11-28-2011 03:20 AM
Hello,
I have 2 CSS 11501 providing load-balancing rules and SSL termination.
When CSS is used for downloading through the rules of SSL, the rates I get are quite lower than those obtained when the download is done either directly on the machine or by using the rules of HTTP. Is it normal? Is there anything that canspeed up this process?
Can someone give me a hand?
Thanks,
Cláudio Soares
11-28-2011 03:27 AM
Forgot to post CSS configuration.
Here it goes:
!*************************** OWNER ***************************
owner RULES
content HTTP-RULE
vip address LAN2.147
protocol tcp
redundancy-l4-stateless
port 80
advanced-balance arrowpoint-cookie
arrowpoint-cookie browser-expire
balance weightedrr
add service SERVER1-80 weight 4
add service SERVER2-80 weight 5
active
content SSL-RULE
add service MODSSL
vip address LAN2.147
application ssl
advanced-balance ssl
redundancy-l4-stateless
port 443
protocol tcp
url "/*"
active
!************************** SERVICE **************************
service SERVER1-80
ip address LAN1.66
port 80
keepalive type http
keepalive port 80
keepalive uri "/"
active
service SERVER2-80
ip address LAN1.48
port 80
keepalive type http
keepalive port 80
keepalive uri "/"
active
service MODSSL
slot 2
type ssl-accel
keepalive type none
add ssl-proxy-list SPL1
active
ssl-proxy-list ssl1
ssl-server 130 tcp server window 40960
ssl-server 130 tcp virtual window 40960
ssl-server 130 tcp virtual nagle disable
ssl-server 130 ssl-queue-delay 0
Thanks
12-02-2011 02:36 AM
Hi Claudio,
You should not notice any performance impact when doing a connection through the CSS, so this is definitely something that should be investigated further. I would recommend opening a TAC service request for it.
Out of experience, I can already say that most of the times, SSL slowness is due to some bugs related to TCP window scaling that result in very small packets being used for the connection. You should be able to get rid of most of them by upgrading to the latest 8.20 release and adding the command "flow tcp-window-scale disabled" to your configuration.
I hope this helps
Daniel
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: