problem migrate cert rule from version 4 to 9
- the idle values are local to the BIG-IP, and are used to determine when certain entries can be removed from the connection table. they depend on TCP profile settings and, since F5 is a full proxy, can be different for client- and server-side.
- this behavior can change, depending on configuration. in the Virtual Server configuration, you can set up which TCP profile should be used for each connection, and in current BIG-IP versions "server-side TCP profile" usually defaults to "use the same as client-side". so if you configured your VS to use the same TCP profile for both client- and server-side connections, yes they will be the same
- yes, this is most likely a RST sent by BIG-IP to close client connection, as default idle timer for TCP profile is 300s
- Feb 07, 2023
Hello,
The settings related to the connection limit can prevent DoS attacks as you mentioned, but I believe that it must be adjusted very carefully and with coordination with the application team to know the exact threshold you should apply on each pool member or node.
Also, you must think of doing a stress test on the backend server to see how many requests the server can actually receive per second.
Regarding the differences between the two options "Connection Limit" and "Connection Rate Limit", you can check the below clarification:
- Connection Limit: a number that specifies the maximum number of concurrent open connections.
- Connection Rate Limit: a number that specifies the number of new connections accepted per second for the virtual server.
Thank you for the reply,
So, Connection Limit will hold the number of concurrent open connections. Is it from the same source IP or a mixture of all connections?
Like, 192.x.x.x is trying 50+ more connections and it's a DDoS attack; will Connection Limit drop only 192.x.x.x, the source? Or is this something that needs to be defined under Connection Rate Limit?
Also, I need to know more about how a stress test works 😄 Appreciate the help 🙂
- Feb 07, 2023
Hello,
It is not mentioned in the article that these limitations are for specific IPs, so I think it is a generic one for all connections regardless of the source.
Regarding stress tests, they allow you to measure your web application’s reliability beyond normal load. Stress can be different based on the service running. For example, if we are talking about an HTTP web application, it can be sending many more requests than the server can handle to know the exact threshold that the server can receive and process under extreme conditions.
There are many tools that can be used, you will need to search on that topic to find the best fit.
Thanks,
Mohamed Salah
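
As an added illustration of the two settings discussed in this thread (not F5 code and not written by any poster), the simplified Python model below applies a concurrent connection limit and a per-second connection rate limit to a constructed event stream. It assumes, as the last reply suggests, that both limits count all connections regardless of source; the function names, sample addresses and thresholds are hypothetical.

```python
from collections import Counter

def simulate(events, connection_limit, rate_limit):
    """Simplified model, not BIG-IP's implementation (assumption: limits are global).
    events: list of (time_sec, action, src), action is 'open' or 'close'.
    connection_limit: max concurrent open connections, all sources combined.
    rate_limit: max new connections accepted within each one-second window.
    Returns (accepted, rejected) Counters keyed by source address."""
    open_conns = Counter()               # currently open connections per source
    window, accepted_in_window = None, 0
    accepted, rejected = Counter(), Counter()
    for t, action, src in sorted(events, key=lambda e: e[0]):
        if action == "close":
            if open_conns[src] > 0:
                open_conns[src] -= 1
            continue
        sec = int(t)
        if sec != window:                # new one-second window: reset rate counter
            window, accepted_in_window = sec, 0
        total_open = sum(open_conns.values())
        if total_open >= connection_limit or accepted_in_window >= rate_limit:
            rejected[src] += 1           # refused no matter which source asked
            continue
        open_conns[src] += 1
        accepted_in_window += 1
        accepted[src] += 1
    return accepted, rejected

def sample_events():
    """Constructed traffic: one noisy source opens 60 connections within the
    first second and holds them; one ordinary client connects at t=1.5s."""
    noisy = [(i * 0.01, "open", "192.0.2.10") for i in range(60)]
    return noisy + [(1.5, "open", "198.51.100.7")]

if __name__ == "__main__":
    for conn_limit, rate in ((50, 100), (1000, 20)):
        acc, rej = simulate(sample_events(), conn_limit, rate)
        print(f"connection_limit={conn_limit} rate_limit={rate}")
        print("  accepted:", dict(acc), "rejected:", dict(rej))
```

In this model, with a concurrent limit of 50 the noisy source fills every slot and the ordinary client is refused as well, while a rate limit of 20 per second only throttles the burst and the later client is accepted. Neither setting singles out the offending source.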