Matt_Dierick
F5 Employee

With a significant increase in the number of remote workers (for example, because of COVID-19), you may see an increase in the number of SSL VPN connections as well as increased CPU usage. This article covers techniques from the F5 Sales and Support organizations for optimizing SSL VPN connections to help mitigate CPU performance issues.


Knowledge Article : https://support.f5.com/csp/article/K46161759


  • This guidance is made available, and maintained, on our ASK F5 (Support) website.
  • This article provides best practices and recommendations for decreasing CPU usage in SSL VPN architectures, along with related content from ASK F5 on optimizing CPU usage.


Pete White created a script that analyses the BIG-IP configuration and makes optimization suggestions: https://devcentral.f5.com/s/articles/APM-Optimisation-Script


To make it more real, I did a video demonstrating the script : https://youtu.be/F0Z1AnM3L54



Comments
PeteWhite
F5 Employee

I've added a simple script to help with APM optimisation

https://devcentral.f5.com/s/articles/APM-Optimisation-Script

Matt_Dierick
F5 Employee

Video available here : https://youtu.be/F0Z1AnM3L54

PeteWhite
F5 Employee

The same sort of thing but in an iApp which creates an iCall to run every 5 minutes and change the settings. I have tested that this works but not in a production platform.

 

https://devcentral.f5.com/s/articles/APM-VPN-Optimisation-iApp

lnxgeek
MVP

When I try to run the client-traffic-classifier tmsh commands it errors out with this:

 tmsh create apm resource client-traffic-classifier client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } entry0 { client-rate-class rate_class_2M dst-ip any dst-mask any dst-port any src-ip any src-mask any } } }
 
 
01071278:3: The client traffic classifier (/Common/client-traffic-classifier-1) has conflict entries ("entry0"  rate "/Common/rate_class_2M" from any:0 to any:0 via vpn, "entry"  rate "/Common/rate_class_1M" from any:0 to any:443 via vpn).

PeteWhite
F5 Employee

Thanks for the comment – I think this was a typo. Unfortunately I can’t update the DC script at the moment as the login page is not working but I’ll do so when I can. In the meantime, the command should be:

 tmsh create apm resource client-traffic-classifier client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } } }

PeteWhite
F5 Employee

I've updated it to only rate limit HTTPS. The iApp adds more classes and adds the ports for Skype as well. Let me know if you would like further changes.

Version history
Last update: 18-Mar-2020 12:32