We have a network segment that has a perimeter pix 535 and behind it two 6500 switches, each has a CSM and a SSL module. We can only hit a max throughput of about 42Mbps when we run a loadrunner test going to one ssl module on https traffic. We add a second SSL module to the CSM loadbalancing and we were able to increase to another 41 Mbps totalling our throughput to about 82 Mbps overall.

We are running software version 2.1(4) on the SSL modules. I noticed the following in the ssl modules while the modules were taking in at about 22 Mbps:

dmzssl1.frsat#sh ssl-proxy status tcp

TCP cpu is alive!

TCP cpu utilization:

% process util : 7 % interrupt util : 0

proc cycles : 0xA93422B253E int cycles : 0xD916CBD43A

total cycles: 0x96016CBCDE38

% process util (5 sec) : 60 % interrupt util (5 sec) : 2

% process util (1 min) : 51 % interrupt util (1 min): 1

% process util (5 min) : 51 % interrupt util (5 min) : 1

dmzssl1.frsat#sh ssl-proxy status ssl

SSL cpu is alive!

SSL cpu utilization:

% process util : 0 % interrupt util : 0

proc cycles : 0xAA820CE45C int cycles : 0x278569E70

total cycles: 0x9602074A99C8

% process util (5 sec) : 3 % interrupt util (5 sec) : 0

% process util (1 min) : 3 % interrupt util (1 min): 0

% process util (5 min) : 3 % interrupt util (5 min) : 0

Not sure on how to read these, but does this mean that the tcp process is kind of struggling compared to the ssl process?

We are expecting the ssl modules to be able to handle more traffic than just 41 Mbps. It's not really close to what Cisco claims in their data sheets.

Is there something else I need to look at or some performance tuning I can do in the ssl module to support more bandwidth? Please help. thanks