Forum Discussion
smp_86112
Cirrostratus
Apr 01, 2010
SSL transaction (TPS) rate limit reached
LTM v9.3.1. I need to figure out the source address which is suddenly causing us to hit our SSL license limit. We have hundreds of virtuals, so isolation is not a trivial matter. I can't seem to find the info I'm looking for in bigtop, tmstat. b conn might help, but I think I need to know which virtual is being hit for that command to be effective. And I don't know which virtual is being hit.
11 Replies
- Hamish
Cirrocumulus
You will probably have to pull the stats for individual ssl profiles individually using SNMP or iControl statistics.
If you have cacti there are templates for it on devcentral. If you don't have cacti, you could write the software yourself, but it might be easier to just grab a copy of cacti and run it up (There's a cacti appliance called CactiEZ you can download and run in a VM or on a spare box that's quite good).
H
- smp_86112
Cirrostratus
Let's say I want to use SNMP. Those same stats should be available using the b profile clientssl all show all command, right? But it's not clear to me which specific statistic correlates to the SSL transaction (TPS) rate limit reached message. Handshakes? Key Exchange? conn?
- Hamish
Cirrocumulus
According to SOL6475 it's connections (Specifically the number of connections in a 10ms window. When that goes above 1/100th of the license limit, then TMM will drop connections until the 10ms timeslot is expired).
https://support.f5.com/kb/en-us/solutions/public/6000/400/sol6475.html?sr=7209877
In v4 it was different. It was calculated based on key exchanges IIRC... v9 altered that to connections only (Which means you need more TPS licenses for v9+ vs v4 unless you have a very specific set of circumstances)
- smp_86112
Cirrostratus
I did see that article. This seems to be the critical statement:
The BIG-IP system measures SSL TPS based on connection attempts to all virtual servers configured with a clientssl profile.
But I am having trouble translating that into something I can track. Should I be looking at the "(cur, max, limit, tot)" value in the output of "b virtual all show all"?
- Hamish
Cirrocumulus
The only one of the stats you're looking at that is useful for SSL TPS is the (total) number of connections. From that, if you poll at regular intervals, you can get the average rate over the poll time. But since the licensing works on a 10ms interval, you'd have to poll at 5ms at least in order to get your stats fine grained enough to work out how close you were to the limit (On the basis that you have to sample at 2x the required resolution and the required resolution is 10ms).
I don't believe that command line stats are fine grained enough... What's really required is a high resolution count of SSL connections... Something you can poll every second and get 100 entries for the last second's 10ms intervals.
What would be really useful is if the licensing 'borrowed' connections from other 10ms slots. It SHOULD (To be fair) be counting TPS over the LAST second... Not 1/100th over the last ms... After all, just because the last 10ms were unusually busy DOES NOT imply that the other 99x 10ms slots were also as busy.
I'll stop here, because I have issues with the way this is done when you buy 1000TPS, I expect 1000TPS. Not 10TP/10ms slot... HTTP is not constant rates...
pragma almost_rant_mode off...
H
- smp_86112
Cirrostratus
OK that makes sense. I can write a script that will run the command for say, 10 seconds, and sort the output by largest difference in change to total connections. I'll post it once I make it.
- Hamish
Cirrocumulus
If you have cacti, why don't you use that?
I updated the original SSL profiles quite a while ago to include the data you want (Albeit with a resolution of 60 seconds). A good rule of thumb that we've found with reasonable load and a 60sec average on SSL is that once you hit 50% of your license, you're probably going to start getting TPS license violations. (YMMV).
H
- LBAL_93235
Nimbostratus
I saw this conversation thread here, and wanted to ask a followup if I may. One, where are these profiles available that you have? Two, do you have a profile that will pull what the appliance is licensed for and be able to compare that to what you're seeing in your sample?
- Hamish
Cirrocumulus
Hmm.. Licensed value is only available in the license file itself I think. I'm not aware of any iControl or SNMP OID that would return the information.
The cacti profiles are on codeshare. (Or used to be. They should still be there I hope). There are also some other ones on the cacti.net website. But they are slightly different and I'm not sure if they include the ssl profile graphs.
H
- Josh_41258
Nimbostratus
As far as I know, you can only track SSL TPS per SSL PROFILE, not by virtual server. Have a look at this:
https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/127/SNMP-Capturing-SSL-Statistics-per-Virtual-Server.aspx
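The polling approach smp_86112 describes above (sample the per-profile connection totals, then sort by the largest change), as an added Python example that is not from the thread or from F5. It assumes a simplified "profile-name total-connections" line format for the counters rather than the real bigpipe output, uses constructed sample polls, and applies the 10ms-window rule from SOL6475 and Hamish's 50% rule of thumb.

```python
"""Rank clientssl profiles by how much their total-connection counter grew
between two polls, and relate that growth to the licensed TPS figure.
Added example, not from the thread; the counters below are constructed and
the parser assumes a simple 'profile-name total-connections' line format,
not the exact layout of 'b profile clientssl all show all'."""
from typing import Dict, List, Tuple

# Constructed sample polls, taken 10 seconds apart (profile name, cumulative total).
POLL_1 = """
vip_a_clientssl 120400
vip_b_clientssl 98001
vip_c_clientssl 5000
"""
POLL_2 = """
vip_a_clientssl 120520
vip_b_clientssl 107001
vip_c_clientssl 5002
"""

def parse_totals(text: str) -> Dict[str, int]:
    """Parse 'name total' lines into a dict; blank or malformed lines are skipped."""
    totals: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            totals[parts[0]] = int(parts[1])
    return totals

def rank_by_delta(before: Dict[str, int], after: Dict[str, int]) -> List[Tuple[str, int]]:
    """Profiles sorted by connection growth between polls, largest first.
    A profile absent from the first poll counts from zero, and a counter that
    went backwards (stats reset) is reported as zero growth, not negative."""
    deltas = [(name, max(0, total - before.get(name, 0))) for name, total in after.items()]
    return sorted(deltas, key=lambda item: item[1], reverse=True)

def avg_tps(delta: int, seconds: float) -> float:
    """Average connections per second over the poll interval."""
    return delta / seconds

def window_limit(license_tps: int) -> float:
    """Connections TMM allows per 10ms window: 1/100th of the license (SOL6475)."""
    return license_tps / 100

def likely_violating(delta: int, seconds: float, license_tps: int, fraction: float = 0.5) -> bool:
    """Hamish's rule of thumb: an interval average above ~50% of the license
    usually means some 10ms windows are already being capped, since an
    average cannot show the bursts the license actually counts."""
    return avg_tps(delta, seconds) >= fraction * license_tps
```

The ranking only points at the profile whose counter is growing fastest; as Hamish notes, a coarse average cannot prove or rule out per-window violations.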