iRule + profiles driving up resources

Hi Frank,

I didn't think you'd gain too much by removing the debug checks from the iRule. It was more a clean up suggestion.

The active/standby/active log event is definitely a cause for concern. This is possibly due to an issue with the load and/or configuration.

Do you have connection mirroring enabled (on a virtual server or SNAT)? Or do you have persistence mirroring enabled? Both will add load, but I think connection mirroring will add a lot more. If you have connection mirroring enabled, that would be the first thing I'd consider disabling (before OneConnect or other changes). Connection mirroring doesn't add much value for the relatively short lived TCP connections that HTTP uses.

If this is HTTP proxy traffic you could also consider using CARP which is stateless and requires no mirroring:

SOL11362: Overview of the CARP hash algorithm

http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11362.html

Also, I'd suggest opening a case with F5 Support so you can get a detailed analysis done of the logs and configuration. This is most likely impacting production traffic, so troubleshooting via the forums might not be fast enough.

Lastly, you can optimize the iRule a little more by only performing the IP check once per TCP connection. Again, I don't think this will make a big difference, but it is more efficient.

when CLIENT_ACCEPTED {

    Only check once per TCP connection if the client IP is part of the datagroup
   if { [matchclass [IP::client_addr] equals Pilot_Subnets] } {
      set pilot 1
   } else {
       Assign the standard pool now
      set pilot 0
      pool HTTP-PROXY_80 
   }
}
when HTTP_REQUEST {

    Check if the client IP 
   if {$pilot == 1 }{
      if { [HTTP::header "User-Agent"] contains "mozycorp-windows/1.8" } {
         pool HTTP-PROXY_80 member 3.56.142.241 80
      } else {
         pool HTTP-PROXY-IRONPORT
      }
   }
}

Aaron