CSS - SSL CPU Saturation Issues

Answered Question
Apr 12th, 2007

Hello,


During stress testing in our lab, I am experiencing 100% CPU utilization on my SSL module and am trying to find some definitive information regarding exactly what the SSL module capabilities are with regard to simultaneous connections, maximum traffic capabilities, etc... I have seen a few references to this type of information in these forums, but no detailed information, like a link to supporting documentation on Cisco's website.


What we have is an 11506 running WebNS software version sg0750105s, and during our load testing we have found that when approaching 1,000 simultaneous SSL connections, the SSL CPU reaches 100%. I am attaching our test script and resulting stats. As you can see, our load test ramps from 200 to 400 to 600 to 800 and finally to 1,000 connections, until the SSL CPU finally reaches 99% and we then begin to experience dropped connections.


Any ideas on how we can configure the CSS in software to better handle the required SSL connections? Our test requirements are actually for 1,500 simultaneous connections... which we have yet to accomplish.


Any help is greatly appreciated.


Thanks!


-Adam



Syed Iftekhar Ahmed Thu, 04/12/2007 - 09:49

CSS 11500 supports 1000 transactions per second per module. If you are looking for more than this, then the obvious solution would be to introduce another SSL module in the chassis.


Syed Iftekhar Ahmed

a.veschak Thu, 04/12/2007 - 10:16

Syed,


Thanks for the reply. The 1,000 transactions info is something I have read here previously... but can you direct me to any supporting documentation? I have not been able to find this info on Cisco's website.


Also, are there any software configs that can be implemented to help lighten the load on the SSL module while processing such large transactions?


Thanks for your help!


-Adam

Correct Answer
Syed Iftekhar Ahmed Thu, 04/12/2007 - 10:53

Adam~


Around 18 months ago, I opened a case with TAC on SSL performance and the following numbers were given to me in reply:


"Transactions per second: 1000 per module (4 modules max)

RSA operations per second: 4,000 per module

Concurrent sessions: 40,000 per module

Bulk encryption performance: 256 Mbps per module


The SSL performance is bound to the limitation of the card and not the code."


Someone from Cisco can verify these numbers.


Syed

a.veschak Thu, 04/12/2007 - 12:35

Syed,


What commands would I use to monitor the performance numbers you provided? And what output from the commands do I need to be looking at to verify the stated performance metrics?


Forgive me if I sound remedial here... I'm still trying to learn these things. :)


Thanks again!


-Adam

a.veschak Thu, 04/12/2007 - 12:36

Anyone from Cisco out there who can validate these SSL performance metrics and/or direct me to some supporting documentation?
