CSS 11500 SSL performance

alamp
Level 1

Hello!

We have a setup with a CSS 11503 including an SSL module load-balancing a lot of servers (about 70). For some of them, the CSS is terminating SSL and load-balancing in clear text to the servers.

Somebody did a performance test with, I think, the Microsoft Web Stress tool, once against one of the real servers (which can terminate SSL as well) and once against the SSL service (VIP) on the CSS, and found out that the performance differs by about 100%, meaning the real server is much faster! Also, loading one page with a lot of GIFs, stylesheets and such takes about 1.5 seconds when loaded from the real server(s) and about 3 seconds when loaded over the VIP.

Now, of course, I have to explain that "problem".

On the web I found the information that the SSL module can handle about 800 to 1000 "SSL transactions per second", but found no command for telling me how many "transactions" we actually have here.

Some facts:

- The output of "sh system-resources" shows 50-70% CPU usage for the CSM and about 20% for the SSL module. Also, I have some free memory (27 MB of 256 MB on the CSM, 92 MB of 512 MB on the SSL module).

- The output of "sh ssl statistics" is nice, but doesn't answer any performance questions.

- "flow statistics" shows about 500 average TCP flows per second and a lot of free flows.

- Since both connections (SSL to CSS and SSL to server) are routed over the CSS, network connectivity/performance should not be the problem.

So, does anybody know some magical commands, maybe in llama mode, for finding out more about performance?

Any help would be much appreciated.

Greetings

Andreas Lamprecht

3 Replies

Gilles Dufour
Cisco Employee

There are some parameters you can play with to improve performance of the SSL module.

Configure the following:

ssl-server X ssl-queue-delay 0

ssl-server X tcp server ack-delay 0

ssl-server X tcp virtual ack-delay 0

If your cleartext traffic goes back to a L5/7 rule on the CSS [ie: arrowpoint cookie rule or url rule], there is also a 200msec delay introduced there.

You can suppress it with the command

"flow tcp-del-ack ..."

Finally, the CPU of the SSL module is not really fast. So if you compare 1 connection to the CSS vs 1 connection to a server there is a great chance that the server will perform faster.

However, the SSL cpu is designed to handle lots of connections, so if you do the same test with 1000 simultaneous clients, you will see your server going much slower while the CSS will keep more or less the same average speed.

Gilles.

Thank you very much for your help!

I'll try to use those parameters.

But I still wonder if the 70% CPU usage of the CSM module might be too much. What is your opinion?

We have a box-to-box redundancy setup here and I would like to try to change that to a virtual router/redundant VIP setup so I could divide the load over the two CSSes.

Greetings

Andreas

Andreas,

The low memory is normal, as the CSS allocates memory for Flow Control Blocks (FCB) at startup.

You have low memory but a lot of free FCB.

The CPU is indeed a concern if it stays at this level continuously. However, this is most probably not traffic related but more due to some internal task, e.g. if you have a lot of probes, or are polling the CSS with SNMP.

You can check it out with the following procedure:

llama

symbol-table load SPRITZ

shell 1 1 spy

shell 1 1 spyReport

shell 1 1 spyReport

[you can repeat the last 2 steps to see if there is any variation over time]

shell 1 1 spyStop

symbol-table unload SPRITZ

Gilles.
