Manual Chapter : BIG-IP Reference guide v3.3: System Control Variables

Applies To:

BIG-IP versions 1.x - 4.x

  • 3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.1, 3.3.0


6

BIG-IP System Control Variables



Setting BIG-IP system control variables

The BIG-IP Controller hardware and software boot up with a configuration specified, in part, by the system control variables stored in the /etc/rc.sysctl file. Most of these variables are standard BSD UNIX system control variables, while some are used exclusively by the BIG-IP Controller. In most cases, a variable is just toggled off (0) or on (1), but some variables may also store specific values, such as a port number.

You can use three methods to set system control variables affecting the BIG-IP Controller:

  • The Configuration utility
    Navigate to a system control variable and edit it in the browser with the Configuration utility.
  • sysctl command
    Write system control variable values directly to /etc/rc.sysctl using this command line utility.
  • vi or pico
    Use a text editor, such as vi or pico, to edit /etc/rc.sysctl directly.

    Following are all the system control variables you will need.



sysctl

sysctl -a

sysctl <variable name>

sysctl -w <variable name>=<value>

Displaying current system control variable settings

To display the settings of all system control variables, use the following syntax:

sysctl -a

To display the current setting for an individual variable, use the following command syntax:

sysctl <variable name>

Setting a system control variable

Use the following syntax to write a value for a system control variable in /etc/rc.sysctl:

sysctl -w <variable name>=<value>

For example, the following command sets vipnoarp mode to on at boot:

sysctl -w bigip.vipnoarp=1

To turn vipnoarp mode off at boot, you would write the setting to /etc/rc.sysctl using the following command:

sysctl -w bigip.vipnoarp=0



bigip.bonfire_mode

Description

bigip.bonfire_mode=1

Sets the BIG-IP Controller to operate in Transparent Node mode, where it can perform load balancing on routers and router-like devices, such as transparent firewalls.

bigip.bonfire_mode=0

(Default) Transparent Node mode is off.

Note: With this version of the BIG-IP Controller, Transparent Node mode is no longer necessary. You do not need to set this variable. This variable only exists for backward compatibility. You can define a virtual server with address translation turned on or off at any time. For more information about address translation, see the BIG-IP Administrator Guide.



bigip.bonfire_compatibility_mode

Description

bigip.bonfire_compatibility_mode=1

Turns off port translation on the BIG-IP Controller. This is useful if a node port is only being used to specify a service check port.

bigip.bonfire_compatibility_mode=0

(Default) Port translation is on.

Note: With this version of the BIG-IP Controller, Transparent Node mode is no longer necessary. You do not need to set this variable. This variable only exists for backward compatibility. You can define a virtual server with port translation turned on or off at any time. For more information about port translation, see the BIG-IP Administrator Guide.



bigip.fastest_max_idle_time

Description

bigip.fastest_max_idle_time=<seconds>

Sets the number of seconds a node can be left idle by the fastest load balancing mode. This forces the BIG-IP Controller to send fewer connections to a node that is responding slowly. This allows the BIG-IP Controller to periodically recalculate the response time of the slow node.



bigip.fastpath_active

You can use this variable to control additional enhancements that speed packet flow for TCP connections when the packets are not fragmented. In most configurations these software enhancements are automatically turned on and do not require any additional configuration.

However, you may want to turn off these enhancements for individual virtual servers that use IPFW rate filters. With the speed enhancements on, IPFW only examines the first SYN packet in any given connection. If you want to filter all packets, you should turn the speed enhancements off. To do this, you must first set the global state of the system to on, and then you must turn the feature off for individual virtual servers that use IPFW rate filtering. You can change the settings for these enhancements from the command line or in the Configuration utility.

Setting software acceleration controls from the command line

There are three global states you can set with the sysctl variable bigip.fastpath_active. The default state is automatic, or a value of 1. The global states are:

0 = off

1 = automatic

2 = on

The additional speed enhancements are globally disabled if the sysctl variable bigip.fastpath_active is off (0) or if bigip.fastpath_active is set to automatic (1) and an IPFW rate filter exists in the configuration.

To provide the benefits of software acceleration for virtual servers that do not use rate filtering and turn off software acceleration for virtual servers that use IPFW rate filtering, you can set the sysctl variable bigip.fastpath_active to on (2) with the following command:

sysctl -w bigip.fastpath_active=2

After you set the sysctl variable, use the following bigpipe command to disable software acceleration for virtual servers that use IPFW rate filtering:

bigpipe vip <ip>:<port> accelerate disable



bigip.forwarding_vip_overrides_default_snat

bigip.forwarding_vip_overrides_default_snat=1

Setting this variable to 1 turns off SNAT for forwarding virtual servers. The result is that the default SNAT ignores a new connection with a destination that matches a forwarding virtual server. This causes outbound connections to use either a forwarding virtual server or the default SNAT depending on the destination of the packet that initiates the connection. The default setting for this variable is 1.

bigip.forwarding_vip_overrides_default_snat=0

Setting this variable to 0 leaves SNAT on for forwarding virtual servers. The result is that both a SNAT and a virtual server connection need to be created by an outbound packet initiating a connection to the destination specified by a forwarding virtual server.



bigip.halt_reboot_timeout

Description

bigip.halt_reboot_timeout=2

This value is the number of seconds the BIG-IP Controller can stop during boot up before the watchdog card hard reboots the controller. The default value for this setting is 2 seconds.



bigip.improved_fastest

bigip.improved_fastest=1

To use the improved Fastest, Observed, and Predictive load balancing modes, this variable must be set to 1. The default value for this variable is 1.

bigip.improved_fastest=0

If you do not want to use the improved fastest modes, set this variable to 0. You might want to do this in a case where all connections to a node address are sequential and the application response is variable, slow, and unrelated to transport protocol response.



bigip.max_sticky_entries

Description

bigip.max_sticky_entries=2048

This is the maximum number of sticky entries allowed to accumulate on the BIG-IP Controller when using destination address affinity (sticky persistence). When the maximum value is reached, the BIG-IP Controller stops accumulating sticky entries. The default value for this entry is 2048.



bigip.memory_reboot_percent

Description

bigip.memory_reboot_percent=0

The default value for this variable is 0, which is disabled. The minimum value for this variable is 80, or 80 percent of the total physical memory on the controller. The value you type, 80 or higher, is the percentage of memory that is in use before the BIG-IP Controller automatically reboots.



bigip.open_3dns_lockdown_ports

Description

bigip.open_3dns_lockdown_ports=0

(Default) This variable is only required when running a 3-DNS Controller. This variable is set to 0 on the BIG-IP Controller when the 3-DNS Controller is not present in the network configuration. (See the 3-DNS Administrator Guide for more information.)



bigip.open_telnet_port

Description

bigip.open_telnet_port=1

Opens the Telnet port (23) to allow administrative Telnet connections. (Useful for an international BIG-IP Controller, or for a controller that needs to communicate with non-crypto 3-DNS Controllers.)

bigip.open_telnet_port=0

Opens the Telnet port to allow administrative Telnet connections (useful for non-crypto BIG-IP Controllers).



bigip.open_ftp_ports

Description

bigip.open_ftp_ports=1

Opens the FTP ports (20 and 21) to allow administrative FTP connections (useful for international BIG-IP Controllers).

bigip.open_ftp_ports=0

The default setting for this variable is 0. The FTP port does not allow administrative FTP connections.



bigip.open_ssh_port

Description

bigip.open_ssh_port=1

Opens the SSH port (22) to allow administrative connections (useful only for US BIG-IP Controllers).

bigip.open_ssh_port=0

The default setting for this variable is 0. The SSH port does not allow administrative connections.



bigip.open_rsh_ports

Description

bigip.open_rsh_ports=1

Opens the RSH ports (512, 513, and 514) to allow RSH connections (useful for international BIG-IP Controllers, or on US controllers that need to communicate with international 3-DNS Controllers).

bigip.open_rsh_ports=0

The default setting for this variable is 0. The RSH port does not allow RSH connections.



bigip.persist_map_proxies

bigip.persist_map_proxies=1

Proxy mapping for persistence is on by default. The AOL proxy addresses are hard-coded in this release. This enables you to use client IP address persistence with a simple persist mask, but forces all AOL clients to persist to the same server: all AOL clients persist to the node that was picked for the first AOL client connection received.

The class B networks, 195.93 and 205.188, are mapped to 152.163 for persistence. For example, client 195.93.3.4 would map to 152.63.3.4 for persistence records only. This mapping is done prior to applying the persist mask. Use bigpipe vip persist dump to verify that the mapping is working.

We recommend that in addition to setting this sysctl variable, you set a persist mask of 255.255.0.0 so that all the AOL addresses map to a common address. Table 6.1 shows how setting this variable and a persist mask of 255.255.0.0 would map a sample set of client addresses.

Table 6.1 Address mapping of sample clients

Sample Client Address    Persist Address
152.44.12.3              195.93.0.0
152.2.99.7               195.93.0.0
170.11.19.22             195.93.0.0
202.67.34.11             195.93.0.0
205.188.11.2             195.93.0.0
208.33.23.4              208.33.0.0 (non-AOL address is not mapped)

bigip.persist_map_proxies=0

Set this variable to 0 to turn proxy mapping off.



bigip.persist_time_used_as_limit

Description

bigip.persist_time_used_as_limit=0

(Default) Forces the persistent connection timer to reset on each packet for persistent sessions.

bigip.persist_time_used_as_limit=1

Resets timer only when the persistent connection is initiated.

Note: For SSL persistence, the timer is always reset on each packet.



bigip.persist_on_any_vip

Description

bigip.persist_on_any_vip=1

All simple persistent connections from the same client IP address are sent to the same node (matches the client IP address but not the virtual address or virtual port the client is using).

bigip.persist_on_any_vip=0

The default setting for this variable is off.



bigip.persist_on_any_port_same_vip

Description

bigip.persist_on_any_port_same_vip=1

All simple persistence connections from a client IP address that go to the same virtual address also go to the same node (matches the client address and the virtual IP address but not the virtual port).

bigip.persist_on_any_port_same_vip=0

The default setting for this variable is off.



bigip.tcphps_mss_override

Description

bigip.tcphps_mss_override=(<1460)

Allows you to decrease the default maximum segment size (MSS) from 1460 to a smaller value. The defined value is the value announced to clients by the TCP server proxy on the BIG-IP Controller in the SYN/ACK packet.

bigip.tcphps_mss_override=0

(Default) The BIG-IP Controller requests the MSS from the node when negotiating connections on the node's behalf.



bigip.verbose_log_level

Description

bigip.verbose_log_level=0

Turns port denial logging off. No messages are logged.

bigip.verbose_log_level=1

Turns UDP port denial logging on. This logs UDP port denials to the BIG-IP Controller address.

bigip.verbose_log_level=2

Turns TCP port denial logging on. This logs TCP port denials to the BIG-IP Controller address.

bigip.verbose_log_level=4

Turns virtual UDP port denial logging on. This logs UDP port denials to the virtual server address.

bigip.verbose_log_level=8

Turns virtual TCP port denial logging on. This logs TCP port denials to the virtual server address.

bigip.verbose_log_level=15

Turns TCP and UDP port denial logging on. This logs TCP and UDP port denials to the virtual server address and the BIG-IP Controller address. Setting this variable to 15 turns on logging levels 1, 2, 4, and 8.
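
An added example, not part of the original manual or any F5 code: a Python check that flags the values described in this chapter that open cleartext administrative ports (Telnet, FTP, RSH), leave a class of port denials unlogged, or set bigip.memory_reboot_percent below its documented minimum. The `name=value` input form, the function names and the sample settings are assumptions made for illustration.

```python
# Added example. Assumption: input is "name=value" or "name = value" lines.
# Set to 1, each of these opens a cleartext administrative service.
CLEARTEXT_ADMIN = {
    "bigip.open_telnet_port": "Telnet (23)",
    "bigip.open_ftp_ports": "FTP (20, 21)",
    "bigip.open_rsh_ports": "RSH (512, 513, 514)",
}
# bigip.verbose_log_level bit values as listed in this chapter.
LOG_BITS = {
    1: "UDP denials to the controller address",
    2: "TCP denials to the controller address",
    4: "UDP denials to the virtual server address",
    8: "TCP denials to the virtual server address",
}

def parse_settings(text):
    """Return {name: int} for every integer-valued setting line."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.split("#", 1)[0].partition("=")
        if sep and value.strip().isdigit():
            settings[name.strip()] = int(value)
    return settings

def audit(settings):
    """Return finding strings; variables that are not set are not judged."""
    findings = []
    for name, service in CLEARTEXT_ADMIN.items():
        if settings.get(name) == 1:
            findings.append(f"{name}=1 opens cleartext {service}")
    level = settings.get("bigip.verbose_log_level")
    if level is not None:
        for bit, meaning in LOG_BITS.items():
            if not level & bit:
                findings.append(f"bigip.verbose_log_level={level} omits {meaning}")
    percent = settings.get("bigip.memory_reboot_percent", 0)
    if 0 < percent < 80:
        findings.append(f"bigip.memory_reboot_percent={percent} is below the minimum of 80")
    return findings

# Constructed sample, not taken from a real controller.
SAMPLE = """\
bigip.open_telnet_port = 1
bigip.open_ssh_port=1
bigip.verbose_log_level=10
bigip.memory_reboot_percent=50
"""
if __name__ == "__main__":
    print("\n".join(audit(parse_settings(SAMPLE))))
```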



bigip.vipnoarp

Description

bigip.vipnoarp=1

Prevents the BIG-IP Controller from issuing ARP requests when rebooted. This is useful for configurations that contain 1,000 or more virtual servers. This setting also prevents you from configuring virtual servers as IP addresses on the BIG-IP Controller external interface.

bigip.vipnoarp=0

The default setting for this variable is 0. The BIG-IP Controller issues ARP requests on reboot.



bigip.webadmin_port

Description

bigip.webadmin_port=443

Specifies the port number used for administrative web access. The default port for web administration is port 443.



net.inet.ip.forwarding

Description

net.inet.ip.forwarding=1

Exposes node IP addresses on the internal network, allowing clients to connect directly to nodes, and also allows nodes to initiate connections with computers external to the BIG-IP Controller. Typically, this setting is used only on systems that cannot use NATs (for example, a network that uses CORBA or the NT Domain).

net.inet.ip.forwarding=0

(Default) IP forwarding is off.



net.inet.ip.sourcecheck

Description

net.inet.ip.sourcecheck=1

This setting enables the BIG-IP Controller to check the source IP address of incoming packets before it checks the packet for other information (for example, the virtual server).

Source checking tries to allocate a route back to the source of the packet. If the route cannot be found, or if the route is on an interface different from the interface on which the packet was received, the packet is discarded. Each time a packet is discarded, the bad source interface counter is incremented.

net.inet.ip.sourcecheck=0

The default setting for this variable is 0. IP source checking is off.
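
The source check described above, modelled as an added Python example; it is not BIG-IP code. It assumes the route back to the source is chosen by longest-prefix match, and the interface names, routes and addresses are constructed for illustration.

```python
# Added example: a simplified model of net.inet.ip.sourcecheck=1 behaviour.
import ipaddress


class SourceCheck:
    def __init__(self, routes):
        # routes: (prefix, interface) pairs standing in for the routing table
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
        self.bad_source_interface = 0  # incremented on every discard

    def route_to(self, addr):
        """Longest-prefix match (assumed); return the interface or None."""
        ip = ipaddress.ip_address(addr)
        matches = [(net.prefixlen, ifc) for net, ifc in self.routes if ip in net]
        return max(matches)[1] if matches else None

    def accept(self, src, arrived_on):
        """Discard when no route back exists or it uses another interface."""
        if self.route_to(src) != arrived_on:
            self.bad_source_interface += 1
            return False
        return True


# Constructed routing table: nodes behind "internal", everything else "external".
ROUTES = [("10.1.0.0/16", "internal"), ("0.0.0.0/0", "external")]

# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("198.51.100.7", "external"),  # route back matches arrival interface
    ("10.1.2.3", "internal"),      # node traffic on the internal interface
    ("10.1.2.3", "external"),      # internal source seen on external: discarded
]

if __name__ == "__main__":
    check = SourceCheck(ROUTES)
    for src, ifc in PACKETS:
        verdict = "accept" if check.accept(src, ifc) else "discard"
        print(f"{src} on {ifc}: {verdict}")
    print("bad source interface counter:", check.bad_source_interface)
```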