Ideas on how to measure performance hit of SSL on a VIP?
Running LTM 9.3.1, users complain of response time problems for websites through it, as compared to hitting the website bypassing the F5. Lots of places to look, I know, but we use a tool called HTTPWatch and it points out that on a web page load that might have 50 objects, some of them (always gifs and jpgs), the "time chart" or breakdown of where the time was spent to download that item shows an unusually long time in the TCP Connect portion of the Get. HTTPWatch help says "Connect is the time required to create a TCP connection to the web server (or proxy). If a secure HTTPS connection is being used this time includes the SSL handshake process. Keep-Alive connections are often used to avoid the overhead of repeatedly connecting to the web server."
SSL Overhead is one part of this slice of time, and when my testers go around the F5 they're not hitting the server using SSL (and time to load a page is cut in half or better). I set up a test VIP to try and prevent SSL Offload, however some of the redirects on the page still go to HTTPS for a subset of GIFs (I haven't gotten Redirect Rewrite to rewrite all the Redirects correctly). The thing I notice, which drives this question, is that it's pretty consistent when there's a "[1 to 3 second] delay" in grabbing an object on the webpage, it's always when that object is at HTTPS://.... and never when the object is just HTTP://...
So I'm wondering if you have any thoughts on how to measure just how much overhead/delay SSL processing adds. It's not consistently on the same objects for each repeat of the same page loading, but there's always at least one or two objects SSL protected on the page that throw out one of these relatively long delays. Changing our website to not use SSL is not an option, but if our LTM is the bottleneck in it's ability to handle the SSL TPS (which according to the onboard Performance graph is <=20), I'd like to know that. If you look at the screenshot attached to this post, the picture really is worth a thousand words.