Forum Discussion
DB (Nimbostratus)
Aug 30, 2010
Ideas on how to measure performance hit of SSL on a VIP?
Running LTM 9.3.1, users complain of response time problems for websites through it, as compared to hitting the website bypassing the F5. Lots of places to look, I know, but we use a tool called HTTP...
Hamish (Cirrocumulus)
Sep 13, 2010
I suspect you're not doing HTTP keepalives on your website.
From your description, you're opening a new TCP connection (and thus a new SSL negotiation) for every object being hit on the web page, making one request and then closing it.
To fix this, either enable HTTP keepalives in the webservers behind the F5, or if that's not possible, enable OneConnect and set a netmask of 255.255.255.255 on the OneConnect profile used (make a custom one).
Also make sure that you haven't limited the 'Maximum Requests' in the HTTP profile to 1... (default is 0 == don't limit). And that your HTTP profile has OneConnect enabled (if you have to use it).
Also, I'd suggest doing a manual GET against the web server with either curl or openssl (that's really manual) and taking a tcpdump of the traffic at the time to determine where there's any lag in responses to the SSL negotiation (SSL negotiation is a sequence of several packets. Any delays in here would have an adverse effect on your performance too). Wireshark is a good tool for taking the tcpdump output and presenting it in a nice format for you to view. When you do take the tcpdump, make sure you use a suitable filter so you don't have to try & find your connection in a sea of millions...
H
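
One way to run the manual curl check suggested in the reply above and see both the SSL negotiation cost and whether keepalives are working. This is an added example, not part of Hamish's post; the function names `measure` and `phases` and the `TARGET_URL` variable are hypothetical, and the sample timings are constructed.

```shell
#!/bin/sh
# curl -w timers are cumulative seconds from the start of each transfer.
# num_connects is the number of new connections opened for that transfer.
FMT='%{num_connects} %{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n'

# Fetch the same URL twice in one curl process. If keepalives work end to
# end, the second transfer reuses the connection and reports num_connects=0.
measure() {
    curl -s -o /dev/null -o /dev/null -w "$FMT" "$1" "$1"
}

# Turn the cumulative timers into per-phase costs in milliseconds:
#   tcp  = TCP connect after DNS, tls = SSL/TLS negotiation,
#   wait = time from request ready until the first response byte.
phases() {
    LC_ALL=C awk '{
        if ($1 == 0) {
            # Reused connection: no handshake happened on this transfer.
            printf "reused tcp=0ms tls=0ms wait=%.0fms total=%.0fms\n", $5*1000, $6*1000
            next
        }
        # time_appconnect is 0 for plain HTTP; fall back to time_connect.
        app = ($4 > 0) ? $4 : $3
        printf "new tcp=%.0fms tls=%.0fms wait=%.0fms total=%.0fms\n", ($3-$2)*1000, (app-$3)*1000, ($5-app)*1000, $6*1000
    }'
}

if [ -n "${TARGET_URL:-}" ]; then
    # Live run, e.g. once against the VIP and once against a pool member.
    measure "$TARGET_URL" | phases
else
    # Constructed sample: first request pays the handshake, second reuses.
    printf '1 0.004 0.024 0.144 0.194 0.200\n0 0.000 0.000 0.000 0.045 0.050\n' | phases
fi
```

If both lines come back as `new`, every request is paying for a fresh TCP connection and SSL negotiation, which matches the missing-keepalive case described in the reply.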