Forum Discussion
sundogbrew
Altocumulus
AltocumulusSSL TPS limist
I have a question about SSL connection limits. I have a license for 1100 connections. I read a doc from F5 that says you can see if you are exceeding it by looking checking your /var/log/ltm file. My question is how can you tell exactly how many you do have if you aren't exceeding it. I have a pretty high use app on there and am adding another high use app. They both ebb and flow so I want to know where my usage is so I can tell if I am going to have a problem. Is there anyway to check this ongoing so you have a record of it for patterns or growth?
Thanks as always!
Joe
hoolioCirrostratus
Hi Joe,
This article should give you some options for starting:
SNMP: Capturing SSL Statistics per Virtual Server
http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=127
Aaron
HamishCirrocumulus
Ah... Also be aware that the SSL TPS calculations may not be performed as you expect. A 100TPS license won't necessarily give you 100 transactions over a 1 second period, especially if the load is peaky... Counts of transactions are groups over a 10ms period. If you exceed 1/100 of the limit in a 10ms period, you'll hit the limit and the next connection will be blocked.
There's an overview in
https://support.f5.com/kb/en-us/solutions/public/6000/400/sol6475.html
The net effect is that if you've had too many TPS's in the 10ms window, the SYN packet will be dropped... The connection will then stall until the SYN is retried. Hopefully succeeding (leading to slow performance).
A good measure of when to get nervous is around half (1/2) the licensed limit (If you see 50TPS over a 60 second window I'd get nervous with a 100TPS license).
H- HamishOh... Also ensure that your clients do HTTP keepalives... because in 9.x+ you get counted per connection... If your servers don't doit, then oneconnect with a 32-bit netmask is your friend here.
H