We have a setup with a CSS 11503 including an SSL module load-balancing a lot of servers (about 70). For some of them, the CSS is terminating SSL and load-balancing in clear-text to the servers.
Somebody did a performance test with, I think, the Microsoft Web Stress tool, one time to one of the real servers (which can terminate SSL as well) and one time to the SSL service (VIP) on the CSS, and found out that the performance differs by about 100%, meaning the real server is much faster! Also, loading one page with a lot of GIFs, stylesheets and such stuff takes about 1,5 secs when loaded from the real server(s) and about 3 seconds when loaded over the VIP.
Now, of course, I have to explain that "problem".
On the web I found the info that the SSL module can handle about 800 to 1000 "SSL transactions per second", but found no command for telling me how many "transactions" we actually have here.
- The output of "sh system-resources" shows a 50-70% CPU usage for the CSM and about 20% for the SSL module. Also, I have some free memory (27 MB of 256 MB on CSM, 92 MB of 512 MB on the SSL module).
- The output of "sh ssl statistics" is nice, but doesn't answer any performance questions.
- "flow statistics" shows about 500 average TCP flows per second and a lot of free flows.
- Since both connections (ssl to css and ssl to server) are routed over the CSS, network connectivity/performance should not be the problem.
So, does anybody know some magical commands, maybe in llama mode, for finding out more about performance?
There are some parameters you can play with to improve the performance of the SSL module.
Configure the following:
ssl-server X ssl-queue-delay 0
ssl-server X tcp server ack-delay 0
ssl-server X tcp virtual ack-delay 0
If your cleartext traffic goes back to a L5/7 rule on the CSS [i.e., an arrowpoint cookie rule or URL rule], there is also a 200 msec delay introduced there.
You can suppress it with the command
"flow tcp-del-ack ..."
Finally, the CPU of the SSL module is not really fast. So if you compare 1 connection to the CSS vs 1 connection to a server there is a great chance that the server will perform faster.
However, the SSL CPU is designed to handle lots of connections, so if you do the same test with 1000 simultaneous clients, you will see your server going much slower while the CSS will keep more or less the same average speed.
The low memory is normal, as the CSS allocates memory for Flow Control Blocks (FCB) at startup.
You have low memory but a lot of free FCBs.
The CPU is indeed a concern if it stays at this level continuously. However, this is most probably not traffic related but more due to some internal task, for example if you have a lot of probes or are polling the CSS with SNMP.
You can check it out with the following procedure:
symbol-table load SPRITZ
shell 1 1 spy
shell 1 1 spyReport
shell 1 1 spyReport
[you can repeat the last 2 steps to see if there is any variation over time]