Dec 08, 2015

iRule killing BIG-IP



I have huge issue with iRule obviously killing BIG-IP 2000. In tests iRule logic works OK, but under load BIG-IP is overloaded.




  • BIG-IP no iRule, 30 to 40k concurrent connections - CPU usage 40-50%
  • Same number of concurrent connections with iRule attached to VS - CPU usage skyrocketing to almost 100%

I am looking for directions what to check first. iRule is quite complicated and not optimized for sure - lack of knowledge and time on my side. Still it looks for me as not so much complicated - so I am puzzled.


What to look for first and how?


It's HTTP intensive iRule in first place - most of the logic in HTTP_REQUEST event.


I wonder what load could be caused by inactive debug statements like:


if {0} (log local0. "something"} - of course 0 is some global static variable like $static::debug


I have something around 40 of those


Then I have nested if - around 8, mostly using HTTP::cookie value $cookie name in if and subtable lookups.


Then of course some set/add keys to subtables - one main with around 5000 keys, other just single key in main table.


One switch without -global and five conditions resulting in HTTP::response - either 403 or 302 with Location and Set-Cookie


So what is first candidate for closer investigation? Should I use timing on (seems that above 11.5.0 it's enabled by default so no need to set in iRule?)


Any advises/ideas will be appreciated a lot, I am running out of options here :-(




  • Try to not use subtables if possible.


    "Manipulating entries in subtables has higher overhead than manipulating an entry not in a subtable. Each subtable itself also takes up memory. All of the entries in a given subtable are on the same processor. So if you put all of your entries (or the vast majority of them) into the same subtable, then one CPU will take a disproportionate amount of memory and load. Which you probably don't want."