Forum Discussion

williamcs's avatar
williamcs
Icon for Nimbostratus rankNimbostratus
Jul 02, 2023

source address persistence maximum session timeout

Understand that the source address persistence session timeout will start once the session goes idle (no traffic).

1.What is the maximum timeout setting?

2.The default value is 180s, any possible impact if we increase the timeout value to 4 hours?

 

  • williamcs The following are the answers to your questions.

    1. Based on F5 documentation the value can be within range 1 and 2,147,483,647.

    2. The only real downside I see to increasing the timeout value higher than the default is if you have a high connection virtual server you could theoretically reach a very large persistence table which would cause performance degredation.

  • Hello,

    Generally speaking on the source address persistence, LTM creates a new persistence record as netmask is /32 which makes a new record for each request. As the number of sources increases, the number of records created and saved locally in the persistence table increases which might be an issue. So such a large list of persistence records can become a resource issue for LTM.

    To avoid this issue, you can create a custom source address persistence profile and change the mask to (for example: /24) to avoid creating many entries. but you will face another issue, and more users will be identified as coming from the same source.

    So based on the above, if you increased the timeout, the entries will be saved for a longer time, and the table will become very large which might be resource intensive based on the number of requests.

    I'm not seeing any articles mentioning performance issues when increasing the timeout, but it logically might have an issue because these entries are saved locally on F5, and the more sources access the service with (a long timeout) the more entries will be saved on F5 without clearing the old ones.

    Thanks,

     

  • 1. you can set it to 'undefinite' and the persistence entry will not time out (I'm not aware of any use case of this)

    2. No but.. There is no impact because 180s is often unsufficient and we often set it to 30mn to 12 hours or more, but theoretically if you have a huge number of users, the persistence table will get extremely large and this is bad for performance. In this case, you can use cookie persistence or if you have to use source persistence you can specify a shorter prefix length

    • williamcs's avatar
      williamcs
      Icon for Nimbostratus rankNimbostratus

      Hi Amine_Kadimi ,

      Yes, I'm thinking to change to either SSL or cookie persistence. Which would be recommended if the vs is mainly for https web browser?

      • Amine_Kadimi's avatar
        Amine_Kadimi
        Icon for MVP rankMVP

        SSL persistence uses persitence table too, but cookie persistence does not. The latter works in majority of the cases but in some few cases it doesn't work as expected. If your app is 100% browser based then it should work without problem (supposing you are using a clientssl profile).

         

  • williamcs The following are the answers to your questions.

    1. Based on F5 documentation the value can be within range 1 and 2,147,483,647.

    2. The only real downside I see to increasing the timeout value higher than the default is if you have a high connection virtual server you could theoretically reach a very large persistence table which would cause performance degredation.

      • Paulius's avatar
        Paulius
        Icon for MVP rankMVP

        williamcs Sadly I am not able to find the documentation that I am referencing because it was some obscure page. I logged into one of my F5 devices and it seems as though the timeout can be a specified large range or you can change "specify" to "Indefinite" which means the persistence entry would last forever if you picked the "Indefinite" option. I would say setting this value would also have the same result as my answer for question number 2 above but to a much greater extreme. I do not see any instance other than for testing purposes where you should ever set your persistence timeout to "Indefinite" because of this.