Forum Discussion

CX_280703's avatar
CX_280703
Icon for Nimbostratus rankNimbostratus
Dec 08, 2016
Solved

APM Policy Size Recomandations and Spiking CPU

I just wanted to ask a couple of quick questions around an APM Access Policy.

 

Are there maximum size recommendations for an access policy? how big can you go before you would start seeing performance issues. e.g. how many items/marcos in the policy.

 

Secondly does anyone have the issue where if you copy a large policy the CPU spikes to 100% for 5-10 minutes after the copy causing some SAML/idP connections to be dropped? Then once the CPU calms down again it goes back to normal?

 

APM
BIG-IP
security
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Dec 08, 2016

    Copy/Export/Import operations operate outside of the normal management (gui/mcpd) process. I'd suggest to open a support ticket. Management ops shouldn't cause any kind of service disruption unless you're on an already oversubscribed virtual host.

     

2 Replies

Sort By
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Historic F5 Account
    Dec 08, 2016

    Copy/Export/Import operations operate outside of the normal management (gui/mcpd) process. I'd suggest to open a support ticket. Management ops shouldn't cause any kind of service disruption unless you're on an already oversubscribed virtual host.

     

  • CX_280703's avatar
    CX_280703
    Icon for Nimbostratus rankNimbostratus
    Jan 16, 2017

    For those interested, the following was received from Support:

     

    K15003: Data plane and control plane tasks use separate logical cores when the BIG-IP system CPU uses Hyper-Threading Technology

     

    The even-numbered hyper-threads (0, 2, 4, etc.) are dedicated to TMM as a high-priority process to service data plane tasks. The odd-numbered hyper-threads (1, 3, 5, etc.) process control plane tasks at a normal priority level

     

    Per K15003, odd-numbered cores are dedicated to control plane tasks while even-numbered cores are dedicated for data plane (TMM). Therefore, you are likely not noticing any sort of traffic impact (as that's handled by TMM and is part of the data plane) but seeing high CPU usage due to other control plane processes on core 1 and 3.

     

    Also

     

    To copy a certain policy in the same unit with different name means to add huge configuration (depend on how complicate), it would impact the system in a certain degree.

     

    We would recommend you to run "export" option rather than "copy". Export the policy base on existing policy configuration this will lighten the system performance and resource usage.

     

    The above recommendations significantly reduced the CPU usage and have sped up our whole process.