | 0 | 0 | 4294967294 | --- | Maximum system-wide number of pending-join connections allowed.
mptcpRTOsToSwitchSF | 10.5 | 2 | 1 | 6 | --- | Number of RTOs at the subflow level after which MPTCP starts using another subflow.
mptcpSFReplaceTimeout | 10.5 | 10 | ? | 31536000 | --- | Minimum idle time in seconds after which an idle MPTCP subflow is replaced by a new incoming subflow once the maximum subflow limit is reached. Subflows without any transaction are replaced first.
mptcpSFtimeout | 10.5 | 0 | ? | 31536000 | --- | Timeout in seconds for idle MPTCP subflows. If not set (0), idle subflows are cleared after the vserver's cltTimeout.
mptcpUseBackupOnDSS | 10.5 | DISABLED | --- | --- | --- | When ENABLED, a DSS received on a backup subflow makes the NetScaler start sending data on that subflow; when DISABLED, it keeps transmitting on the currently chosen subflow. On a subflow error (RTOs, RST, etc.) the NetScaler can switch to a backup subflow regardless of this setting.
mssLearnDelay (2) | 10.5 | 360000 | 1 | 1048576 | 360000 | Vserver MSS learning delay, in seconds.
mssLearnInterval (2) | 10.5 | 18000 | 1 | 1048576 | 18000 | Period, in seconds, during which the backend service MSS values are sampled for vserver MSS learning.
nagle | 9 | DISABLED | --- | --- | DISABLED | Enable or disable the Nagle algorithm on TCP connections.
oooQSize | 9 | 64 | 0 | 65535 | 64 | Maximum size of the out-of-order packet queue. 0 means unlimited.
pktPerRetx | 9 | 1 | 1 | 100 | 4 | Maximum number of packets to retransmit on receiving a partial ACK or SACK; if several packets are outstanding, up to this many are sent at once.
recvBuffSize | 11 | 8190 | 8190 | 20971520 | 65535 | TCP receive buffer size, in bytes. 8190 is just too small for apps that cannot support window scaling. With WS enabled a small WSVal is enough (see WSVal).
SACK | 9 | DISABLED | --- | --- | ENABLED | Enable or disable selective acknowledgement (SACK). Enabling it is a no-brainer.
slowStartIncr | 9 | 2 | 1 | 100 | 4 | Multiplier that determines how fast slow start increases the TCP transmission window after each acknowledgement of successful transmission.
synAttackDetection | 10.5 | ENABLED | --- | --- | ENABLED | Detect a TCP SYN flood and send an SNMP trap.
synHoldFastGiveup (1) | 10.5 | 1024 | 256 | 65535 | 1024 | Threshold above which the NetScaler reduces the number of TCP SYN retransmissions/retries for server probes from 7 to 3.
tcpFastOpenCookieTimeout | 11.1 | 0 | 0 | 31536000 | 0 | Used with the tcpFastOpen TCP profile argument. Timeout in seconds after which a new TFO key is computed for generating TFO cookies. 0 means the same key is used forever (cookies never expire); a value below 120 seconds is raised to 120 seconds.
TcpMaxRetries | 10.5 | 7 | 1 | 7 | 7 | Number of RTOs after which a connection is freed.
WS | 9 | DISABLED | --- | --- | ENABLED | Enable or disable window scaling. If DISABLED, window scaling is off for both sides of the conversation.
WSVal | 9 | 4 | 0 | 8 | 3 | Scale factor used to calculate the TCP window size; the scale multiplier is 2 to the power of WSVal. A value of 3 is fine with a recvBuffSize greater than 32768.
(1) SynHold applies to wildcard configurations, i.e. when the IP, the port or both are defined as "*", including VPN cases. In these cases the NetScaler probes (a TCP 3-way handshake) for the existence of the real backend, based on the destination IP received in the client's SYN; when the probe succeeds it creates an internal server for that destination and processes the client's connection.
(2) When enabled, MSS learning propagates the MSS of the most-used services to the corresponding LB/CS vserver. In many cases the bound services are not used evenly, so the algorithm looks at the number of connections landing on each service: every mssLearnDelay seconds it tracks the load balancing decisions for mssLearnInterval seconds and sets the vserver MSS from the decisions made during that interval, then repeats after the next mssLearnDelay. For example, with mssLearnDelay set to 55 minutes and mssLearnInterval set to 5 minutes, the NetScaler monitors LB decisions for 5 minutes every 55 minutes to determine the MSS for the vserver.
TCPParam NSCLI Commands
Every argument is given explicitly so that a software upgrade that changes a factory default cannot silently change the value in effect.
Show all current values
sh ns tcpparam -format old -level verbose
or
sh ns tcpparam -level verbose
Set all values back to default (the parameters in this line only; the connFlush*, maxSynAckRetx, MPTCP, synAttackDetection and TFO knobs are not included)
set ns tcpParam -ackOnPush ENABLED -delayedAck 300 -downStateRST DISABLED -initialCwnd 4 -learnVsvrMSS DISABLED -limitedPersist ENABLED -maxBurst 6 -maxDynServerProbes 7 -maxPktPerMss 0 -maxSynhold 16384 -maxSynholdPerprobe 128 -maxTimeWaitConn 7000 -minRTO 1000 -mssLearnDelay 360000 -mssLearnInterval 18000 -nagle DISABLED -oooQSize 64 -pktPerRetx 1 -recvBuffSize 8190 -SACK DISABLED -slowStartIncr 2 -synHoldFastGiveup 1024 -WS DISABLED -WSVal 4
Set FDC tcpParam
V10.5 & V11
set ns tcpParam -ackOnPush ENABLED -delayedAck 50 -downStateRST ENABLED -initialCwnd 6 -learnVsvrMSS DISABLED -limitedPersist ENABLED -maxBurst 6 -maxDynServerProbes 7 -maxPktPerMss 0 -maxSynhold 16384 -maxSynholdPerprobe 128 -maxTimeWaitConn 7000 -minRTO 100 -mssLearnDelay 360000 -mssLearnInterval 18000 -nagle DISABLED -oooQSize 64 -pktPerRetx 4 -recvBuffSize 65535 -SACK ENABLED -slowStartIncr 4 -synHoldFastGiveup 1024 -WS ENABLED -WSVal 3
Set a specific value
set ns tcpParam -WS ENABLED
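Before pasting the FDC line into a production box it is worth knowing exactly which parameters it will change and whether every value sits inside the table's min/max. The following Python script is an added example, not code from the original page or from Citrix: it takes the "set ns tcpParam ..." line that show ns runningConfig prints (the line is absent when every parameter is still at its factory default), overlays it on the page's default line to get the values currently in effect, reports the drift against the FDC line, range-checks the target against the table, and works out the largest receive window the device can advertise from WS, WSVal and recvBuffSize. The running-config excerpt is constructed, the window arithmetic is plain RFC 7323 TCP (the assumption that the NetScaler advertises up to recvBuffSize is mine), and the case-insensitivity of NSCLI keywords is assumed.

```python
"""Drift and sanity check for NetScaler global TCP parameters (tcpParam).

Added example, not code from the original page or from Citrix. Works on the
"set ns tcpParam ..." line from show ns runningConfig, compares it with a
target line, and range-checks the target against the table's min/max columns.
"""
import re
import shlex

# The page's "Set all values to default" line: what an untouched device runs with.
DEFAULT_LINE = (
    "set ns tcpParam -ackOnPush ENABLED -delayedAck 300 -downStateRST DISABLED "
    "-initialCwnd 4 -learnVsvrMSS DISABLED -limitedPersist ENABLED -maxBurst 6 "
    "-maxDynServerProbes 7 -maxPktPerMss 0 -maxSynhold 16384 -maxSynholdPerprobe 128 "
    "-maxTimeWaitConn 7000 -minRTO 1000 -mssLearnDelay 360000 -mssLearnInterval 18000 "
    "-nagle DISABLED -oooQSize 64 -pktPerRetx 1 -recvBuffSize 8190 -SACK DISABLED "
    "-slowStartIncr 2 -synHoldFastGiveup 1024 -WS DISABLED -WSVal 4")

# The page's FDC line for v10.5/v11: the desired state.
TARGET_LINE = (
    "set ns tcpParam -ackOnPush ENABLED -delayedAck 50 -downStateRST ENABLED "
    "-initialCwnd 6 -learnVsvrMSS DISABLED -limitedPersist ENABLED -maxBurst 6 "
    "-maxDynServerProbes 7 -maxPktPerMss 0 -maxSynhold 16384 -maxSynholdPerprobe 128 "
    "-maxTimeWaitConn 7000 -minRTO 100 -mssLearnDelay 360000 -mssLearnInterval 18000 "
    "-nagle DISABLED -oooQSize 64 -pktPerRetx 4 -recvBuffSize 65535 -SACK ENABLED "
    "-slowStartIncr 4 -synHoldFastGiveup 1024 -WS ENABLED -WSVal 3")

# Constructed running-config excerpt (not captured from a real appliance):
# someone has already touched delayedAck and WS, nothing else.
RUNNING_CONFIG = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set ns tcpParam -delayedAck 50 -WS ENABLED
set ns httpParam -dropInvalReqs ON
"""

# Min/max from the table for the numeric parameters the FDC line changes.
RANGES = {
    "delayedack": (10, 300), "initialcwnd": (2, 44), "maxburst": (2, 255),
    "minrto": (10, 64000), "oooqsize": (0, 65535), "pktperretx": (1, 100),
    "recvbuffsize": (8190, 20971520), "slowstartincr": (1, 100), "wsval": (0, 8),
}

def parse_tcpparam(line):
    """'set ns tcpParam -a X -b Y' -> {'a': 'X', 'b': 'Y'}.
    Keys are lower-cased and values upper-cased (assumption: the NSCLI treats
    -WS enabled and -ws ENABLED alike)."""
    tokens = shlex.split(line)
    if [t.lower() for t in tokens[:3]] != ["set", "ns", "tcpparam"]:
        raise ValueError("not a set ns tcpParam line: %r" % line)
    rest, params = tokens[3:], {}
    for i in range(0, len(rest), 2):
        if not rest[i].startswith("-") or i + 1 >= len(rest):
            raise ValueError("malformed argument near %r" % rest[i])
        params[rest[i][1:].lower()] = rest[i + 1].upper()
    return params

DEFAULTS = parse_tcpparam(DEFAULT_LINE)

def effective_tcpparam(running_config_text):
    """Values currently in effect: the tcpParam line from the running config
    overlaid on the defaults, because runningConfig omits parameters at default."""
    values = dict(DEFAULTS)
    for line in running_config_text.splitlines():
        if re.match(r"\s*set\s+ns\s+tcpParam\b", line, re.IGNORECASE):
            values.update(parse_tcpparam(line.strip()))
    return values

def drift(current, target):
    """{param: (current, wanted)} for every target parameter that differs."""
    return {k: (current.get(k), v) for k, v in target.items() if current.get(k) != v}

def range_errors(params):
    """Parameters outside the table's min/max, plus minRTO not a multiple of 10."""
    errors = []
    for key, (lo, hi) in RANGES.items():
        if key in params:
            val = int(params[key])
            if not lo <= val <= hi:
                errors.append("%s=%d outside %d..%d" % (key, val, lo, hi))
            if key == "minrto" and val % 10:
                errors.append("minrto=%d is not a multiple of 10" % val)
    return errors

def max_advertised_window(params):
    """Largest receive window the device can advertise, in bytes: the 16-bit
    window field times 2**WSVal when WS is ENABLED (RFC 7323), capped by
    recvBuffSize. Assumption: the NetScaler advertises up to recvBuffSize."""
    recv = int(params["recvbuffsize"])
    if params["ws"] != "ENABLED":
        return min(recv, 65535)
    return min(recv, 65535 << int(params["wsval"]))

if __name__ == "__main__":
    current, target = effective_tcpparam(RUNNING_CONFIG), parse_tcpparam(TARGET_LINE)
    for key, (have, want) in sorted(drift(current, target).items()):
        print("%-20s %-10s -> %s" % (key, have, want))
    print("range errors:", range_errors(target) or "none")
    print("max window now %d, after change %d" % (
        max_advertised_window(current), max_advertised_window(target)))
```

With the constructed excerpt the report lists eight parameters the FDC line would change (delayedAck and WS are already in place), and the window check shows why recvBuffSize matters more than WSVal: with WS on and WSVal 4 the device could advertise about 1 MB, but recvBuffSize 8190 pins the window at 8190 bytes until it is raised too. Feed the script a real running config by replacing RUNNING_CONFIG with the output of show ns runningConfig, and keep the range check in front of any change to a production box.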