Forum Discussion
Why am I seeing so many "Partial" SSL Hardware Accelerated transactions?
My ssl profile uses ciphers "default" show /ltm profile client-ssl myprofile gives this: (i've just recently reset the stats)
SSL Hardware Acceleration Full 32.4K Partial 14.1K None (Software) 47
What are those Partial transactions? And how might I go about getting everything to be fully hw accelerated?
- What_Lies_Bene1Cirrostratus
I believe Partial relates to where a COMPAT cipher is negotiated and OpenSSL is used. Its partial because the handshake is always handled in hardware but the bulk crypto operations then move to OpenSSL if a COMPAT cipher is in use.
No clue about the None related output.
To have everything h/w accelerated, change your cipher string to NATIVE (or DEFAULT if you're on v11 I think) but do some research on what that might mean for your clients and what ciphers will be available. Start here with that: http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
- ingardNimbostratus
Hi thanks for replying. I'm already using DEFAULT cipher suite, so its nothing to do with COMPAT. We're on version 11.4.1 with latest hotfix. Anyway, support came back to me with a suggestion that since I was sorting the ciphers by strength the inital handshake had to be done by the tmm. I'm not sure that is entirely accurate however as I am still seeing partial transactions after disabling the :@STRENGTH.
- What_Lies_Bene1Cirrostratus
Perhaps try NATIVE rather than DEFAULT. I'm not confident it'll help mind.
I'd speculate its related to particular ciphers that use ECDHE and the like.
- John_Heyer_1508Cirrostratus
I don't think it's necessarily anything to do with NATIVE. I'm seeing 100% Native and 0% Compatibility for all connections, but still getting a good chunk of Partial under the SSL acceleration table.
- nitassEmployee
can you open a support case to verify?
i do see a couple of bug but do not know whether it matches yours.
e.g.
- John_Heyer_1508Cirrostratus
I've opened a case with F5. Incidentally, I upgraded from 11.5.1 HF4 to HF6 last night, and the ratio of partial accelerations appears to have dropped significantly. So it could very well be a software bug.
- John_Heyer_1508Cirrostratus
I got two possible answers back from F5 support. They first said you'd see a Partial when the SSL handshake is done in hardware, but the data connection is not. For example if using RSA+3DES+MD5.
I pointed out that we manually limit our ciphers to those with Native, and the Connections table confirms that 100% of all connections have been Native. They offered this alternate explanation:
The connections listed as "Partial" are very likely the resumed SSL sessions, in which the bulk cryptography is hardware-accelerated but the handshake for the resumed session is handled in software.
I suppose I could disable SSL session resumption to confirm this, but probably will not worry about it. We use the F5 for large file transfers, so are actually more concerned about the data connection than the handshake.
- nitassEmployee
The connections listed as "Partial" are very likely the resumed SSL sessions, in which the bulk cryptography is hardware-accelerated but the handshake for the resumed session is handled in software.
thanks for update. this is new to me (i thought resumed session is hardware-accelerated too).
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com