hooleylist
Mar 31, 2011 (Cirrostratus)
Chris,
This piqued my interest so I asked about it internally. A helpful developer pointed out an issue in pre-v11.0 where CPU cycle calculation with the timing command doesn't accurately account for the time not spent processing the iRule when suspend commands (like the session command) are used. He believes the increased CPU cycles in the live environment are a reporting issue, and not actually indicative of a drop in performance. This issue is described in BZ222913.
I've asked the NSE who has your case to contact you to explain this in greater detail. As you're not comfortable posting your iRule, I'll send you some suggestions on optimizing the rest of the iRule. Generally, they are:
- Upgrade to 10.1 or higher (ideally 10.2.0HF2) to take advantage of the simpler client SSL cert handling. You could then remove the session add/lookup logic and access the cert directly throughout the lifetime of the SSL session.
http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnote_10_1_0_ltm.html
SSL::cert iRule commands (CR116806)
The following iRule commands now apply to the lifetime of the SSL session, and not only for the connection in which the system receives the client certificate:
SSL::cert GET_PEER_CERT
SSL::cert issuer GET_PEERCERTISSUER
SSL::cert count GET_PEER_CERTCOUNT
With this change, the system stores the received peer certificate in the SSL session, so that the certificate is available to the specified iRule commands as long as the SSL session is valid. In previous releases, the CLIENTSSL_CLIENTCERT iRule event retrieved the peer certificate; now the stored certificate can also be retrieved inside the HTTP_REQUEST event.
- Use the HTTP profile option to encrypt|decrypt cookies or manually encrypt and decrypt the cookie values using AES::encrypt|decrypt. Either of these methods is much more efficient than using the HTTP::cookie encrypt|decrypt commands in an iRule. This is due to the different ways encryption keys are generated.
- Avoid using regexes if you can use string or scan commands instead. Regexes can be 10x+ less efficient than similar string/scan commands.
- Once/if you're on a platform and OS version which supports CMP, try to avoid using global variables. In 9.x, you can change them to local variables set in CLIENT_ACCEPTED. In 10.x, you can use the static:: namespace for global variables whose values don't change during a connection. As you need to use the session command in 9.x, you won't be able to get the iRule CMP compatible. But on 10.x this would definitely improve performance (assuming you're on a CMP capable platform) as the iRule could run on all TMM instances instead of one.
http://devcentral.f5.com/wiki/default.aspx/iRules/cmpcompatibility
http://devcentral.f5.com/wiki/default.aspx/iRules/static
Aaron
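The following iRule is an added example, not code from Aaron's post or from F5, showing how the suggestions above fit together on 10.1 or later: the client certificate is read with SSL::cert directly in HTTP_REQUEST (so the session add/lookup that used to be done in CLIENTSSL_CLIENTCERT goes away), the only shared state lives in the static:: namespace set once in RULE_INIT (so the rule stays CMP compatible), and the path check uses a string operator rather than a regex. The header names, the `/secure/` prefix and the static:: variable names are assumptions chosen for the example.

```tcl
# Added example (not from the original post or F5 documentation).
# Assumes BIG-IP 10.1+ with a client SSL profile that requests/requires
# a client certificate, so SSL::cert is valid for the life of the SSL session.

when RULE_INIT {
    # Assigned once at load time and never written per connection: this is
    # what keeps the rule CMP compatible. Names are assumptions for this example.
    set static::cert_subject_hdr "X-Client-Cert-Subject"
    set static::cert_issuer_hdr  "X-Client-Cert-Issuer"
    set static::protected_prefix "/secure/"
}

when HTTP_REQUEST {
    # Strip any client-supplied copy of the headers this rule sets, so a
    # request cannot spoof a certificate identity to the pool members.
    HTTP::header remove $static::cert_subject_hdr
    HTTP::header remove $static::cert_issuer_hdr

    # A starts_with comparison instead of a regex on the path.
    if { [HTTP::path] starts_with $static::protected_prefix } {
        # On 10.1+ the stored peer cert is available here on every request of
        # the SSL session, not only in the CLIENTSSL_CLIENTCERT event.
        if { [SSL::cert count] > 0 } {
            HTTP::header insert $static::cert_subject_hdr [X509::subject [SSL::cert 0]]
            HTTP::header insert $static::cert_issuer_hdr  [X509::issuer  [SSL::cert 0]]
        } else {
            # No certificate was presented for a protected path: reject here
            # rather than forwarding an unauthenticated request to the pool.
            HTTP::respond 403 content "Client certificate required"
            return
        }
    }
}
```

Nothing in the rule writes to a static:: variable after RULE_INIT and no plain global or session entry is used, which is the property CMP needs in order to run the rule on every TMM. Cookie encryption is deliberately left to the HTTP profile's encrypt cookies option, as the post recommends, rather than being re-implemented in the iRule.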