cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
531
Views
0
Helpful
5
Replies

CSS - SSL CPU Saturation Issues

a.veschak
Level 1
Level 1

Hello,

During stress testing in our lab, I am experiencing 100% CPU utilization on my SSL module and am trying to find some definitive information regarding exactly what the SSL module capabilities are with regard to simultaneous connections, maximum traffic capabilities, etc... I have seen a few references to this type of information in these forums, but no detailed information, like a link to supporting documentation on Cisco's website.

What we have is a 11506 running WebNS software version sg0750105s and during our load testing, we have found that when approaching 1,000 simultaneous SSL connections, the SSL CPU is reaches 100%. I am attaching our test script and resulting stats. As you can see, as our load test ramps from 200 to 400 to 600 to 800 and finally to 1,000 connections, until the SSL CPU finally reaches 99% and we then begin to experience dropped connections.

Any ideas on how we can configure the CSS in software to better handle the required SSL connections? Our test requirements are actually for 1,500 simultaneous connections... which we have yet to accomplish.

Any help is greatly appreciated.

Thanks!

-Adam

1 Accepted Solution

Accepted Solutions

Adam~

Around 18 months ago, I opened a case with TAC on SSL performance and following numbers were given to me in reply

"Transactions per second: 1000 per module (4 modules max)

RSA operations per second: 4,000 per module

Concurrent sessions: 40,000 per module

Bulk encryption performance: 256 Mbps per module

The SSL peformance is bound to the limitation of the card and not the code."

Some one from Cisco can verify these numbers.

Syed

View solution in original post

5 Replies 5

CSS 11500 supports 1000 transactions per second per module. If you are looking for more than these then the obvious solution would be to introduce another SSL module in the chasis.

Syed Iftekhar Ahmed

Syed,

Thanks for the reply. The 1,000 transactions info is something I have read here previously... but can you direct me to any supporting documentation? I have not been able to find this info on Cisco's website.

Also, are there any software configs that can be implemented to help lighten the load on the SSL module while processing such large transactions?

Thanks for your help!

-Adam

Adam~

Around 18 months ago, I opened a case with TAC on SSL performance and following numbers were given to me in reply

"Transactions per second: 1000 per module (4 modules max)

RSA operations per second: 4,000 per module

Concurrent sessions: 40,000 per module

Bulk encryption performance: 256 Mbps per module

The SSL peformance is bound to the limitation of the card and not the code."

Some one from Cisco can verify these numbers.

Syed

Syed,

What commands would I use to monitor the performance numbers you provided? And what output from the commands do I need to be looking at to verify the stated performance metrics?

Forgive me if I sound remedial here... I'm still trying to learn these things. :)

Thanks again!

-Adam

Anyone from Cisco out there who can validate these SSL performance metrics and/or direct me to some supporting documentation?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: