APM Optimisation Script

Problem this snippet solves:

With the current Covid-19 lockdown, many workers are now working from home which is putting stress on existing APM VPN devices.

This script looks through the config and suggests some changes to be made to reduce CPU usage, based on https://support.f5.com/csp/article/K46161759


Matthieu Dierick has created a YouTube video showing how to use this at https://youtu.be/F0Z1AnM3L54


Let me know if you have any questions or requirements. Source code is held at https://github.com/pwhitef5/apm-vpn-optimisation/tree/master

How to use this snippet:

  • Copy the file to the /var/tmp directory as apm-optimisation
  • Give it permissions with `chmod +x /var/tmp/apm-optimisation`
  • Run with `/var/tmp/apm-optimisation`. Output is to stdout


Example:

[root@apm-1:Active:Standalone] ~ # ./apm-optimisation
APM Optimisation Visibility


CPU Usage
--------------------------------
Current Average Maximum
52%     30%     93%
--------------------------------


Compression
--------------------------------
Licensed        Hardware
unlimited       None
--------------------------------
 --- Partition /Common ---


Connectivity Profile Compression
--------------------------------
Profile Name            Status
--------------------------------
myConnectivity          Disabled
myConnectivity2         Disabled
--------------------------------


Network Access Profile Compression
-----------------------------------------------------------------------------------------------------------
 Name                   | Compression   | Split-Tunneling       | Client Traffic Classifier     | DTLS
-----------------------------------------------------------------------------------------------------------
networkAccess           | Enabled       | Enabled               | Disabled                      | Enabled
networkAccess2          | Disabled      | Enabled               | Disabled                      | Disabled
-----------------------------------------------------------------------------------------------------------


--- Optimisation Suggestions ---
 - CPU rate is LOW. Go down the Winchester and wait for it all to blow over
 - Hardware Compression is not included so consider turning off the feature


------- Partition /Common -------
 - To turn off compression in the connectivity profile, run the command 'tmsh modify apm profile connectivity /Common/myConnectivity compression disabled'
 - To turn off compression in the NA profile, run the command 'tmsh modify apm resource network-access /Common/networkAccess compression none'
 - To turn on Client Traffic Classifier, run the commands below:
tmsh create apm resource client-rate-class /Common/rate_class_2M { rate 2000000 }
tmsh create apm resource client-rate-class /Common/rate_class_1M { rate 1000000 }
tmsh create apm resource client-traffic-classifier /Common/client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } } }
tmsh modify apm resource network-access /Common/networkAccess client-traffic-classifier client-traffic-classifier-1
 - Network Access profile /Common/networkAccess is using SNAT automap. Consider using a SNAT pool
 - To turn on Client Traffic Classifier, run the commands below:
tmsh create apm resource client-rate-class /Common/rate_class_2M { rate 2000000 }
tmsh create apm resource client-rate-class /Common/rate_class_1M { rate 1000000 }
tmsh create apm resource client-traffic-classifier /Common/client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } } }
tmsh modify apm resource network-access /Common/networkAccess2 client-traffic-classifier client-traffic-classifier-1
 - To turn on DTLS, create a duplicate virtual server listening on UDP and enabled DTLS in the Network Access List Network Settings ( see https://devcentral.f5.com/s/articles/APM-DTLS-Virtual-Server-iApp )
 - Network Access profile /Common/networkAccess2 is using SNAT automap. Consider using a SNAT pool


-----------------------------------------------------------------------------------------------------------

Code :

#!/bin/bash

# Version 5 8/4/2020 P.White
# This is a script to check your APM system and give suggestions to reduce CPU usage
# Taken from suggestions at https://support.f5.com/csp/article/K46161759

# v2 - small typo fix line 119 create changed to modify
# v3 - updated classifier to only include https as it was causing an error
# v4 - loops through admin partitions and prints out for each
# v5 - added DTLS check and suggestion


suggestions="--- Optimisation Suggestions ---\n"

getLicensedCompression () {
    # Show the licensed compression
    comp=`tmsh -q show sys license detail|grep perf_http_compression|awk '{print $2}'|sed 's/\[\(.*\)\]/\1/g'`
    if [ x$comp != "x" ];then
        echo -n "$comp"
    else
        echo -n "Error!"
    fi
}

