Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
869
Views
0
Helpful
2
Replies

ACE SSL Proxy performance issue

Go to solution
Craig_Baum_2
Level 1
Level 1

‎07-22-2012 01:01 PM

Hi I've got an ACE module in a 6500 that is being used as an SSL Proxy For a web service.

So the configuration is fairly basic, matches a VIP which has been Nat'ed from the public IP address port 443 and load balances over a number of reservers with the server ports being set to 80.

The problem is the main web site is hosted elsewhere and so when they switch to checkout on a secure port the browser page requests multiple https:// files .

The users are seeing very slow page loads a considerable amount longer than equivalent on http and more than you'd expect. The ACE is no where near any throughout or transaction limits.

My concern is on how the session is tracked, would the ACE attempt to renegotiate with every https:// get? I've seen example configs for stickiness inserting cookies for normal end-end load balancing but not with an SSL proxy configuration.

Sent from Cisco Technical Support iPad App

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎07-23-2012 11:58 PM

Hi Craig,

The SSL negotiation/handshake will happen everytime a client opens a new TCP connection i.e comes with a different source port.

To make sure that ACE doesn't renegotiate you can try and use this command:

(config-parammap-ssl)# session-cache timeout . You can use 24 hours or anytime you think is suitable.

This is basically to enable SSL session reuse. A little explanation below for your reference:

When client connects to a server over SSL, the server creates a session for that connection. This session ID is sent as a part of the Server Hello message. This is to make things efficient, in case the client has any plans of closing the current connection and reconnect in the near future. Most of the servers have a time out for these sessions (I think 24 hours is a common value, unless pressed for space).

When the client connects to the same server again, it can send the same session ID as a part of the Client Hello. The server will first look up if it can find any sessions with that ID. If found, the same session will be reused. Thus the time spent in verifying the certs and negotiating the keys is saved. If the server cannot find a matching session, then it responds with a new session ID and its certificate in Server Hello message. The client knows that it has to verity the cert and negotiate the key again.

Considerable amount of time is spent in validating server certs. Reusing SSL session will save this time.

Having said that you need to check if the client is coming with a session ID which it got in previous handshake or not. If it doesn't and it is a new TCP connection then SSL handshake will happen. Please enable that command before testing.

Also, ensure that you have allocated proper SSL resources to your context. Lack of resources can also cause dropped connections and sluggish performance.

Regards,

Kanwal

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎07-23-2012 11:58 PM

Hi Craig,

The SSL negotiation/handshake will happen everytime a client opens a new TCP connection i.e comes with a different source port.

To make sure that ACE doesn't renegotiate you can try and use this command:

(config-parammap-ssl)# session-cache timeout . You can use 24 hours or anytime you think is suitable.

This is basically to enable SSL session reuse. A little explanation below for your reference:

When client connects to a server over SSL, the server creates a session for that connection. This session ID is sent as a part of the Server Hello message. This is to make things efficient, in case the client has any plans of closing the current connection and reconnect in the near future. Most of the servers have a time out for these sessions (I think 24 hours is a common value, unless pressed for space).

When the client connects to the same server again, it can send the same session ID as a part of the Client Hello. The server will first look up if it can find any sessions with that ID. If found, the same session will be reused. Thus the time spent in verifying the certs and negotiating the keys is saved. If the server cannot find a matching session, then it responds with a new session ID and its certificate in Server Hello message. The client knows that it has to verity the cert and negotiate the key again.

Considerable amount of time is spent in validating server certs. Reusing SSL session will save this time.

Having said that you need to check if the client is coming with a session ID which it got in previous handshake or not. If it doesn't and it is a new TCP connection then SSL handshake will happen. Please enable that command before testing.

Also, ensure that you have allocated proper SSL resources to your context. Lack of resources can also cause dropped connections and sluggish performance.

Regards,

Kanwal

0 Helpful

Go to solution
Craig_Baum_2
Level 1
Level 1
In response to Kanwaljeet Singh

‎07-31-2012 02:43 PM

Thanks for that. It seems to have improved

Sent from Cisco Technical Support iPad App

0 Helpful
Customers Also Viewed These Support Documents