Sumanta_88744
Jul 22, 2016
Solved

Connection rate limit not working in F5

Hi Experts

 

During a recent test scenario on F5 LTM 2000, we tried rate limiting the virtual server based on (1) only source address and (2) virtual server and source address. I had set the rate limit to 20K, but during testing, the connections overshot this limit and reached 25K.

 

Can anyone assist? Do I need to raise a TAC case for this? The virtual server type is performance L4.

 

Regards, Sumanta.

 

7 Replies

  • Are we talking about "connection limits" or "connection rate limits"? See https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-6-0/35.html for differences:

    When you specify a connection limit, the system prevents the total number of concurrent connections to the virtual server, pool member, or node from exceeding the specified number.
    
    When you specify a connection rate limit, the system controls the number of allowed new connections per second, thus providing a manageable increase in connections without compromising availability. 
    

    So, when talking about connection RATE limits, it is legit to have more than 20k connections established, as long as they are not being established in the same second.

    If we are talking about connection limits on the other hand, that connection count would not be legit, with one exception: if you have a persistence profile on the virtual, the "override connection limit" option might (as the name suggests) override the connection limit.

    HTH

    Martin

  • Hi,

     

    The rate limit just limits the number of new connections per second. It's not the number of concurrent connections.

     

    • Sumanta_88744

      Hi All

       

      Thanks. In that case, how do we limit 20K concurrent connections from a single source IP?

       

    • Yann_Desmarest_

      Unfortunately,

       

      If you want a connection limit by source IP, you should switch to iRules. Connection Limit and Connection Rate Limit are settings that apply to connections for the Virtual Server.

       

      You may also try using Bandwidth controller or rate class to limit by bandwidth usage per IP address.
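
The difference between a connection rate limit and a connection limit, as discussed in this thread, shown as an added example that is not part of any post and is not F5 code: a small Python model of one source opening connections against a limiter. The 250 ms tick, the 1250 ms connection hold time and the function name `peak_concurrent` are assumptions of this model, chosen so that a 20K/s rate limit reproduces the 25K concurrent connections reported in the question.

```python
from collections import deque

TICK_MS = 250  # simulation step; an assumption of this model


def peak_concurrent(offered_per_sec, hold_ms, run_ms,
                    rate_limit=None, conn_limit=None):
    """Return the peak number of simultaneously open connections.

    rate_limit: maximum NEW connections admitted per one-second window.
    conn_limit: maximum CONCURRENT connections.
    Every admitted connection stays open for hold_ms milliseconds.
    """
    per_tick = offered_per_sec * TICK_MS // 1000
    open_conns = deque()  # (close_time_ms, count), ordered by close time
    concurrent = peak = admitted_this_sec = 0

    for now in range(0, run_ms, TICK_MS):
        if now % 1000 == 0:
            admitted_this_sec = 0  # a new one-second window starts

        # Expire connections whose hold time has elapsed.
        while open_conns and open_conns[0][0] <= now:
            concurrent -= open_conns.popleft()[1]

        admit = per_tick
        if rate_limit is not None:
            # Rate limit: only looks at how many were admitted this second.
            admit = min(admit, rate_limit - admitted_this_sec)
        if conn_limit is not None:
            # Connection limit: only looks at how many are open right now.
            admit = min(admit, conn_limit - concurrent)

        if admit > 0:
            open_conns.append((now + hold_ms, admit))
            concurrent += admit
            admitted_this_sec += admit
        peak = max(peak, concurrent)
    return peak


if __name__ == "__main__":
    # Constructed scenario: 20K new connections/s, each held for 1.25 s.
    print("rate limit 20K :", peak_concurrent(20000, 1250, 10000, rate_limit=20000))
    print("conn limit 20K :", peak_concurrent(20000, 1250, 10000, conn_limit=20000))
```

With the rate limit alone the peak is set by arrival rate times hold time, so it exceeds 20K whenever connections live longer than one second; only the concurrent limit caps the open count.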

       
