Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Configuring TFO


In this topic, the three modes of TCP Fast Open (TFO) are described and examples given. The case of using NAT with TFO is also covered.

Three Modes for TFO

No configuration is required to use TFO. TFO is enabled by default. In default mode, all TFO packets are forwarded by the service PIC. Besides the default, there are two other modes for TFO that you configure through the CLI:

  • Drop TFO—If this mode is set, no TFO packets are forwarded.

  • Disable TFO—If this mode is set, any SYN or SYN ACK packet carrying TFO, data, or both, will be stripped of the TFO and the data before being forwarded.

The TFO option is enabled per service set. The service set can be either a next-hop service set or an interface-style service set. Following is an example interface-style service set configuration:

In this instance, TFO is enabled by default (no TFO configuration). The output for the show services service-sets statistics tcp command is as follows:

user@host> show services service-sets statistics tcp

If you drop TFO enabled packets, you have the following configuration and output:

user@host> show services service-sets statistics tcp

If you strip the TFO option, the configuration and output change accordingly:

user@host> show services service-sets statistics tcp

Using NAT and TFO

If NAT is configured in the service set and you are using TFO, you should configure address-pooling paired (APP). APP allows a private IP address to be mapped to the same public IP address from a NAT pool for all its sessions.

If you do not configure APP, NAT can give a different IP address to the client from the same NAT pool than the one it sent to the server before. The server does not recognize the IP address, drops the TFO option, and replies with SYN ACK and the data the client sent is not acknowledged. Therefore, even though the connection is successful and no packet is lost, the benefit of TFO is lost. But if client comes back with the same IP address, the server recognizes it and acknowledges the data. Therefore, always enable APP with a high mapping timeout value with TFO.

To configure APP:

  1. Configure APP:
  2. Configure a high mapping timeout value:

Related Documentation