Forum Discussion

rolf
May 28, 2014

Apply a connection rate limit on Virtual Server

According to F5 support, the connection rate limit on a virtual server which has an SSL profile configured is applied only after the defined number of successful (SSL) connections has been reached. My customer's service got hammered really hard with SSL handshakes. As the VIPRION was overloaded within moments (TMM memory exhaustion, most of it consumed by SSL-related stuff), this connection rate limit was never enforced, as just a few connections were successful.

Any ideas about implementing a TCP-based connection rate limit? I was thinking about hoolio's iRule: https://devcentral.f5.com/wiki/iRules.virtual_server_connection_rate_limit_with_tables.ashx

I'm using TMOS 11.3.0

Any other ideas?

Thanks, Rolf
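The following iRule is an added example, not code from the original post or from the linked DevCentral article: it enforces a per-client-IP limit on new TCP connections in CLIENT_ACCEPTED, which fires once the TCP three-way handshake completes and before any TLS handshake work is done, so connections over the limit are dropped before they reach the SSL profile. The limit (20 connections), the window (10 seconds) and the table key prefix are assumed values for illustration; the iRule would be attached to the virtual server in place of, or alongside, the built-in connection rate limit.

```tcl
# Added example (not from the original thread): per-client-IP rate limit on new TCP
# connections, enforced in CLIENT_ACCEPTED, i.e. before the SSL handshake starts.
# Counters live in the session table with a lifetime equal to the window, so they
# expire on their own. The limits below are assumed values for illustration.
when RULE_INIT {
    set static::conn_rate_max    20   ;# assumed: max new connections per client IP per window
    set static::conn_rate_window 10   ;# assumed: window length in seconds
    set static::conn_rate_log    1    ;# 1 = log rejected clients to /var/log/ltm
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]
    set key "conn_rate:$client"

    # Create the counter at 0 with an absolute lifetime of one window if it does not
    # exist yet. "table add" is a no-op when the key already exists, so an existing
    # counter keeps its original expiry and new attempts do not extend the window.
    table add $key 0 indefinite $static::conn_rate_window

    # Increment and read back this client's count for the current window. -notouch
    # leaves the entry's timestamps alone so the lifetime set above governs expiry.
    set count [table incr -notouch $key]

    if { $count > $static::conn_rate_max } {
        # Over the limit: drop the TCP connection now, before any TLS work is done,
        # so the handshake never reaches the SSL profile or consumes TMM memory.
        if { $static::conn_rate_log } {
            log local0. "conn rate limit: rejecting $client ($count > $static::conn_rate_max in $static::conn_rate_window s)"
        }
        reject
        return
    }
}
```

Two caveats worth checking before relying on this. First, it is a fixed-window counter: when the entry's lifetime expires the count vanishes and the next connection starts a fresh window, so a client can burst up to twice the limit across a window boundary; if that matters, shorten the window or use the per-connection subtable approach from the linked iRule, which approximates a sliding window. Second, CLIENT_ACCEPTED only fires after the TCP handshake has completed, so this protects the SSL stack but does nothing against a raw SYN flood; that is what SYN cookies and the TCP profile's own settings are for. Logging every rejection under a sustained flood also costs CPU, which is why the log line is behind a switch.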

 

2 Replies

  • I think if the issue is about too many new SSL connections (i.e. not too many renegotiations), the iRule should be fine.

    Just my 2 cents.


  • Kevin_K_51432
    Historic F5 Account

    Hi Rolf, I wonder what "SSL-related stuff"? Would be nice to know. One item to consider is the SSL cache. The cache size is 262,144 records and the cache timeout is set to one hour. These figures could be cut down significantly (say, by half) and the only impact would be established clients renegotiating more frequently. Pretty painless compared to significant memory exhaustion which affects the device as a whole. Consider: is a 30-minute SSL session (without renegotiation), perhaps with only 130,000 entries, too short / small?

    Session cache:

    http://support.f5.com/kb/en-us/solutions/public/6000/700/sol6767.html
    http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11170.html

    More info on SSL profile:

    http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14783.html

    Kevin