For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Derek_21893's avatar
Derek_21893
Icon for Nimbostratus rankNimbostratus
Feb 09, 2010

Question about pool statistics

Does anyone here know what the difference is between

 

 

STATISTIC_PVA_SERVER_SIDE_TOTAL_CONNECTIONS and STATISTIC_TOTAL_PVA_ASSISTED_CONNECTIONS ?

 

 

The API docs are not very clear:

 

 

STATISTIC_PVA_SERVER_SIDE_TOTAL_CONNECTIONS:

 

Total number of connections that are handled by PVA from the server-side of the object.

 

 

STATISTIC_TOTAL_PVA_ASSISTED_CONNECTIONS:

 

Total number of connections assisted by PVA.

 

 

Since these statistics are per-pool, I'm curious just what the difference is. I can guess that the STATISTIC_TOTAL_PVA_ASSISTED_CONNECTIONS may mean *all* connections handled by the PVA, total, across the system, but then why would this counter be lumped in with every pool? If this is indeed on a per-pool basis, then why would this counter be any different than STATISTIC_PVA_SERVER_SIDE_TOTAL_CONNECTIONS? Client side PVA assisted connections are found elsewhere, particularly in VIP statistics. Interestingly the same statistic STATISTIC_TOTAL_PVA_ASSISTED_CONNECTIONS are present in the VIP stats as well.

 

 

Any insight appreciated.

 

 

Thanks,

 

-Derek
dev
devops
iControl

2 Replies

  • Derek_21893's avatar
    Derek_21893
    Icon for Nimbostratus rankNimbostratus
    Feb 10, 2010
    So I opened a support case about this, and here's the answer. Now my question is, why on earth is there better documentation about what statistics mean in the MIB rather than the API documentation? I think that F5 should really go through these MIBs and update the API documentation where the MIB has a better description!

     

     

     

     

    STATISTIC_SSL_FULLY_HW_ACCELERATED_CONNECTIONS

     

    sysServersslStatFullyHwAcceleratedConns OBJECT-TYPE

     

    SYNTAX Counter64

     

    MAX-ACCESS read-only

     

    STATUS current

     

    DESCRIPTION

     

    "Fully hardware-accelerated implies usage of the Cavium

     

    Nitrox or similar hardware accelerator such that all

     

    significant cryptographic operations are offloaded,

     

    including but not limited to the SSL handshake (at least

     

    the RSA/DSA/DH operations) and record processing (at least

     

    the bulk cipher plus MAC)."

     

    ::= { sysGlobalServerSslStat 16 }

     

     

    STATISTIC_SSL_COMMON_PARTIALLY_HW_ACCELERATED_CONNECTIONS

     

    sysServersslStatPartiallyHwAcceleratedConns OBJECT-TYPE

     

    SYNTAX Counter64

     

    MAX-ACCESS read-only

     

    STATUS current

     

    DESCRIPTION

     

    "Partially hardware-accelerated indicates that at least the

     

    RSA decryptions are offloaded."

     

    ::= { sysGlobalServerSslStat 17 }

     

     

    STATISTIC_SSL_COMMON_NON_HW_ACCELERATED_CONNECTIONS

     

    sysServersslStatNonHwAcceleratedConns OBJECT-TYPE

     

    SYNTAX Counter64

     

    MAX-ACCESS read-only

     

    STATUS current

     

    DESCRIPTION

     

    "Non-accelerated connections are those for which no

     

    steady-state hardware acceleration is available (either

     

    because no hardware accelerators are available or because

     

    the necessary cryptographic operations are unsupported).

     

    Because the extent of hardware acceleration may not be known

     

    until a connection has closed (mid-stream SSL handshakes

     

    might renegotiate an SSL session not supported by hardware

     

    acceleration), this statistic will not be updated for a

     

    given connection until it has closed

     

  • Joe_Pruitt's avatar
    Joe_Pruitt
    Feb 15, 2010
    Thanks for the pointer and I'll definitely look at getting a refresh of the API docs from some of that information.

     

     

    -Joe