Forum Discussion

chad_14652
Dec 10, 2014

Expected SSL throughput rates for a single transaction

Hello,

We have built an 'application' that terminates client SSL, then via iRules extracts certain certificate fields of user information, determines the correct pool of servers to send them to and does so, encrypting on the backend as well. Both front and back use 2048-bit certs. We are doing this on C2400 Viprion with two 2100 blades. The guest in question has 2 cores per slot and is active on both slots.

Removing all iRules and doing just a client and server SSL profile, we can only achieve a max of 47Mb/s (6MB/s) of throughput on a good day. We have a 40G uplink trunk that isn't congested at all, so this appears to be strictly limited to the SSL engine performance.

I know the glossy states 9.0Gb/s aggregate performance per blade, but engineering will not give me expected rates for a single SSL flow through the box. I've had to report to my customers that the most I can guarantee them is 8MB/s per flow and no one is happy.

I know performance/L4 virtual server types perform better, but you cannot assign SSL profiles to them or iRules with HTTP events - which makes that type unusable for SSL offload.

Has anyone tested the throughput of a single SSL offload flow? What rates have you been able to achieve? This is a low TPS function, with a high bulk transfer (15-70G files). Think medical imagery.

Thanks, Chad

7 Replies

  • We see sustained 2Gbps (2048-bit certs) with both client and server SSL profiles attached on Standard virtual using a few trivial iRules without any issues at all (single B2100, no virtualization)...

  • Wow. I'm curious what application you used for the transfer?

    In your setup, are you routing, SNAT'ing, bridging?

    • pete_71470
      I'm wondering if the issue you're seeing is really related to guest configuration? We don't use virtualization on Viprion (much cheaper to buy a 10G HA pair than to license modules for the chassis). The configuration here is client -> VIP/client-ssl -> Automap SNAT -> Node/server-ssl. Except for some higher volume nPath setups, it's all L3 to and from Nodes. The iRules simply add X-Forwarded-For (deleting existing headers first) and w3c-style logging. The application is Xythos file sharing (behemoth Tomcat app).
    • chad_14652
      Originally 11.4.1 with hotfixes. Now on 11.5.1 hf5. Soon to be tried on 11.6.0 hf1.