Forum Discussion
Hi Kai ,
we are using a vcmp guest on a viprion 2400 platform . The tmm memory is fine for me , it's remaining below 20% usage of allocated tmm memory & I don't see spikes in usage. I think irules use tmm memory for storing variables & tables , correct? I didn't check the OS assigned memory.
We are removing the irule from our production environment . The irule is also present on our acceptance environment , so we are trying to simulate the issue over there .Traffic volume is rather high on production so I want to avoid doing traces there .
I agree that client is probably dropping connection. Loadbalancer setup is used for distributing traffic across reverse proxies.Those reverse proxies provide access to different websites of our company.
Issue of aborting connection is only seen for 1 url. (other urls are also accessed via reverse proxy and use same irule, but nothing seen there) That specific url is working for some people , but not for others . (50% of users are failing) I'm suspecting it's linked to client parameters ,but i'll need tcpdump for more info .
greetings , werner
- Kai_WilkeDec 22, 2015MVPYour iRule is performing some sort of a "sliding-window rate limit" and stores the requested URIs string twice for each [table] record in TMMs memory. So if someone is sending lof of long but bogus URI strings, the available TMM memory gots exhausted very quick. But if memory wasn't a problem in the past, then keep it and cross your fingers that noboby would exploit this functionality soon... :-) BTW: To consume just the half amount of memory for each tracked URI (without changing the functionality at all) you may want to ask your consultant to change the code to... table set -subtable $clientip_limitervar $get_count "1" indefinite $static::windowSecsProxy BTW2: In addition your counter mechanism includes some flaws which results in an to unaccurate tracking of rate limits. In the end the lovely (but very memory intensive) "sliding window" machnic is degrated to a rather simple "interval based counter" mechanic (wich would consume much less memory, but does not track that accurate). To get the sliding windows mechanic fixed, you may want to ask your consultant to change the code to... incr get_count 1 (remove this line or use a comment to disable) table set -subtable $clientip_limitervar [clock clicks] "1" indefinite $static::windowSecsProxy For further information on your sliding window flaw: https://devcentral.f5.com/questions/sliding-window-irule-block-too-many-requests Cheers, Kai