getHardwareCompression () {
    # Show hardware compression
    hcomp=`tmsh -q show sys license detail|grep "HTTP Hardware Compression"`
    if [ x$hcomp = "x" ];then
        # Hardware compression is not enabled
        echo -n "None"
    else
        echo -n "$hcomp"
    fi
}

clear
echo "APM Optimisation Visibility"
# CPU usage
cur=`tmsh -q show sys cpu |grep "Utilization"|awk '{print $2}'`
avg=`tmsh -q show sys cpu |grep "Utilization"|awk '{print $3}'`
max=`tmsh -q show sys cpu |grep "Utilization"|awk '{print $4}'`
if [ $avg -gt 90 ];then
        suggestions+=" - CPU rate is VERY HIGH! Turn off compression, implement split tunneling and consider more processing\n"
elif [ $avg -gt 60 ];then
        suggestions+=" - CPU rate is HIGH! Turn off compression and consider split tunneling for non-internal traffic\n"
elif [ $avg -gt 40 ];then
        suggestions+=" - CPU rate is MEDIUM. Consider turning off compression where required\n"
else
        suggestions+=" - CPU rate is LOW. Go down the Winchester and wait for it all to blow over\n"
fi

echo
echo "CPU Usage"
echo "--------------------------------"
echo -e "Current\tAverage\tMaximum"
echo -e "$cur%\t$avg%\t$max%"
echo "--------------------------------"
echo


# Compression
clic=`getLicensedCompression`
chw=`getHardwareCompression`

if [ $chw = "None" ];then
        suggestions+=" - Hardware Compression is not included so consider turning off the feature\n"
fi

echo "Compression"
echo "--------------------------------"
echo -e "Licensed\tHardware"
echo -e "$clic\t$chw"
echo "--------------------------------"

# loop through adminstrative partitions
for partition in `tmsh -q list auth partition one-line|awk '{print $3}'`;do
    suggestions+="\n------- Partition /$partition -------\n"

    echo " --- Partition /$partition ---"
    echo
    echo "Connectivity Profile Compression"
    echo "--------------------------------"
    echo -e "Profile Name\t\tStatus"
    echo "--------------------------------"
    for profile in `tmsh -q -c "cd /$partition;list apm profile connectivity one-line"|awk '{print $4}'`;do
            if [ $profile = "connectivity" ];then
                    continue
            fi
            if [ `tmsh -q -c "cd /$partition;list apm profile connectivity $profile one-line"|grep "compress-gzip-level 0"|wc -l` -gt 0 ];then
                    echo -e "$profile\t\tDisabled"
            else
                    suggestions+=" - To turn off compression in the connectivity profile, run the command 'tmsh modify apm profile connectivity /$partition/$profile compress-gzip-level 0'\n"
                    echo -e "$profile\t\tEnabled"
            fi
    done
    echo "--------------------------------"

    echo
    echo "Network Access Profile Compression"
    echo "-----------------------------------------------------------------------------------------------------------"
    echo -e " Name\t\t\t| Compression\t| Split-Tunneling\t| Client Traffic Classifier\t| DTLS"
    echo "-----------------------------------------------------------------------------------------------------------"
    for profile in `tmsh -q -c "cd /$partition;list apm resource network-access one-line"|awk '{print $4}'`;do
            # Compression
            if [ `tmsh -q -c "cd /$partition;list apm resource network-access $profile one-line"|grep "compression gzip"|wc -l` -gt 0 ];then
                    echo -en "$profile\t\t| Enabled"
                    suggestions+=" - To turn off compression in the NA profile, run the command 'tmsh modify apm resource network-access /$partition/$profile compression none'\n"
            else
                    echo -en "$profile\t\t| Disabled"
            fi

            if [ `tmsh -q -c "cd /$partition;list apm resource network-access $profile one-line"|grep "split-tunneling true"|wc -l` -gt 0 ];then
                    echo -en "\t| Enabled"
            else
                    echo -en "\t| Disabled"
                    suggestions+=" - To turn on split-tunneling, run the command 'tmsh modify apm resource network-access /$partition/$profile split-tunneling true'\n"
                    suggestions+=" - To configure split-tunneling exclude traffic by DNS name, run the command 'tmsh modify apm resource network-access /$partition/$profile address-space-exclude-dns-name add { office.com microsoftonline.com google.com gmail.com facebook.com }'\n"
                    suggestions+=" - To configure split-tunneling exclude traffic by IP address, run the command 'tmsh modify apm resource network-access /$partition/$profile address-space-include-subnet add { { subnet 10.0.0.0/8 } { subnet 172.16.0.0/16 } { subnet 192.168.0.0/16 } }'\n"
            fi

