on 22-Mar-2017 13:01
The number of SSL Transactions Per Second (TPS) that your BIG-IP can handle is important to know as you deploy web applications. In this video, we discuss how the BIG-IP calculates how many SSL TPS you can perform and what you can do if you are getting close to your limit. During the video, a couple of tmsh commands are referenced; here they are for your review.
The command (and sample response) to show how many SSL Transactions Per Second you are licensed for:
tmsh show sys license detail | grep -i perf_SSL_total_TPS
perf_SSL_total_TPS : 500
The command (and sample response) to show how many TMMs you have:
tmsh show sys tmm-info global | grep -i 'TMM count'
TMM Count 4
Remember to multiply the SSL TPS by the number of TMMs to get the overall number of SSL TPS for your BIG-IP system (in this case, 500 x 4 = 2,000 total SSL TPS).
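The calculation above as a small script, added here as an example (it is not from the video or from F5). It parses the output of the two tmsh commands and multiplies the per-TMM figure by the TMM count; the function names are made up for this example, and the sample strings are the sample responses shown above. When the license line reads [unlimited], as one commenter below reports, it prints "unlimited" instead of a number, because the hardware platform limit applies in that case.

```shell
#!/bin/sh
# Added example: total licensed SSL TPS = perf_SSL_total_TPS x TMM count.
# Function names are hypothetical; only the two tmsh commands come from the article.

# Print the licensed per-TMM SSL TPS, or "unlimited" if the license says so.
# $1 = output of: tmsh show sys license detail
license_tps() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /perf_ssl_total_tps/ {
            if (tolower($0) ~ /unlimited/) { print "unlimited"; found = 1; exit }
            if ($NF ~ /^[0-9]+$/)          { print $NF;         found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Print the number of TMMs.
# $1 = output of: tmsh show sys tmm-info global
tmm_count() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /tmm count/ && $NF ~ /^[0-9]+$/ { print $NF; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Print the overall SSL TPS, or "unlimited"; return 2 if either value is missing.
total_ssl_tps() {
    tps=$(license_tps "$1") || { echo "error: perf_SSL_total_TPS not found" >&2; return 2; }
    tmms=$(tmm_count "$2")  || { echo "error: TMM count not found" >&2; return 2; }
    if [ "$tps" = "unlimited" ]; then
        echo "unlimited"   # no software cap; the platform limit applies instead
        return 0
    fi
    echo $((tps * tmms))
}

# Sample responses from the article. On a BIG-IP, capture the real output instead:
#   lic=$(tmsh show sys license detail)
#   tmm=$(tmsh show sys tmm-info global)
lic='perf_SSL_total_TPS : 500'
tmm='TMM Count 4'
total_ssl_tps "$lic" "$tmm"
```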
Great video! Do you plan one about PFS? Piotr
Great, thanks a lot!
It would be great if you would include some info about how PFS is handled by both SWG and SSL Orchestrator, as well as why PFS breaks Proxy SSL functionality.
Thanks for the great video. I have a question about the calculation if I use a Viprion 2250 blade. The license is unlimited (based on the tmsh command) and a guest is configured with 8 vCPUs. The only facts that we have are the hardware limit and the TMM count. How can I calculate the SSL TPS for the guest?
@bmichels2, great question! The answer depends on what version you are running. Things change as soon as you go into 12.x because you get per-guest SSL rate-limiting capabilities. Here are the two answers based on that split:
Pre 12.x: The guests are all in a round-robin method of sharing SSL resources. If the 8 vCPU guest is the only one accessing the SSL offload system, it can take all of the TPS the blade can provide. Otherwise, it’ll be sharing with as many other guests that are simultaneously accessing the SSL system, regardless of guest size.
12.x and later: There are 3 modes that you can have a guest in: Shared, Dedicated, and None. None is just that: no hardware acceleration. Shared is the same as the round-robin method described above. Dedicated is where it gets interesting and, possibly, the situation you are in. When you have a guest in Dedicated SSL mode, the number of TPS is proportional to the number of vCPUs allocated to the guest. Since the guest in question is on a B2250, there are 20 vCPUs possible (1 for each HT, so a physical core is 2 vCPUs). Therefore, the amount of SSL TPS that this guest can have is 17.6K TPS, since the blade is rated for 44K SSL TPS (RSA) and 8 vCPUs is 40% of the total of 20 vCPUs: 2200 TPS/vCPU * 8 vCPUs == 17600 TPS.
I hope this helps!
I opened a case with F5 Support for clarification on this mid-last year:
Question:
I was following "sol6475: Overview of SSL TPS licensing limits" to get licensing information about SSL TPS, and got some discrepancy in the output.
Method 1:
tmsh show sys license detail | grep -i perf_SSL_total_TPS
perf_SSL_total_TPS [unlimited]
Method 2:
tmsh show /sys license
...
SSL, 500 TPS Per Core
...
So how exactly am I licensed for SSL TPS?
Answer:
Message 1:
My name is XXXX, I'll be happy to assist with this SSL TPS inquiry. Because your software perf_SSL_total_TPS is '[unlimited]', you're subject to the hardware platform limitation for SSL TPS. There are eight logical processor cores in a B2100 blade, so 'SSL, 500 TPS Per Core' means a total of 4000 SSL TPS. You can see that this lines up with the 'Included SSL TPS: 4,000/Blade' specification in the VIPRION 2100 Blade datasheet: https://www.f5.com/pdf/products/viprion-overview-ds.pdf
Let me know if that clarifies the SSL TPS licensing on your system, or if I can assist further.
Thanks and regards,
...
Message 2:
Good morning Jie,
Regarding your question about HT-Split (separation of allocation of dedicated CPU cores for admin and data plane tasks), the software knows it has to account for this, and applies a total SSL TPS limit of '2 x per_core_rate_limit x number_of_cores'. So while you have 4x TMM instances, your SSL TPS is still 4000 (2 x 500 x 4).
...
When I install BIGIP-11.5.4-hf2 on a Viprion C2400 having two B2100 blades, I see the following output for Total SSL TPS:
[root@localhost:/S1-green-P:Active:Standalone] config tmsh show sys license detail | grep -i perf_SSL_total_TPS
[root@localhost:/S1-green-P:Active:Standalone] config tmsh show sys tmm-info global | grep -i 'TMM count'
TMM Count 4
[root@localhost:/S1-green-P:Active:Standalone] config tmsh show /sys license | grep SSL
Using the methodology specified by you, and the response in previous comment for a B2100 Blade, my total TPS works out to 500 TPS / core x 8 cores / Blade = 4,000 TPS / Blade.
 Is the above calculation correct? Or, since there is no entry (500 TPS per Core), does it not apply?
 How did we arrive at the total of 10,000 TPS, written into the file bigip.license alongside the entry for perf_SSL_total_TPS? I have not installed any separate license, only used the default license that came as part of the ISO. Has this anything to do with the line "SSL, C2200/C2400"?
 If one contacts sales and purchases additional TPS license, does the value for perf_SSL_total_TPS in the license file change (increase) from the value of 10,000 TPS?