Lightboard Lessons: SSL Transactions Per Second

Great video! Do you plan one about PFS? Piotr

Thanks Piotr! I can totally do one on PFS...stay tuned! I'll post it here after I record it.

Great, thanks a lot!

Piotr

There is something wrong here, for I don't see no video showing up! :-)

Hi John,

Would be great if you will include some info about how PFS is handled by both SWG and SSL Orchestrator as well as why PFS breaks Proxy SSL functionality.

Piotr

Thanks Piotr...I'll work to include information on those things in the video.

Hi John,

thanks for the great Video. I have Question about the calculation if I use a Viprion 2250 Blade. The license is unlimited (based on the tmsh command) and a Guest is configured with 8 vCPUs. The only fact that we have is the Hardware Limit and the TMM Count. How can I calculate the SSL TPS for the Guest?

Bernd

@bmichels2, great question! The answer depends on what version you are running. Things change as soon as you go into 12.x because you get per-guest SSL rate-limiting capabilities. Here are the two answers based on that split:

Pre 12.x: The guests are all in a round-robin method of sharing SSL resources. If the 8 vCPU guest is the only one accessing the SSL offload system, it can take all of the TPS the blade can provide. Otherwise, it’ll be sharing with as many other guests that are simultaneously accessing the SSL system, regardless of guest size.

12.x and later: There are 3 modes that you can have a guest in: Shared, Dedicated, and None. None, is just that, no hardware acceleration. Shared is the same as the round-robin method described above. Dedicated is where it gets interesting and, possibly, the situation you are in. When you have a guest in Dedicated SSL mode, the number of TPS is proportional to the number of vCPUs allocated to the guest. Since the guest in question is on a B2250, there are 20 vCPUs possible (1 for each HT, so a physical core is 2 vCPUs). Therefore, the amount of SSL TPS that this guest can have is 17.6K TPS, since the blade is rated for 44K SSL TPS (RSA) and 8 vCPUs is 40% of the total of 20 vCPUs: 2200 TPS/vCPU * 8 vCPUs == 17600 TPS.

I hope this helps!

Hello John, Thanks. That is helpful for Troubleshooting and resource planning.

I opened a case with F5 Support for clarification on this mid-last year:

Question:

I was following "sol6475: Overview of SSL TPS licensing limits" to get licensing information about SSL TPS, and got some discrepancy in the output.

Method 1:

 tmsh show sys license detail | grep -i perf_SSL_total_TPS
perf_SSL_total_TPS [unlimited]

Method 2:

 tmsh show /sys license
...
SSL, 500 TPS Per Core
...

So how exactly am I licensed for SSL TPS?


Answer:

Message 1:

My name is XXXX, I'll be happy to assist with this SSL TPS inquiry.

Because your software perf_SSL_total_TPS is '[unlimited]', you're subject to the hardware platform limitation for SSL TPS.  There are eight logical processor cores in a B2100 blade, so 'SSL, 500 TPS Per Core' means a total of 4000 SSL TPS.

You can see that this lines up with the 'Included SSL TPS: 4,000/Blade' specification in the VIPRION 2100 Blade datasheet:

https://www.f5.com/pdf/products/viprion-overview-ds.pdf

Let me know if that clarifies the SSL TPS licensing on your system, or if I can assist further.

Thanks and regards,
...


Message 2:


Good morning Jie,

Regarding your question about HT-Split (separation of allocation of dedicated CPU cores for admin and data plane tasks), the software knows it has to account for this, and applies a total SSL TPS limit of '2 x per_core_rate_limit x number_of_cores'.  So while you have 4x TMM instances, your SSL TPS is still 4000 (2 x 500 x 4).
...