Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Slow download via SSL in a CSS 11501

Hello,

I have 2 CSS 11501 providing load-balancing rules and SSL termination.

When CSS is used for downloading through the rules of SSL, the rates I get are quite lower than those obtained when the download is done either directly on the machine or by using the rules of HTTP. Is it normal? Is there anything that canspeed up this process?

Can someone give me a hand?

Thanks,

Cláudio Soares

2 REPLIES
Community Member

Re: Slow download via SSL in a CSS 11501

Forgot to post CSS configuration.

Here it goes:

!*************************** OWNER ***************************

owner RULES

content HTTP-RULE

  vip address LAN2.147

  protocol tcp

  redundancy-l4-stateless

  port 80

  advanced-balance arrowpoint-cookie

  arrowpoint-cookie browser-expire

  balance weightedrr

  add service SERVER1-80 weight 4

  add service SERVER2-80 weight 5

  active

content SSL-RULE

  add service MODSSL

  vip address LAN2.147

  application ssl

  advanced-balance ssl

  redundancy-l4-stateless

  port 443

  protocol tcp

  url "/*"

  active

!************************** SERVICE **************************

service SERVER1-80

  ip address LAN1.66

  port 80

  keepalive type http

  keepalive port 80

  keepalive uri "/"

  active

service SERVER2-80

  ip address LAN1.48

  port 80

  keepalive type http

  keepalive port 80

  keepalive uri "/"

  active

service MODSSL

  slot 2

  type ssl-accel

  keepalive type none

  add ssl-proxy-list SPL1

  active

ssl-proxy-list ssl1

ssl-server 130 tcp server window 40960

ssl-server 130 tcp virtual window 40960

ssl-server 130 tcp virtual nagle disable

ssl-server 130 ssl-queue-delay 0

Thanks

Cisco Employee

Slow download via SSL in a CSS 11501

Hi Claudio,

You should not notice any performance impact when doing a connection through the CSS, so this is definitely something that should be investigated further. I would recommend opening a TAC service request for it.

Out of experience, I can already say that most of the times, SSL slowness is due to some bugs related to TCP window scaling that result in very small packets being used for the connection. You should be able to get rid of most of them by upgrading to the latest 8.20 release and adding the command "flow tcp-window-scale disabled" to your configuration.

I hope this helps

Daniel

780
Views
0
Helpful
2
Replies
CreatePlease to create content