With a significant increase in the number of remote workers (for example COVID-19), you may see an increase in the number of SSL VPN connections as well as increased CPU usage. This article covers techniques, from the F5 Sales and Support organizations, designed to optimize SSL VPN connections in order to help mitigate CPU performance issues.
This guidance is made available, and maintained, on our ASK F5 (Support) website.
This article provides best practices and recommendations to decrease CPU for SSL VPN architectures and related content from ASKF5 around optimizing the CPU usage.
The same sort of thing but in an iApp which creates an iCall to run every 5 minutes and change the settings. I have tested that this works but not in a production platform.
When I try to run the client-traffic-classifier tmsh commands it errors out with this:
tmsh create apm resource client-traffic-classifier client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } entry0 { client-rate-class rate_class_2M dst-ip any dst-mask any dst-port any src-ip any src-mask any } } }
01071278:3: The client traffic classifier (/Common/client-traffic-classifier-1) has conflict entries ("entry0" rate "/Common/rate_class_2M" from any:0 to any:0 via vpn, "entry" rate "/Common/rate_class_1M" from any:0 to any:443 via vpn).
Thanks for the comment – I think this was a typo. Unfortunately I can’t update the DC script at the moment as the login page is not working but I’ll do so when I can.
In the meantime, the command should be:
tmsh create apm resource client-traffic-classifier client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } } }
I've updated it to only rate limit HTTPS. The iApp adds more classes and adds the ports for Skype as well. Let me know if you would like further changes.
