SNMP: Capturing SSL Statistics per Virtual Server
This question about gathering SSL statistics was recently raised:
"Can we use SNMP to read the number of sessions and TPS to a Virtual Server on BigIP LTM?
If so, which SNMP variable can we use for this?"
In this article I'll show you how to configure your LTM to collect SSL TPS statistics per virtual server and how to find the relevant SNMP data in the MIB.
A little background to get us started...
Ask F5 and Chapter 16 of the LTM Network and System Management Guide have some good information on getting system-wide SSL TPS statistics. That's a very useful metric for most customers since it lets them know when they might be bumping up against their LTM SSL TPS global license limits.
However, in this case the request was for more granular per-object statistics. You can’t exactly get Virtual Server-specific statistics, but you can get profile-specific ones, so the trick there is simply to make sure the SSL profile in question is only used by that one virtual server.
Once you have that one-to-one profile-to-virtual server configuration in place, then you'll need to find the specific OID leaf objects for the SSL profile associated with your virtual server.
Finding the Right OIDs
The OIDs indicated in the manual for system-wide SSL TPS statistics are:
sysClientsslStatTotNativeConns
Polling this OID returns the total number of concurrent NATIVE connections with established SSL sessions being maintained by the filter. These are connections handled by the BIG-IP LTM system's NATIVE SSL stack, which is used with the DEFAULT cipher setting in the SSL profile.
and
sysClientsslStatTotCompatConns
The poll of this OID will output the total number of concurrent compatible connections with established SSL sessions being maintained by the filter. These are connections that are handled by the OpenSSL compatibility stack. This is used when the Ciphers option within the SSL profile is changed from the DEFAULT cipher setting.
But we want to find out if there are profile-specific OIDs as well that we can poll to capture the same statistics for a single object rather than system wide, so here's where some poking around in the MIB is in order.
You can look at a dissected overview of the MIB here and see if you can find the OIDs you're after, but in most cases it's more deterministic to use the snmpwalk and snmptranslate utilities included in the LTM build to quickly find them (or to determine that something is not in the MIB).
In this case, I used snmpwalk to find all other OIDs containing the same string labels as those indicated for system-level stats.
First I looked for "StatTotNativeConns":
config # snmpwalk -c public -v 2c localhost .1.3.6.1.4.1.3375| grep StatTotNativeConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatTotNativeConns.0 = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysServersslStatTotNativeConns.0 = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmClientSslStatTotNativeConns."clientssl" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmServerSslStatTotNativeConns."serverssl" = Counter64: 0
then for "StatTotCompatConns":
config # snmpwalk -c public -v 2c localhost .1.3.6.1.4.1.3375| grep StatTotCompatConns
F5-BIGIP-SYSTEM-MIB::sysClientsslStatTotCompatConns.0 = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysServersslStatTotCompatConns.0 = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmClientSslStatTotCompatConns."clientssl" = Counter64: 0
F5-BIGIP-LOCAL-MIB::ltmServerSslStatTotCompatConns."serverssl" = Counter64: 0
Notice the output contains both the original system-wide objects mentioned in the manual which come from the F5 SYSTEM MIB with names prefixed with "sys", and also the objects for 2 specific profiles (the default profiles "clientssl" and "serverssl"), which come from the F5 LOCAL MIB and are prefixed with "ltm".
You can find the OID value for each of these profile-level counters by using snmptranslate. Just cut & paste the OID names you found above into the snmptranslate command, backslash escaping any double quotes:
config # snmptranslate -On F5-BIGIP-LOCAL-MIB::ltmClientSslStatTotNativeConns.\"clientssl\"
.1.3.6.1.4.1.3375.2.2.6.2.2.3.1.6.9.99.108.105.101.110.116.115.115.108
config # snmptranslate -On F5-BIGIP-LOCAL-MIB::ltmClientSslStatTotNativeConns.\"serverssl\"
.1.3.6.1.4.1.3375.2.2.6.2.2.3.1.6.9.115.101.114.118.101.114.115.115.108
config # snmptranslate -On F5-BIGIP-LOCAL-MIB::ltmClientSslStatTotCompatConns.\"clientssl\"
.1.3.6.1.4.1.3375.2.2.6.2.2.3.1.9.9.99.108.105.101.110.116.115.115.108
config # snmptranslate -On F5-BIGIP-LOCAL-MIB::ltmClientSslStatTotCompatConns.\"serverssl\"
.1.3.6.1.4.1.3375.2.2.6.2.2.3.1.9.9.115.101.114.118.101.114.115.115.108
Calculating SSL TPS
Now that you've identified the OIDs you need for profile-specific counters, you can use the same polling and calculations you would use to calculate system-wide stats of the same variety, as indicated in the LTM manual and AskF5 solution:
LTM Network and System Management Guide: Collecting Data on SSL Transactions per Second
(go to page 16-23 in the manual, which is page 329 in the PDF)
AskF5 Solution 6644: Using SNMP to collect SSL transactions per second data
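The snmptranslate output above shows how a profile name becomes the numeric OID suffix: the name's length, then the ASCII code of each character. The following is an added example, not code from the original article or from F5. It builds the two client SSL OIDs for any profile name without running snmptranslate, and computes a rate from two polls. The profile name "vs1_clientssl", the sample counter values, and the delta-over-interval TPS calculation are assumptions; check the linked AskF5 solution for the calculation F5 documents.

```sh
#!/bin/sh
# Column OIDs copied from the snmptranslate output in the article.
NATIVE_COL=.1.3.6.1.4.1.3375.2.2.6.2.2.3.1.6   # ltmClientSslStatTotNativeConns
COMPAT_COL=.1.3.6.1.4.1.3375.2.2.6.2.2.3.1.9   # ltmClientSslStatTotCompatConns

# profile_oid COLUMN NAME
# The table is indexed by profile name, encoded as the name's length followed
# by the decimal ASCII code of each character (ASCII names only).
profile_oid() {
    [ -n "$2" ] || return 1
    codes=$(printf '%s' "$2" | od -An -v -tu1 | tr -s ' \n' '..' |
            sed -e 's/^\.//' -e 's/\.$//')
    printf '%s.%s.%s\n' "$1" "${#2}" "$codes"
}

# ssl_tps NATIVE_T1 NATIVE_T2 COMPAT_T1 COMPAT_T2 SECONDS
# Assumed calculation: (native delta + compat delta) / polling interval.
# Prints whole transactions per second; fails if a counter went backwards
# (statistics reset or reboot between polls) instead of reporting a bogus rate.
ssl_tps() {
    [ "$5" -gt 0 ] || return 2
    [ "$2" -ge "$1" ] && [ "$4" -ge "$3" ] || return 1
    echo $(( (($2 - $1) + ($4 - $3)) / $5 ))
}

# Constructed example: hypothetical profile name, made-up samples 60 s apart.
PROFILE=vs1_clientssl
echo "poll: $(profile_oid "$NATIVE_COL" "$PROFILE")"
echo "poll: $(profile_oid "$COMPAT_COL" "$PROFILE")"
echo "tps:  $(ssl_tps 120000 138000 4000 4600 60)"
```

The printed OIDs can be passed to snmpget in place of the names; the two column OIDs belong to the client SSL profile table, so server SSL profiles need the corresponding ltmServerSslStat columns.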
- Jeff_Silverman_Historic F5 Account
Here is a bash script to calculate TPS over time