A TCP fast path profile does not proxy TCP connections. It connects clients directly to the destination server and translates the destination address of client packets from the virtual service address to the IP address of the chosen destination server. The client's source IP address can be NATed to the IP address of the SE. This option is configured through settings in the SE group and other profiles.

On receiving a TCP SYN from the client, the Avi Load Balancer makes a load-balancing decision and forwards the SYN and all subsequent packets directly to the server. The client-to-server communication occurs over a single TCP connection, using the parameters, sequence numbers, and TCP options negotiated between the client and the server.

TCP Fast Path Profile

The options of a TCP proxy profile are not relevant in a TCP fast path configuration, because the TCP session is negotiated directly between the client and server, with the SE performing only NAT operations. The fast path profile type has the following settings:

  • Enable SYN Protection — When deactivated, the Avi Load Balancer performs load balancing based on the initial client SYN packet and forwards that SYN to the server. It then merely forwards packets between the client and the server, leaving servers vulnerable to SYN flood attacks from spoofed IP addresses. With SYN protection enabled, the Avi Load Balancer proxies the initial TCP three-way handshake with the client to validate that the client is not a spoofed source IP address. Once the three-way handshake has been established, the Avi Load Balancer replays the handshake on the server side. After the client and server are connected, it drops back to pass-through (fast path) mode. This process is also called delayed binding.

Note:

Consider using TCP Proxy mode for maximum TCP security.

  • Session Idle Timeout — Idle flows terminate (time out) after the specified period. The Avi Load Balancer issues a TCP reset to both the client and the server.
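
The effect of the Enable SYN Protection setting on server-side state can be seen in a small model. This is an added example, not Avi Load Balancer code: the class and function names are hypothetical, the addresses and traffic are constructed, and the SYN-cookie-style check is an assumed way of validating the client, which the text above does not specify.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed value, not a product setting

def se_isn(src, sport, client_isn):
    """SYN-cookie-style ISN for the SE's SYN-ACK (assumed validation method)."""
    msg = f"{src}:{sport}:{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class FastPathSE:
    """Toy model of the SE front end; class and method names are hypothetical."""
    def __init__(self, syn_protection):
        self.syn_protection = syn_protection
        self.server_half_open = set()  # handshakes the server holds state for
        self.fast_path = set()         # flows in pass-through mode

    def on_syn(self, src, sport, client_isn):
        if self.syn_protection:        # SE answers itself; server sees nothing yet
            return se_isn(src, sport, client_isn)
        self.server_half_open.add((src, sport))  # SYN forwarded to the server
        return None

    def on_ack(self, src, sport, seq, ack):
        flow = (src, sport)
        if self.syn_protection:
            expected = (se_isn(src, sport, (seq - 1) % 2**32) + 1) % 2**32
            if ack != expected:
                return False           # source never saw the SE's SYN-ACK: drop
            # Client validated; the SE now replays the handshake to the server.
        elif flow in self.server_half_open:
            self.server_half_open.discard(flow)  # server completes its handshake
        else:
            return False
        self.fast_path.add(flow)       # from here the SE only forwards and NATs
        return True

def simulate(syn_protection, spoofed=1000):
    se = FastPathSE(syn_protection)
    # Constructed traffic: spoofed sources send a SYN and never answer the SYN-ACK.
    for i in range(spoofed):
        se.on_syn(f"198.51.100.{i % 250}", 1024 + i, 7000 + i)
    # One real client (constructed address) completes the three-way handshake.
    synack = se.on_syn("203.0.113.10", 50000, 42)
    ack = (synack + 1) % 2**32 if synack is not None else 1
    se.on_ack("203.0.113.10", 50000, 43, ack)
    # An ACK from a source that never received a SYN-ACK must not open a flow.
    blind_ok = se.on_ack("198.51.100.7", 4444, 1, 12345)
    return len(se.server_half_open), len(se.fast_path), blind_ok
```

`simulate(False)` leaves every spoofed SYN as a half-open handshake on the server, while `simulate(True)` leaves none and still admits the real client to the fast path.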