Forum Discussion
Apply a connection rate limit on Virtual Server
Regarding F5 support, the connection rate limit on a virtual server which has an SSL profile configured is applied after the defined number of successful connections (SSL) has been reached. My customer's service got hammered really hard with SSL handshakes. As the VIPRION was overloaded within moments (tmm memory exhaustion, most of it consumed by SSL-related stuff), this connection rate limit was never enforced, as just a few connections were successful.
Any ideas about implementing a TCP based connection rate limit? I was thinking about hoolio's iRule: https://devcentral.f5.com/wiki/iRules.virtual_server_connection_rate_limit_with_tables.ashx
I'm using TMOS 11.3.0
Any other ideas?
Thanks, Rolf
2 Replies
- nitass
Employee
I think if the issue is about too many new SSL connections (i.e. not too many renegotiations), the iRule should be fine.
Just my 2 cents.
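An iRule for the kind of TCP-level limit asked about above, as an added example that is not part of the thread and is not hoolio's iRule: it counts new connections in CLIENT_ACCEPTED, which fires once the TCP connection is established and before the client SSL handshake, so over-limit connections are refused before any SSL work is done. The threshold, window length and subtable name are assumptions to be tuned per service.

```tcl
# Added example (not from the thread): virtual-server-wide limit on new
# TCP connections, enforced before the client SSL handshake starts.

when RULE_INIT {
    # Assumed threshold: new connections allowed per window for the whole
    # virtual server. Size it from normal peak traffic, not from the attack.
    set static::max_new_conns 500

    # Assumed window length in seconds. Each table entry expires after this
    # long, so the subtable holds only connections accepted in the last window.
    set static::window_secs 1
}

when CLIENT_ACCEPTED {
    # One subtable per virtual server so several virtual servers can share
    # the iRule without sharing a counter.
    set tbl "connrate_[virtual name]"

    # Entries still present are the connections accepted within the window.
    if { [table keys -subtable $tbl -count] >= $static::max_new_conns } {
        # Over the limit: reset the connection now. No ClientHello is
        # processed, so no SSL session state is allocated for it.
        # "drop" can be used instead of "reject" to discard silently.
        reject
        return
    }

    # Under the limit: record this connection. The key only has to be unique
    # per client socket; the value is a placeholder. Timeout is indefinite,
    # the lifetime makes the entry expire at the end of the window.
    # The subtable never grows beyond max_new_conns entries, because entries
    # are only added while the count is below the threshold.
    table set -subtable $tbl "[IP::client_addr]:[TCP::client_port]" 1 indefinite $static::window_secs
}
```

Because the counter is per virtual server, legitimate clients are refused together with the flood once the threshold is reached; the gain is that tmm memory is no longer consumed by handshakes beyond that rate.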
- Kevin_K_51432
Historic F5 Account
Hi Rolf, I wonder what the "SSL-related stuff" is. Would be nice to know. One item to consider is the SSL cache. The cache size is 262,144 records and the cache timeout is set to one hour. These figures could be cut down significantly (say half) and the only impact would be established clients renegotiating more frequently. Pretty painless compared to significant memory exhaustion, which affects the device as a whole. Consider: is a 30-minute SSL session (without renegotiation), perhaps with only 130,000 entries, too short / small?
Session Cache:
http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6767.html
http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11170.html
More info on SSL profile:
http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14783.html
Kevin