Forum Discussion

Michael_Harpe's avatar
Icon for Altostratus rankAltostratus
Nov 23, 2022

APM TCP connection limit K38157145

I encountered this issue today when trying to troubleshoot a problem that presented as TCP ACK/RSTs being sent from a VS using APM. I found the problem while getting data together for a ticket. Erro...
  • Kai_Wilke's avatar
    Nov 24, 2022

    Hi Michael,

    you may check the landing URI's of such in-progress sessions. It happens very often that APM timed out browser session still performing certain API calls which are starting lots of new APM sessions.   

    I regulary use a black-list of URI's which should not create a new APM session to avoid exhaustion of the Per-IP limits. 

    when HTTP_REQUEST {
    	#log "Unset all Temporary and HTTP-Request variables (if exists) on each received HTTP request."
    	unset -nocomplain req temp
    when ACCESS_SESSION_STARTED priority 170 {
    	#log "Fetch the landing URI from APM session."
    	set temp(landinguri) [ACCESS::session data get "session.server.landinguri"]
    	#log "Checking if the landing URI is eliglible to start a new APM session."
    	switch -glob -- $temp(landinguri) {
    		"/api.jsp" -
    		"/some-other-api.jsp" -
    		"/some-api-related-path*" {
    			#log "The landing URI is not eliglible to start a new APM session. Redirecting the user to the APM hangup page."
    			ACCESS::respond 302 \
    							noserver \
    							"Location" "/vdesk/hangup.php3"
    			#log "Marking the APM session to get killed during HTTP_RESPONSE_RELEASE event."
    			set req(kill_apm_session_on_http_response_release) 1
    	if { [info exists req(kill_apm_session_on_http_response_release)] } then {
    		#log "Passing the ongoing HTTP response to client while killing the APM user session."
    		ACCESS::session remove

    Beside of killing those automated session creations as soon as they start a new APM session, you may also check if certain IPs of Proxy Servers are exhausting the limits regulary. In this case you may take a look to an iRule snipped I used in the past to enforce relaxed APM Per-IP session limits for well-known high traffic sources.

    Enforcing individual APM Policy "In Progress Sessi... - DevCentral (

    Cheers, Kai