            if [ `tmsh -q -c "cd /$partition;list apm resource network-access $profile one-line"|grep "client-traffic-classifier "|wc -l` -gt 0 ];then
                    echo -en "\t\t| Enabled"
            else
                    echo -en "\t\t| Disabled"
                    suggestions+=" - To turn on Client Traffic Classifier, run the commands below:\n"
                    suggestions+="tmsh create apm resource client-rate-class /$partition/rate_class_2M { rate 2000000 }\n"
                    suggestions+="tmsh create apm resource client-rate-class /$partition/rate_class_1M { rate 1000000 }\n"
                    suggestions+="tmsh create apm resource client-traffic-classifier /$partition/client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } } }\n"
                    suggestions+="tmsh modify apm resource network-access /$partition/$profile client-traffic-classifier client-traffic-classifier-1\n"
            fi
            if [ `tmsh -q -c "cd /$partition;list apm resource network-access $profile one-line"|grep "dtls true"|wc -l` -gt 0 ];then
                    echo -en "\t\t\t| Enabled"
            else
                echo -en "\t\t\t| Disabled"
                suggestions+=" - To turn on DTLS, create a duplicate virtual server listening on UDP and enabled DTLS in the Network Access List Network Settings ( see https://devcentral.f5.com/s/articles/APM-DTLS-Virtual-Server-iApp )\n"
            fi
            # Check for SNAT automap
            if [ `tmsh -q -c "cd /$partition;list apm resource network-access $profile one-line all-properties"|grep "snat automap"|wc -l` -gt 0 ];then
                    suggestions+=" - Network Access profile /$partition/$profile is using SNAT automap. Consider using a SNAT pool\n"
            fi

            echo ""

    done
    echo "-----------------------------------------------------------------------------------------------------------"

    # Check VSs for mirroring

    for vs in `tmsh list ltm virtual one-line|awk '{print $3}'`;do
            if [ `tmsh -q -c "cd /$partition;list ltm virtual $vs mirror"|grep "mirror enabled"|wc -l` -gt 0 ];then
                    echo
                    echo "WARNING! Virtual Server /$partition/$vs has mirroring enabled\n"
                    echo
                    suggestions+="Consider disabling Connection Mirroring for virtual server /$partition/$vs with the command 'tmsh modify ltm virtual /$partition/$vs mirror disabled'\n"
            fi
    done
done


echo
echo -e "$suggestions"
echo "-----------------------------------------------------------------------------------------------------------"

Tested this on version:

13.0
Published Mar 19, 2020
Version 1.0
  • Hello Guys,

    many thanks to PeteWhite , is there a new script version for TMOS 17.X.X? I have some script error.

    Thanks a lot.

     

    APM Optimisation Visibility

    CPU Usage
    --------------------------------
    Current Average Maximum
    26%     19%     78%
    --------------------------------

    /var/tmp/apm-optimisation: line 18: [: too many arguments
    /var/tmp/apm-optimisation: line 28: [: too many arguments
    /var/tmp/apm-optimisation: line 65: [: too many arguments
    Compression
    --------------------------------
    Licensed        Hardware
    Error!      HTTP Hardware Compression
    --------------------------------
     --- Partition /Common ---

    Connectivity Profile Compression
    --------------------------------
    Profile Name            Status
    --------------------------------
    arpe2-coll_connect              Enabled
    extranet-edge-coll_certificate_cp               Enabled
    extranet-edge-coll_connect              Enabled
    extranet-vpn-coll-test          Enabled
    --------------------------------

    Network Access Profile Compression
    -----------------------------------------------------------------------------------------------------------
     Name                   | Compression   | Split-Tunneling       | Client Traffic Classifier     | DTLS
    -----------------------------------------------------------------------------------------------------------
    ArpeVpnTS               | Enabled       | Disabled              | Disabled                      | Disabled
    Extranet                | Enabled       | Disabled              | Disabled                      | Disabled
    IVASS           | Disabled      | Disabled              | Disabled                      | Disabled
    Reperibili              | Enabled       | Disabled              | Disabled                      | Disabled
    extranet-edge-coll_certificate_na_res           | Enabled       | Disabled              | Disabled                      | Disabled
    -----------------------------------------------------------------------------------------------------------

    STOP WITHOUT ANY SUGGESTIONS