Forum Discussion

ryan_126547
Feb 28, 2013

ASM causing high CPU on bigip 3600 ltm

Hi all!

We are experiencing high CPU levels on both cores of our BigIP 3600 ltm platform after we applied the only security policy on our ASM to the http class profile on our VIPs. We are trying to come up with solutions to try to get the CPU levels down. Oddly enough, the high CPU is not causing any performance issues with load times from our web servers.

Steps taken to try to help lower the CPU levels:

1.) Take the signature sets out of staging.

2.) Take the policy out of learning for ALL violations.

3.) Changed logging level to log nothing (from log illegal requests only).

The policy is not even in blocking mode yet, only transparent. So I am not sure what is causing the high CPU? I know ASM is the culprit because doing a 'top' on my console shows the bd process using 80 - 90%. The tmm process, or LTM, is only averaging 30 across both cores. Not sure why the ASM can't use both cores?

Has anyone in this group come across issues with high CPU on their platform which you had trouble resolving? The VIPs to which the security policy has been applied average about 3k http requests a sec.

Our BigIP is running 11.2.1 build 1042.

Thanks for anyone's help/advice you can provide. Prior to adding ASM to our LBs, the CPU only averaged around 20-25% during peak usage.

-Ryan

 

9 Replies

  • Ryan,

    Besides just the File Type, URL, and Parameter protection type stuff, what other ASM protections do you have turned on in this policy?
  • If you search back far enough in this forum, you'll find at least a couple of threads regarding the 3600 platform and high CPU with ASM. My 3600, which is rock solid with LTM, would core just downloading ASM attack signatures. I have no experience with version 11, but after going round and round with support for a couple of weeks, a support tech confided to me that it was a known issue and, his words not mine, "ASM should be running on its own hardware". At that point I stopped trying. I've been an LTM admin for 6 years and it is rock solid. In my experience, add ASM on a 3600 and toss that reliability out the window. In frustration, I actually asked on the forum a couple of years ago if anyone was running LTM+ASM reliably on a 3600. There wasn't a single response.

    If you do get it stable, please update the thread. I'd love to finally get it implemented, but I'm not wasting any more time on it until I know somebody else actually got it working.

    Chris
  • Hmmm, this is interesting. I have not heard that in the past. I am running 3900s and mine are stand-alone ASMs, so these issues would not apply. However, in the past we have had discussions about putting LTM licensing on the ASM, but with the cost of LTM licensing we have always found other ways to accomplish what we needed. I will be keeping this in mind in the future though.

    Chris - Do you believe this is a restriction of the 3600 model or just a rule of thumb across hardware platforms?
  • Posted By Mike Maher on 03/01/2013 05:46 AM

    Chris - Do you believe this is a restriction of the 3600 model or just a rule of thumb across hardware platforms?

    The 3600 is the least powerful model approved to run LTM+ASM. I'd like to believe a more powerful model could handle it, but my experience has made me wary. Obviously F5 still thinks LTM+ASM should be fine on a 3600. My CPU rarely goes above 10% running just LTM, so it's not like my box is busy.

    Chris

  • I tried posting to this site earlier but it kept saying the forum was unavailable ಠ_ಠ

    * I have no session tracking or login enforcement enabled.

    * No IP addresses are restricted.

    * DoS protection is disabled.

    I noticed that Data Guard was enabled. I disabled that and my CPU did drop considerably (from 70 to about 50%). The problem is, what is the point of having ASM on if you're not protecting your web application?

    -Ryan

  • Mike,

    Curious to know how much web traffic (req/sec) your 3900 platform takes? We thought about putting the 3900s in front of our 3600. But then again, what is the point of doing that when you can just have one box, i.e. one 3900.

    Also, how many security policies do you have on your 3900 that is taking live traffic?

    -Ryan

  • Ryan,

    So, to your first post: I have heard that Data Guard is a performance hog. Not sure why, and I have not been able to find anything in particular that discusses it, but I have seen it somewhere that you will take a performance impact by having it on.

    Now to the 2nd part of that post: turning off Data Guard does not invalidate ASM; it is one feature within the vast protection types that ASM offers. The majority of the protection comes from a soundly designed application policy, by locking down input to the application/service through URL, Parameter, and Parameter Value validation in conjunction with Attack Signatures. I personally do not use Data Guard and I run over 20 application policies, not because of the performance impact but because I don't have a scenario where it is necessary, since it is essentially just an obfuscation technique.

    In my opinion the nice thing about ASM is that it offers the ability to customize protection levels per application based upon the risk level of the application and the end user needs.

    I do run DoS protection on a few applications and have seen no significant performance hit for that.

    So my 3900s are dedicated ASMs; I do not run LTM on that device, as I have them in front of and behind the ASMs and they are much bigger boxes. This was done mostly for separation of rights and duties, not performance. So basically I have an LTM that load balances connections to one of two 3900 ASMs, which then send traffic to the same or another LTM to LB to a server pool.

    On each of those 3900s I see an average of 20 - 25 Mbps with spikes to about 40 occasionally, 15 - 25% CPU and 45-50% memory usage; again, that is per 3900. I run 20 - 25 applications/services through these, which equals roughly 65 policies with varying degrees of security.
  • Thank you for that information, Mike.

    What type of signatures do you have in place for your policies? I dropped Data Guard and the "suggested policies" from what the policy wizard thought would apply to my web application. Right now I only have the XSS sig in learning mode and CPU seems to be stable around 60%, when normally at this time it would be near 80%.

    How do you go about tweaking what attack signatures you need for an enterprise environment? If I choose all the databases and types of web servers I have, the amount of signatures the ASM checks is quite high. This could also account for the high CPU usage.
  • Hi,

    we are running 3900 boxes (LTM+ASM).

    If you don't need Data Guard for business reasons, leave it off. Same thing for all other settings, i.e. if you have a firewall in front with DoS protection, you don't need to turn it on in ASM. It depends on your network design.

    ...the reason for your high CPU... it depends ;-) There can be so many reasons. Do you run a lot of SSL traffic? Do you use big SSL keys (2048 and bigger)? How much traffic? Do you use a lot of XML traffic?

    v11 needs a little bit more power than v10, but it needs much more memory - says F5.

    Memory allocation is really important and can result in high CPU on the system or swapping.

    Does your system swap memory?

    The problem is, if you are running LTM&ASM on one system, you can't see detailed information about the memory allocation.

    i.e. we have only about 70 MB really free memory in our 3900. But if I calculate, I get much more free memory. :-)

    I don't know the size of your environment, but the 3600 has only 4 GB memory. Perhaps you should think about a bigger system, like a 3900 (8 GB) or better a 4000v (16 GB).

    If you have a lot of policies, you can think about a bigger system behind the 3600. So you only run LTM on the 3600 and ASM on a 3900 or 4000v.

    But again, it all depends on your network design!

    Selection of policies: you should select all necessary policies :-)

    i.e. if you have a Java application running on a Linux Apache server, which uses a MySQL DB and there is a little bit of XML traffic, you select the Java, Linux, MySQL, and XML signatures. A base signature set is always selected.

    You don't have to select all the DBs you are running in your environment. Only the one used by your application.

    regards
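A small triage script, added here as an example and not code from the thread or from F5, that pulls together the two checks the thread keeps coming back to: the original post's `top` observation (the bd process, which is ASM enforcement, versus tmm, which is LTM) and the last reply's question of whether the box is swapping. It parses batch `top -b -n 1` output in the procps format of that era, totals CPU per process name so multiple tmm instances are summed, reads the Mem/Swap lines, and returns findings. The `top` output embedded in it is constructed, not captured from a real BIG-IP; only the process names bd and tmm come from the thread, and the thresholds are assumptions to adjust for the platform.

```python
"""Triage helper for the two questions raised in this thread: which process
is burning CPU (bd, the ASM enforcer, versus tmm, the LTM traffic process),
and whether the box is swapping. It parses `top -b -n 1` output as the
procps version of that era printed it. Added example; not from the thread
or from F5. Thresholds are assumptions."""

# Constructed sample of `top -b -n 1` output. It is not captured from a real
# BIG-IP; only the process names bd and tmm come from the thread, the rest
# are generic Linux daemons.
SAMPLE_TOP = """\
top - 10:31:02 up 42 days,  3:12,  1 user,  load average: 2.10, 2.05, 1.98
Tasks: 212 total,   3 running, 209 sleeping,   0 stopped,   0 zombie
Cpu(s): 61.0%us,  9.0%sy,  0.0%ni, 28.0%id,  0.0%wa,  0.0%hi,  2.0%si,  0.0%st
Mem:   4051236k total,  3980112k used,    71124k free,    12344k buffers
Swap:  1048568k total,   221184k used,   827384k free,   512000k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2211 root      20   0 1900m 1.1g  22m R 86.3 27.8 921:11.02 bd
 1987 root      RT   0 2300m 1.4g  41m S 31.7 35.1 611:45.10 tmm
 1990 root      RT   0 2300m 1.4g  41m S 29.4 35.1 598:02.33 tmm
 4102 root      20   0   98m  12m   3m S  0.7  0.3   3:00.12 httpd
 4250 root      20   0   64m   4m   2m S  0.0  0.1   0:02.40 sshd
"""


def _kv_line(fields):
    """Turn ['4051236k', 'total,', '3980112k', 'used,', ...] into
    {'total': 4051236, 'used': 3980112, ...} (values in kB)."""
    out = {}
    for value, key in zip(fields[0::2], fields[1::2]):
        out[key.rstrip(",")] = int(value.rstrip("k"))
    return out


def parse_top(text):
    """Parse top's batch output into process rows plus the Mem/Swap lines."""
    procs, mem, swap = [], {}, {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Mem:":
            mem = _kv_line(fields[1:])
        elif fields[0] == "Swap:":
            swap = _kv_line(fields[1:])
        elif fields[0].isdigit() and len(fields) >= 12:
            # Columns: PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
            procs.append({"pid": int(fields[0]), "cpu": float(fields[8]),
                          "mem": float(fields[9]), "cmd": fields[11]})
    return {"processes": procs, "mem_kb": mem, "swap_kb": swap}


def cpu_by_command(parsed):
    """Sum %CPU over all instances of each command name. On a multi-core box
    the sum can exceed 100; tmm runs one instance per core."""
    totals = {}
    for p in parsed["processes"]:
        totals[p["cmd"]] = round(totals.get(p["cmd"], 0.0) + p["cpu"], 1)
    return totals


def triage(text, bd_threshold=70.0, swap_threshold_pct=5.0):
    """Return bd/tmm CPU figures, swap usage and a list of findings.
    The thresholds are assumed values; tune them for the platform."""
    parsed = parse_top(text)
    totals = cpu_by_command(parsed)
    swap = parsed["swap_kb"]
    swap_used_pct = (100.0 * swap["used"] / swap["total"]) if swap.get("total") else 0.0
    bd, tmm = totals.get("bd", 0.0), totals.get("tmm", 0.0)
    findings = []
    if bd >= bd_threshold:
        findings.append(
            f"bd at {bd:.1f}% CPU: ASM enforcement dominates; review which "
            "policy features (Data Guard, signature sets, learning) are on")
    if tmm > bd:
        findings.append(f"tmm at {tmm:.1f}% CPU exceeds bd: look at LTM/SSL load first")
    if swap_used_pct >= swap_threshold_pct:
        findings.append(
            f"swap {swap_used_pct:.1f}% used with {parsed['mem_kb'].get('free', 0)} kB "
            "free: memory pressure, not policy tuning, may be driving the CPU")
    return {"bd_cpu": bd, "tmm_cpu": tmm,
            "swap_used_pct": round(swap_used_pct, 1), "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_TOP)["findings"]:
        print(finding)
```

Run it against saved `top -b -n 1` output from the box in place of the constructed sample; the point of summing per command name is that on a two-core 3600 tmm shows up twice, so a single-line reading understates LTM's share, while bd is one process and its single figure is what the original post saw.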