Is it normal for F5 LTM CPU to hike 10% extra with iRule implementation?

Question

Hi All,&nbsp;
I have two questions regarding below iRule;&nbsp;
when HTTP_REQUEST priority 1 {&nbsp;
set static::maxActiveClients "[class search -all -value datagroup_selfridges_waitingroom starts_with "max_active_clients"]"&nbsp;
set subtableName "sessionLimit"&nbsp;
set sessionCookieName "[class search -all -value datagroup_selfridges_waitingroom starts_with "session_cookie_prefix"]"&nbsp;
set holdingPage "[class search -all -value datagroup_selfridges_waitingroom starts_with "holding_page_url"]"&nbsp;
set static::sessionTimeout "[class search -all -value datagroup_selfridges_waitingroom starts_with "session_timeout"]"&nbsp;
set need_cookie 0&nbsp;
if {[HTTP::cookie exists $sessionCookieName]} {&nbsp;
set client_id [HTTP::cookie $sessionCookieName]&nbsp;
set sessiondata [table lookup -subtable $subtableName $client_id]&nbsp;
if { $sessiondata != "" } {&nbsp;
log local0. "Valid session $client_id - continuing"
return&nbsp;
}&nbsp;
}&nbsp;
log local0. "No session. Checking for free slot (Max $static::maxActiveClients)"
set sessionCount [table keys -subtable $subtableName -count]&nbsp;
log local0. "No session. Checking for free slot (Current $sessionCount)"
if {$sessionCount &lt; $static::maxActiveClients} {&nbsp;
set need_cookie 1&nbsp;
set client_id [format "%08d" [expr { int(1000000000 * rand()) }]]&nbsp;
set sessionValue [IP::client_addr]&nbsp;
table add -subtable $subtableName $client_id $sessionValue $static::sessionTimeout&nbsp;
log local0. "New Session ($client_id) added value $sessionValue Timeout static::sessionTimeout"
} else {&nbsp;
HTTP::redirect $holdingPage&nbsp;
}&nbsp;
}&nbsp;
when HTTP_RESPONSE priority 1 {&nbsp;
if {$need_cookie == 1} {&nbsp;
HTTP::cookie insert name $sessionCookieName value $client_id path "/"&nbsp;
}&nbsp;
}&nbsp;
1 - Is it normal for F5 LTM CPU to hike 10% extra with an iRule implementation? We were sending 20000 requests simulated by 4 users. In simple words is this the normal practice with F5 LTM or should it be less processor intensive, if yes is there any thing I can improve in the logic?&nbsp;
2 - How can we change the sessioncount to consider tcp connections rather than session? &nbsp;

arnaud_lemaire · Answer

irules could be CPU intensive depending on commands you are using. Subtables could impact performances.&nbsp;
Could you check with show ltm virtual  if cmp is still enable on your vs?&nbsp;
the following line set client_id [format "%08d" [expr { int(1000000000 * rand()) }]] is requiring resources outside of tmm and cost a lot, even more as you are doing it per request.&nbsp;
if you want to count sessions you should move you logic outside http_request to TCP events, but in this case no more cookie usage.&nbsp;
could you describe a little bit what you are trying to achieve ?&nbsp;

absarkhan_15403 · Answer

Hi Arnaud,&nbsp;
Thanks for your input. I am trying to access a waiting room page via this iRulesonce the website reaches a max number of connections. There is a separate data-group from which this iRule is fetching different values.&nbsp;
Yes CMP is enabled on the vs. &nbsp;
So there is no way I can put the logic to check the TCP connections rather than sessions? &nbsp;
Regards,&nbsp;

hooleylist · Answer

You can save a bit of CPU cycles by not doing the data group lookups on each HTTP request.  You could do this once at config load time by moving the lookups to RULE_INIT:
when RULE_INIT {
    set static::maxActiveClients "[class search -all -value datagroup_selfridges_waitingroom starts_with "max_active_clients"]"
    set static::subtableName "sessionLimit"
    set static::sessionCookieName "[class search -all -value datagroup_selfridges_waitingroom starts_with "session_cookie_prefix"]"
    set static::holdingPage "[class search -all -value datagroup_selfridges_waitingroom starts_with "holding_page_url"]"
    set static::sessionTimeout "[class search -all -value datagroup_selfridges_waitingroom starts_with "session_timeout"]"
}

If you want some/all of these lookups done more frequently, you could move them to the CLIENT_ACCEPTED event instead.  Maybe the timeout and max_active_clients?
You can check if the cookie value isn't null in one step like this:
Current:
if {[HTTP::cookie exists $sessionCookieName]}{   set client_id [HTTP::cookie $sessionCookieName]`

Suggested:
if {[set client_id [HTTP::cookie $sessionCookieName]] ne ""}{
You can save a bit of CPU by using ne instead of != for text comparisons:
Current:
if { $sessiondata != "" } {
Suggested:
if { $sessiondata ne "" } {
Aaron

nathe · Answer

Just a thought (Aaron you may be able to advise on this one). With 20000 requests might the local logging be a factor in the CPU performance? Might it be better to log off box or implement HSL in the iRule instead?&nbsp;
Perhaps rem out the log local0 lines to see if this helps at all.&nbsp;
N&nbsp;

absarkhan_15403 · Answer

Thank Nathan/Hoolio. What is the method I turn off the logging just for this iRule? I will remove the log statements anyway. &nbsp;
Secondly customer wants the waiting room to be kicked in when a certain number of TCP connections is reached and not sessions. Is there a way to implement it with in this iRule?&nbsp;
Thanks in advance&nbsp;

Forum Discussion

Is it normal for F5 LTM CPU to hike 10% extra with iRule implementation?

5 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

CORS implementation

Implementing basic OAuth with F5 BIG-IP APM

API Security: How to implement API Access Control with F5

Implementing SSL Orchestrator with OPSWAT MetaDefender

Implementing Data Guard