Adjust System Variables

PacketWise's default settings are appropriate for most configurations. However, you can adjust the system variables if your situation warrants it. Use discretion when modifying these variables.

Note: To perform this task from PolicyCenter, you must first select a unit or configuration draft in the Configurations window. Then select the Setup tab from the right pane of this window, and proceed to step 2 of the procedure below.

To change a system variable:

1. Click the Setup tab.

2. From the Choose Setup Page list, select system variables. The system variable settings appear on the Setup screen.

3. Change one or more of the system variable settings (see table below).

Tip: When you place the mouse pointer on a variable name, pertinent information about that variable appears.

4. Click apply changes.

5. If necessary, reboot the unit. (Some changes don't take effect until the unit is reset.)

Each entry below gives the variable name, a description, and the variable's default, minimum and maximum values. A dash for the minimum or maximum means the variable is an on/off or selection setting with no numeric range.

Packet Engine

Header Overhead (bytes)
  Number of bytes that are added to each packet to account for WAN protocol header overhead.
  Default: 0   Min: 0   Max: 256

Link Overhead (ppt)
  Number of parts per thousand* by which packet sizes are increased to account for link overhead. This adjustment is useful for links that do bit stuffing. (Bit stuffing is the practice of adding bits to a stream of data. Bit stuffing is required by many network and communications protocols, for example to prevent data from being interpreted as control information.)
  * To be more precise, it is actually parts per 1024.
  Default: 35 (3.5%)   Min: 0   Max: 1024

Small MSS Link Speed
  Link speeds slower than this value will force the use of a smaller MSS (maximum segment size). This prevents PacketWise from changing the MSS on large WAN links.
  Default: 384000 bps   Min: 0   Max: 512000

Maximum Segment Size (Inbound)
  Maximum segment size of TCP packets on Inbound flows. This setting can help avoid packet fragmentation when a VPN tunnel cannot carry 1500-byte packets (the default size).
  Default: 1460 bytes   Min: 0   Max: 65535

Maximum Segment Size (Outbound)
  Maximum segment size of TCP packets on Outbound flows.
  Default: 1460 bytes   Min: 0   Max: 65535

Clamp Early Retransmission (Inbound)
  Number of milliseconds of delay for clamping the early retransmission time-out on Inbound packets. Puts a maximum on the retransmit time.
  Default: 1600   Min: 0 (disable)   Max: 3000 (3 sec)

Clamp Early Retransmission (Outbound)
  Number of milliseconds of delay for clamping the early retransmission time-out on Outbound packets.
  Default: 1600   Min: 0 (disable)   Max: 3000 (3 sec)

Asymmetric Flows Only
  When this setting is turned on, PacketWise assumes all flows are asymmetric and stops TCP Rate Control. In topologies where a large percentage of flows are asymmetric, this may be more efficient than attempting to apply regular rate control. In addition to disabling rate control, turning on this setting disables all layer 7 classification activities. (PacketWise must see traffic in both directions in order to classify layer 7.)
  Default: off   Min: -   Max: -

Bridge PassThru
  With Bridge PassThru enabled, the PacketShaper forwards packets that have a source and destination MAC address on the same side of the unit. When Bridge PassThru is disabled and traffic shaping is enabled, the PacketShaper drops packets that have source and destination MAC addresses on the same side.
  Default: on   Min: -   Max: -

Caching of IP address-based classes
  Cache IP address-based classes on the inside or outside of the PacketShaper. Change this setting to outside to increase classification performance if the majority of IP addresses in manually created classes are on the outside rather than the inside.
  Default: inside   Min: -   Max: -

Display "503 - Service unavailable" Messages
  Controls the display of the "503 - Service unavailable" server error message when a connection is refused because of admission control (such as a never-admit policy). When set to off, the "503 - Service unavailable" message is customized with the text "This message is sent by Blue Coat PacketShaper." When set to on, PacketWise performs a TCP reset and drops the HTTP request; the error message will likely be "The attempt to load http://... failed."
  Default: off   Min: -   Max: -

Enable Support for LFN
  When enabled, this setting improves performance on Long Fat Networks (LFNs), which require larger TCP window sizes. An LFN is a long-distance network with large bandwidth and long delay; high-capacity satellite channels, for example, are LFNs.
  Default: off   Min: -   Max: -

Policy flow limits for all classes
  Enables/disables the policy flow limit feature. When enabled, PacketWise enforces all policy flow limits that have been set on traffic classes. When disabled, all policy flow limits are ignored. Disabled is the appropriate setting for PacketShapers deployed in proxy or NAT environments. For additional information, see policy flowlimits.
  Default: off   Min: -   Max: -

Clip Initial Window Size
  When this variable is enabled, the PacketShaper always reduces the initial TCP window size to 1x MSS (maximum segment size).
  When this variable is disabled, new flows ramp up faster, but enforcement of small rate policies and/or partitions may not work at the beginning of flows.
  Default: on   Min: -   Max: -

Use PacketShaper MAC for WCCP
  This variable determines which source MAC address is used for packets that are rejected by the cache device in WCCP redirection mode. When this variable is enabled, the MAC address of the PacketShaper is used as the source. When the variable is disabled, the MAC address of the paired cache device is used.
  This variable should be disabled when the cache device and the clients are on different subnets in a VLAN topology. Other supported topologies should use the default setting (on).
  Note: This variable is not available via PolicyCenter.
  Default: on   Min: -   Max: -
Auto-discovery

Non-IP Flows
  The number of new non-IP connections of a given type that must be identified within a one-minute time frame before PacketWise creates a class.
  Default: 2   Min: 1   Max: 1000000

Identifiable Services
  The number of new connections of an identifiable service to a port less than or equal to 1024 that must be identified within a one-minute time frame before PacketWise creates a class.
  Default: 1   Min: 1   Max: 1000000

URL Categories
  The number of new flows belonging to a particular URL category that must be identified within a one-minute time frame before PacketWise creates a class for the category.
  Default: 1   Min: 1   Max: 1000000

Dynamic Ports
  The number of new connections of an identifiable service to a port greater than 1024 that must be identified within a one-minute time frame before PacketWise creates a class.
  Default: 2   Min: 1   Max: 1000000

Static Ports
  The number of new connections to a static port within a one-minute time frame before PacketWise creates a Port_#### class in the DiscoveredPorts folder.
  It may be necessary to increase this value on Internet link deployments to prevent an excessive number of DiscoveredPorts classes from being created. If you don't want any Port_#### classes discovered, set this variable to its maximum value.
  Default: 100   Min: 1   Max: 1000000

Create SameSide Class
  When this variable is enabled, the SameSide class is created automatically. When disabled, the SameSide class is not auto-created. You may want to disable this variable if traffic is being misclassified into the SameSide class.
  Default: on   Min: -   Max: -
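The five discovery thresholds above share one rule: a class is created once enough new connections of one kind are seen within a minute. The following Python script is an added example, not part of PacketGuide or PacketWise, that models that rule over constructed connection events. It shows why a steady trickle of connections to an unknown port on an Internet link never reaches the Static Ports default of 100 while a burst does, and what setting that variable to its maximum value achieves. The category names, the event fields and the sliding one-minute window are assumptions made for the example; the page only says "within a one-minute time frame".

```python
from collections import defaultdict, deque

# Default thresholds from the Auto-discovery table. The category names, the
# event fields and the sliding-window counting are assumptions made for this
# example; the page only says "within a one-minute time frame".
DEFAULT_THRESHOLDS = {
    "non_ip": 2,            # Non-IP Flows
    "identifiable_low": 1,  # Identifiable Services (port <= 1024)
    "url_category": 1,      # URL Categories
    "dynamic_port": 2,      # Dynamic Ports (identifiable service, port > 1024)
    "static_port": 100,     # Static Ports -> Port_#### classes
}
MAX_THRESHOLD = 1000000     # table maximum: effectively "never create the class"
WINDOW_SECONDS = 60


def categorize(event):
    """Map a constructed new-connection event to its discovery category and class name."""
    if event["proto"] != "ip":
        return "non_ip", f"NonIP_{event['proto']}"
    if event.get("url_category"):
        return "url_category", f"URL_{event['url_category']}"
    if event.get("service"):
        cat = "identifiable_low" if event["port"] <= 1024 else "dynamic_port"
        return cat, event["service"]
    return "static_port", f"Port_{event['port']}"


def discovered_classes(events, thresholds=DEFAULT_THRESHOLDS, window=WINDOW_SECONDS):
    """Return the class names whose new-connection count reaches the category
    threshold within any `window`-second sliding window."""
    recent = defaultdict(deque)  # class name -> timestamps still inside the window
    created = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        category, name = categorize(ev)
        if name in created:
            continue
        stamps = recent[name]
        stamps.append(ev["ts"])
        while ev["ts"] - stamps[0] >= window:   # expire timestamps older than the window
            stamps.popleft()
        if len(stamps) >= thresholds[category]:
            created.add(name)
    return created


# Constructed sample traffic (not captured data): timestamps are seconds.
SAMPLE_EVENTS = (
    [{"ts": 0, "proto": "ipx", "port": 0}, {"ts": 30, "proto": "ipx", "port": 0}]
    + [{"ts": 5, "proto": "ip", "port": 22, "service": "ssh"}]
    + [{"ts": 7, "proto": "ip", "port": 3389, "service": "rdp"}]      # one hit, threshold 2
    + [{"ts": 9, "proto": "ip", "port": 80, "service": "http", "url_category": "News"}]
    + [{"ts": t, "proto": "ip", "port": 7777} for t in range(120)]    # 1/s: never 100 in a minute
    + [{"ts": 200 + i / 2, "proto": "ip", "port": 8888} for i in range(150)]  # 2/s: 120 in a minute
)

if __name__ == "__main__":
    print("defaults:     ", sorted(discovered_classes(SAMPLE_EVENTS)))
    tuned = {**DEFAULT_THRESHOLDS, "static_port": MAX_THRESHOLD}
    print("no Port_####: ", sorted(discovered_classes(SAMPLE_EVENTS, tuned)))
```

With the defaults the script creates NonIP_ipx, ssh, URL_News and Port_8888 but not Port_7777 (at most 60 connections in any minute) or rdp (a single connection against a threshold of 2); raising Static Ports to its maximum removes Port_8888 and leaves the other classes untouched.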
Dynamic Partitions

Active
  The number of seconds a dynamic partition will be retained after an established flow has sent packets. (The flow is not terminated/completed but hasn't had any recent activity.)
  Note: If no other user needs a dynamic partition, the partition will be retained indefinitely.
  Default: 300 (5 min)   Min: 10   Max: 7200 (2 hrs)

Idle
  The number of seconds a dynamic partition will be retained after all flows in the partition have been terminated/completed.
  Note: If no other user needs a dynamic partition, the partition will be retained indefinitely.
  Default: 30   Min: 10   Max: 7200 (2 hrs)

Reserved for Static
  The number of partitions reserved for static partitions; all other partitions can be used for dynamic or static partitions.
  Default: 3   Min: 0   Max: 99
Xpress Tunnels

Host Entries
  The maximum number of hosts and partners that can be defined to use the Xpress tunneling facility.
  * 0 indicates that the default system limit will be used; the system limit depends on the amount of memory installed in the unit.
  Default: 0*   Min: 0   Max: 99999

Tunnel shutdown threshold
  The maximum number of consecutive retransmissions of a packet before an Xpress tunnel is shut down.
  Default: 5   Min: 0   Max: 99

Allow/Exclude inside hosts on list
  Tunnel hosts are designated with the tunnel discovery host command. By default, the specified hosts are the ones allowed to use Xpress tunnels. If you want the specified hosts to be the ones excluded from tunnels, change the setting of the Allow/Exclude inside hosts on list variable.
  If allow is selected, only listed inside hosts are eligible for Xpress tunnels. If exclude is selected, inbound traffic destined to the listed hosts is not sent through the tunnel, but all other inside hosts are eligible for tunneling.
  Default: allow   Min: -   Max: -

Allow/Exclude outside hosts on list
  Tunnel hosts are designated with the tunnel discovery host command. By default, the specified hosts are the ones allowed to use Xpress tunnels. If you want the specified hosts to be the ones excluded from tunnels, change the setting of the Allow/Exclude outside hosts on list variable.
  If allow is selected, only listed outside hosts are eligible for Xpress tunnels. If exclude is selected, outbound traffic destined to the listed hosts is not sent through the tunnel, but all other outside hosts are eligible for tunneling.
  Default: allow   Min: -   Max: -

Allow/Exclude PacketShapers on partner list
  Tunnel partners are designated with the tunnel discovery partner command. By default, the specified partners are the ones allowed to use Xpress tunneling. If you want the specified partners to be the ones excluded from tunneling, use the Allow/Exclude PacketShapers on partner list variable to do so.
  If allow is selected, Xpress creates tunnels only with the listed PacketShapers. If exclude is selected, Xpress does not establish tunnels with the listed PacketShapers; only PacketShapers not listed have tunnels established.
  Default: allow   Min: -   Max: -

Reapply TOS header value
  Reapply network-modified TOS IP header values to decompressed packets. When this option is enabled, the decompressing Xpress unit compares the original TOS value of the compressed packets to the TOS value in the IPComp packet's IP header. If the network modified the TOS value of the IPComp packet, Xpress applies this modified TOS value to the original packets as they are decompressed.
  Note: The Differentiated Services Interoperability variable must also be enabled.
  Default: off   Min: -   Max: -

Local ARP Discovery
  One of three mechanisms for discovering local hosts for Xpress tunnels. When Local ARP Discovery is enabled, Xpress extracts the source IP address from a valid ARP request or response and adds it as a local host for Xpress tunnels.
  This mechanism is enabled by default but only operates when global host discovery is enabled (see Configure Global Xpress Settings). This variable can be disabled for troubleshooting host discovery on different network topologies.
  Note: This variable is available in enhanced mode only.
  Default: on   Min: -   Max: -

Local IP Discovery
  One of three mechanisms for discovering local hosts for Xpress tunnels. When Local IP Discovery is enabled, Xpress extracts the IP addresses of all inside hosts and adds them to the local host list for Xpress tunnels.
  This mechanism is enabled by default but only operates when global host discovery is enabled (see Configure Global Xpress Settings). This variable can be disabled for troubleshooting host discovery on different network topologies.
  Note: This variable is available in enhanced mode only.
  Default: on   Min: -   Max: -

Local OSPF Discovery
  One of three mechanisms for discovering local hosts (subnets) for Xpress tunnels. When the OSPF (Open Shortest Path First) routing protocol is configured on a router, the router broadcasts link-state advertisement (LSA) messages to its subnets. When Local OSPF Discovery is enabled, Xpress examines these LSA messages, looking for any subnets that are local to the PacketShaper. These hosts are then added to the local host list.
  This mechanism does not work in a redundant topology and is disabled by default. In a non-redundant topology, you have the option of enabling this variable if you so choose.
  Note: This variable is available in enhanced mode only.
  Default: off   Min: -   Max: -

Remote RSVP Discovery
  A mechanism for discovering remote hosts for Xpress tunnels. When Remote RSVP Discovery is enabled, Xpress sends RSVP Path request messages; if another PacketShaper along the path recognizes the host being probed for as a local host, it responds with an RSVP Resv reply message. If an RSVP Resv reply message is received for a host, the host is added to the list of remote hosts.
  This mechanism is enabled by default but only operates when global host discovery is enabled (see Configure Global Xpress Settings). This variable can be disabled for troubleshooting host discovery on different network topologies.
  Note: This variable is available in enhanced mode only.
  Default: on   Min: -   Max: -

Do not span packets
  When packets are being packed into super packets, this variable determines whether a packet's contents will be spanned across two super packets. By default, packets are not spanned.
  Default: yes   Min: -   Max: -

TCP port used for tunneled intershaper traffic
  The TCP port number that Xpress tunnels use for transport.
  Notes:
    • Traffic from any user machine sourcing from this port will not be accelerated.
    • When you change the TCP port number, only new tunnels (those formed after the change) use the new port. If any tunnels were using the old port, delete them so that all tunnels use the same port.
  Default: 64600   Min: 1   Max: 65535

Inherit inbound tunnel
  Determines how Xpress selects an outbound tunnel when a destination host is reachable via multiple routes. When this variable is enabled, Xpress chooses the tunnel that first serviced the inbound flow. When this variable is disabled, Xpress chooses the tunnel it discovered first.
  Note: This variable is not available via PolicyCenter.
  Default: off   Min: -   Max: -

Strict Host Check for Acceleration
  When this variable is enabled, outbound TCP flows are accelerated only if the source host is configured (or discovered) on the local device and the destination host is configured/discovered as a remote host via the outbound tunnel. Likewise, inbound accelerated flows are not intercepted unless the source host is configured/discovered as a remote host via the inbound tunnel and the destination host is configured/discovered on the local device.
  Certain topologies require this variable to be enabled in order for acceleration to work properly:
    • Multiple inline PacketShapers
    • Hub-and-spoke topologies in which traffic accelerated at the edge PacketShaper will pass through an intermediate PacketShaper at the central site
  Notes:
    • Enabling this variable may result in a slight degradation of performance for XTP acceleration, since lookup and validation of local and remote hosts are done per packet. SCPS acceleration does not have this side effect.
    • If packets pass through the same PacketShaper multiple times, it may be necessary to restrict hosts (using the tunnel discovery host command), to manually provision hosts on a particular side (using the hostdb side manual command), or to disable host discovery (using the tunnel discovery command).
  Default: off   Min: -   Max: -
Legacy Compression

Enable packing
  When packing is enabled, multiple packets are combined into a single "super packet" in order to save on overhead. Packing increases compression rates because less data is being sent out on the wire.
  Note: On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling packing altogether.
  Default: off   Min: -   Max: -

Packing hold time
  Maximum number of milliseconds packets will be held for packing. When the PacketShaper receives a packet, it is held up to the maximum packing hold time (10 ms by default), waiting to be combined with additional packets. After that time expires, Xpress compresses all the accumulated packets into a super packet and sends it out.
  Default: 10   Min: 0   Max: 1024

Transparent trigger threshold
  The number of consecutive retransmissions of a packet before Xpress disables the compression tunnel and sends packets in the clear (uncompressed). The tunnel resumes normal operation after it gets an acknowledgment for the retransmitted packets; if no acknowledgment is received before the Tunnel shutdown threshold is reached, the tunnel is shut down.
  Default: 2   Min: 0   Max: 99

Firewall Support
  Enables/disables firewall support for the Xpress compression feature. If set to 0, Xpress firewall support is disabled; use this setting when there is no firewall between partner units.
  When there is a firewall between partner units, enable firewall support by selecting either 1 or 2:
    • 1: Firewall support is enabled only when compression is ON.
    • 2: Firewall support stays enabled for persistent flows even after disabling compression. When compression is turned off, any TCP flows already hidden from the firewall continue to be hidden (tunneled), but new TCP flows are not hidden.
  Default: 0   Min: 0   Max: 2

Differentiated Services Interoperability
  Preserve TOS (Type-of-Service) IP header values on compressed packets. When this option is enabled, TOS values are preserved on IPComp packets. When it is disabled, TOS values are not preserved on compressed packets.
  Default: off   Min: -   Max: -

Discard RSVP Packets
  When this variable is disabled (the default), the PacketShaper responds to an RSVP (Resource Reservation Protocol) message from another PacketShaper and continues to pass the original RSVP packet to the inside, to any other PacketShapers that may be downstream.
  When this variable is enabled, the PacketShaper responds to the RSVP message but does not send the packet on. Note that the packet is discarded only when compression is enabled and when the RSVP packet is moving inwards.
  Note: This variable is applicable to legacy compression tunnels only.
  Default: off   Min: -   Max: -
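The Transparent trigger threshold above and the Tunnel shutdown threshold in the Xpress Tunnels section act on the same count of consecutive retransmissions: at the lower threshold the tunnel falls back to sending in the clear, an acknowledgment restores compression, and at the higher threshold the tunnel is shut down. The following Python model is an added example, not Blue Coat code, of how those two variables interact. The state names, the method interface and the treatment of a threshold of 0 as disabling that transition are assumptions made for the example; the page lists 0 only as the minimum value.

```python
class XpressTunnel:
    """Tracks consecutive retransmissions of a packet through one Xpress tunnel and
    applies the two thresholds: at the Transparent trigger threshold the tunnel sends
    in the clear, at the Tunnel shutdown threshold it shuts down. An acknowledgment
    for the retransmitted packets restores normal (compressed) operation.
    State names and the method interface are assumptions for this example. A threshold
    of 0 is treated here as disabling that transition (also an assumption; the page
    lists 0 only as the minimum value)."""

    COMPRESSED, TRANSPARENT, SHUTDOWN = "compressed", "transparent", "shutdown"

    def __init__(self, transparent_threshold=2, shutdown_threshold=5):
        self.transparent_threshold = transparent_threshold
        self.shutdown_threshold = shutdown_threshold
        self.consecutive_retransmits = 0
        self.state = self.COMPRESSED

    def on_retransmit(self):
        """Record one more consecutive retransmission and return the new state."""
        if self.state == self.SHUTDOWN:
            return self.state              # a shut-down tunnel stays down
        self.consecutive_retransmits += 1
        n = self.consecutive_retransmits
        if self.shutdown_threshold and n >= self.shutdown_threshold:
            self.state = self.SHUTDOWN
        elif self.transparent_threshold and n >= self.transparent_threshold:
            self.state = self.TRANSPARENT
        return self.state

    def on_ack(self):
        """Acknowledgment received for the retransmitted packets: resume normal
        operation unless the tunnel has already been shut down."""
        if self.state != self.SHUTDOWN:
            self.consecutive_retransmits = 0
            self.state = self.COMPRESSED
        return self.state


def replay(trace, **thresholds):
    """Drive a tunnel with a trace string ('R' = retransmission, 'A' = acknowledgment)
    and return the tunnel state after each event."""
    tunnel = XpressTunnel(**thresholds)
    states = []
    for ch in trace:
        states.append(tunnel.on_retransmit() if ch == "R" else tunnel.on_ack())
    return states


if __name__ == "__main__":
    # Two retransmissions go transparent, an ack recovers, five in a row shut the tunnel down.
    print(replay("RRARRRRRA"))
```

With the defaults (2 and 5) the trace RRARRRRRA goes compressed, transparent, compressed, compressed, transparent, transparent, transparent, shutdown, shutdown: the acknowledgment after the second retransmission rescues the tunnel, the later run of five does not, and once shut down the tunnel no longer reacts to acknowledgments.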
Browser Interface

Graph Timeout
  The maximum number of seconds a graph can take to generate in the browser interface; if the graph takes longer than this value to generate, a system time-out error message appears.
  Note: Increasing this setting can make the browser interface appear to "freeze" while PacketWise is generating some of the more complex graphs. Sometimes the browser will not display the page until all of the graphs are generated.
  Default: 60   Min: 1   Max: 600 (10 min)

Default User Interface
  The user interface that appears after logging in to the browser interface: Blue Coat Sky or the original (Advanced) user interface.
  Default: Sky   Min: -   Max: -
Session Management

Session Purge Timeout
  This variable controls how many seconds it takes for an unauthenticated login session to be purged from the system. You might need to increase this value if the session times out before the PacketShaper can authenticate a login password, for example when there is latency on the network or when a RADIUS or TACACS implementation is in use. Note that this variable does not apply to idle sessions that have already been authenticated; it applies only to new sessions that have not yet been authenticated. Introduced in PacketWise 9.2.2.
  Default: 30   Min: 30   Max: 360 (6 min)
Events

Registered Events
  The maximum number of events that can be registered.
  Default: 32   Min: 32   Max: 128

User-Defined Events
  The maximum number of events that can be user-defined.
  Default: 32   Min: 32   Max: 128

Extended SNMP Version
  Enable/disable the extended SNMP trap for user events. When this variable is turned on, there is an additional field in the trap that indicates the type of situation that triggered the trap. The field indicates violated (when the threshold was exceeded) or rearm (when the re-arm value was crossed).
  Default: off   Min: -   Max: -
Flow Detail Records (FDR)

Intermediate FDR
  Enable/disable the intermediate flow detail records feature. When this variable is enabled, PacketWise emits intermediate FDRs at the interval specified by the flowRecordsIntermediateTimeout variable.
  Note: Enable the intermediate flow detail records feature only when using a suitably instrumented collector, such as Cisco-based NetFlow-5 collectors. IntelligenceCenter ignores intermediate FDRs.
  Default: 0 (off)   Min: 0 (off)   Max: 1 (on)

Intermediate FDR Timeout
  Number of milliseconds between generation and sending of intermediate flow detail records when traffic is present.
  Default: 1500   Min: 1000   Max: 36000

Packeteer-P Packets
  Enable/disable emission of Packeteer-P packets to Packeteer-1 or Packeteer-2 flow detail record collectors. Packeteer-P packets contain statistics that are not related to particular flows but rather provide information about utilization on the PacketShaper at the time flows are recorded. If this variable is enabled, Packeteer-P records are sent after each UDP flow record packet is sent to Packeteer-1 or Packeteer-2 collectors (not more than once per minute).
  Default: 0 (off)   Min: 0 (off)   Max: 1 (on)

Packeteer-P Timeout
  Number of seconds between generation and sending of Packeteer-0 flow records.
  Default: 3600   Min: 10   Max: 5000

Packeteer-0 Packets
  Enable/disable emission of Packeteer-0 packets to Packeteer-1 or Packeteer-2 flow detail record collectors. Packeteer-0 packets are mapping messages that allow collectors to decipher PacketShaper-related information in the FDRs they receive. For example, in the FDR's ClassID field, a value identifies the traffic class. In order for the collector to understand which class is actually associated with the ID, it uses the class map, a list that contains each traffic class on the unit along with the identifying number assigned to each class. If this variable is enabled, Packeteer-0 mappings are sent out approximately once each hour. Note that this variable needs to be enabled only if the collector does not know this information through other means.
  Default: 0 (off)   Min: 0 (off)   Max: 1 (on)

Packeteer-0 Timeout
  Number of seconds between generation and sending of Packeteer-0 flow records.
  Default: 3600   Min: 10   Max: 5000

Reset Packeteer 1/2 Counters
  Controls whether or not the counter fields in FDR packets are reset with each intermediate FDR sent.
  Note: This variable only affects Packeteer-1 and Packeteer-2 format FDRs; counter fields are always reset in the NetFlow-5 format.
  Default: 1 (on)   Min: 0 (off)   Max: 1 (on)
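Whether counters are reset with each intermediate FDR changes how a collector must add the records up: reset counters are per-interval deltas and must be summed, while cumulative counters must be read from the latest record only, and a collector that applies the wrong rule double-counts or under-counts every flow. The following Python snippet is an added example, not Blue Coat or collector code, showing the two aggregation rules over constructed records. The record field names are assumptions and do not reflect the real Packeteer-1/2 FDR layout.

```python
# Constructed Packeteer-1/2 style records for one flow, as a collector might receive
# them after two intermediate FDRs and a final one. The field names are assumptions
# for this example, not the real FDR layout.
CUMULATIVE_RECORDS = [   # Reset Packeteer 1/2 Counters = 0 (off): counters keep growing
    {"flow": "f1", "bytes": 1000},
    {"flow": "f1", "bytes": 2500},
    {"flow": "f1", "bytes": 4000},
]
RESET_RECORDS = [        # Reset Packeteer 1/2 Counters = 1 (on): counters restart each record
    {"flow": "f1", "bytes": 1000},
    {"flow": "f1", "bytes": 1500},
    {"flow": "f1", "bytes": 1500},
]


def counters_are_reset(fdr_format, reset_variable):
    """Collector-side rule from the page: NetFlow-5 counters are always reset;
    Packeteer-1/2 counters follow the Reset Packeteer 1/2 Counters variable (0 or 1)."""
    fmt = fdr_format.lower()
    if fmt == "netflow-5":
        return True
    if fmt in ("packeteer-1", "packeteer-2"):
        return bool(reset_variable)
    raise ValueError(f"unknown FDR format: {fdr_format}")


def flow_totals(records, reset):
    """Total bytes per flow. With reset counters each record is a delta, so sum them;
    with cumulative counters only the latest value is the total."""
    totals = {}
    for rec in records:
        if reset:
            totals[rec["flow"]] = totals.get(rec["flow"], 0) + rec["bytes"]
        else:
            totals[rec["flow"]] = rec["bytes"]
    return totals


if __name__ == "__main__":
    reset = counters_are_reset("Packeteer-2", 1)
    print("correct:        ", flow_totals(RESET_RECORDS, reset))
    print("double-counted: ", flow_totals(CUMULATIVE_RECORDS, reset=True))
```

Both record sets describe the same 4000-byte flow; summing cumulative counters as if they were deltas reports 7500 bytes, which is the error to look for when a collector's volumes disagree with the unit's own Monitor Traffic figures.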
VoIP Metrics

Enable Latency Calculations
  Enable/disable the calculation of latency for VoIP metrics. When this variable is enabled, PacketWise collects data that measure latency for VoIP flows.
  Note: Latency can only be measured between PacketShapers that have latency calculations enabled (on).
  Default: off   Min: off   Max: on

Latency Probe Send Interval
  Number of seconds between the issuance of the VoIP latency probes that measure VoIP metrics, enabled by the enableLatency variable.
  Default: 5   Min: 1   Max: 60

Discard Latency Probe
  Allows the PacketShaper to be configured to discard VoIP latency probes after responding to them. If VoIP devices located on the Inside of the PacketShaper are sensitive to VoIP latency probes, enabling this variable prevents potential VoIP call drops.
  Default: off   Min: -   Max: -
Users

Cache Timeout for IPs with User Mapping
  The number of seconds an IP-to-user-name mapping will be stored in the PacketShaper cache. By default, the user mappings are stored for one hour. Because querying the cache is faster than querying the BCAAA server, you can speed up user name lookups by increasing the cache timeout. However, the tradeoff is that stale mappings could cause incorrect user name identification.
  Default: 3600   Min: 300   Max: 86400

Cache Timeout for IPs with No User Mapping
  The number of seconds an IP will be stored in the PacketShaper cache when the IP lookup does not result in a user.
  Default: 1800   Min: 300   Max: 86400
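The two cache timeouts above trade lookup cost against how long a reassigned address keeps being attributed to its previous user, which matters when user names from the PacketShaper feed policy or investigations. The following Python model is an added example, not PacketWise code, of a cache with a positive TTL for resolved addresses and a negative TTL for unresolved ones; the BCAAA query is stood in for by a dictionary lookup, the clock is injectable so expiry can be exercised, and the addresses and user names are constructed.

```python
import time


class UserMappingCache:
    """IP-to-user-name cache with the two timeouts from the Users table: a positive
    TTL for IPs that resolved to a user and a negative TTL for IPs that did not.
    `lookup` stands in for the BCAAA query (assumed interface: returns a user name or
    None); `clock` is injectable so expiry can be tested without waiting."""

    def __init__(self, lookup, hit_ttl=3600, miss_ttl=1800, clock=time.monotonic):
        self.lookup = lookup
        self.hit_ttl = hit_ttl
        self.miss_ttl = miss_ttl
        self.clock = clock
        self._entries = {}          # ip -> (user or None, expiry time)
        self.backend_queries = 0    # how many times the slow path was taken

    def user_for(self, ip):
        now = self.clock()
        entry = self._entries.get(ip)
        if entry is not None and now < entry[1]:
            return entry[0]         # served from cache, possibly stale
        self.backend_queries += 1
        user = self.lookup(ip)
        ttl = self.hit_ttl if user is not None else self.miss_ttl
        self._entries[ip] = (user, now + ttl)
        return user


class FakeClock:
    """Manually advanced clock so the scenario below runs instantly."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def stale_mapping_demo():
    """Constructed scenario: 10.0.0.5 belongs to alice, then is reassigned to bob.
    Returns the user names the cache reports at each step and the number of backend
    queries made, showing the staleness window the page warns about."""
    directory = {"10.0.0.5": "alice"}        # constructed stand-in for the BCAAA server
    clock = FakeClock()
    cache = UserMappingCache(directory.get, hit_ttl=3600, miss_ttl=1800, clock=clock)
    seen = [cache.user_for("10.0.0.5")]      # alice, backend queried
    directory["10.0.0.5"] = "bob"            # address reassigned behind the cache's back
    clock.advance(600)
    seen.append(cache.user_for("10.0.0.5"))  # still alice: stale until hit_ttl expires
    clock.advance(3000)                      # 3600 s since the first lookup: entry expired
    seen.append(cache.user_for("10.0.0.5"))  # bob, backend queried again
    seen.append(cache.user_for("10.0.0.9"))  # unknown IP: None, cached for miss_ttl
    clock.advance(1799)
    seen.append(cache.user_for("10.0.0.9"))  # still None, from cache
    return seen, cache.backend_queries


if __name__ == "__main__":
    print(stale_mapping_demo())
```

The scenario makes three backend queries and reports alice, alice, bob, None, None: the second answer is the stale mapping the page warns about, and its maximum duration is exactly the Cache Timeout for IPs with User Mapping value.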
Security

TLS 1.0 Client
  Enable/disable the TLS 1.0 protocol for secure client connections. When this variable is disabled, TLS 1.0 client connections are not allowed; only TLS 1.1 and 1.2 connections are allowed. This variable is enabled by default (TLS 1.0 is allowed).
  Note: This variable is available in PacketWise 9.2.11 and higher.
  Default: on   Min: -   Max: -

TLS 1.0 Server
  Enable/disable the TLS 1.0 protocol for secure server connections. When this variable is disabled, TLS 1.0 server connections are not allowed; only TLS 1.1 and 1.2 connections are allowed. This variable is enabled by default (TLS 1.0 is allowed).
  Note: This variable is available in PacketWise 9.2.11 and higher.
  Default: on   Min: -   Max: -
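After changing TLS 1.0 Server, the setting is worth verifying from the outside rather than trusting the Setup page, since the table does not say whether a reset is needed before it takes effect. The following Python script is an added example, not a Blue Coat tool, that performs a handshake pinned to each of TLS 1.0, 1.1 and 1.2 against your own unit's management interface and reports any version whose acceptance disagrees with what the variable implies. It assumes Python's standard ssl module and an OpenSSL build that can still offer TLS 1.0 and 1.1 when its security level is lowered; the host name in the usage line is a placeholder, and the probe function is injectable so the comparison logic can be exercised offline.

```python
import socket
import ssl

# Versions to probe, by name. TLS 1.3 is not probed because the page only speaks of 1.0 to 1.2.
PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def expected_allowed_versions(tls10_enabled):
    """Versions the page says the unit accepts for a given TLS 1.0 Server setting."""
    return {"TLSv1", "TLSv1.1", "TLSv1.2"} if tls10_enabled else {"TLSv1.1", "TLSv1.2"}


def accepts_tls_version(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly one protocol version against the unit's own
    management interface. Returns True if the handshake completes, False if the server
    rejects it, and None if the probe could not run (unreachable host, or the local
    OpenSSL refuses to offer that version at all)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # protocol acceptance is being checked, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let legacy versions be offered at all
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False
    except OSError:
        return None


def audit_tls_versions(host, port, tls10_enabled, probe=accepts_tls_version):
    """Compare what the unit actually negotiates with what its TLS 1.0 Server setting
    implies. Returns {version: 'accepted' | 'rejected' | 'untested'} for every mismatch;
    an empty dict means the setting is in effect. `probe` is injectable for testing."""
    expected = expected_allowed_versions(tls10_enabled)
    findings = {}
    for name, version in PROBE_VERSIONS.items():
        result = probe(host, port, version)
        if result is None:
            findings[name] = "untested"
        elif result != (name in expected):
            findings[name] = "accepted" if result else "rejected"
    return findings


if __name__ == "__main__":
    # Placeholder management address; replace with your own unit.
    print(audit_tls_versions("packetshaper.example.invalid", 443, tls10_enabled=False))
```

A finding of "accepted" for TLSv1 after disabling the variable means the change has not taken effect on the management port; "untested" means the local OpenSSL could not offer that version, so the result says nothing about the unit and the probe should be rerun from a host that can still speak TLS 1.0.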
Miscellaneous

Synthetic Transaction Timeout (Read)
  Number of seconds after which a synthetic transaction will end when the response received is incomplete.
  Note: This variable is not available on PacketShaper ISP models.
  Default: 5   Min: 1   Max: 1000

Synthetic Transaction Timeout (Write)
  Number of seconds after which a synthetic transaction will be canceled if the server fails to respond to a request.
  Note: This variable is not available on PacketShaper ISP models.
  Default: 60   Min: 10   Max: 5000

Maximum Frame Routes
  The maximum number of route entries PacketWise can import from a FRAD or ATM routing table.
  Default: 300   Min: 25   Max: 2000

Link State Mirroring
  Enable/disable link state mirroring. With link state mirroring, PacketWise brings down the second port of a NIC pair if the first goes down. This feature allows each PacketShaper to sit between a WAN router and a switch without blocking detection of switch outages by the router. Link state mirroring is automatically enabled when direct standby is enabled.
  Notes:
    • When direct standby is enabled and a LEM port is being used for the standby direct link, link state mirroring will be disabled on this LEM but enabled on all other INSIDE/OUTSIDE pairs. If the built-in Standby port on the PS12000 is being used, link state mirroring will be enabled on all INSIDE/OUTSIDE pairs.
    • This variable is not available via PolicyCenter.
  Default: off   Min: -   Max: -

Estimate Packet Exchange Time
  Enable/disable the calculation of packet exchange time. When this variable is disabled, the Pkt Exch column on the Monitor Traffic page does not appear, RTM is not available, and the packet exchange time and RTM measurement variables always have a value of 0.
  After disabling the Estimate Packet Exchange Time variable, you should reset the unit.
  Default: on   Min: -   Max: -

Enable Winny Application Classification
  Enable/disable classification of the Winny service. For optimal performance, enable this only when management of Winny traffic is required.
  Note: The Winny peer-to-peer application is used primarily in Japan.
  Default: off   Min: -   Max: -

Enable Support for SSHv1
  Enable/disable support for Secure Shell version 1 (SSHv1) for secure access to the PacketShaper. When this variable is enabled, the PacketShaper can be accessed with SSHv1 and SSHv2 clients. When this variable is disabled, only SSH clients using the SSHv2 protocol version are supported.
  Note that this variable doesn't take effect until the PacketShaper is reset.
  Default: on   Min: -   Max: -

Override Diffserv class sort order
  Controls the sort order of the traffic tree with respect to Diffserv classes (those with DSCP marks). Three settings are available:
    • 0: Diffserv classes are sorted below IP-address-based classes but above port-based classes (the default).
    • 1: Diffserv classes are sorted above IP-address-based classes.
    • 2: Legacy sort order (Diffserv classes are sorted after IP-address-based classes, port-based classes, and auto-discovered classes).
  Note: The new sort order doesn't take effect until the unit is rebooted.
  Default: 0   Min: 0   Max: 2

MPLS Additional Label
  Specifies the stack position (1-5) of the MPLS label you want to classify.
  By default, PacketWise classifies traffic by the first MPLS label only, but you can also classify packets based on MPLS stacked labels 2 to 5. See also Classify Traffic Based on MPLS.
  Default: 1   Min: 1   Max: 5

Use Built-in Standby
  Controls which interface is used for direct standby on a PacketShaper 12000. When enabled (on), the built-in 10/100/1000Base-T Standby port is used for direct standby. When disabled (off), the outside interface of the right-most bridge pair on an installed LEM is used for direct standby. This variable does not take effect until the PacketShaper is reset.
  Note: This variable is applicable to the PacketShaper 12000 only.
  Default: on   Min: -   Max: -

See also:

Revert to Default System Variable Settings

 

PacketGuide™ for PacketWise® 9.2