Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

HTTP is fast, HTTPS really slow and causes massive FCS failure

ecce_297791
Altocumulus
Altocumulus

I have two BIGIP VE's on my laptop I use for lab and education. On both of them (not HA) HTTPS to a VS works, but is painfully slow. A simple web page with a few pictures in it takes 20-30 seconds to load. Unencrypted HTTP is lightning fast.

 

0691T000006ApozQAC.png

 

Here is the VS config:

 

ltm virtual /Common/f5trn.cmos.lab-p443-vs { destination /Common/10.1.10.20:443 ip-protocol tcp mask 255.255.255.255 pool /Common/f5trn.cmos.lab-pool profiles { /Common/f5trn.cmos.lab { context clientside } /Common/http { } /Common/http2 { } /Common/tcp { } } source 0.0.0.0/0 translate-address enabled translate-port enabled } ltm pool /Common/f5trn.cmos.lab-pool { members { /Common/10.1.20.11:80 { address 10.1.20.11 } /Common/10.1.20.12:80 { address 10.1.20.12 } /Common/10.1.20.13:80 { address 10.1.20.13 } } monitor /Common/http }

A packet capture shows a MASSIVE FCS failure. Every single frame. Same on both sides of the BIGIP.

 

0691T000006App0QAC.png

 

Troubleshooting includes:

 

  • Disabling SSL (removing clientSSL profile). Not slow.
  • Disabling HTTP/2 profile, using HTTP/1.1 (with SSL) instead. Still slow.
  • Using normal clientssl profile. Still slow.
  • Trying another BIGIP VE on the same laptop (standalone). Still slow.
  • Upgrading virtual hardware from v7 to v12. Still slow.
  • Upgrading memory on BIGIP VE 6 > 8 GB RAM. Still slow.
  • CPU load is around 9%
  • Memory usage is >80% high according to the flash-based dashboard. 6 or 8 GB RAM makes no difference. However TMM uses 5.5% of 3.9 GB.
  • The Configuration Utility uses HTTPS and is very responsive.

Other info:

 

  • LTM, APM and AVR are provisioned
  • The FQDN is resolved via /etc/hosts file
  • BIGIP version is 13.1
  • My laptop is a MacBook Pro with core i7 with 16GB RAM and not slow or heavily loaded with anything else.

Any ideas to why SSL seems to cause this behaviour?

 

2 REPLIES 2

Daniel_Varela
F5 Employee
F5 Employee

Be careful with the captures taken from you VE, it automatically adds some trailing information/ debugging details, you need to install a plugin in your wireshark to have access to it (you can easily find it devcentral). If you don't have the plugin is normal you see the FCS errors.

 

Regarding the slowness, it looks like the problem is mainly in the images. Can you configure an http acceleration profile to cache the images in your VE and see the difference? Maybe your problem is on the backend server. I suggest you try first HTTP1.1 and when you solve the problem you continue with HTP2.

 

JoeTheFifth
Altostratus
Altostratus

A bit late but this might help future users:

tmsh show /sys license detail | grep perf_VE_throughput_Mbps

This will show you your license throughtput. Trial VE is limited to 2Mbps.

 

https://support.f5.com/csp/article/K14356