11501 w/SSLM speed/throughput issues

May 29th, 2007

Hi there...I have implemented an 11501 w/SSLM in our environment, and when the app teams are doing their testing, they are telling me that the performance and speed are degraded when they are testing against the VIP versus against the actual backend host. I have done as much troubleshooting as I can and there is nothing out of the ordinary that I can see....below is a copy and paste of the relevant config portions.....maybe someone else can see something there that would explain this abnormal behavior...their testing took about 8 mins when they went straight to the host, and about 20 mins when they tested against the VIP...


Thanks in advance,


Sandeep


ssl-proxy-list my_secure_site

ssl-server 1

ssl-server 1 cipher rsa-with-rc4-128-md5 161.19.55.81 81

backend-server 10

backend-server 10 port 81

backend-server 10 server-ip 161.19.55.74

backend-server 20

backend-server 20 port 81

backend-server 20 server-ip 161.19.55.75

ssl-server 1 vip address 161.19.55.13

backend-server 10 ip address 161.19.55.74

backend-server 20 ip address 161.19.55.75

backend-server 10 cipher rsa-with-rc4-128-md5

backend-server 20 cipher rsa-with-rc4-128-md5

ssl-server 1 rsakey services-sys_key1

ssl-server 1 rsacert services-sys

backend-server 5

backend-server 5 ip address 161.19.65.51

backend-server 5 server-ip 161.19.65.51

backend-server 5 cipher rsa-with-rc4-128-md5

active



service backend1

ip address 161.19.55.74

type ssl-accel-backend

port 81

add ssl-proxy-list my_secure_site

keepalive port 443

keepalive type ssl

protocol tcp

active


service backend2

ip address 161.19.55.75

type ssl-accel-backend

port 81

keepalive port 443

keepalive type ssl

protocol tcp

add ssl-proxy-list my_secure_site

active


service backend5

ip address 161.19.65.51

type ssl-accel-backend

port 81

add ssl-proxy-list my_secure_site

keepalive port 443

keepalive type ssl

protocol tcp

active


service ssl_front

slot 2

type ssl-accel

keepalive type none

add ssl-proxy-list my_secure_site

active



owner my_secure_site


content back

vip address 161.19.55.81

add service backend1

add service backend2

advanced-balance sticky-srcip

protocol tcp

port 81

url "/*"

active


content front

vip address 161.19.55.13

application ssl

add service ssl_front

protocol tcp

port 443

active


Gilles Dufour (Cisco Employee), Wed, 05/30/2007 - 06:21

For better performance, you want to use the following commands:



ssl-server 1 tcp virtual nagle disable

ssl-server 1 tcp server nagle disable

ssl-server 1 tcp virtual ack-delay 0

ssl-server 1 tcp server ack-delay 0

ssl-server 1 ssl-queue-delay 0


If that does not improve the situation, get a sniffer trace of the best performance [w/o CSS] and the worst performance [w/ CSS] and compare the two.


There is other possible connection tuning.


Gilles.
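
One way to carry out the trace comparison suggested above, as an added example that is not part of the original thread: it counts the gaps in which a small data segment sat waiting for a delayed ACK, the pattern the nagle and ack-delay settings target. The three-column input (relative time, source IP, TCP payload length) for a single TCP connection, the client address 192.0.2.10, the thresholds, all function names and both sample traces are constructed assumptions.

```python
MSS = 1460     # assumed maximum segment size on Ethernet
STALL = 0.040  # assumed threshold in seconds; delayed-ACK timers are typically 40-200 ms

def parse(trace):
    """Parse lines of 'relative_time src_ip tcp_payload_len' (one TCP connection)."""
    rows = []
    for line in trace.strip().splitlines():
        t, src, length = line.split()
        rows.append((float(t), src, int(length)))
    return rows

def ack_stalls(rows):
    """Return (count, total_seconds) of gaps where a sub-MSS data segment
    waited at least STALL seconds for a pure ACK from the other side."""
    count, total = 0, 0.0
    for (t0, src0, len0), (t1, src1, len1) in zip(rows, rows[1:]):
        small_data = 0 < len0 < MSS
        pure_ack_from_peer = src1 != src0 and len1 == 0
        if small_data and pure_ack_from_peer and t1 - t0 >= STALL:
            count += 1
            total += t1 - t0
    return count, round(total, 3)

def compare(direct, via_vip):
    """Summarise both traces and the extra time lost to ACK stalls via the VIP."""
    d, v = ack_stalls(parse(direct)), ack_stalls(parse(via_vip))
    return {"direct": d, "via_vip": v, "extra_stall_s": round(v[1] - d[1], 3)}

# Constructed sample: client talking straight to the backend host.
DIRECT = """
0.000 192.0.2.10 512
0.001 161.19.55.74 0
0.002 161.19.55.74 1460
0.003 161.19.55.74 300
0.004 192.0.2.10 0
0.005 192.0.2.10 512
0.006 161.19.55.74 0
"""

# Constructed sample: same exchange through the VIP, each ACK held about 200 ms.
VIA_VIP = """
0.000 192.0.2.10 512
0.200 161.19.55.13 0
0.201 161.19.55.13 1460
0.202 161.19.55.13 300
0.402 192.0.2.10 0
0.403 192.0.2.10 512
0.603 161.19.55.13 0
"""

if __name__ == "__main__":
    print(compare(DIRECT, VIA_VIP))
```

If the stall count drops to near zero after the settings above are applied but the run is still slow, the remaining delay lies elsewhere in the trace.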
