TCP optimization fine-tunes the processing of TCP data traffic to decrease round-trip latency and improve throughput. You can optimize TCP traffic in service-side VPNs on vEdge routers. Optimizing TCP traffic is especially useful for improving TCP traffic performance on long-latency links, such as transcontinental links and the high-latency transport links used by VSAT satellite communications systems. TCP optimization can also improve the performance of SaaS applications.
TCP optimization is available on vEdge 1000 and vEdge 2000 hardware routers.
With TCP optimization, a vEdge router acts as a TCP proxy between a client that is initiating a TCP flow and a server that is listening for a TCP flow, as illustrated in the following figure:
This figure shows two vEdge routers acting as proxies. vEdge-1 is the proxy for the client and is called the client proxy. vEdge-2 is the proxy for the server and is called the server proxy. Without TCP optimization, the client establishes a TCP connection directly to the server. When you enable TCP optimization on the two routers, vEdge-1 terminates the TCP connection from the client and establishes a TCP connection with vEdge-2. The vEdge-2 router then establishes a TCP connection to the server. The two vEdge routers cache the TCP traffic in their buffers to ensure that the traffic from the client reaches the server without the TCP connection timing out.
It is recommended that you configure TCP optimization on both the vEdge routers, the router closer to the client and the router closer to the server. This configuration is sometimes referred to as a dual-ended proxy. While it is possible to configure TCP optimization only on the vEdge router closer to the client, called single-ended proxy, this configuration is not recommended because the TCP optimization process is compromised. TCP is a bidirectional protocol and operates only when connection-initiation messages (SYNs) are acknowledged by ACK messages in a timely fashion.
If both the client and the server are connected to the same vEdge router, no TCP optimization is performed.
To use TCP optimization, you first enable the feature on the vEdge router. Then you define which TCP traffic to optimize.
Enable TCP Optimization
To use TCP optimization on a vEdge router, you must enable it:
On vEdge 1000 and vEdge 2000 routers, enabling TCP optimization carves out a separate CPU core to use for performing TCP optimization, which is a CPU-intensive process.
Optimize TCP in a VPN
To enable TCP optimization for all TCP traffic in a VPN, include the following command when configuring service-side VPNs on a vEdge router:
For example, to enable TCP optimization in VPN 1:
vEdge# show running-config vpn 1
vpn 1
 interface ge0/4.1
  ip address 10.20.24.15/24
  no shutdown
 !
 tcp-optimization
!
To display information about the TCP flows that the vEdge router is optimizing, use the show app tcp-opt active-flows command to view flows that are currently active and the show app tcp-opt expired-flows command to view flows that were active but have expired.
Optimize TCP for a Flow
To enable TCP optimization for a specific flow of TCP traffic in a VPN, create a centralized data policy that includes the tcp-optimization action. Use the match conditions in the data policy to define the VPN in which to optimize the TCP traffic and the traffic properties to match.
The TCP optimization feature is enabled based on the data policy. The data policy match must cover the TCP flow in both directions. For example, if the TCP flow is from 10.20.24.17:30000 -> 10.20.25.18:5001, the data policy that enables TCP optimization must also match the reverse direction, that is, 10.20.25.18:5001 -> 10.20.24.17:30000.
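The both-directions requirement above is easy to get wrong when a policy matches only on a destination port. The following added example (not part of the Cisco documentation) is a small checker that models data-policy sequences with first-match semantics and reports whether a given flow and its reverse both reach a sequence whose action includes tcp-optimization; the Flow and Sequence types and the sample policies are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP flow as a 4-tuple (protocol is always TCP here)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        """The server-to-client direction of the same connection."""
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Sequence:
    """A 'sequence N' block: its match conditions and whether its action applies tcp-optimization."""
    seq: int
    match: dict = field(default_factory=dict)  # keys: source-ip, destination-ip, source-port, destination-port
    tcp_optimization: bool = False


def _matches(seq: Sequence, flow: Flow) -> bool:
    """True if every configured match condition in the sequence holds for the flow."""
    m = seq.match
    checks = [
        ("source-ip", lambda v: ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(v)),
        ("destination-ip", lambda v: ipaddress.ip_address(flow.dst_ip) in ipaddress.ip_network(v)),
        ("source-port", lambda v: flow.src_port == int(v)),
        ("destination-port", lambda v: flow.dst_port == int(v)),
    ]
    return all(check(m[key]) for key, check in checks if key in m)


def first_match(sequences, flow):
    """Sequences are evaluated in ascending order; the first one that matches decides the action."""
    for s in sorted(sequences, key=lambda s: s.seq):
        if _matches(s, flow):
            return s
    return None  # no match: default-action applies, which never adds tcp-optimization


def optimization_coverage(sequences, flow):
    """Return (forward_optimized, reverse_optimized); both must be True for the flow to be optimized."""
    fwd, rev = first_match(sequences, flow), first_match(sequences, flow.reverse())
    return (fwd is not None and fwd.tcp_optimization, rev is not None and rev.tcp_optimization)
```

A policy with a single sequence matching destination-port 5001 yields (True, False) for the flow in the text; adding a sequence that matches source-port 5001 makes it (True, True).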
The following example enables TCP optimization on all TCP traffic destined to port 22, which is used for SSH sessions:
vSmart# show running-config policy data-policy tcp_optimization_data_policy
policy
 data-policy tcp_optimization_data_policy
  vpn-list vpn_2
   sequence 100
    match
     destination-port 22
    !
    action accept
     count sample_count
     tcp-optimization
    !
   !
   default-action accept
  !
 !
!
vSmart# show running-config apply-policy
apply-policy
 site-list tcp_optimization_sites
  data-policy tcp_optimization_data_policy all