Abstract: A network appliance is provided for establishing sessions between client devices and a network server(s) for exchanging network traffic therebetween. The network appliance may include a memory and a processor cooperating with the memory, with the processor being operable in a normal traffic mode and a forwarding traffic mode. The processor may be configured to establish new sessions for network traffic based upon new session requests from the client devices, and forward network traffic associated with prior existing sessions from the client devices to the network server(s). When in the forwarding traffic mode, the processor may forward network traffic not associated with a prior existing session or a new session request to the network server(s). When in the normal traffic mode, the processor may block network traffic not associated with a prior existing session or a new session request from reaching the network server(s).

Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.

Abstract: The present disclosure relates to methods and systems for dynamically changing an advertised window for a transport layer connection. A device can receive data from a server destined for an application. The device identifies the size of the application buffer corresponding to the application and advertises the application buffer size as a window size to the server. The device stores the data in the device memory. The device then determines the memory usage by comparing the memory usage to one or more predetermined thresholds. If the device determines that the memory usage is below a first predetermined threshold, the device can implement an aggressive dynamic receive buffering policy in which the device increases the advertised window size by a first increment. If the device determines that the memory usage is above the first threshold and below a second threshold, the device executes a more conservative dynamic receive buffering policy.

Abstract: A network appliance is provided for establishing sessions between client devices and a network server(s) for exchanging network traffic therebetween. The network appliance may include a memory and a processor cooperating with the memory, with the processor being operable in a normal traffic mode and a forwarding traffic mode. The processor may be configured to establish new sessions for network traffic based upon new session requests from the client devices, and forward network traffic associated with prior existing sessions from the client devices to the network server(s). When in the forwarding traffic mode, the processor may forward network traffic not associated with a prior existing session or a new session request to the network server(s). When in the normal traffic mode, the processor may block network traffic not associated with a prior existing session or a new session request from reaching the network server(s).

Abstract: Systems and methods of providing fine grained control over MSS values of transport layer connections. A device intermediary to a plurality of clients and a plurality of servers can identify a first MSS value based on a MTU value of a VLAN interface responsive to a request to establish a transport layer connection. Device determines that a MSS value of the VLAN is less than the first MSS value. Device updates, responsive to the determination, the first MSS value to a second MSS value corresponding to the MSS value of the VLAN. Device determines that an MSS value specified by a profile configured for a virtual server of the device is less than the second MSS value. Device updates the second MSS value to the MSS value of the profile responsive to determining that the MSS value specified by the profile is less than the second MSS value.

Abstract: The systems and methods of the present solution are directed to collecting log information from multiple nodes in a multi-nodal cluster. Generally, a logging process runs to collect log information from multiple nodes in a multi-nodal cluster, e.g., a cluster of appliances. The logging process collects the log information and merges the collected log information to create a coherent unified log. The logging process may run on a node designated for the purpose. The designated node may be internal or external to the cluster. The logging process determines a topology for the cluster, establishes a communication channel with each active intermediary device identified in the topology, collects log entries from each active intermediary device, each log entry comprising information on network traffic traversing the respective intermediary device, and merges the collected log entries into a unified cluster log comprising information on network traffic traversing the cluster.

Abstract: The present disclosure is directed towards systems and methods for supporting Simple Network Management Protocol (SNMP) request operations over clustered networking devices. The system includes a cluster that includes a plurality of intermediary devices and an SNMP agent executing on a first intermediary device of the plurality of intermediary devices. The SNMP agent receives an SNMP GETNEXT request for an entity. Responsive to receipt of the SNMP GETNEXT request, the SNMP agent requests a next entity from each intermediary device of the plurality of intermediary devices of the cluster. To respond to the SNMP request, the SNMP agent selects a lexicographically minimum entity. The SNMP agent may select the lexicographically minimum entity from a plurality of next entities received via responses from each intermediary device of the plurality of intermediary devices.

Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.

Abstract: This disclosure is directed generally to systems and methods for implementation of Jumbo frames in an existing network stack. In some embodiments, a connection handler of a device receives data having a size greater than an Ethernet frame size. That data includes header data and payload data. The device partitions the data into segments including a first segment and a second segment. The first segment includes the header data and a first portion of the payload data, while the second segment includes a second portion of the payload data. The device stores the first and second segments in first and second network buffers, respectively, of a pool of network buffers. The device forms a packet chain of the first and second network buffers having a size greater than the Ethernet frame size. The device transmits the packet chain via a network connection.

Abstract: The present invention is directed towards systems and methods for multipath transmission control protocol connection (MPTCP) management. A first device, intermediary between a second device and a third device, may establish a protocol control structure responsive to establishment of a MPTCP session between the first device and the second device. The first device may maintain, via the protocol control structure, an identification of a plurality of subflows comprising transmission control protocol (TCP) connections in the MPTCP session between the first device and the second device. The first device may convert or translate, via the protocol control structure, subflow-specific sequence identifiers of packets transmitted via each of the plurality of subflows, to sequence identifiers unique across the plurality of subflows and identifying related packets from each subflows to be processed at the third device.

Abstract: The present disclosure relates to methods and systems for dynamically changing an advertised window for a transport layer connection. A device can receive data from a server destined for an application. The device identifies the size of the application buffer corresponding to the application and advertises the application buffer size as a window size to the server. The device stores the data in the device memory. The device then determines the memory usage by comparing the memory usage to one or more predetermined thresholds. If the device determines that the memory usage is below a first predetermined threshold, the device can implement an aggressive dynamic receive buffering policy in which the device increases the advertised window size by a first increment. If the device determines that the memory usage is above the first threshold and below a second threshold, the device executes a more conservative dynamic receive buffering policy.

