02-15-2005 11:01 AM
We have a pair of CSS11503s with two SSL modules in each chassis. We balanced our numerous SSL VIPs across them based on CPU. In other words, we put some VIPs on one module, some on the other until we had both CPUs about 70% utilization at peak hours. (show sys)
We have noticed recently that the available memory on module2 depletes badly during high traffic and never recovers. Theoretically, we are guessing this is because the SSL table size increases. Recently, the available memory was dangerously low. I flipped to the redundant box and it showed the same behavior, so it's not hardware. When we did a "show ssl stat", we saw that the "active ssl flows high water mark" indicated 27,905 flows.
I know these modules are rated (in Cisco's white papers) as 20,000 concurrent sessions and 1,000 new sessions per second. What we are wondering is if the 27,905 flows indicates concurrent connections or is the "flows" different from "sessions" or "connections".
We could reallocate a bunch of our SSL VIPs from one module to the other, but then we risk pushing the CPU well past 70% utilization on that module. I'm also not certain going from 384MB available to 12MB available on the busier SSL module should be expected behavior.
The only pattern I can find is that the afflicted module happens to have the ONLY content rules that require a urlrewrite in their associated ssl-server entries. I recall that there were bugs with urlrewrites in previous versions. (we have 7.4.105s now)
Just thought I'd toss this out - it's bizarre and alarming behavior on these CSSes.
CWB
02-21-2005 11:36 AM
I am not aware of your problem, but you can try using the clear ssl statistics command to clear the SSL statistics counters for all SSL modules in the CSS chassis. The reset statistics appear as 0 in the show ssl statistics display.
To clear SSL statistics counters for a specific module, use the clear ssl statistics command and specify the slot number following the command. The valid slot entries are 2 and 3 (CSS 11503) or 2 to 6 (CSS 11506).
To clear the SSL statistics counter, enter:
# clear ssl statistics
02-23-2005 08:31 AM
Actually, this appears to be a memory leak issue with the 7.4.105s code. We regressed back to 7.3.108s and we do not have this problem any longer.
I am still wondering if the SSL FLOWS HIGHWATER MARK means connections (as in number of users) or something else. The number seems to be higher than our expected user base, but possibly we have that many more students this time of year.
CWB
02-24-2005 05:30 AM
There is indeed a memory leak in 105s and 106s.
This should be fixed in 107s.
The bug for the leak is CSCeg85854.
The high water mark is the maximum number of concurrent connections.
One user can have multiple connections open at the same time, so you can't tell the amount of users from this number.
Regards,
Gilles.