12-Jul-2022 01:20 - edited 12-Jul-2022 04:52
Hi, I've a new VIP on a VIPRION A109 running 13.1.1.5. I'm aware that on this platform ECDHE ciphers can't be accelerated, so I have changed from them to AES128-GCM-SHA526:AES256-GCM-SHA384:AES128-SHA256:AES128-SHA, but still 90% of my traffic on both client and server sides is having TLS handled in software, 10% in partial, and absolutely none in hardware.
Are there any obvious gotchas around this, as everything I can see says this should have a huge performance benefit, which isn't happening.
EDIT - I've since found that it's the AES-GCM ciphers that it's still not liking. Using the other CBC ones explicitly, I do see full hardware acceleration. But the documentation states AES-GCM should work fine?
12-Jul-2022 08:12 - edited 12-Jul-2022 08:35
Hello, can you share where it is mentioned that AES-GCM should do full SSL offload for your platform, version and vCMP?
As I see that this has been recently added: "Hardware acceleration for AES-GCM is now available for vCMP guests on the B2100, B2150, B4200, or B4..." and "SSL hardware acceleration is always showing partial" (f5.com). I think that probably it is normal to be partial and full, and also the vCMP host, not only the vCMP guest, should be using the newer version.
Also maybe check the SSL hardware mode for the vCMP guest, as maybe if you switch to dedicated or add more CPU cores it may help.
13-Jul-2022 00:44
I based it on this https://support.f5.com/csp/article/K13213 although compared to the v10 article linked in it, the word "full" is absent. Also, though, I noticed that the c2400 host is still running 11.4.1, so I would guess that explains why I'm not seeing acceleration on the 13.1.1.5 guest?
13-Jul-2022 01:09
Better upgrade the host and then see the results, as 11.4.1 is an old version, so an upgrade will be good in any case.
13-Jul-2022 01:15
Oh absolutely, very much out of my hands in that area though!