Deepsri
May 26, 2023

Connection Rate Limit Mode - Per Source Address

We are trying to use the Connection Rate Limit Mode - Per Source Address option for one of our highly used VIPs. What is the best way to configure this setting? We have tried this option without much success or no success. I am able to set a value for Connection Limit and that seems to work, but not the above-mentioned option. Any inputs will be much appreciated.

  • Are you actually seeing different IP addresses on the F5 BIG-IP? If you are source NATing on a firewall/proxy and the F5 BIG-IP doesn't see the real source IPs then this won't work for you.

    • Deepsri

      The VIP is seeing different source IPs; it's not getting a NAT'ed IP.

  • Hi Deepsri,

    It works per source address subnet mask; you, as admin, set the mask in the virtual server options.
    This is a piece of info from the BIG-IP GUI:
    "
    Connection Rate Limit Source Mask

    Specifies an IP address mask, in bits, to be applied to the source address as part of the rate limiting. The default is 0, which is equivalent to using the entire address, 32 in IPv4, or 128 in IPv6.
    "

    It should give you stable results based on the subnet mask that you set.

    Note that Connection Limits have no allowance if the connections per source address subnet mask exceed the defined limits, so you have to set the mask value and the limit properly.

    Also, have a look at the following article; you may be hitting this bug: https://my.f5.com/manage/s/article/K17082

     

    I hope this helps you

    • awan_m

      Hi Mohamed_Ahmed_Kansoh

      I am trying to implement rate limiting too, but I don't quite understand this part:
      "Specifies an IP address mask, in bits, to be applied to the source address as part of the rate limiting. The default is 0, which is equivalent to using the entire address, 32 in IPv4, or 128 in IPv6."

      As an example:

      I have 2 virtual servers sharing the same IP but different ports, and these are non-HTTP apps.
      VS1 - 10.10.10.10 - port 4403 - rate limit 10 - Mode - Virtual server and source Address
      VS2 - 10.10.10.10 - port 4404 - rate limit 10 - Mode - Virtual server and source Address

      I have the same client IPs connecting to both.

      If a client IP, 20.20.20.20, reaches the limit for VS1, how would that impact its connections on VS2? Meaning:

      if the client is on 11 connections on VS1, will that also block it on VS2, where it has 4 connections?

      And in the above scenario, what value should I specify for Connection Rate Limit Source Mask?

      Thanks

       

      • Hi awan_m,
        For your query about both virtual servers:
        Each virtual server has its own settings and connection limits, so VS1 shouldn't impact VS2 even if it has the same IP; this could be done by an L4 firewall, for example.

        For suitable values of Connection Limits:

        It depends on your environment and client traffic patterns. You should ask the server owner how many connections they expect to receive on this VS per source IP.

        My recommendation:
        Use Connection Limit, not Connection Rate Limit, to be able to set optimal values.
        If you do this, enable your AVR module and monitor the max concurrent connections (for a week or a month), then take this value and set it as the VS Connection Limit. (Be careful: if this VS was under a DoS attack within the monitoring period, you have to reset your stats and monitor the traffic connections again.) This is so you don't set a very large limit that BIG-IP sensed from the DoS attack.

        The way to get your connection stats:
        > Provision AVR first.
        > Add this virtual server to an analytics profile > wait 10 mins and start monitoring.
        > To monitor your VS connections:
        Go to Statistics >> Analytics >> Virtual servers >> Traffic Details >> Connections.
        You will see all stats collected since you added this VS to AVR.


        If you need to know how to enable AVR and the Analytics profile:
        use this web site: https://clouddocs.f5.com/training/community/analytics/html/class1/class1.html
        Concentrate on Task1 & Task2.

        I hope you find my comment insightful ^^

  • Deepsri or awan_m - if either of you consider one (or more) of the answers provided as "solutions" please select *Accept As Solution*.
    This helps future readers find answers more quickly and confirms the efforts of those who helped.
    Thanks for being part of our community.
    Lief
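
The source-mask grouping discussed in this thread, as an added example that is not part of any post and is not F5's implementation: a simplified Python model of how the mask decides which clients share one rate-limit counter. It assumes fixed one-second windows and one independent limiter per virtual server (as the reply above states); the class and function names are hypothetical, and the attempts are constructed from the 20.20.20.20 scenario in the question.

```python
import ipaddress
from collections import defaultdict

def bucket_key(src_ip, mask_bits):
    """Network a source address is counted under.

    Per the GUI help quoted in the thread, 0 means the entire address
    (/32 for IPv4, /128 for IPv6).
    """
    addr = ipaddress.ip_address(src_ip)
    prefix = mask_bits or addr.max_prefixlen
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

class PerSourceRateLimiter:
    """Simplified model (assumption): fixed one-second windows, one counter
    per masked source. One instance stands for one virtual server."""

    def __init__(self, limit, mask_bits=0):
        self.limit = limit
        self.mask_bits = mask_bits
        self.counts = defaultdict(int)  # (second, bucket) -> accepted count

    def allow(self, src_ip, now):
        key = (int(now), bucket_key(src_ip, self.mask_bits))
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True

def replay(limiter, attempts):
    """Feed (timestamp, src_ip) attempts in; return accepted count per source."""
    accepted = defaultdict(int)
    for ts, src in attempts:
        if limiter.allow(src, ts):
            accepted[src] += 1
    return dict(accepted)

# Constructed sample: all attempts fall inside the same second (t = 100.xx).
VS1_ATTEMPTS = [(100 + i / 100, "20.20.20.20") for i in range(11)] + \
               [(100.5 + i / 100, "20.20.20.21") for i in range(5)]
VS2_ATTEMPTS = [(100 + i / 100, "20.20.20.20") for i in range(4)]

if __name__ == "__main__":
    for mask in (0, 32, 24):
        vs1, vs2 = PerSourceRateLimiter(10, mask), PerSourceRateLimiter(10, mask)
        print(f"mask={mask:>2} VS1={replay(vs1, VS1_ATTEMPTS)} "
              f"VS2={replay(vs2, VS2_ATTEMPTS)}")
```

In this model a mask of 24 puts both clients under one 20.20.20.0/24 counter, so the second client is refused once the first has used up the limit, while a mask of 0 or 32 counts each address on its own.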