Forum Discussion
F5 Exchange performance - SSL?
Hi
Before, we used a Microsoft load balancer and recently moved to a BIG-IP 1600 v11.3 load balancer. The Microsoft software-based LB has its limitations but was a lot faster. Looking at monitoring data, I could download the Outlook Web App base page in 0.4 seconds when using Microsoft NLB, and using the F5 it takes ~2.5 - ~3.5 seconds on average! I am pretty sure encryption is the cause of the problem and definitely not load. 1500 concurrent connections and the F5 is idling 🙂
The Web based performance is really quite poor when going through the F5, we are NOT doing SSL offloading. If I were to offload SSL to the load balancers the performance is almost as good as when going to one of the nodes directly.
A test was performed using http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html and found that the SSL sessions are NOT reusable; surely this must have a performance hit?
Below is output from another Perl script; the first scan is to the F5 VIP and the second scan is to the pool member node direct:
[root@localhost sslyze-release-0.6] ./sslyze.py --regular outlook.companyX.com:443
REGISTERING AVAILABLE PLUGINS
PluginCertInfo
PluginOpenSSLCipherSuites
PluginSessionRenegotiation
PluginCompression
PluginSessionResumption
CHECKING HOST(S) AVAILABILITY
outlook.companyX.com:443 => 10.187.62.21:443
SCAN RESULTS FOR OUTLOOK.companyX.COM:443 - 10.187.62.21:443
Unhandled exception when processing --tlsv1_2:
utils.ctSSL.errors.ctSSLFeatureNotAvailable - TLS 1.2 is not supported by the version of the OpenSSL library that was loaded. Upgrade to 1.0.1 or later.
Unhandled exception when processing --tlsv1_1:
utils.ctSSL.errors.ctSSLFeatureNotAvailable - TLS 1.1 is not supported by the version of the OpenSSL library that was loaded. Upgrade to 1.0.1 or later.
* Compression :
Compression Support: Disabled
* Certificate :
Validation w/ Mozilla's CA Store: Certificate is Trusted
Hostname Validation: OK - Common Name Matches
SHA1 Fingerprint: DC0F0D189E56150EA5B004EF254355D190A8B7DA
Common Name: *.companyX.com
Issuer: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
Serial Number: 38E16DE9D0A6E51EF7A087528E269042
Not Before: Aug 25 00:00:00 2011 GMT
Not After: Oct 10 23:59:59 2013 GMT
Signature Algorithm: sha1WithRSAEncryption
Key Size: 2048
* Session Renegotiation :
Client-initiated Renegotiations: Honored
Secure Renegotiation: Supported
* Session Resumption :
With Session IDs: Partially supported (1 successful, 4 failed, 0 errors, 5 total attempts). Try --resum_rate.
With TLS Session Tickets: Not Supported - TLS ticket not assigned.
* SSLV2 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite: None
Accepted Cipher Suite(s): None
Undefined - An unexpected error happened: None
* TLSV1 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite:
RC4-SHA 128 bits HTTP 401 Unauthorized
Accepted Cipher Suite(s):
AES256-SHA 256 bits HTTP 401 Unauthorized
DES-CBC3-SHA 168 bits HTTP 401 Unauthorized
RC4-SHA 128 bits HTTP 401 Unauthorized
AES128-SHA 128 bits HTTP 401 Unauthorized
Undefined - An unexpected error happened: None
* SSLV3 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite:
RC4-SHA 128 bits HTTP 401 Unauthorized
Accepted Cipher Suite(s):
AES256-SHA 256 bits HTTP 401 Unauthorized
DES-CBC3-SHA 168 bits HTTP 401 Unauthorized
RC4-SHA 128 bits HTTP 401 Unauthorized
AES128-SHA 128 bits HTTP 401 Unauthorized
Undefined - An unexpected error happened: None
SCAN COMPLETED IN 0.91 S
* * *
*****TEST TO THE NODE DIRECT*****
root@localhost sslyze-release-0.6] ./sslyze.py --regular 10.186.168.250:443
REGISTERING AVAILABLE PLUGINS
PluginCertInfo
PluginOpenSSLCipherSuites
PluginCompression
PluginSessionResumption
PluginSessionRenegotiation
CHECKING HOST(S) AVAILABILITY
10.186.168.250:443 => 10.186.168.250:443
SCAN RESULTS FOR 10.186.168.250:443 - 10.186.168.250:443
Unhandled exception when processing --tlsv1_1:
utils.ctSSL.errors.ctSSLFeatureNotAvailable - TLS 1.1 is not supported by the version of the OpenSSL library that was loaded. Upgrade to 1.0.1 or later.
Unhandled exception when processing --tlsv1_2:
utils.ctSSL.errors.ctSSLFeatureNotAvailable - TLS 1.2 is not supported by the version of the OpenSSL library that was loaded. Upgrade to 1.0.1 or later.
* Compression :
Compression Support: Disabled
* Session Renegotiation :
Client-initiated Renegotiations: Rejected
Secure Renegotiation: Supported
* Session Resumption :
With Session IDs: Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Session Tickets: Not Supported - TLS ticket not assigned.
* Certificate :
Validation w/ Mozilla's CA Store: Certificate is Trusted
Hostname Validation: MISMATCH
SHA1 Fingerprint: DC0F0D189E56150EA5B004EF254355D190A8B7DA
Common Name: *.companyX.com
Issuer: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
Serial Number: 38E16DE9D0A6E51EF7A087528E269042
Not Before: Aug 25 00:00:00 2011 GMT
Not After: Oct 10 23:59:59 2013 GMT
Signature Algorithm: sha1WithRSAEncryption
Key Size: 2048
* TLSV1 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite:
AES128-SHA 128 bits HTTP 401 Unauthorized
Accepted Cipher Suite(s):
AES256-SHA 256 bits HTTP 401 Unauthorized
DES-CBC3-SHA 168 bits HTTP 401 Unauthorized
RC4-SHA 128 bits HTTP 401 Unauthorized
RC4-MD5 128 bits HTTP 401 Unauthorized
AES128-SHA 128 bits HTTP 401 Unauthorized
Undefined - An unexpected error happened: None
* SSLV3 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite:
RC4-SHA 128 bits HTTP 401 Unauthorized
Accepted Cipher Suite(s):
DES-CBC3-SHA 168 bits HTTP 401 Unauthorized
RC4-SHA 128 bits HTTP 401 Unauthorized
RC4-MD5 128 bits HTTP 401 Unauthorized
Undefined - An unexpected error happened: None
* SSLV2 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite: None
Accepted Cipher Suite(s): None
Undefined - An unexpected error happened:
RC4-MD5 socket.timeout - timed out
DES-CBC3-MD5 socket.timeout - timed out
SCAN COMPLETED IN 5.30 S
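The "With Session IDs: Partially supported (1 successful, 4 failed ...)" line above is what the `--resum_rate` check counts. The probe below is an added example, not part of the original post and not sslyze's code: it offers the previously issued session on each new connection and reports how many handshakes the server actually resumed, plus whether a TLS session ticket was ever issued. `simulated_connector` is a constructed stand-in (each node resumes only sessions it created itself) so the counter can be exercised offline; it is an illustration of how the counter behaves, not a diagnosis of the poster's BIG-IP.

```python
"""Session-ID resumption probe, modelled on sslyze's --resum_rate check."""
import socket
import ssl
import sys
from typing import Any, Callable, Optional, Tuple

# A connector opens one TLS connection, offering `session` for resumption when
# given, and returns (session_to_offer_next, was_resumed, server_sent_ticket).
Connector = Callable[[Optional[Any]], Tuple[Any, bool, bool]]

def tls_connector(host: str, port: int = 443) -> Connector:
    """Real connector built on the standard library's ssl module."""
    ctx = ssl.create_default_context()  # verifies chain and hostname

    def connect(session):
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
                new = tls.session
                # TLS 1.3 delivers tickets after the handshake; the session
                # object may then still be None at this point.
                ticket = bool(new.has_ticket) if new is not None else False
                return new, tls.session_reused, ticket
    return connect

def simulated_connector(node_sequence) -> Connector:
    """Constructed stand-in for offline use: the i-th connection lands on
    node_sequence[i]; a session is resumable only on the node that issued it."""
    hits = iter(node_sequence)

    def connect(session):
        node = next(hits)
        if session is not None and session[0] == node:
            return session, True, False
        return (node, object()), False, False  # fresh session from this node
    return connect

def resumption_rate(connect: Connector, attempts: int = 5) -> dict:
    """One full handshake, then `attempts` connections that each offer the most
    recently issued session (after a miss, the freshly issued one is offered)."""
    session, _, ticket = connect(None)
    ok = 0
    for _ in range(attempts):
        session, reused, _ = connect(session)
        ok += int(reused)
    return {"successful": ok, "failed": attempts - ok,
            "total": attempts, "ticket_issued": ticket}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "outlook.companyX.com"
    print(resumption_rate(tls_connector(target)))
```

Run it once against the VIP and once against a pool member, as the scans above do; a low `successful` count through the VIP with a full count at the node points at the session cache on the load-balancing path rather than at the backend.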
6 Replies
Are you doing SSL re-encryption on F5(in other words, are you decrypting and then re-encrypting back to CAS)? If so, this method will definitely be slower than going directly to CAS because of the extra workload. If you deployed Exchange using F5-provided iApp/Deployment Guide, then I am certain this is a big contributing factor to the delay you are seeing.
Additionally, the F5 iApp by default sets up the most optimal TCP settings for WAN-based connections. Tuning TCP is a tricky thing, and settings optimized for WAN performance hurt LAN-based access, and vice versa. It sounds like you are also testing on a LAN, and WAN-focused TCP tuning is contributing to the numbers you are seeing. If you want to see the difference, switch out the TCP profile on the Exchange virtual server to the LAN-optimized one, and your Perl tests should show better results.
- Rabbit23_116296
Nimbostratus
We are doing SSL re-encryption, I could understand it taking twice as long but not 400-500% slower. We are using the latest (June 2012) version of the Exchange iApp template. I have optimized the TCP profile for LAN and not seeing the results.
Can you try to configure using the latest RC iApp here?
https://devcentral.f5.com/d/microsoft-exchange-2010-and-2013-iapp-template
There were a LOT of changes done to it since last June...
- Rabbit23_116296
Nimbostratus
Thanks - I think I need to raise a ticket with F5 support. I presume this is still RC?
- mikeshimkus_111
Historic F5 Account
FYI, the RC4 version of the template has been released to downloads.f5.com as an officially supported template. Please download iapps-1.0.0.61.0.zip and use the template named f5.microsoft_exchange_2010_2013_cas.v1.2.0.tmpl.
Mike
- JG
Cumulonimbus
Sounds like you do have some issues there, for I have a much better experience with our deployment here. I did the conf manually based on the Deployment Guide. And 1600 is pretty old hardware.