When load testing an API call (or sending it very high traffic) that uses the Rate Limit assertion set by an API Plan or Account Plan in the CA API Developer Portal ("Portal"), the following error may be encountered even when traffic is well below the value set for the Rate Limit assertion:
API Plan Limit Exceeded
If there is a high traffic load (for example, a load test is running) and it is expected to be handled because it is under the Maximum Requests Per Second value, it is recommended to enable the Spread Limit Over X Sec Window function on the Rate Limit assertion. The Spread Limit Over X Sec Window function allows for bursts of traffic, including traffic that comes in under the buffer set by the Maximum Requests Per Second value, which is often the case with load tests. The Gateway product documentation (more details found in the Additional Information section below) explains the following for the Spread Limit Over X Sec Window function on the Rate Limit assertion:
The recommended resolution is to enable the Spread Limit Over X Sec Window function on the Rate Limit assertion, typically with a value of 60 seconds or higher. The gotcha is that the Portal does not enable that function automatically; however, it can be configured to do so after a couple of file changes and a restart of the Portal service. This can be achieved by following the steps below on the Portal:
After the changes above, all new API Plans or Account Plans will also have that setting applied automatically. This is a useful resolution if the Spread Limit Over X Sec Window function is required in the environment, particularly if developers do not have access to Policy Manager to make the changes manually.
*** The above is for Portal 3.5. For Portal 4.x there is a scheduled task, "portal sync account plan".
In the "portal sync account plan" policy window, search for "hardlimit" to find the "set context variable rateLimitXml" assertion.
Open this assertion and change
<l7:HardLimit>true</l7:HardLimit>
to
<l7:HardLimit>false</l7:HardLimit>
"Save and Activate" the policy, then make some changes to the current account plan. After the next sync, open the "Account Plans Fragment" policy and search for "rate limit"; the "Apply rate limit" assertion should now have the option "Spread limit over 60 sec windows" checked.
As soon as this option is checked, it should resolve the problem.
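Why a load test can trip the limit while averaging below it, as an added example that is not taken from the product or its documentation: a simplified model in which the hard limit enforces a minimum gap of 1/rate between requests, while the spread option behaves like a token bucket sized to the window. Both models, the function names and the traffic pattern are assumptions constructed for illustration.

```python
# Simplified model for illustration; not the Gateway's implementation.
US = 1_000_000  # microseconds per second (integer time avoids float drift)

def hard_limit(arrivals_us, max_rps):
    """Assumed hard-limit model: enforce a minimum gap of 1/max_rps
    between accepted requests, so no bursting is possible."""
    min_gap = US // max_rps
    accepted = rejected = 0
    last = None
    for t in arrivals_us:
        if last is None or t - last >= min_gap:
            accepted, last = accepted + 1, t
        else:
            rejected += 1
    return accepted, rejected

def spread_limit(arrivals_us, max_rps, window_sec):
    """Assumed spread model: token bucket holding max_rps * window_sec
    requests, refilled at max_rps, starting full."""
    capacity = max_rps * window_sec * US  # scaled: one request costs US units
    tokens, prev = capacity, None
    accepted = rejected = 0
    for t in arrivals_us:
        if prev is not None:
            # Refill in proportion to elapsed time, capped at the bucket size.
            tokens = min(capacity, tokens + (t - prev) * max_rps)
        prev = t
        if tokens >= US:
            tokens -= US
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected

def bursty_load(seconds, per_burst, spacing_us):
    """Constructed traffic: one burst at the start of every second."""
    return [s * US + i * spacing_us
            for s in range(seconds) for i in range(per_burst)]

if __name__ == "__main__":
    # 50 requests in the first 100 ms of each second: averages 50 rps.
    load = bursty_load(seconds=10, per_burst=50, spacing_us=2000)
    print("hard limit  :", hard_limit(load, max_rps=100))
    print("60 s window :", spread_limit(load, max_rps=100, window_sec=60))
```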
Details on creating an API Plan with a Rate Limit set are here: https://docops.ca.com/ca-api-developer-portal/3-5/en/manage-the-api-portal/manage-apis/use-the-policy-manager-to-publish-apis