Expected SSL throughput rates for a single transaction

Question

Hello, &nbsp;
We have built an 'application' that terminates client ssl, then via irules extracts certain certificate fields of user information, determines the correct pool of servers to send them to and does so, encrypting on the backend as well. Both front and back use 2048-bit certs. We are doing this on C2400 Viprion with two 2100 blades. The guest in question has 2 cores per slot and is active on both slots.&nbsp;
Removing all irules and doing just a client and server ssl profile, we can only achieve a max of 47Mb/s (6MB/s) of throughput on a good day. We have a 40G uplink trunk that isn't congested at all, so this appears to be strictly limited to the SSL engine performance.&nbsp;
I know the glossy states 9.0Gb/s aggregate performance per blade, but engineering will not give me expected rates for a single SSL flow through the box. I've had to report to my customers that the most I can guarantee them is 8MB/s per flow and no one is happy.&nbsp;
I know performance/L4 virtual server types perform better, but you cannot assign ssl profiles to them or irules with http events - which makes that type unusable for SSL offload.&nbsp;
Has anyone tested the throughput of a single SSL offload flow? What rates have you been able to achieve? This is a low TPS function, with a high bulk transfer (15-70G files). Think medical imagery..&nbsp;
Thanks,
Chad&nbsp;

pete_71470 · Answer

We see sustained 2Gbps (2048 bit certs) with both client and server ssl profiles attached on Standard virtual using a few trivial irules without any issues at all (single B2100, no virtualization)...

chad_14652 · Answer

Wow. I'm curious what application you used for the transfer? &nbsp;
In your setup, are you routing, SNAT'ing, bridging?&nbsp;

pete_71470 · Answer

I'm wondering if the issue you're seeing is really related to guest configuration?  We don't use virtualization on Viprion (much cheaper to buy a 10G HA pair than to license modules for the chassis).

The configuration here is client -&gt; VIP/client-ssl -&gt; Automap SNAT -&gt; Node/server-ssl.  Except for some higher volume nPath setups, it's all L3 to  and from Nodes.  The iRules simply add X-Forwarded-For (deleting existing headers first) and w3c-style logging.

The application is Xythos file sharing (behemoth Tomcat app).

nitass · Answer

chad, what version are you running? is it 11.4.0?&nbsp;

nitass_89166 · Answer

chad, what version are you running? is it 11.4.0?&nbsp;

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Expected SSL throughput rates for a single transaction

7 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

can't access on prem dns when using F5LTM as a gateway

Issue with TLS Version 1.1 Deprecated Protocol

Service discovery is not happening in AS3

Load balanced RDP VIP use in APM

Deleting an AS3 Tenant

Related Content

vCMP logical interfaces throughput

BIG-IP VE: 40G Throughput from 4x10G physical NICs

BIG-IP SSL orchestrator Throughput vs platform Throughput

Example Expect Script

Demystifying iControl REST Part 7 - Understanding Transactions

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS