How to optimize SSL VPN connections when BIG-IP is reaching 100% CPU

With a significant increase in the number of remote workers (for example, during COVID-19), you may see an increase in the number of SSL VPN connections and in CPU usage. This article covers techniques from the F5 Sales and Support organizations designed to optimize SSL VPN connections and help mitigate CPU performance issues.


Knowledge Article : https://support.f5.com/csp/article/K46161759


  • This guidance is made available, and maintained, on our AskF5 (Support) website.
  • This article provides best practices and recommendations to decrease CPU usage for SSL VPN architectures, plus related AskF5 content on optimizing CPU usage.


Pete White created a script that analyses the BIG-IP configuration and makes optimization suggestions: https://devcentral.f5.com/s/articles/APM-Optimisation-Script


To make it more concrete, I recorded a video demonstrating the script: https://youtu.be/F0Z1AnM3L54



Published Mar 18, 2020
Version 1.0
  • When I try to run the client-traffic-classifier tmsh commands it errors out with this:

     tmsh create apm resource client-traffic-classifier client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } entry0 { client-rate-class rate_class_2M dst-ip any dst-mask any dst-port any src-ip any src-mask any } } }

     01071278:3: The client traffic classifier (/Common/client-traffic-classifier-1) has conflict entries ("entry0"  rate "/Common/rate_class_2M" from any:0 to any:0 via vpn, "entry"  rate "/Common/rate_class_1M" from any:0 to any:443 via vpn).

  • Thanks for the comment – I think this was a typo. Unfortunately I can’t update the DC script at the moment as the login page is not working but I’ll do so when I can. In the meantime, the command should be: tmsh create apm resource client-traffic-classifier client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } } }
  • I've updated it to only rate limit HTTPS. The iApp adds more classes and adds the ports for Skype as well. Let me know if you would like further changes.
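The thread above shows a classifier being rejected because its two entries both match any source to any destination, one on every port and one on port 443. The following pre-check is an added example, not code from F5, the article or the DevCentral script: it parses the `entries add { ... }` block of a tmsh command and reports entry pairs whose source, destination and destination-port selectors overlap, so the conflict is caught before the command is pushed to a BIG-IP. The page does not document BIG-IP's exact conflict rule; this checker assumes that any overlap of the match space counts as a conflict, which reproduces the rejection shown above. The `SERVICE_PORTS` table, the `Entry` class and the `check` helper are this example's own, and the third command is constructed for illustration.

```python
"""Pre-check for overlapping entries in a BIG-IP APM client-traffic-classifier.

Added example, not F5's code. ASSUMPTION: two entries conflict whenever their
source network, destination network and destination port can all match the
same packet; the page confirms only the any/any/port case.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical service-name table; only names needed for the page's commands.
SERVICE_PORTS = {"any": 0, "http": 80, "https": 443}

# Innermost "name { key value key value ... }" blocks; nested blocks never match
# because the body may not contain braces, so only the entries are returned.
ENTRY_RE = re.compile(r"(\S+)\s*\{([^{}]*)\}")


@dataclass(frozen=True)
class Entry:
    name: str
    rate_class: str
    dst_ip: str
    dst_mask: str
    dst_port: int
    src_ip: str
    src_mask: str


def port_number(value: str) -> int:
    """Translate a service name or numeric string into a port; 0 means any."""
    if value in SERVICE_PORTS:
        return SERVICE_PORTS[value]
    if value.isdigit():
        return int(value)
    raise ValueError(f"unknown port value {value!r}")


def parse_entries(tmsh_cmd: str) -> list[Entry]:
    """Extract every classifier entry from a tmsh create/modify command."""
    entries = []
    for name, body in ENTRY_RE.findall(tmsh_cmd):
        tokens = body.split()
        if len(tokens) % 2 or "client-rate-class" not in tokens:
            continue  # not an entry block (or malformed key/value list)
        kv = dict(zip(tokens[::2], tokens[1::2]))
        entries.append(Entry(
            name=name,
            rate_class=kv["client-rate-class"],
            dst_ip=kv.get("dst-ip", "any"), dst_mask=kv.get("dst-mask", "any"),
            dst_port=port_number(kv.get("dst-port", "any")),
            src_ip=kv.get("src-ip", "any"), src_mask=kv.get("src-mask", "any"),
        ))
    return entries


def _addr_overlap(ip_a: str, mask_a: str, ip_b: str, mask_b: str) -> bool:
    """True if the two ip/mask selectors can match the same address."""
    if "any" in (ip_a, ip_b):
        return True
    net_a = ipaddress.ip_network(f"{ip_a}/{mask_a}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{mask_b}", strict=False)
    return net_a.overlaps(net_b)


def _port_overlap(port_a: int, port_b: int) -> bool:
    return port_a == 0 or port_b == 0 or port_a == port_b


def find_conflicts(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return name pairs of entries whose match spaces overlap."""
    conflicts = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if (_addr_overlap(a.src_ip, a.src_mask, b.src_ip, b.src_mask)
                    and _addr_overlap(a.dst_ip, a.dst_mask, b.dst_ip, b.dst_mask)
                    and _port_overlap(a.dst_port, b.dst_port)):
                conflicts.append((a.name, b.name))
    return conflicts


def check(tmsh_cmd: str) -> list[tuple[str, str]]:
    """Convenience wrapper: parse a command and report conflicting entry pairs."""
    return find_conflicts(parse_entries(tmsh_cmd))


# The two commands from the thread above, plus one constructed command whose
# entries target disjoint /24 networks and therefore do not conflict.
REJECTED_CMD = (
    "tmsh create apm resource client-traffic-classifier client-traffic-classifier-1 "
    "{ entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any "
    "dst-port https src-ip any src-mask any } entry0 { client-rate-class rate_class_2M "
    "dst-ip any dst-mask any dst-port any src-ip any src-mask any } } }"
)
ACCEPTED_CMD = (
    "tmsh create apm resource client-traffic-classifier client-traffic-classifier-1 "
    "{ entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any "
    "dst-port https src-ip any src-mask any } } }"
)
SPLIT_CMD = (  # constructed sample
    "tmsh create apm resource client-traffic-classifier ctc-split { entries add { "
    "entry { client-rate-class rate_class_1M dst-ip 10.0.0.0 dst-mask 255.255.255.0 "
    "dst-port https src-ip any src-mask any } entry0 { client-rate-class rate_class_2M "
    "dst-ip 10.0.1.0 dst-mask 255.255.255.0 dst-port https src-ip any src-mask any } } }"
)

if __name__ == "__main__":
    for label, cmd in (("rejected", REJECTED_CMD), ("accepted", ACCEPTED_CMD), ("split", SPLIT_CMD)):
        print(label, "conflicts:", check(cmd) or "none")
```

Run it before applying a classifier change: a non-empty result means BIG-IP is expected to return the 01071278 conflict error, and the offending pair tells you which entry to narrow (as the author did by keeping only the HTTPS entry).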