Forum Discussion
Chris_Phillips
Nimbostratus
Nimbostratussubtable entry expiry
Howdy,
I've a rate limiting iRule that adds expiring entries to a subtable and blocks a request if the size of the subtable is over a certain limit. hopefully no more detail is actually required here...
What we've been seeing is that if we permit this rule to allow 200 requests per second what we actually experience is a throughput of 100, not 200. This appears to be because entries in a subtable are not actually removed until a second after the entry time out reaches zero.
it looks to us like the entries on a subtable are only removed (and maybe added??) once per second, on some sort of schedule, rather than entries gracefully removing at the millisecond that their timer expires.
Basically we've found that we need to factor in an extra second in our coding logic to get the desired behavior. So when we want to permit 1 request a second, we actually can specify 2 per second, (or 10 in 9 seconds) knowing that the extra second where the subtable entry sits there on zero seconds will be forced into the equation. We tried permitting 1 per zero seconds, however this resulted in nothing being permitted. This initially sounds pretty obvious, but seemed like a potential solution given this scheduling behavior, but here it looks as if the entry is added to the table and instantly removed, as if the same interrupt that removed the entry would also remove it.
So yeah, allowing 10 in 9 seconds gives 1TPS, 2 in 1 second gives 1TPS and this is totally down to the internals of the table expiration logic. And if someone can comment on that, that'd be good, as whilst this iRule worked perfectly in testing, slowly stepping through 10 requests in 60 seconds, now we want 200TPS, it's a very different story.
Thanks
Chris
nitassEmployee
there is new Connection Rate Limit setting under virtual server in 11.2.1. not sure whether it makes any difference.
2 Virtual Servers
http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-2-1/ltm_virtual.html1211957
Chris_PhillipsNo, we're on 10.2 for a long time. Any idea about the removal of the subtable entries?- The session table only uses second granularity for times, not millisecond, yes. Does that answer your question?
- Chris_Phillipsno, I know that much, but an entry that's timed to expire after n seconds will be in the table for n+1 seconds.
- Chris_PhillipsHi, anyone able to comment on this?
- I can probably answer your question, I'm just not sure what it is. :)
Could you please try to ask it again in a different way? - Chris_PhillipsIn the shortest way possible... entries in a subtable take an extra second to actually be removed after they expire. right?
Mohamed_LrhaziAltocumulus
I think you're asking about an implementation detail that is not documented. You should open a case with Support and ask for the answer, then share with us.
Thanks,
Mohamed.- The best answer I have to that is "no, not really". When a session table entry is touched (and creating it counts as touching it), the timestamp (in seconds) is recorded. When the current timestamp - the touch timestamp *exceeds* the timeout (not "matches or exceeds"), the entry is expired.
- Chris_PhillipsBut how often is it checked? My tests really seem fairly conclusive. an entry with a 1 second timeout will be removed 2 seconds after being added.