Abstract: The systems and methods of the present solution are directed to providing Entity Tag persistency by a device intermediary to a client and a plurality of servers. An intermediary device between a client and one or more back-end servers can receive an entity requested by the client from an origin server that provides the requested content. The intermediary device can encode the back-end server information onto an ETag of the entity, cache the entity with the encoded ETag and serve the entity with the encoded ETag to the client. In this way, when the client attempts to validate the entity by sending a request including the encoded ETag to the intermediary device, the intermediary device decodes the encoded ETag to extract the identity of the backend server and sends the request to validate the entity to the identified server that originally sent the entity that included the requested content.

Abstract: The present disclosure relates to methods and systems for dynamically changing an advertised window for a transport layer connection. A device can receive data from a server destined for an application. The device identifies the size of the application buffer corresponding to the application and advertises the application buffer size as a window size to the server. The device stores the data in the device memory. The device then determines the memory usage by comparing the memory usage to one or more predetermined thresholds. If the device determines that the memory usage is below a first predetermined threshold, the device can implement an aggressive dynamic receive buffering policy in which the device increases the advertised window size by a first increment. If the device determines that the memory usage is above the first threshold and below a second threshold, the device executes a more conservative dynamic receive buffering policy.

Abstract: Systems and methods of providing fine grained control over MSS values of transport layer connections. A device intermediary to a plurality of clients and a plurality of servers can identify a first MSS value based on a MTU value of a VLAN interface responsive to a request to establish a transport layer connection. Device determines that a MSS value of the VLAN is less than the first MSS value. Device updates, responsive to the determination, the first MSS value to a second MSS value corresponding to the MSS value of the VLAN. Device determines that an MSS value specified by a profile configured for a virtual server of the device is less than the second MSS value. Device updates the second MSS value to the MSS value of the profile responsive to determining that the MSS value specified by the profile is less than the second MSS value.

Abstract: The present disclosure is directed towards systems and methods for application performance measurement. A device may receive a first document for transmission to a client, comprising instructions for the client to transmit a request for an embedded object. A flow monitor executed the device may generate a unique identification associated with the first document, the unique identification identifying a first access of the first document, and transmit the first document and unique identification to the client. The device may receive, from the client, a request for the embedded object comprising the unique identification, and transmit, to a server, the request for the embedded object at a transmit time. The device may receive, from the server, the embedded object at a receipt time, and may transmit a performance record comprising an identification of the object, the server, the transmit time, the receipt time, and the unique identification to a data collector.

Abstract: Systems and methods for reducing file sizes for files delivered over a network are disclosed. A method comprises receiving a first file comprising sequences of data; creating a hash table having entries corresponding to overlapping sequences of data; receiving a second file comprising sequences of data; comparing each of the sequences of data in the second file to the sequences of data in the hash table to determine sequences of data present in both the first and second files; and creating a third file comprising sequences of data from the second file and representations of locations and lengths of said sequences of data present in both the first and second files.

Abstract: Systems and methods of providing fine grained control over MSS values of transport layer connections. A device intermediary to a plurality of clients and a plurality of servers can identify a first MSS value based on a MTU value of a VLAN interface responsive to a request to establish a transport layer connection. Device determines that a MSS value of the VLAN is less than the first MSS value. Device updates, responsive to the determination, the first MSS value to a second MSS value corresponding to the MSS value of the VLAN. Device determines that an MSS value specified by a profile configured for a virtual server of the device is less than the second MSS value. Device updates the second MSS value to the MSS value of the profile responsive to determining that the MSS value specified by the profile is less than the second MSS value.

Abstract: The present disclosure is directed towards tracking application layer flow via a multi-connection intermediary. Transaction level or application layer information may be tracked via the intermediary, including one or more of: (i) the request method; (ii) response codes; (iii) URLs; (iv) HTTP cookies; (v) RTT of both ends of the transaction in a quad flow arrangement; (vi) server time to provide first byte of a communication; (vii) server time to provide the last byte of a communication; (viii) flow flags; or any other type and form of transaction level data may be captured, exported, and analyzed. The application layer flow or transaction level information may be provided in an IPFIX-compliant data record. This may be done to provide template-based data record definition, as well as providing data on an application or transaction level of granularity.

Abstract: A packet quota value, which indicates a maximum number of network packets that a network appliance processes before switching to a different task, is modified. Log data, which includes multiple log entries spanning a time interval, is accessed. Each log entry includes a processing time that indicates how much time the network appliance spent performing network traffic tasks before switching to the different task. The log data is analyzed. Responsive to the analysis indicating that a current state of network traffic is heavier than a maximum state of network traffic that was observed during the time interval, the packet quota value is increased. Responsive to the analysis indicating that the current state of network traffic is lighter than a minimum state of network traffic that was observed during the time interval, the packet quota value is decreased.

Abstract: The present disclosure is directed towards methods and systems for caching packet steering sessions for steering data packets between intermediary devices of a cluster of intermediary devices intermediary to a client and a plurality of servers. A first intermediary device receives a first data packet and determines, from a hash of a tuple of the first packet, a second intermediary device to which to steer the first packet. The first device stores, to a session for storing packet steering information, the identity of the second device and the tuple. The first device receives a second packet having a corresponding tuple that matches the tuple of the first packet and determines, based on a lookup for the session using the tuple of the second packet, that the second device is the intermediary device to which to steer the second packet. The first device steers the second packet to the second device.