Manual Chapter: Configuration Guide for BIG-IP® Local Traffic Management: 5 - Understanding Profiles


5

Understanding Profiles


Introducing profiles

The BIG-IP® local traffic management (LTM) system can manage application-specific network traffic in a variety of ways, depending on the protocols and services being used. For example, you can configure the LTM system to compress HTTP response data, or you can configure the system to authenticate SSL client certificates before passing requests on to a target server.

For each type of traffic that you want to manage, the LTM system contains configuration tools that you can use to intelligently control the behavior of that traffic. These tools are called profiles. A profile is a system-supplied configuration tool that enhances your capabilities for managing application-specific traffic. More specifically, a profile is an object that contains user-configurable settings, with default values, for controlling the behavior of a particular type of network traffic, such as HTTP connections. After configuring a profile, you associate the profile with a virtual server. The virtual server then processes traffic according to the values specified in the profile. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient.

You can associate multiple profiles with a single virtual server. For example, you can associate a TCP profile, an SSL profile, and an HTTP profile with the same virtual server.

Profile types

The LTM system provides several types of profiles. While some profile types correspond to specific protocols, such as HTTP, SSL, and FTP, other profiles pertain to traffic behaviors applicable to multiple protocols. Examples of these are connection persistence profiles and authentication profiles. Table 5.1 lists the available profile types, with descriptions.

Table 5.1 Available profiles in the LTM system

| Category | Profile Type | Description |
|---|---|---|
| Protocol profiles | Fast L4 | Defines the behavior of Layer 4 IP traffic. |
| Protocol profiles | Fast HTTP | Improves the speed at which a virtual server processes traffic. |
| Protocol profiles | TCP | Defines the behavior of TCP traffic. |
| Protocol profiles | UDP | Defines the behavior of UDP traffic. |
| Services profiles | HTTP | Defines the behavior of HTTP traffic. |
| Services profiles | FTP | Defines the behavior of FTP traffic. |
| SSL profiles | Client SSL | Defines the behavior of client-side SSL traffic. See also Persistence Profiles. |
| SSL profiles | Server SSL | Defines the behavior of server-side SSL traffic. See also Persistence Profiles. |
| Persistence profiles | Cookie | Implements session persistence using HTTP cookies. |
| Persistence profiles | Destination Address | Implements session persistence based on the destination IP address specified in the header of a client request. Also known as sticky persistence. |
| Persistence profiles | Hash | Implements session persistence in a way similar to universal persistence, except that the LTM system uses a hash for finding a persistence entry. |
| Persistence profiles | MSRDP | Implements session persistence for Microsoft Remote Desktop Protocol sessions. |
| Persistence profiles | SIP | Implements session persistence for connections using Session Initiation Protocol Call-ID. |
| Persistence profiles | Source Address | Implements session persistence based on the source IP address specified in the header of a client request. Also known as simple persistence. |
| Persistence profiles | SSL | Implements session persistence for non-terminated SSL sessions, using the session ID. |
| Persistence profiles | Universal | Implements session persistence using the LTM system's Universal Inspection Engine (UIE). |
| Authentication profiles | LDAP | Allows the LTM system to authenticate traffic based on authentication data stored on a remote Lightweight Directory Access Protocol (LDAP) server. |
| Authentication profiles | RADIUS | Allows the LTM system to authenticate traffic based on authentication data stored on a remote RADIUS server. |
| Authentication profiles | TACACS+ | Allows the LTM system to authenticate traffic based on authentication data stored on a remote TACACS+ server. |
| Authentication profiles | SSL Client Certificate LDAP | Allows the LTM system to control a client's access to server resources based on data stored on a remote LDAP server. Client authorization credentials are based on SSL certificates, as well as defined user groups and roles. |
| Authentication profiles | SSL OCSP | Allows the LTM system to check on the revocation status of a client certificate using data stored on a remote Online Certificate Status Protocol (OCSP) server. Client credentials are based on SSL certificates. |
| Other profiles | OneConnect | Enables client requests to reuse server-side connections. The ability for the LTM system to reuse server-side connections is known as Connection Pooling™. |
| Other profiles | Stream | Defines the behavior of Real-Time Streaming Protocol (RTSP) traffic. |

Default profiles

The LTM system includes a default profile for each profile type listed in Table 5.1. A default profile is a system-supplied profile that contains default values for its settings. An example of a default profile is the http default profile. You can use a default profile as is, or you can create a custom profile based on the default profile.

You can use a default profile in several ways:

  • You can use a default profile as is.
    You simply configure your virtual server to reference the default profile.
  • You can modify the default profile settings (not recommended).
    When you modify a default profile, you lose the original default profile settings. Thus, any custom profiles you create in the future that are based on that default profile inherit the modified settings.
  • You can create a custom profile, based on the default profile (recommended).
    This allows you to preserve the default profile, and instead configure personalized settings in the custom profile. Custom profiles inherit some of the setting values of a parent profile that you specify. After creating a custom profile, you can configure your virtual server to reference the custom profile instead of the default profile. For more information on custom profiles, see Custom and parent profiles, following.
Note

You can modify a default profile, but you cannot create or delete a default profile.
Warning

Once you modify a default profile, the only way to restore the settings to their original values is to manually configure the profile to specify those values.

Custom and parent profiles

A custom profile is a profile that you create. When you create a profile, one of the settings that you specify is the Parent Profile setting. A parent profile is a profile from which your custom profile inherits its settings and their default values.

In general, a custom profile automatically inherits the settings and values of its parent profile. Thus, instead of having to configure every individual setting when you create a custom profile, you simply specify a parent profile, which causes the LTM system to automatically assign values to its settings. The values that it assigns are those of the parent profile.

Note

If you do not specify a parent profile when you create a custom profile, the LTM system automatically assigns the corresponding default profile as the parent profile.

Using the default profile as the parent profile

A typical profile that you can specify as a parent profile when you create a custom profile is a default profile. For example, if you create a custom HTTP-type profile called my_http_profile, you can specify the default profile http as the parent profile. In this case, the LTM system automatically creates the profile my_http_profile so that it contains the same settings and default values as the profile http. The new child profile thus inherits its settings and values from its parent profile.

An exception to this automatic inheritance feature occurs when you modify the settings of a child profile. In this case, the child profile does not inherit parent values for any of the modified settings. This behavior is designed to prevent the LTM system from overwriting any settings that you have modified in a child profile.

For all settings in a child profile that you do not modify, however, the child profile continues to inherit those values from the parent profile.

Using a custom profile as the parent profile

When creating a custom profile, you can specify another custom profile, rather than the default profile, as the parent profile. The only restriction is that the custom profile that you specify as the parent must be of the same profile type as the child. Once you have created the child profile, its settings and default values are automatically those of the custom profile that you specified as the parent.

For example, if you create a profile called my_http_profile2, you can specify the custom profile my_http_profile as its parent. The result is that the default setting values of profile my_http_profile2 are those of its parent profile my_http_profile.

If you subsequently modify the settings of the parent profile, the LTM system automatically propagates those changes to the child profile. For example, if you create the custom profile my_http_profile and use it as a parent profile to create the custom profile my_http_profile2, any changes you make later to profile my_http_profile are automatically propagated to profile my_http_profile2. Again, the exception to this is when you modify any of the settings in the child profile. For those modified settings, the child profile does not inherit the values of its parent.
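The inheritance rules described above, as an added Python example (not F5 code and not part of the original manual). The profile names my_fastl4 and my_fastl4_child are hypothetical, and the two fastL4 values are the defaults listed in Table 5.3; the model reports which profile supplies each effective value, which shows how far a change to a default or parent profile reaches.

```python
# Added illustration: a minimal model of the inheritance rules in this chapter.
# Profile names my_fastl4 and my_fastl4_child are hypothetical; the fastL4
# values are the Idle Timeout / Reset on Timeout defaults from Table 5.3.


class Profile:
    def __init__(self, name, ptype, parent=None, custom=None):
        # A parent must be of the same profile type as the child.
        if parent is not None and parent.ptype != ptype:
            raise ValueError(f"{name}: parent must be of profile type {ptype}")
        self.name, self.ptype, self.parent = name, ptype, parent
        # Settings held by this profile itself (Custom box checked). For a
        # default profile this dict holds every setting of the type.
        self.custom = dict(custom or {})

    def chain(self):
        """This profile, then its parent, grandparent, ... up to the default."""
        out, node = [], self
        while node is not None:
            if node in out:
                raise ValueError(f"{self.name}: parent loop")
            out.append(node)
            node = node.parent
        return out

    def resolve(self, setting):
        """Return (value, name of the profile that supplies the value)."""
        for profile in self.chain():
            if setting in profile.custom:
                return profile.custom[setting], profile.name
        raise KeyError(setting)

    def set_custom(self, setting, value):
        """Check the Custom box: this value no longer follows the parent."""
        self.custom[setting] = value

    def clear_custom(self, setting):
        """Clear the Custom box: the setting follows the parent again."""
        if self.parent is None:
            # A modified default profile can only be restored by hand.
            raise ValueError("a default profile has no parent value to restore")
        self.custom.pop(setting, None)


def inherits_from(profiles, source, setting):
    """Names of the profiles whose effective value for `setting` is supplied
    by `source`, i.e. the profiles that change when `source` changes it."""
    return sorted(p.name for p in profiles
                  if p is not source and p.resolve(setting)[1] == source.name)


def build_example():
    default = Profile("fastL4", "Fast L4",
                      custom={"Idle Timeout": 300, "Reset on Timeout": "Enable"})
    parent = Profile("my_fastl4", "Fast L4", parent=default,
                     custom={"Idle Timeout": 120})
    child = Profile("my_fastl4_child", "Fast L4", parent=parent)
    return default, parent, child


if __name__ == "__main__":
    default, parent, child = build_example()
    profiles = [default, parent, child]
    for p in profiles:
        for s in default.custom:
            value, source = p.resolve(s)
            print(f"{p.name:16} {s:17} = {value!s:7} (from {source})")
    print("a change to fastL4 Reset on Timeout reaches:",
          inherits_from(profiles, default, "Reset on Timeout"))
```

Running the same report before editing a default profile lists every custom profile that will pick up the new value.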

Summarizing profiles

Profiles are a configuration tool that you can use to affect the behavior of certain types of network traffic. By default, the LTM system provides you with a set of profiles that you can use as is. These profiles contain various settings that define the behavior of FastL4, TCP, UDP, RTSP, HTTP, FTP, and SSL traffic. Profiles also give you a way to enable connection and session persistence, and to manage client application authentication. Once you have assigned a profile to a virtual server, the LTM system manages any traffic that corresponds to that profile type according to the settings defined in that profile.

There are two possible types of profiles: default profiles, which the LTM system supplies, and custom profiles, which you create. Default profiles are useful when the values contained in them are sufficient for your needs. Custom profiles are useful when you want your values to differ from those contained in the default profile. To ease your task of configuring and maintaining profiles, the LTM system ensures that a custom profile automatically inherits settings and values from a parent profile.

When you create profiles to manage a type of network traffic, you can use them in the following ways:

  • You do not need to take any action to use the default profiles that are enabled by default. The LTM system uses them to automatically direct the corresponding traffic types according to the values specified in those profiles.
  • You can create a custom profile, using the default profile as the parent profile, modifying some or all of the values defined in that profile.
  • You can create a custom profile to use as a parent profile for other custom profiles.

Creating and modifying profiles

As described in the previous section, profiles are a configuration tool to help you manage your application traffic. To make use of profiles, you can either use the default profiles that the LTM system provides, or you can create your own custom profiles. You can also modify existing profiles as needed.

More specifically, you can:

  • Use a default profile as is.
  • Modify a default profile.
  • Create a custom profile.
  • Modify a custom profile.

The following sections contain the procedures for creating and modifying profiles. To understand individual profile settings and their effect on different types of traffic, see either the remainder of this chapter, or one of the following chapters:

For background information on default and custom profiles, see Introducing profiles.

Using a default profile as is

The LTM system provides a default profile that you can use as is for each type of traffic. A default profile includes default values for any of the properties and settings related to managing that type of traffic. To implement a default profile, you simply assign the profile to a virtual server, using the Configuration utility. You are not required to configure the setting values. For more information, see Implementing a profile.

For information on creating or modifying a virtual server, see Chapter 2, Configuring Virtual Servers.

Modifying a default profile

Using the Configuration utility, you can modify the values of a default profile. We do not recommend this. Although modifying a default profile appears to be simpler and quicker than creating a custom profile, be aware that in so doing, you lose the original values. If you want to reset the profile back to its original state, you must do this manually by modifying the settings of the default profile again to specify the original values. (To find the original default values, see the relevant profile chapter in this guide, or see the online help.)

Modifying and implementing a default profile is a two-step process:

  • First, you must modify the settings of the default profile, using the Configuration utility. For more information, see To modify a default profile, following.
  • Second, you must associate that profile with a virtual server. For information on associating a profile with a virtual server, see Implementing a profile.

To modify a default profile

  1. On the Main tab, expand Local Traffic.
  2. Click Profiles.
    The HTTP Profiles screen opens.
  3. Select the default profile that you want to modify:
    • If you are modifying the http profile, click the name http.
      This displays the properties and settings of the default http profile.
    • If you are modifying a default profile other than the http profile, click the appropriate profile menu on the menu bar and choose a profile type. Then click a profile name.
      This displays the properties and settings of that default profile.
  4. Modify the settings to suit your needs.
  5. Click Update.

Creating a custom profile

If you do not want to use a default profile as is or change its settings, you can create a custom profile. Creating a custom profile and associating it with a virtual server allows you to implement your own specific set of traffic-management policies.

When you create a custom profile, the profile is a child profile and automatically inherits the setting values of a parent profile that you specify. However, you can change any of the values in the child profile to better suit your needs. For background information on custom profiles and inheritance of setting values, see Custom and parent profiles.

If you do not specify a parent profile, the LTM system uses the default profile that matches the type of profile you are creating.

Implementing a custom profile is a two-step process:

  • First, you must create the custom profile, using the Configuration utility. For more information, see To create a custom profile, following.
  • Second, you must associate that profile with a virtual server. For information on associating a profile with a virtual server, see Implementing a profile.
Important

Within the Configuration utility, each profile creation screen contains a check box to the right of each profile setting. When you check a box for a setting and then specify a value for that setting, the profile then retains that value, even if you change the corresponding value in the parent profile later. Thus, checking the box for a setting ensures that the parent profile never overwrites that value through inheritance.

To create a custom profile

  1. On the Main tab, expand Local Traffic.
  2. Click Profiles.
    The Profiles screen opens and, by default, displays a list of any existing HTTP profiles.
  3. Select the type of profile you want to create:
    • If you are creating an HTTP type of profile, proceed to Step 4.
    • If you are creating another type of profile, click a profile category on the menu bar and choose a profile type.
  4. On the right side of the screen, click Create.
    This displays the screen to create a new profile.
  5. In the Name box, type a unique name for your profile.
  6. For the Parent Profile setting, select a profile from the list.
    You can select either the default profile or another custom profile.
  7. Specify, modify, or retain values for all settings:
    • If you want to specify or modify a value, locate the setting, click the box in the Custom column on the right side of the screen, and then type or modify a value.
    • If you want to retain a value inherited from the parent profile, leave the setting as is. Do not check the box in the Custom column.
  8. Click Finished.

Tip

An alternative way to access the New Profile screen is to expand Local Traffic on the Main tab, click the Create button next to the Profiles menu item, and select a profile type.

Modifying a custom profile

Once you have created a custom profile, you can use the Configuration utility to adjust the settings of your custom profile later if necessary. If you have already associated the profile with a virtual server, you do not need to perform that task again.

Important

Within the Configuration utility, each profile creation screen contains a check box to the right of each profile setting. When you check a box for a setting and then specify a value for that setting, the profile then retains that value, even if you change the corresponding value in the parent profile later. Thus, checking the box for a setting ensures that the parent profile never overwrites that value through inheritance.

To modify custom profile settings

  1. On the Main tab, expand Local Traffic.
  2. Click Profiles.
    The HTTP Profiles screen opens.
  3. Point to the menu for the type of profile you want to modify (Services, Persistence, Protocols, SSL, or Authentication) and choose a profile type.
    This displays a list of existing profiles of that type.
  4. In the Name column, click the name of the profile you want to modify.
    This displays the settings and values for that profile.
  5. Modify or retain values for all settings:
    • If you want to modify a value, locate the setting, click the box in the Custom column on the right side of the screen, and then modify the value.
    • If you want to retain a value inherited from the parent profile, leave the setting as is. Do not check the box in the Custom column.
    • If you want to reset a value back to the parent profile value, clear the check box in the Custom column on the right side of the screen.
  6. Click the Update button.

Implementing a profile

Once you have created a profile for a specific type of traffic, you implement the profile by associating that profile with one or more virtual servers.

You associate a profile with a virtual server by configuring the virtual server to reference the profile. Whenever the virtual server receives that type of traffic, the LTM system applies the profile settings to that traffic, thereby controlling its behavior. Thus, profiles not only define capabilities per network traffic type, but also ensure that those capabilities are available for a virtual server.

To assign a profile to a virtual server

  1. On the Main tab, expand Local Traffic.
  2. Click Virtual Servers.
    This displays a list of existing virtual servers.
  3. Click a virtual server name.
    This displays the properties and settings for that virtual server.
  4. Locate the setting for the type of profile you want to assign and select the name of a default or custom profile.
  5. At the bottom of the screen, click Update.
Note

You can also assign a profile to a virtual server at the time that you create the virtual server.

Because certain kinds of traffic use multiple protocols and services, users often create multiple profiles and associate them with a single virtual server.

For example, a client application might use the TCP, SSL, and HTTP protocols and services to send a request. This type of traffic would therefore require three profiles, based on the three profile types TCP, Client SSL, and HTTP.

Each virtual server lists the names of the profiles currently associated with that virtual server. You can add or remove profiles from the profile list, using the Configuration utility.

The LTM system has specific requirements regarding the combinations of profile types allowed for a given virtual server. Table 5.2 shows the specific combinations of profile types that you can configure on a virtual server.

 

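Table 5.2 Profile combinations that the LTM system allows and disallows

| Category | Profile Type | Prerequisite Profiles | Incompatible Profiles |
|---|---|---|---|
| Protocol profiles | Fast L4 | None | All |
| Protocol profiles | Fast HTTP | None | All |
| Protocol profiles | TCP | None | UDP, Fast L4, Fast L7 |
| Protocol profiles | UDP | None | TCP, Fast L4, Fast L7 |
| Services profiles | HTTP | TCP | FTP |
| Services profiles | FTP | TCP | HTTP, Client SSL or Server SSL |
| SSL profiles | Client SSL | TCP | FTP |
| SSL profiles | Server SSL | TCP | FTP |
| Persistence profiles | Cookie | HTTP | N/A |
| Persistence profiles | Destination Address Affinity | Any | None |
| Persistence profiles | Hash | Fast L4, TCP, UDP | N/A |
| Persistence profiles | MSRDP | TCP | N/A |
| Persistence profiles | SIP | TCP or UDP | FTP |
| Persistence profiles | Source Address Affinity | Any | None |
| Persistence profiles | SSL | TCP | FTP |
| Persistence profiles | Universal | None | N/A |
| Authentication profiles | LDAP | TCP | N/A |
| Authentication profiles | RADIUS | TCP | N/A |
| Authentication profiles | TACACS+ | TCP | N/A |
| Authentication profiles | SSL Client Certificate LDAP | TCP | N/A |
| Authentication profiles | OCSP | TCP | N/A |
| Other profiles | OneConnect | TCP | N/A |
| Other profiles | Statistics | TCP | N/A |
| Other profiles | Stream | TCP | Fast L4, UDP |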

In directing traffic, if a virtual server requires a specific type of profile that does not appear in its profile list, the LTM system uses the relevant default profile, automatically adding the profile to the profile list. For example, if a client application sends traffic over TCP, SSL, and HTTP, and you have assigned SSL and HTTP profiles only, the LTM system automatically adds the default profile tcp to its profile list.

At a minimum, a virtual server must reference a profile, and that profile must be associated with a UDP, FastL4, Fast HTTP, or TCP profile type. Thus, if you have not associated a profile with the virtual server, the LTM system adds a UDP, FastL4, Fast HTTP, or TCP default profile to the profile list.

The default profile that the LTM system chooses depends on the configuration of the virtual server's protocol setting. If the protocol setting is set to UDP, the LTM system adds the udp profile to its profile list. If the protocol setting is set to anything other than UDP, the LTM system adds the FastL4 profile to its profile list.

Configuring protocol-type profiles

Some of the profiles that you can configure are known as Protocol profiles. The Protocol profile types are:

  • Fast L4
  • Fast HTTP
  • TCP
  • UDP

For each Protocol profile type, the LTM system provides a pre-configured profile with default settings. In most cases, you can use these default profiles as is. If you want to change these settings, you can configure protocol profile settings when you create a profile, or after profile creation by modifying the profile's settings.

The remainder of this section lists the traffic-management settings contained in the Fast L4, Fast HTTP, TCP, and UDP profiles. For information on configuring other types of profiles, see the following:

The Fast L4 profile type

The purpose of a Fast L4 profile is to help you manage Layer 4 traffic more efficiently. When you assign a Fast L4 profile to a virtual server, the Packet Velocity ASIC® (PVA) hardware acceleration within the BIG-IP system can process some or all of the Layer 4 traffic passing through the system. By offloading Layer 4 processing to the PVA hardware acceleration, the BIG-IP system can increase performance and throughput for basic routing functions (Layer 4) and application switching (Layer 7).

You can use a Fast L4 profile with these types of virtual servers: Performance (Layer 4), Forwarding (Layer 2), and Forwarding (IP). Therefore, you can use a Fast L4 profile when you do not need the following traffic management features:

  • HTTP optimizations
  • TCP optimizations
  • OneConnect™
  • iRules™ for non-Layer 4 events
  • Session persistence types other than source address affinity or destination address affinity persistence
  • HTTP data compression
  • Remote authentication
  • HTTP pipelining

For your typical needs, most of the Fast L4 profile settings suffice. The specific settings that you might want to change are Reset on Timeout and Idle Timeout.

Note

Any changes you make to an existing Fast L4 profile take effect on a connection only after the Idle Timeout value has expired or the connection is closed.

Table 5.3 lists and describes the settings of the Fast L4 profile type.

Table 5.3 Settings of a Fast L4 profile

| Setting | Description | Default Value |
|---|---|---|
| Name | This setting specifies a unique name for the profile. | No default value |
| Parent Profile | This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all non-custom settings and values from the parent profile specified. | fastL4 |
| Reset on Timeout | If this setting is enabled and a TCP connection exceeds the timeout value for idle connections, the LTM system sends a reset in addition to deleting the connection. | Enable |
| Reassemble IP Fragments | If this setting is enabled, the LTM system reassembles IP fragments. | Disable |
| Idle Timeout | This setting specifies the number of seconds that a connection is idle before the connection is eligible for deletion. | 300 |
| Max Segment Size Override | If set to a non-zero value, this setting overrides the maximum segment size of 1460. | 0 |
| PVA Acceleration | This setting specifies the maximum acceleration mode that you prefer the system to use. Note that depending on the virtual server configuration, the system might or might not accelerate traffic in this mode. Possible values are Full, Assisted, or None. Additional information on this setting follows this table. | Full |
| IP ToS to Client | This setting specifies the Type of Service level that the LTM system assigns to UDP packets when sending them to clients. | 65535 |
| IP ToS to Server | This setting specifies the Type of Service level that the LTM system assigns to UDP packets when sending them to servers. | 65535 |
| Link QoS to Client | This setting specifies the Quality of Service level that the LTM system assigns to UDP packets when sending them to clients. | 65535 |
| Link QoS to Server | This setting specifies the Quality of Service level that the LTM system assigns to UDP packets when sending them to servers. | 65535 |
| TCP Timestamp Mode | Specifies the action that the LTM system should take on TCP timestamps. Possible values are: Preserve, Strip, and Rewrite. | Preserve |
| TCP Window Scale Mode | Specifies the action that the LTM system should take on TCP windows. Possible values are: Preserve, Strip, and Rewrite. | Preserve |
| Generate Internal Sequence Numbers | Enables the LTM system to generate its own sequence numbers for SYN packets, according to RFC 1948. When enabled, this setting allows timestamp recycling. | Disabled |
| Strip Sack OK | Enables the LTM system to block a TCP SackOK option from passing to the server on an initiating SYN. | Disabled |
| RTT from Client | Specifies that the LTM system should use TCP timestamp options to measure the round-trip time to the client. | Disabled |
| RTT from Server | Specifies that the LTM system should use TCP timestamp options to measure the round-trip time to the server. | Disabled |

Once you implement a Fast L4 profile, the BIG-IP system automatically selects the most efficient PVA hardware acceleration mode for Layer 4 traffic. Possible modes are Full, Assisted, and None.

The particular hardware acceleration mode that the BIG-IP system selects depends on these factors:

  • The Fast L4 profile settings
    The mode that the BIG-IP system selects is influenced by the way that you configure the settings of the Fast L4 profile.
  • The virtual server configuration
    The mode that the BIG-IP system selects is influenced by the specific features that you assigned to the virtual server (such as pools, SNAT pools, and iRules).
  • The value of the PVA Acceleration setting
    The PVA Acceleration setting in the Fast L4 profile defines the maximum amount of hardware acceleration that you want to allow, for Layer 4 traffic passing through the virtual server. Therefore, if you set the value to:
    • Full (the default value)--The system can set hardware acceleration to any of the three modes, depending on the virtual server configuration.
    • Assisted--The system can set hardware acceleration to either Assisted or None mode, depending on the virtual server configuration.
    • None--The system does not perform hardware acceleration.

One reason that you might want to set the maximum hardware acceleration mode to less than Full is for viewing connections with the bigpipe conn show command. This command only shows Layer 4 connections when the hardware acceleration mode is set to Assisted or None. If the mode is set to Full, the bigpipe conn show command shows no Layer 4 connections.

Depending on the current mode to which hardware acceleration is automatically set, the BIG-IP system accelerates Layer 4 traffic as described in Table 5.4.

Table 5.4 Effect of PVA hardware acceleration mode on Layer 4 traffic

| Hardware Acceleration Mode | Result |
|---|---|
| Full | The hardware acceleration processes all Layer 4 traffic. Layer 4 traffic is not managed through the use of BIG-IP software features. In this case, the BIG-IP system treats client-side and server-side packets as part of the same connection. An example of using hardware acceleration in Full mode is when you want to load balance Layer 4 traffic to two servers, using the Round Robin load balancing method, with no session persistence or iRules. |
| Assisted | The BIG-IP system load balances all SYN packets, while the hardware acceleration assists with the remaining packets, including the tearing down of connections. An example of using hardware acceleration in Assisted mode is when you want to load balance Layer 4 traffic using a dynamic load balancing method, or using a simple iRule that examines the IP addresses contained in the packets. Note: When the BIG-IP system sets the hardware acceleration mode to Assisted, a Fast L4 profile is compatible with SNATs and SNAT pools, as well as with source address affinity persistence. |
| None | The hardware acceleration does not process any Layer 4 traffic. The BIG-IP application manages all Layer 4 traffic. In this case, the BIG-IP system treats client-side and server-side packets as separate connections. An example of using hardware acceleration in None mode is when you want to load balance traffic using an HTTP profile, as well as an iRule that performs delayed binding and cookie session persistence. |

The Fast HTTP profile type

The Fast HTTP profile is a configuration tool designed to speed up certain types of HTTP connections. This profile combines selected features from the TCP, HTTP, and OneConnect profiles into a single profile that is optimized for the best possible network performance. When you associate this profile with a virtual server, the virtual server processes traffic packet-by-packet, and at a significantly higher speed.

You might consider using a Fast HTTP profile when:

  • You do not need features such as session persistence, remote server authentication, SSL traffic management, and TCP optimizations, nor HTTP features such as data compression, pipelining, and RAM Cache.
  • You do not need to maintain source IP addresses.
  • You want to reduce the number of connections that are opened to the destination servers.
  • The destination servers support connection persistence, that is, HTTP/1.1, or HTTP/1.0 with Keep-Alive headers. Note that IIS servers support connection persistence by default.
  • You need basic iRule support only (such as limited Layer 4 support and limited HTTP header operations). For example, you can use the iRule events CLIENT_ACCEPTED, SERVER_CONNECTED, and HTTP_REQUEST.

A significant benefit of using a Fast HTTP profile is the way in which the profile supports connection persistence. Using a Fast HTTP profile ensures that for client requests, the BIG-IP system can transform or add an HTTP Connection header to keep connections open. Using the profile also ensures that the BIG-IP system pools any open server-side connections. This support for connection persistence can greatly reduce the load on destination servers by removing much of the overhead caused by the opening and closing of connections. For more information on HTTP header transformation, see Chapter 6, Managing HTTP and FTP Traffic. For more information on the pooling of server-side connections, see The OneConnect profile type.

Note

The Fast HTTP profile is incompatible with all other profile types. Also, you cannot use this profile type in conjunction with VLAN groups, or with the IPv6 address format.

Table 5.5 lists and describes the settings of a Fast HTTP profile type.

Table 5.5 Settings of a Fast HTTP profile

| Setting | Description | Default Value |
|---|---|---|
| Name | This setting specifies a unique name for the profile. | No default value |
| Parent Profile | This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all non-custom settings and values from the parent profile specified. | fasthttp |
| Reset on Timeout | Specifies, when checked (enabled), that the system sends a TCP RESET packet when a connection times out, and deletes the connection. | Enabled (checked) |
| Idle timeout | This setting specifies the number of seconds that a connection is idle before the connection flow is eligible for deletion because it has no traffic. Possible values are: Specify, Immediate, and Indefinite. For more information, see the online help. | 300 |
| Maximum Segment Size Override | Specifies a maximum segment size (MSS) override for server-side connections. The default setting is 0, which corresponds to an MSS of 1460. You can specify any integer between 536 and 1460. | 0 |
| Client Close Timeout | Specifies the number of seconds after which the system closes a client connection, when the system either receives a client FIN packet or sends a FIN packet to the client. This setting overrides the Idle Timeout setting. Possible values are: Specify, Immediate, and Indefinite. For more information, see the online help. | 5 |
| Server Close Timeout | Specifies the number of seconds after which the system closes a client connection, when the system either receives a server FIN packet or sends a FIN packet to the server. This setting overrides the Idle Timeout setting. Possible values are: Specify, Immediate, and Indefinite. For more information, see the online help. | 5 |
| Unclean Shutdown | Specifies how the system handles closing connections. Possible values are: Disabled, Enabled, and Fast. For more information, see the online help. | Disabled |
| Force HTTP 1.0 Response | Specifies, when checked (enabled), that the server sends responses to clients in the HTTP/1.0 format. This effectively disables client chunking and pipelining. | Disabled (unchecked) |
| Maximum Pool Size | Specifies the maximum number of connections a load balancing pool can accept. A setting of 0 specifies that a pool can accept an unlimited number of connections. | 2048 |
| Minimum Pool Size | Specifies the minimum number of connections that a load balancing pool can accept. A setting of 0 specifies that there is no minimum. | 0 |
| Ramp-Up Increment | Specifies the increment in which the system makes additional connections available, when all available connections are in use. | 4 |
| Maximum Reuse | Specifies the maximum number of times that the system can re-use a current connection. | 0 |
| Idle Timeout Override | Specifies the number of seconds after which a server-side connection in a pool is eligible for deletion, when the connection has no traffic. This setting overrides the Idle Timeout setting. Possible values are: Specify, Disabled, and Indefinite. For more information, see the online help. | Disabled |
| Replenish | Specifies whether the LTM system should maintain a steady-state maximum number of back-end connections. If you disable this setting, the system does not keep a steady-state maximum of connections to the back end, unless the number of connections to the pool drops below the value specified in the Minimum Pool Size setting. | Enabled (checked) |
| Parse Requests | Specifies, when checked (enabled), that the system parses the HTTP data in the connection stream. Note that if you are using a Fast HTTP profile for non-HTTP traffic, you should disable this setting to shield against distributed denial-of-service (DDoS) attacks. | Enabled (checked) |
| Maximum Header Size | Specifies the maximum amount of HTTP header data that the system buffers before making a load balancing decision. | 32768 |
| Maximum Requests | Specifies the maximum number of requests that the system allows for a single client-side connection. When the specified limit is reached, the final response contains a Connection: close header and is followed by the closing of the connection. The default setting of 0 means that the system allows an infinite number of requests per client-side connection. | 0 |
| Insert XForwarded For | Specifies whether the system inserts the X-Forwarded-For header in an HTTP request with the client IP address, to use with connection pooling. Possible settings are Enabled and Disabled. For more information, see the online help. | Disabled |
| Header Insert | Specifies a string that the system inserts as a header in an HTTP request. If the header exists already, the system does not replace it. | No default value |


When writing iRules™, you can specify a number of events and commands that the Fast HTTP profile supports. The iRule events that the Fast HTTP profile supports are:

  • CLIENT_ACCEPTED
  • SERVER_CONNECTED
  • HTTP_REQUEST

The iRule commands that the Fast HTTP profile supports are:

  • HTTP::method
  • HTTP::uri
  • HTTP::version
  • HTTP::header exists
  • HTTP::header value
  • HTTP::header insert

For more information about these iRule events and commands, see Chapter 13, Writing iRules.
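The two lists above can be turned into a check that runs before an iRule is attached to a virtual server that uses a Fast HTTP profile. The following Python script is an added example, not part of the F5 manual or product: it reports events and HTTP:: commands in an iRule's text that are outside those lists. The sample iRule is constructed, and commands outside the HTTP:: namespace are not judged because the page does not enumerate them.

```python
import re

# Events and commands this page lists as supported by the Fast HTTP profile.
FASTHTTP_EVENTS = {"CLIENT_ACCEPTED", "SERVER_CONNECTED", "HTTP_REQUEST"}
FASTHTTP_HTTP_COMMANDS = {
    "HTTP::method", "HTTP::uri", "HTTP::version",
    "HTTP::header exists", "HTTP::header value", "HTTP::header insert",
}

EVENT_RE = re.compile(r"\bwhen\s+([A-Z][A-Z0-9_]*)")
HTTP_CMD_RE = re.compile(r"\bHTTP::(\w+)(?:[ \t]+(\w+))?")


def lint_for_fasthttp(source):
    """Return (line_no, kind, name) for each event or HTTP:: command in the
    iRule text that is not in the Fast HTTP lists above."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # Tcl comment line: commented-out code is not reported
        for match in EVENT_RE.finditer(line):
            if match.group(1) not in FASTHTTP_EVENTS:
                findings.append((line_no, "event", match.group(1)))
        for match in HTTP_CMD_RE.finditer(line):
            name = "HTTP::" + match.group(1)
            if match.group(1) == "header":
                # Only the explicit exists/value/insert forms are listed, so
                # any other HTTP::header form is reported.
                name = (name + " " + (match.group(2) or "")).strip()
            if name not in FASTHTTP_HTTP_COMMANDS:
                findings.append((line_no, "command", name))
    return findings


# Constructed sample iRule (not from the manual).
SAMPLE_IRULE = """\
when HTTP_REQUEST {
  # HTTP::cookie is mentioned only in this comment
  if { [HTTP::header exists "X-Tenant"] } {
    HTTP::header remove "X-Tenant"
  }
  HTTP::header insert "X-Via" "ltm"
  set path [HTTP::path]
}
when HTTP_RESPONSE {
  HTTP::header insert "X-Frame-Options" "DENY"
}
"""

if __name__ == "__main__":
    for line_no, kind, name in lint_for_fasthttp(SAMPLE_IRULE):
        print(f"line {line_no}: {kind} {name} is not in the Fast HTTP lists")
```

A finding on a header-stripping or header-setting line is worth attention, because a rule that is relied on for request sanitization or response hardening would not behave as written under this profile.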

The TCP profile type

The TCP profile is a configuration tool for managing TCP network traffic. Many of the TCP profile settings are standard SYSCTL types of settings, while others are unique to the LTM system.

A TCP profile is important because it is required for implementing certain types of other profiles. For example, by implementing the TCP and HTTP profiles, along with a persistence profile and a remote authentication profile, you can take advantage of these traffic management features:

  • Content spooling to reduce server load
  • OneConnect, which pools server-side connections
  • Layer 7 session persistence, such as hash or cookie persistence
  • iRules for managing HTTP traffic
  • HTTP RamCache
  • HTTP data compression
  • HTTP pipelining
  • Application authentication using a remote server
  • Rewriting of HTTP redirections

Table 5.6 lists and describes the settings of a TCP profile type.

Table 5.6 Settings of a TCP profile

| Setting | Description | Default Value |
|---|---|---|
| Name | This setting specifies a unique name for the profile. | No default value |
| Parent Profile | This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all non-custom settings and values from the parent profile specified. | tcp |
| Reset on Timeout | If this setting is enabled and a TCP connection exceeds the timeout value for idle connections, the LTM system sends a reset in addition to deleting the connection. | Enabled |
| Time Wait Cycle | This setting recycles the connection when a SYN packet is received in a TIME-WAIT state. | Enabled |
| Delayed ACKs | If this setting is enabled, the LTM system allows coalescing of multiple acknowledgement (ACK) responses. | Enabled |
| Proxy Maximum Segment | Advertises the same maximum segment to the server as was negotiated with the client. | Enabled |
| Proxy Options | Advertises an option (such as timestamps) to the server only if it was negotiated with the client. | Disabled |
| Proxy Buffer Low | Specifies the proxy buffer level at which the receive window is opened. | 4096 |
| Proxy Buffer High | Specifies the proxy buffer level at which the receive window is closed. | 16384 |
| Idle Timeout | This setting specifies the number of seconds that a connection is idle before the connection is eligible for deletion. | 300 |
| Time Wait | This setting specifies the number of milliseconds that a connection is in a TIME-WAIT state before entering the CLOSED state. | 2000 |
| FIN Wait | This setting specifies the number of seconds that a connection is in the FIN-WAIT or CLOSING state before quitting. A value of 0 represents a term of forever (or until the metrics of the FIN state). | 5 |
| Close Wait | This setting specifies the number of seconds that a connection remains in a LAST-ACK state before quitting. A value of 0 represents a term of forever (or until the metrics of the FIN state). | 5 |
| Send Buffer | This setting specifies the send buffer size, in bytes. | 8192 |
| Receive Window | This setting specifies the receive window size, in bytes. | 32768 |
| Keep Alive Interval | This setting specifies the keep-alive probe interval, in milliseconds. | 1800 |
| Maximum SYN Retransmissions | This setting specifies the maximum number of retransmissions of SYN segments that the LTM system allows. | 4 |
| Maximum Segment Retransmissions | This setting specifies the maximum number of retransmissions of data segments that the LTM system allows. | 8 |
| IP ToS | This setting specifies the Type of Service level that the LTM system assigns to TCP packets when sending them to clients. | 0 |
| Link QoS | This setting specifies the Quality of Service level that the LTM system assigns to TCP packets when sending them to clients. | 0 |
| Selected ACKs | This setting specifies, when checked (enabled), that the system processes data using selective ACKs whenever possible, to improve system performance. | Enabled (checked) |
| Extended Congestion Notification | This setting specifies, when checked (enabled), that the system uses the TCP flags CWR and ECE to notify its peer of congestion and congestion counter-measures. | Disabled (unchecked) |
| Extensions for High Performance (RFC 1323) | This setting specifies, when checked (enabled), that the system uses the timestamp and window scaling extensions for TCP (as specified in RFC 1323) to enhance high-speed network performance. | Enabled (checked) |
| Limited Transmit Recovery | This setting specifies, when checked (enabled), that the system uses limited transmit recovery revisions for fast retransmits (as specified in RFC 3042) to reduce the recovery time for connections on a lossy network. | Enabled (checked) |
| Slow Start | This setting specifies, when checked (enabled), that the system uses larger initial window sizes (as specified in RFC 3390) to help reduce round trip times. | Enabled (checked) |
| Deferred Accept | This setting specifies, when checked (enabled), that the system defers allocation of the connection chain context until the system has received the payload from the client. Enabling this setting is useful in dealing with 3-way handshake denial-of-service attacks. | Disabled (unchecked) |
| Bandwidth Delay | This setting specifies, when checked (enabled), that the system attempts to calculate the optimal bandwidth to use to the client, based on throughput and round-trip time, without exceeding the available bandwidth. | Enabled (checked) |
| Nagle's Algorithm | Specifies, when checked (enabled), that the system applies Nagle's algorithm to reduce the number of short segments on the network. The default setting is disabled. Note that enabling this setting for interactive protocols such as telnet may cause degradation on high-latency networks. | Enabled (checked) |

 

For most of the TCP profile settings, the default values usually meet your needs. However, if the link that clients are using to access the virtual server is slow, or if server response time exceeds the request time of clients, you can increase the content spooling settings of the profile:

  • Proxy Buffer Low
  • Proxy Buffer High
  • Send Buffer
  • Receive Window

Increasing the byte values of these settings increases the amount of data that the BIG-IP system can buffer while waiting for a specific connection to accept that data.

Note

If you are using a TCP profile in a test environment, you can improve performance by disabling the Slow Start, Bandwidth Delay, and Nagle's Algorithm settings.

The UDP profile type

The UDP profile is a configuration tool for managing UDP network traffic. Table 5.7 lists and describes the settings of a UDP profile type.

Table 5.7 Settings of a UDP profile

| Setting | Description | Default Value |
|---|---|---|
| Name | This setting specifies a unique name for the profile. | No default value |
| Parent Profile | This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all non-custom settings and values from the parent profile specified. | udp |
| Idle timeout | This setting specifies the number of seconds that a connection is idle before the connection flow is eligible for deletion. | 60 |
| IP ToS | This setting specifies the Type of Service level that the LTM system assigns to UDP packets when sending them to clients. | 0 |
| Link QoS | This setting specifies the Quality of Service level that the LTM system assigns to UDP packets when sending them to clients. | 0 |
| Datagram LB | This setting specifies, when checked (enabled), that the system load balances UDP traffic packet-by-packet. | Disabled (unchecked) |


Configuring other types of profiles

Some of the other profile types that you can configure are:

  • OneConnect
  • Statistics
  • Stream

For each Protocol profile type, the LTM system provides a pre-configured profile with default settings. In most cases, you can use these default profiles as is. If you want to change these settings, you can configure protocol profile settings when you create a profile, or after profile creation by modifying the profile's settings.

The following sections list the traffic-management settings contained in OneConnect, Statistics, and Stream profiles. For information on configuring other types of profiles, see the following:

The OneConnect profile type

The OneConnect™ profile is a configuration tool for enabling connection pooling on an LTM system. Connection pooling optimizes the way that the LTM system handles connections. When connection pooling is enabled on an LTM system, client requests can utilize existing, server-side connections, thus reducing the number of server-side connections that a server must open to service those requests.

The LTM system can pool connections from multiple virtual servers if those virtual servers reference the same OneConnect profile and the same pool. Table 5.8 lists and describes the settings of a OneConnect profile type.

Tip


You can also enable a related feature known as the OneConnect Transformations feature. You enable this feature from within an HTTP profile. The OneConnect Transformations HTTP profile setting applies to HTTP/1.0 connections, and when enabled, causes the system to transform the value of the Connection header in an HTTP request to Keep-Alive, to keep a connection open. This feature, together with a OneConnect profile, optimizes connection persistence.

 

Table 5.8 Settings of a OneConnect profile

| Setting | Description | Default Value |
|---|---|---|
| Name | This setting specifies a unique name for the profile. | No default value |
| Parent Profile | This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all non-custom settings and values from the parent profile specified. | oneconnect |
| Source Mask | The LTM system applies the value of this setting to the source address to determine its eligibility for reuse. A mask of 0 causes the LTM system to share reused connections across all clients. A host mask (that is, all 1 values in binary), causes the LTM system to share only those reused connections originating from the same client IP address. | 0.0.0.0 |
| Max Size | This setting defines the maximum number of connections that the LTM system holds in the connection reuse pool. If the pool is already full, then a server-side connection closes after the response is completed. | 10000 |
| Max Age | This setting defines the maximum number of seconds allowed for a connection in the connection reuse pool. For any connection with an age higher than this value, the LTM system removes that connection from the reuse pool. | 86400 |
| Max Reuse | This setting specifies the maximum number of times that a server-side connection can be reused. | 1000 |
| Idle Timeout Override | This setting specifies the number of seconds that a connection is idle before the connection flow is eligible for deletion. You can use this setting to increase the timeout value for connections once they are pooled for re-use. Possible values are Disabled, Indefinite, or a numeric value that you specify. | Disabled |
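How the Source Mask, Max Size, and Max Reuse settings interact can be seen in a small model of the reuse pool. This Python example is added here and is not F5 code; it assumes IPv4 clients, a single pool member, and requests that complete one at a time, and it does not model Max Age or idle timeouts.

```python
import ipaddress


def reuse_key(client_ip, source_mask):
    """Apply the Source Mask to a client address; equal keys may share a connection."""
    ip = int(ipaddress.IPv4Address(client_ip))
    mask = int(ipaddress.IPv4Address(source_mask))
    return str(ipaddress.IPv4Address(ip & mask))


class ReusePool:
    """Simplified model of the OneConnect connection reuse pool (an assumption,
    not the product's implementation)."""

    def __init__(self, source_mask="0.0.0.0", max_size=10000, max_reuse=1000):
        self.source_mask = source_mask
        self.max_size = max_size
        self.max_reuse = max_reuse
        self.idle = []      # pooled connections: {"id", "key", "reuses"}
        self.opened = 0     # server-side connections opened so far

    def request(self, client_ip):
        """Serve one request and return the id of the server-side connection used."""
        key = reuse_key(client_ip, self.source_mask)
        conn = next((c for c in self.idle if c["key"] == key), None)
        if conn is not None:
            self.idle.remove(conn)
            conn["reuses"] += 1
        else:
            self.opened += 1
            conn = {"id": self.opened, "key": key, "reuses": 0}
        # After the response: keep the connection only if it may be reused
        # again and the pool is not already full; otherwise it closes.
        if conn["reuses"] < self.max_reuse and len(self.idle) < self.max_size:
            self.idle.append(conn)
        return conn["id"]


def simulate(clients, source_mask, **limits):
    """Return {connection id: [client IPs whose requests it carried]}."""
    pool = ReusePool(source_mask, **limits)
    carried = {}
    for ip in clients:
        carried.setdefault(pool.request(ip), []).append(ip)
    return carried


# Constructed request sequence: two clients in 10.1.1.0/24, one in 10.1.2.0/24.
CLIENTS = ["10.1.1.10", "10.1.1.20", "10.1.2.30", "10.1.1.10"]

if __name__ == "__main__":
    for mask in ("0.0.0.0", "255.255.255.0", "255.255.255.255"):
        print(mask, simulate(CLIENTS, mask))
```

With the default mask of 0.0.0.0, a single server-side connection carries the requests of every client in the sample, so the pool member cannot attribute a request to a client by connection alone.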

 

The Statistics profile type

The Statistics profile provides user-defined statistical counters. Each profile contains 32 settings (Field1 through Field32), which define named counters. Using a Tcl-based iRule command, you can use the names to manipulate the counters while processing traffic.

For example, you can assign the counters tot_users, cur_users, and max_users to the Statistics profile settings Field1, Field2, and Field3 respectively, and then write an iRule as shown in Figure 5.1:

 

Figure 5.1 Example of Statistics profile counters used in an iRule
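rule track_users {
  when CLIENT_ACCEPTED {
    # Count every accepted connection.
    STATS::incr users tot_users
    # Increment the current-connection counter and record its peak value.
    STATS::setmax users max_users [STATS::incr users cur_users]
  }
  when CLIENT_CLOSED {
    # A connection closed: decrement the current-connection counter.
    STATS::incr users cur_users -1
  }
}
virtual users_tcp {
  profile tcp users
  rule track_users
  ...
}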

 

In this example, the counter tot_users counts the total number of connections, the counter cur_users counts the current number of connections, and the counter max_users retains the largest value of the counter cur_users.

For information on iRules STATS commands, see Chapter 13, Writing iRules.

The Stream profile type

You can use the Stream profile to search and replace strings within a data stream, such as a TCP connection. Table 5.9 lists and describes the settings of a Stream profile type.

Table 5.9 Settings of a Stream profile

| Setting | Description | Default Value |
|---|---|---|
| Name | This setting specifies a unique name for the profile. | No default value |
| Parent Profile | This setting specifies the profile that you want to use as the parent profile. Your new profile inherits all non-custom settings and values from the parent profile specified. | stream |
| Source | Specifies the source string for which to search. | No default value |
| Target | Specifies the target string to replace. | No default value |

 

Managing profiles

Using the Configuration utility, you can not only create and implement profiles, but also:

  • View the settings of an existing profile
  • Delete a profile
  • View or reset profile statistics

Viewing profiles

You can view profile settings and values, using the Configuration utility.

To view profile settings

  1. On the Main tab, expand Local Traffic.
  2. Click Profiles.
    The Profiles screen opens.
  3. Point to the menu for the type of profile you want to view (Services, Persistence, Protocol, SSL, or Authentication) and choose a profile type.
    This displays a list of existing profiles of that type.
  4. In the Name column, click the name of the profile you want to view.
    This displays the settings and values for that profile.

Tip


When listing existing profiles, you can use the Search box that appears directly above the profile list. With the Search box, you can specify a string to filter the list, thereby showing only those objects that match the string. The default setting is an asterisk (*), which means show all objects.

Deleting profiles

You can delete an existing profile, using the Configuration utility, as long as the profile is not referenced by a virtual server.

To delete a profile

  1. On the Main tab, expand Local Traffic.
  2. Click Profiles.
    The Profiles screen opens.
  3. Point to the menu for the type of profile you want to view (Services, Persistence, Protocol, SSL, or Authentication) and choose a profile type.
    This displays a list of existing profiles of that type.
  4. In the Select column, check one or more boxes next to the names of the profiles you want to delete.
  5. Click the Delete button.
    This displays the Delete Confirmation screen.
  6. Verify that all check boxes in the list are checked, and click the Delete button to permanently delete those profiles.

Using profiles with iRules

In some cases, the best way to manage a particular type of connection is to create an iRule. A good example is when you want to insert a header into an HTTP request and then direct the request based on the information in that header.

An iRule is a user-written script that manages a particular traffic connection when the connection meets certain criteria. For example, you can write an iRule that states that if a header in an HTTP request contains a certain string, the LTM system should send that request to the pool http_pool. An iRule is triggered when an event occurs that is specified within that iRule. iRule events are categorized into specific types, such as TCP, SSL, and HTTP.

When an iRule event occurs, the LTM system cannot actually trigger the iRule unless the virtual server has a profile in its profile list that corresponds to that event type. For example, if an iRule specifies an HTTP event, the virtual server must reference a profile that is based on the HTTP profile type.

The following list shows the possible types of iRule events and their profile requirements.

  • IP events
    No profile requirement
  • UDP events
    Requires a UDP- or FastL4-based profile
  • TCP events
    Requires a TCP- or FastL4-based profile
  • FTP events
    Requires an FTP-based profile
  • HTTP events
    Requires an HTTP- and a TCP-based profile
  • SSL events
    Requires either a Client SSL- or Server SSL-based profile, depending on the iRule context
  • AUTH events
    Requires an authentication profile

For more information on iRule events, see Chapter 13, Writing iRules.
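The requirement list above lends itself to a check that runs before an iRule is attached to a virtual server, since an event whose profile is missing is never triggered. This added Python example (not from the F5 manual) resolves each profile's Parent Profile chain to its base type and reports event types that could never fire. The custom profile names are constructed, the root profile names other than tcp and udp are assumed, and AUTH events are left out because this section names no root authentication profile.

```python
# Root (system-supplied) profiles and the base type each represents.
# tcp and udp appear in this chapter's tables; the other names are assumed.
ROOT_TYPES = {
    "tcp": "TCP", "udp": "UDP", "fastL4": "FastL4", "http": "HTTP",
    "ftp": "FTP", "clientssl": "Client SSL", "serverssl": "Server SSL",
}

# Event type -> alternatives; every base type in one alternative must be present.
REQUIREMENTS = {
    "IP": [set()],                        # no profile requirement
    "UDP": [{"UDP"}, {"FastL4"}],
    "TCP": [{"TCP"}, {"FastL4"}],
    "FTP": [{"FTP"}],
    "HTTP": [{"HTTP", "TCP"}],            # needs both
    "SSL/clientside": [{"Client SSL"}],   # depends on the iRule context
    "SSL/serverside": [{"Server SSL"}],
}


def base_type(name, parents):
    """Follow Parent Profile links until a root profile is reached."""
    seen = set()
    while name not in ROOT_TYPES:
        if name in seen or name not in parents:
            raise ValueError(f"cannot resolve parent chain of {name!r}")
        seen.add(name)
        name = parents[name]
    return ROOT_TYPES[name]


def events_that_cannot_fire(event_types, virtual_profiles, parents):
    """Return {event type: missing requirement} for one virtual server."""
    bases = {base_type(p, parents) for p in virtual_profiles}
    blocked = {}
    for etype in event_types:
        alternatives = REQUIREMENTS[etype]
        if not any(alt <= bases for alt in alternatives):
            blocked[etype] = " or ".join(
                " + ".join(sorted(alt)) for alt in alternatives)
    return blocked


# Constructed custom profiles: name -> Parent Profile.
PARENTS = {
    "web_hardened": "web_base", "web_base": "http",
    "tcp_lan": "tcp", "l4_fast": "fastL4",
}

if __name__ == "__main__":
    # A rule using TCP, HTTP and client-side SSL events on a virtual server
    # that has no Client SSL-based profile.
    print(events_that_cannot_fire(
        ["TCP", "HTTP", "SSL/clientside"], ["tcp_lan", "web_hardened"], PARENTS))
```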



