SSL TPS

Question

Hi I'm in the middle of sizing a new pair of LB and tinkling about upgrading pairs in other DC after having decided to go https for a website.&nbsp;
Now i have 2 pairs of 6900 one pair of 5200 and one of 4200 , the TPS are slightly different here we go form 500 of the 6900 to the 20k of the 5200.&nbsp;
Fact is i do not really understand how to figure out what it is going to happen if i turn on https for the website:&nbsp;
here few numbers:&nbsp;
Max sessions on the http vip reached 64k
Max new sessions per second form other stats sources reached 600
Just simply browsing the site with a loop on netstat i see sessions open each second going form 4 to 8 depending on the page I'm browsing.&nbsp;
I have been reading of session identifier and ssl ticketing etc...&nbsp;
Question is what TPS is:&nbsp;
60k ( number of max concurrent https connections)
600 (new web session per second)
600 x 8 (new web s/s multiplied by the max number of connections to my website) 
of maybe 60k divided by 8 ?&nbsp;
Thanks
Paolo&nbsp;

hamish · Answer

TPS for ssl/tls are based on new connections. The licensed value is 1/100th of the advertised figure in a 10ms timeslot. &nbsp;
So if youre planning on 60k connections per second youll need to do something clever like offloading the ssl to separate devices... Is that figure (60k ) because you're perhaps not doing http keepalives? &nbsp;

brad_parker · Answer

I would think your 600 new sessions/server a second would be closer to what TPS numbers would be. 600*8 would be 4800. TPS is the number of new SSL sessions, so that number may even be less than 4800. As I look at our gear right now, I see ~32k+ connections and spikes up to 600 TPS. Its a slow day...

hamish · Answer

Sorry, but TPS is done on connections. Has been since v9. IIRC v4.5 and earlier used to make that distinction... It caught us by surprise after the upgrade too...&nbsp;
Sessions are almost irrelevant (For license). Except that the number does affect the SSL session cache size... You need to know the number of CONNECTIONS per second to work out your TPS requirements (Which is why http keep-alives make so much of a difference)&nbsp;
Hint: The required license value will normally be around 2x the peak number of SUSTAINED connections per second averaged over a 60 second period. i.e. if you see 10k connections per second averaged over 60 seconds (i.e. 600k connections in a minute), you'll need an SSL license of around 20k. [That assumes it's the kind of site that does reasonably steady traffic. Not one subject to massive sudden peaks]&nbsp;
H&nbsp;

paolo_125657 · Answer

So merging it all up if i read all the above correctly: &nbsp;
I do have 600 new web session per second which generate an average of 8 connections per second i do need to size TPS at 4800.&nbsp;
Btw we do use keep alives.&nbsp;
Cheers&nbsp;

hamish · Answer

Where did you get 8 connections per second from? Just watching netstat? That's not going to be accurate.&nbsp;
SSL TPS is connections per second... if you have 8 connections/second, it's 8 TPS... &nbsp;
However I very much doubt you get 600 new sessions/second from just 8 connections... Hence doubly^lots doubt your netstat conclusions above...&nbsp;
H&nbsp;

Forum Discussion

SSL TPS

9 Replies

Recent Discussions

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

SNMP OID for SSL TPS

SSl TPS calculation

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

SSL protocol mismatch

SSL Orchestrator Advanced Use Cases: Detecting Generative AI