How to optimize SSL VPN connections when BIG-IP is reaching 100% CPU

With a significant increase in the number of remote workers (for example COVID-19), you may see an increase in the number of SSL VPN connections as well as increased CPU usage. This article covers techniques, from the F5 Sales and Support organizations, designed to optimize SSL VPN connections in order to help mitigate CPU performance issues.


Knowledge Article : https://support.f5.com/csp/article/K46161759


  • This guidance is made available, and maintained, on our ASK F5 (Support) website.
  • This article provides best practices and recommendations to decrease CPU for SSL VPN architectures and related content from ASKF5 around optimizing the CPU usage.


Pete White created a script analysing the BIG-IP configuration and making optimization suggestions : https://devcentral.f5.com/s/articles/APM-Optimisation-Script


To make it more real, I did a video demonstrating the script : https://youtu.be/F0Z1AnM3L54



Published Mar 18, 2020
Version 1.0
APM
security
TMOS

Was this article helpful?

6 Comments

Sort By
  • lnxgeek's avatar
    lnxgeek
    Icon for MVP rankMVP
    Mar 23, 2020

    When I try to run the client-traffic-classifier tmsh commands it errors out with this:

     tmsh create apm resource client-traffic-classifier client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } entry0 { client-rate-class rate_class_2M dst-ip any dst-mask any dst-port any src-ip any src-mask any } } }
 
 
01071278:3: The client traffic classifier (/Common/client-traffic-classifier-1) has conflict entries ("entry0"  rate "/Common/rate_class_2M" from any:0 to any:0 via vpn, "entry"  rate "/Common/rate_class_1M" from any:0 to any:443 via vpn).

  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Mar 23, 2020
    Thanks for the comment – I think this was a typo. Unfortunately I can’t update the DC script at the moment as the login page is not working but I’ll do so when I can. In the meantime, the command should be: tmsh create apm resource client-traffic-classifier client-traffic-classifier-1 { entries add { entry { client-rate-class rate_class_1M dst-ip any dst-mask any dst-port https src-ip any src-mask any } } }
  • PeteWhite's avatar
    PeteWhite
    Icon for Employee rankEmployee
    Mar 24, 2020

    I've updated it to only rate limit HTTPS. The iApp adds more classes and adds the ports for Skype as well. Let me know if you would like further changes.