How to Enable TCP Fast Open in NetScaler?

This article describes how to enable TCP Fast Open in NetScaler.


TCP Fast Open (TFO) is a mechanism in TCP connection establishment process, which helps to speed up the opening of the connections and data flow. It allows data to be carried during the initial TCP connection handshake, that is, in SYN and SYN-ACK packets and enables the data to be consumed by the receiving node during the connection establishment thus speeding up data transfer while the connection is being established.

Why TCP Fast Open?

Let us understand how TFO works and how it is useful under different use cases. The idea of TFO originated because of the increasing performance requirements of today’s applications.

TFO process saves up to one full round trip time commonly referred as RTT in TCP handshake when compared with the conventional TCP three way handshake. For applications that have short web transfers, this additional RTT makes a significant impact in overall latency in the network.

For example in Chrome browser, it is found out that on an average, one-third of the connections are new TCP connections and thus with TFO involved, it can provide substantial improvements in performance of the network.

Now what about the security of data that is transferred in the initial handshake? TFO makes the data exchange secure by using a TFO cookie, a cryptographic cookie which is sent from receiving node and gets stored on the client who initiated the connection. When the client tries connect to the same node again, it sends the TFO cookie along with the SYN packet during the handshake thus authenticating itself with the receiving node.

Up on successful authentication, the receiving node will send data to the client without receiving the final acknowledgement thereby saving one RTT to start data transmission. This reduces the overall network latency to a significant level when short lived connections are very high.

TCP TFO flow

1. Server

– Receives SYN + TFO cookie request

– Generates cookie by encrypting client IP

– Sends SYN-ACK + TFO cookie

2. Client

– Caches cookie for this server IP

3. Server

– Receives SYN + TFO cookie + data

– Validates client TFO cookie + accepts connection + data is made available to application

– Sends SYN + ACK for SYN+ Data in SYN packet

– Sends more data packets to client while handshake

User-added image


Leave a Reply