05-22-2006 12:15 AM
Hello!
We have a setup with a CSS 11503 including an SSL module load-balancing a lot of servers (about 70). For some of them, the CSS is terminating SSL and load-balancing in clear-text to the servers.
Somebody did a performance test with, I think, the Microsoft Web Stress tool, one time to one of the real servers (which can terminate SSL as well) and one time to the SSL service (VIP) on the CSS, and found out that the performance differs by about 100%, meaning the real server is much faster! Also, loading one page with a lot of GIFs, stylesheets and such stuff takes about 1,5 secs when loaded from the real server(s) and about 3 seconds when loaded over the VIP.
Now, of course, I have to explain that "problem".
On the web I found the info that the SSL module can handle about 800 to 1000 "SSL transactions per second", but found no command for telling me how many "transactions" we actually have here.
Some facts:
- The output of "sh system-resources" shows a 50-70% CPU usage for the CSM and about 20% for the SSL module. Also I have some free memory (27 MB of 256 MB on CSM, 92 MB of 512 MB on the SSL module)
- The output of "sh ssl statistics" is nice, but doesn't answer any performance questions.
- "flow statistics" shows about 500 average TCP flows per second and a lot of free flows.
- Since both connections (ssl to css and ssl to server) are routed over the CSS, network connectivity/performance should not be the problem.
So, does anybody know some magical commands, maybe in llama mode, for finding out more about performance?
Any help would be much appreciated.
Greetings
Andreas Lamprecht
05-22-2006 03:32 AM
There are some parameters you can play with to improve performance of the SSL module.
Configure the following:
ssl-server X ssl-queue-delay 0
ssl-server X tcp server ack-delay 0
ssl-server X tcp virtual ack-delay 0
If your cleartext traffic goes back to a L5/7 rule on the CSS [i.e. arrowpoint cookie rule or URL rule], there is also a 200 msec delay introduced there.
You can suppress it with the command
"flow tcp-del-ack ..."
Finally, the CPU of the SSL module is not really fast. So if you compare 1 connection to the CSS vs 1 connection to a server there is a great chance that the server will perform faster.
However, the SSL cpu is designed to handle lots of connections, so if you do the same test with 1000 simultaneous clients, you will see your server going much slower while the CSS will keep more or less the same average speed.
Gilles.
05-22-2006 07:18 AM
Thank you very much for your help!
I'll try to use those parameters.
But I still wonder if the 70% CPU usage of the CSM module might be too much. What is your opinion?
We have a box-to-box redundancy setup here and I would like to try to change that to a virtual router/redundant VIP setup so I could divide the load over the two CSSes.
Greetings
Andreas
05-22-2006 07:52 AM
Andreas,
The low memory is normal as the CSS allocates memory for Flow Control Blocks (FCB) at startup.
You have low memory but a lot of free FCBs.
The CPU is indeed a concern if it stays at this level continuously. However, this is most probably not traffic related but more due to some internal task - if you have a lot of probes, or are polling the CSS with SNMP.
You can check it out with the following procedure:
llama
symbol-table load SPRITZ
shell 1 1 spy
shell 1 1 spyReport
shell 1 1 spyReport
[you can repeat the last 2 steps to see if there is any variation over time]
shell 1 1 spyStop
symbol-table unload SPRITZ
Gilles.