[icall] kill oldest sessions when reaching xx% of the APM license limit

Problem this snippet solves:

When dealing with APM authentication, especially when the F5 device acts as a SAML 2.0 IdP, the number of active sessions can grow considerably and easily reach the maximum access session limit of the license or of the device.

The following iCall script allows an administrator to guarantee that new users can still authenticate through the APM IdP under heavy load. The script kills the oldest active access sessions based on the access session consumption.

This is a draft that needs to be fine tuned.

Warning: when using an APM guest on a vCMP host, we are not able to guarantee that the appliance limit is not reached, as we only have knowledge of the active sessions within the guest context.

How to use this snippet:

TMSH command to create the iCall script:

create sys icall script apm_purge_sessions

Then copy/paste the content of the iCall script and save it. By default, the command creates a script named "apm_purge_sessions". You can easily change the name of the script by modifying "apm_purge_sessions" in the command line.

TMSH command to create the iCall handler:

The following command triggers the script every 60 seconds. The interval can be changed to adjust how often the script runs.

create sys icall handler periodic f5-apm-purge-session interval 60 script apm_purge_sessions

Interesting Tcl commands used in the script

Retrieve the max_access_session value from the license of the device:

[string trim [lindex [split [exec /usr/bin/tmsh show /sys license detail | grep access] " "] 1] "\[\]"]

Retrieve the ordered list (oldest first) of active APM session IDs:

catch {set output [exec /usr/bin/sessiondump --allkeys | grep starttime | sort -k3 | cut -c1-8]}

Use cases

  • kill oldest sessions when reaching xx% of the APM license limit

Evolution

  • trigger the iCall script based on a specific event (SNMP trap, log, ...)
  • sort APM sessions by access profile and kill sessions based on the criticality of each access profile.

Code :

# retrieve the ordered list (oldest first) of active APM session IDs;
# initialise output first so a failing sessiondump leaves an empty string
# instead of an unset variable
set output ""
catch {set output [exec /usr/bin/sessiondump --allkeys | grep starttime | sort -k3 | cut -c1-8]}

if {$output != ""} {
  # move the output to a list of session IDs
  set output [split $output "\n"]
  set count [llength $output]

  # determine the max_access_session allowed for the running platform
  set max_access [string trim [lindex [split [exec /usr/bin/tmsh show /sys license detail | grep access] " "] 1] "\[\]"]

  # determine the acceptable threshold (85% of the license limit) before triggering
  set access_threshold [expr {round($max_access * 0.85)}]
  set diff [expr {$count - $access_threshold}]

  # kill the oldest APM sessions until the active count is back at 85% of the limit
  # (when diff <= 0 the loop body never runs and nothing is deleted)
  for {set i 0} {$i < $diff} {incr i} {
    catch {exec /usr/bin/sessiondump --delete [lindex $output $i]}
  }
}
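The selection logic of the script above (oldest-first ordering, 85% threshold, delete only the excess), reproduced here as an added Python example that is not part of the original snippet so it can be checked off-box. The sessiondump lines and the license line are constructed samples; their layout (8-character session ID, key name, epoch start time, and a bracketed limit) is an assumption matching the page's sort -k3 / cut -c1-8 / string trim pipeline.

```python
"""Offline model of the apm_purge_sessions decision: which session IDs
would be deleted for a given license limit. Constructed input only; the
real iCall script runs sessiondump and tmsh on the BIG-IP."""
import re

# Constructed sample of `sessiondump --allkeys | grep starttime` output.
SAMPLE_SESSIONDUMP = """\
3f9a1c20 session.user.starttime 1686050100
0b7e44d1 session.user.starttime 1686049000
c2d8e9aa session.user.starttime 1686050500
77ab0c13 session.user.starttime 1686048200
e10f5b62 session.user.starttime 1686049700
"""

# Constructed sample of the license line selected by `grep access`.
SAMPLE_LICENSE_LINE = "    max_access_session  [500]"


def parse_max_access_session(line: str) -> int:
    """Extract the bracketed value, like the Tcl `string trim ... "\\[\\]"`."""
    m = re.search(r"\[(\d+)\]", line)
    if m is None:
        raise ValueError("no max_access_session value found")
    return int(m.group(1))


def oldest_first_session_ids(dump: str) -> list[str]:
    """Order by the third field (start time) and keep the 8-char session ID,
    i.e. `grep starttime | sort -k3 | cut -c1-8`. Epoch values are all the
    same width, so numeric and lexicographic order agree."""
    rows = [ln.split() for ln in dump.splitlines() if "starttime" in ln]
    rows.sort(key=lambda fields: int(fields[2]))
    return [fields[0][:8] for fields in rows]


def sessions_to_purge(dump: str, max_access: int, ratio: float = 0.85) -> list[str]:
    """Oldest session IDs to delete so the active count drops to ratio*max.
    Empty dump or count at/below the threshold means nothing is deleted."""
    ids = oldest_first_session_ids(dump)
    # int(x + 0.5) mimics Tcl round() (half away from zero) for positive x
    threshold = int(max_access * ratio + 0.5)
    excess = len(ids) - threshold
    return ids[:excess] if excess > 0 else []
```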

Tested this on version:

11.6
Updated Jun 06, 2023
Version 2.0