
Post on 27-Nov-2014

Adaptive Private Networking TCP Termination Application Note


Talari APN TCP Termination Application Note

Talari Networks is a trademark of Talari Networks, Inc. in the United States and other countries.

All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

All specifications are subject to change without notice.

Products made or sold by Talari Networks or components thereof may be covered by one or more of the following patents that are owned by or licensed to Talari Networks: U.S. Patents pending.

Copyright © 2011, Talari Networks, Inc. All rights reserved.

The information in this document is current as of the date listed in the revision history.

Talari Networks assumes no responsibility for any inaccuracies in this document. Talari Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Talari Networks, Inc.
550 S. Winchester Blvd., Suite 500
San Jose, CA 95128

Phone: 408.689.0400
Fax: 408.864.2124

Web: www.talari.com

Last Update: 3/22/2011


Table of Contents

Introduction
    About This Application Note
    Introduction to TCP termination
Functionality in Detail
Configuration Commands
Design Consideration
Troubleshooting TCP Termination
Summary


Introduction

About This Application Note

The purpose of this application note is to help the reader understand the concept and operation of TCP termination within Adaptive Private Networking (APN). Configuration commands required to enable this capability are also discussed in this document. The reader of this document is expected to be a network administrator or a network architect.

Introduction to TCP termination

Without TCP termination, a single TCP connection is established from Host-A to Host-B, where the two hosts reside on separate network segments across the WAN (see Figure 1). TCP termination provides the ability to split a single TCP connection into three separate TCP connections, all managed and maintained by the APN, as shown in Figure 2. TCP termination is only used for conduit traffic.

[Figure 1: TCP Connection End-to-End. Labels: Host-A, Host-B, NCN Site, Client Site, NCN-RTR, Client-RTR, WAN.]

In Figures 1 and 2, the diagrams indicate traffic flow from the NCN site to a Client site. Traffic flow could also be Client to Client traffic through a conduit. For diagram simplification, a typical two site Talari APN is depicted, one NCN and one Client site. The assumption in Figure 2 is that a Talari conduit between APNAs exists.

[Figure 2: TCP termination. Labels: Host-A, Host-B, NCN Site, Client Site, NCN-RTR, Client-RTR, APNA-A, APNA-B, WAN, TCP 1, TCP 2, Talari TCP Over Talari Conduit.]

The three separate connections used for TCP termination would be defined as:

• Host A to APNA-A

• APNA-A to APNA-B (conduit services)

• APNA-B to Host B

Some of the benefits of TCP termination include the ability to increase throughput across the conduit/WAN. Significant performance improvements are seen when there is loss on the link, a high round-trip time (RTT) across the WAN, or both. TCP termination provides maximum throughput through the Talari conduit while locally terminating the TCP session. Typically, file transfer applications will yield the best TCP termination performance. With interactive applications (ssh, scp), the performance gains may not be as significant. These additional benefits provide a compelling reason to enable TCP termination.


Functionality in Detail

The functionality described above creates three TCP sessions. The initial TCP handshake is from Host-A to Host-B. As Host-A communicates with Host-B, the APNAs monitor the TCP flow and support a modified end-to-end three-way handshake, creating three separate TCP connections. Once the separate TCP sessions are established, data transfer can begin. The APNAs will then each maintain a TCP session with their local Host, and a third TCP session across the conduit between the APNAs. These sessions will be established for any TCP flow that is identified as a TCP terminated flow.

For conduit traffic, a separate Talari-TCP will be used. This Talari-TCP will identify each unique flow and allow the APNAs to maintain multiple sessions across the conduit. This Talari-TCP is encapsulated in the conduit and not seen by the user. The APNAs also have built-in support for failure scenarios. In the event of a host or Talari failure, the TCP connections will be reset gracefully. If the conduit is down, the APNAs will terminate the TCP-terminated connection and the Hosts will have to re-establish their TCP session.

The system has a dynamic capability which can be used to disable TCP termination if system resources are getting low. In this scenario, the APNA notifies all other APNAs to which it has conduits that it is low on resources, and directs them to disable TCP termination for that immediate time frame. Once system resources become available on the APNA, the TCP termination functionality will then be re-enabled and communicated to all other APNAs within the network. This function is an internal component of the TCP termination capability, and protects the system from potential catastrophic events.

Commands to enable TCP Termination are described in the next section.


Configuration Commands

There are a number of commands required to enable the TCP termination capability. These commands are available in the APN Configuration Editor or can be added to the configuration file with a text editor. For information on the APN Configuration Editor, including command line options, please see the 2.2 APN Configuration Editor Users Guide at www.talari.com/support.

The first requirement is that TCP termination is enabled; this is done under the conduit section of the configuration. The default rule for the conduit will perform TCP termination on all conduit traffic that is TCP traffic. To enable TCP termination for a specific conduit, use the following command:

add conduit_service remote_site_name=text
{
    [set conduit_properties]
        [tracking_ip_addr=x.x.x.x]
        [reverse_also={yes | no}]
        [default_set_name=text];
    [set rule_default]
        [tcp_resequence_holdtime_ms=n]
        [discard_late_tcp_resequence_packets={yes | no}]
        [non_tcp_resequence_holdtime_ms=n]
        [discard_late_non_tcp_resequence_packets={yes | no}]
        [packet_duplication_holdtime_ms=n]
        [tcp_class_id=n]
        [tcp_class_name=text]
        [udp_class_id=n]
        [udp_class_name=text]
        [other_class_id=n]
        [other_class_name=text]
        [enable_tcp_termination={yes | no}];
}

“enable_tcp_termination = no” (indicating TCP termination is disabled) is the default value for the enable_tcp_termination command. This is not a required command.

Additionally, TCP termination can be configured with more granularity under the Conduit - Rule - Properties section of the configuration file. This allows a user to configure more specific rules for certain traffic types. For example, FTP could have a specific rule defined for TCP termination. When using this option, you can also specify a minimum percentage for this rule. A detailed example of minimum percentage is presented in the Design Consideration section of this Application Note.

[set traffic_optimization_properties]
    [enable_tcp_termination={yes | no}]
    [tcp_termination_min_resource_pct=p];

“tcp_termination_enable = no” (indicating TCP termination is disabled), is the default value for enabling or disabling the TCP termination feature for this (TCP-based) rule.

The “tcp_termination_min_resrc_pct = p” parameter specifies the minimum resource allocation percentage for TCP termination traffic on this rule. Specify the minimum amount of resources used by TCP terminated traffic. More detail regarding this command may be found in the Design Consideration section of this document.

When configuring TCP termination it is not required to configure it for the conduit. A user could just configure the capability to match a specific rule only. When used in this manner, TCP termination is only used for the specific rule and no other conduit traffic.

No other commands are required when enabling TCP termination. There are a number of design considerations to be aware of when implementing TCP termination; these are described in the next section.


Design Consideration

There are a number of design considerations to be aware of when implementing TCP termination, including:

• When enabled, TCP termination will use the maximum allowable resources per platform (defined below).

• Use Rules to guarantee TCP termination is not starved out of the conduit; these should be used with the TCP_ACK Class (see note below).

• Total TCP flow numbers are based on inbound and outbound flows per platform.

• High Availability (HA) configuration is supported (sessions are not maintained across HA failure).

Note: If only the default bulk class is defined, TCP-terminated traffic could use all available bandwidth and starve out any potential new TCP-terminated flows. The recommendation is to define a specific rule and class for TCP-terminated traffic.

Additionally, TCP termination is currently not supported with Riverbed implementations.

Talari TCP termination has a limit to the number of TCP-terminated flows that may be supported based on the APN appliance used. These limits are listed below and are based on the hardware capabilities of the individual platform. Once the supply of flows has been exceeded, any new flows will not be TCP-terminated until pre-existing flows end and TCP termination resources are freed. The platform numbers for TCP termination are as follows:

• The T200 APNA supports a maximum of 500 TCP flows.

• The T700 APNA supports a maximum of 4000 TCP flows.

• The T730 APNA supports a maximum of 4000 TCP flows.

• The T750 APNA supports a maximum of 8000 TCP flows.

• The T3000 APNA supports a maximum of 16000 TCP flows.

For example, the APN T730 appliance supports a total of 4000 terminated flows. Suppose a rule is defined for ssh using TCP termination, with a set minimum resource usage of ten percent. In this case, at least 400 ssh sessions can be used for TCP termination. The remaining TCP termination sessions (3600) would be used for any other TCP session sourced from or destined for the same conduit.

When the Talari APNA has multiple conduits defined, TCP termination must allocate resources for each conduit. The method TCP termination uses to allocate resources to a specific conduit is:

• Determine if a conduit has TCP termination enabled (default rule).

• Determine if there is any rule defined for TCP termination.

• Allocate resources based on the minimum allocation defined per rule for a conduit (if a rule applies to two sites, the min_resrc_pct is divided by two). See note below.

• Any remaining resources are allocated on a first-come, first-served basis until platform resources are depleted.

Note: When a rule is added for the TCP termination capability, a site should be defined for each rule. If 20% is defined for the “min_resrc_pct” and “*” is selected for the from site, the Compiler will add in two rules: one for the NCN and one for the Client site. These two rules will divide the 20% by two impacting resources on a site basis. When using the “*” for site the user needs to be aware of the impact, since it will use resources on both appliances. If there are more than two APNAs in the network, all APNAs would have the rule applied if the “*” option is used in the rule, reducing the minimum resources per site.
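The allocation steps and the T730 example above, modelled in Python for capacity planning. This is an added example, not Talari code: `per_site_pct`, `TerminationPool`, `admit` and `release` are hypothetical names, and the behaviour that a rule's flows spill into the shared pool once its reservation is full is an assumption inferred from the phrase "at least 400".

```python
# Added example: simplified model of the allocation steps above, not Talari code.
PLATFORM_MAX_FLOWS = {"T200": 500, "T700": 4000, "T730": 4000,
                      "T750": 8000, "T3000": 16000}  # limits listed on this page

def per_site_pct(min_pct, from_site, sites):
    """Expand a rule to its sites; "*" divides the percentage across all of them."""
    targets = list(sites) if from_site == "*" else [from_site]
    return {site: min_pct / len(targets) for site in targets}

class TerminationPool:
    """Flow slots on one appliance: per-rule reservations plus a shared remainder."""

    def __init__(self, platform, rule_pcts):
        self.total = PLATFORM_MAX_FLOWS[platform]
        self.reserved = {r: int(self.total * p / 100) for r, p in rule_pcts.items()}
        self.shared = self.total - sum(self.reserved.values())
        self.in_use = {r: 0 for r in rule_pcts}
        self.in_use[None] = 0          # key None tracks the shared pool

    def admit(self, rule=None):
        """Return the pool a new flow was charged to, or "unterminated"."""
        if rule in self.reserved and self.in_use[rule] < self.reserved[rule]:
            self.in_use[rule] += 1
            return rule
        if self.in_use[None] < self.shared:   # first come, first served
            self.in_use[None] += 1
            return "shared"
        return "unterminated"   # new flow is not TCP-terminated until slots free up

    def release(self, charged_to):
        """Free the slot when a terminated flow ends."""
        key = None if charged_to == "shared" else charged_to
        if key in self.in_use and self.in_use[key] > 0:
            self.in_use[key] -= 1
```

Running the model with a 20% rule and "*" across an NCN and a Client site gives each appliance a 10% reservation, which on a T730 is the same 400 flows as the ssh example.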


Troubleshooting TCP Termination

The APNA can provide useful information regarding TCP terminated flows. This information can be viewed from the appliance Web Console, by selecting Monitor and then Flows from the drop-down menu. Next, click the TCP Termination check box. All conduit flows that are using TCP termination will be displayed on this page. The page will include relevant information on a per flow basis. Figure 3 below illustrates a typical screen displaying TCP-terminated flows.

Figure 3

Additionally, TCP termination will add entries into the APN_common.log file. The example shown below indicates that a reset has been sent from the client Host-A to the remote Host-B, with the local APNA instructing the remote APNA to tear down or reset the TCP connection.

tcp_do_segment@forward/tcp_input.c:1813 tp:0x29aeabfc 10.30.10.21:445 -->10.10.10.21:49330 got reset, close the connection.

These are logged to assist the user in monitoring the state of the terminated flows. The TCP-terminated flows are conduit flows only, and consist solely of traffic between APN sites. This can simplify the troubleshooting process. Any other issues related to troubleshooting TCP termination would require Talari Support personnel to assist. Prior to contacting them, it is recommended to collect a diagnostic log file from the APNAs in question, using the APNA web console Diagnose pull-down menu. A diagnostic data capture tool will collect log files as well as low level debug information from the APNA and save it to a file, which can be forwarded to your Talari representative for review.
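The reset entries described above can be summarised per host pair with a short parser. This is an added example, not Talari tooling: the field layout is inferred from the single sample entry on this page (an assumption), the function names are hypothetical, and every line in `SAMPLE` other than the first is constructed.

```python
import re
from collections import Counter

# Layout inferred from the one sample entry on this page (assumption):
#   func@file:line tp:<pointer> src_ip:port -->dst_ip:port message
ENTRY = re.compile(
    r"(?P<func>\w+)@(?P<file>[\w./-]+):(?P<line>\d+)\s+tp:(?P<tp>0x[0-9a-fA-F]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<msg>.+)"
)

def parse_entry(text):
    """Return the fields of one TCP termination log entry, or None if it does not match."""
    m = ENTRY.search(text)          # search() tolerates any prefix before the entry
    if not m:
        return None
    entry = m.groupdict()
    for key in ("line", "sport", "dport"):
        entry[key] = int(entry[key])
    return entry

def reset_counts(lines):
    """Count 'got reset' entries per host pair, ignoring direction."""
    counts = Counter()
    for text in lines:
        entry = parse_entry(text)
        if entry and "got reset" in entry["msg"]:
            counts[tuple(sorted((entry["src"], entry["dst"])))] += 1
    return counts

def noisy_pairs(lines, threshold):
    """Host pairs with at least `threshold` resets, worth a look before calling support."""
    return sorted(pair for pair, n in reset_counts(lines).items() if n >= threshold)

SAMPLE = [
    # Entry quoted on this page:
    "tcp_do_segment@forward/tcp_input.c:1813 tp:0x29aeabfc 10.30.10.21:445 -->10.10.10.21:49330 got reset, close the connection.",
    # Constructed lines for illustration:
    "tcp_do_segment@forward/tcp_input.c:1813 tp:0x29aeac10 10.10.10.21:49331 -->10.30.10.21:445 got reset, close the connection.",
    "tcp_do_segment@forward/tcp_input.c:1813 tp:0x29aeac24 10.30.10.22:21 -->10.10.10.40:50112 got reset, close the connection.",
    "constructed line that is not a TCP termination entry",
]
```

`noisy_pairs(SAMPLE, 2)` returns the one host pair that was reset in both directions.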


Summary

The addition of TCP termination to the Talari product line provides additional throughput based on the WAN link RTT and any potential circuit loss. This capability can increase throughput multiple times over existing throughput, depending on circuit characteristics. TCP termination is easily configured and maintained within the Talari APNA. For additional questions, please contact your local Talari representative.


Thank you for choosing Talari Adaptive Private Networking appliances.

Talari Networks, Inc.
550 S. Winchester Blvd., Suite 500
San Jose, CA 95128
(408) 689-0400
(408) 864-2124 fax
www.talari.com

Talari Networks, Inc. reserves the right to make changes to its products or to discontinue any product or service without notice.

Talari Networks is a trademark of Talari Networks, Inc.

Copyright © 2006-2011 Talari Networks, Inc. All Rights Reserved.

Swift and Sure