LTM OneConnect Profile Fundamental
By default, for each request from the client to the BIG-IP virtual IP, a separate TCP connection, with its own 3-way handshake, is created between BIG-IP and the internal server.
BIG-IP OneConnect test result
There is a test conducted by F5 that shows how much the number of connections between BIG-IP and internal web servers is reduced when we apply the OneConnect profile to a virtual server.
25,000 connection requests are generated from clients over 15 minutes. The number of connections from the client to BIG-IP and from BIG-IP to the internal servers will be the same if we do not apply a OneConnect profile to the virtual server.
In this figure, which does not use a OneConnect profile, the blue graph (the number of client requests) and the pink graph (the number of server connections) are the same.
However, using OneConnect significantly reduces the number of server connections.
In this figure, where we are using the OneConnect profile, the number of server connections (pink) is much lower than the number of client requests (blue).
OneConnect Profile Settings
When we configure the OneConnect profile, some parameters can be optionally configured.
The source mask specifies which clients are allowed to use an idle connection from a specific source.
For example, if a client with the IP address 10.10.10.10 made a request and opened a new connection and the source mask is configured as /16, all other clients with the IP address in the subnet 10.10.0.0/16 are allowed to use the idle connection.
Maximum Size specifies the maximum number of idle connections, which is 10,000 by default.
Maximum Age specifies the maximum age of a connection, which is 24 hours by default.
Maximum Reuse specifies the maximum number of requests to be sent over a connection, which is 1000 by default.
Idle Timeout Override specifies the maximum time that idle connections are allowed to stay open. By default it is disabled, which means there is no limitation.
Limit Type specifies how OneConnect enforces connection restrictions when connection limits are reached.
- The default value is None, which means OneConnect does not enforce any restrictions.
- Idle means that the idle connection will be deleted when the connection limit is reached. This allows the new connections to be established.
- Strict means that no new connection will be accepted until idle connections have expired. This method is not recommended.
And finally, “Share Pools”: when enabled, all virtual servers using the same OneConnect profile can share connections.
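The source mask and Maximum Reuse settings described above, modelled as a small Python simulation that reports how many server-side connections are opened and which clients end up on a connection opened for another client. This is an added example, not F5 code and not part of the F5 test; the function names, the one-request-at-a-time pool model and the sample client IPs are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: client source IPs in arrival order (not from the F5 test).
SAMPLE_REQUESTS = ["10.10.10.10", "10.10.20.5", "10.10.10.10", "10.11.0.7", "10.10.30.9"]

def reuse_key(client_ip, prefix_len):
    """Network a client falls into once the source mask (as a prefix length) is applied."""
    return str(ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False))

def simulate(requests, prefix_len, max_reuse=1000):
    """Simplified model: requests arrive one at a time and each server-side
    connection returns to the idle pool after its response.

    Returns (connections_opened, served_by); served_by maps each client to the
    client whose request originally opened the connection that served it.
    """
    idle = defaultdict(list)  # reuse key -> idle connections as [opener_ip, requests_sent]
    opened, served_by = 0, {}
    for client_ip in requests:
        key = reuse_key(client_ip, prefix_len)
        if idle[key]:
            conn = idle[key].pop()      # eligible idle connection: reuse it
        else:
            conn = [client_ip, 0]       # none eligible: new handshake to the server
            opened += 1
        conn[1] += 1
        served_by[client_ip] = conn[0]
        if conn[1] < max_reuse:         # at Maximum Reuse the connection is closed
            idle[key].append(conn)
    return opened, served_by

if __name__ == "__main__":
    for prefix_len in (32, 16, 0):
        opened, served_by = simulate(SAMPLE_REQUESTS, prefix_len)
        print(f"source mask /{prefix_len}: {opened} server-side connections")
        for client, opener in served_by.items():
            if client != opener:
                print(f"  {client} reused a connection opened for {opener}")
```

A wider mask means fewer server-side connections but more unrelated clients sharing one connection, which matters whenever a pool member attributes requests to the connection's source address.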
LTM OneConnect Profile Configuration Example
Now the question is how we can implement OneConnect.
Simply create a new OneConnect profile and assign it to the virtual server.
Before that, make sure that an HTTP profile is assigned to both client and server. Here I use the F5 default HTTP profile.
I also additionally applied the TCP profile to both the client and the server. Following the F5 recommendation, I applied “tcp-wan-optimized” to the clients and “tcp-lan-optimized” to servers, which are usually on the LAN side.
We then create a new OneConnect profile based on the existing F5 OneConnect profile.
I don’t change any parameters. We have already discussed all the settings related to the F5 OneConnect profile.
In the last step, we apply the OneConnect profile to the virtual server.
It is not easy for us to see the effect of the OneConnect profile here, especially because we are not generating many requests, our internal servers only support HTTP version 1.0, and HTTP keep-alive is not enabled.
However, to check the result of the OneConnect profile, go to Module Statistics, then Local Traffic, then Profile Summary, and then select the OneConnect profile.
Here you can see the number of idle connections, the maximum number of connections, how many connections are reused, and how many new connections are created.