Forum Discussion
AltocumulusVIP-targeting-VIP solution using Standard and performance L4 VS
In that scenario since the standard virtual server is terminating TLS the traffic still all needs to be handled by the first tmm. The fastest path is to just let it do its job and forward the traffic.
Forwarding it to a second virtual server starts another handshake (w/ TCP) between two tmm’s where the second makes a load balancing decision, so essentially you’re adding unnecessary overhead by forwarding just to have a load balancing decision made at the second virtual server.
This is a good reference article. https://my.f5.com/manage/s/article/K8082#l4
The FPGA is in the dataplane on ingress and egress from the switch (iSeries for example) or is the network interface on rSeries. Therefore if the first tmm terminating TLS has to process the traffic, it's being released down to the FPGA for forwarding on egress already.
EmployeeAh. I see. VIP targeting will not be of any value here.
I would suspect that your additional CPU might be due to your ciphers not being hardware accelerated. If you're running older hardware some of the chipsets don't support newer ciphers and therefore might be processed in general purpose CPU. This K article lists which ones are accelerated by version and by platform.
https://my.f5.com/manage/s/article/K13213
The clientssl profile statistics for your virtual server can likely help you with that research as well.
You can sometimes re-order the ciphers to prefer ciphers that are hardware accelerated. A lot of modern browsers also tend to order preferring newer ciphers but that might buy you some breathing room for a bit. This can help you there.
https://my.f5.com/manage/s/article/K01770517
If those don't help, you might want to reach out to your friendly neighborhood SE or open a support case to maybe help diagnose where the additional load is coming from and possible options.
AltocumulusBrandon_
The Ciphers are definitely offloaded to the hardware. I could see them populated in the "Offload" field for various ciphers for the VS as you mentioned in your screenshot.
We are aware of the load of the CPU dataplane due to application traffic on the even numbered cores . Just wanted to see if it can be offloaded to Hardware (FPGA) somehow😀 with some VS (Performance L4) magic as it was doing prior to encryption.
But seems like to perform SSL termination on Bigip, Standard VS is necessary.
Thanks for your help and providing insight needed to debunk the VIP-targeting-VIP possibility for this issue.
- Brandon_
Unfortunately no such voodoo. 🙂
PSFletchTheTekCumulonimbus
Hi Brandon_ ,
To ask a possibly stupid question, if the performance L4 pushes the tls to hardware.
Could you not set a performance L4 as the front VS to do the decrypt, then set a standard VS behind that with NO SSL Client SSL profile.
It might still be putting load on the TMM, but it might be lower? Or have a missed the point here?
- Brandon_
https://my.f5.com/manage/s/article/K12015
Virtual servers capable of performing SSL decryption/encryption
If you want the BIG-IP system to decrypt and/or encrypt SSL traffic, you must define the following virtual server type:
- Standard
The standard virtual server is the only virtual server type that can be associated with Client SSL and Server SSL profiles, and perform SSL decryption and/or encryption. If you want the BIG-IP system to decrypt and/or encrypt SSL traffic, you must import the SSL certificates to the BIG-IP system and configure a standard virtual server and appropriate SSL profile.
As you can see below there is no configuration option for clientssl on anything other than a standard virtual server. But in your scenario, the FPGA fast-path forwarding would happen before TLS termination which needs to be done by tmm. The FPGA and crypto chipsets are different hardware components within a BIG-IP. And tmm pushes the crypto operations to the specialized hardware for offload.
- Standard
- PSFletchTheTek
Thanks for the explaination, I "thought" that performance L4 had the ssl client/server config in it.
But i'm corrected. I was thinking of HTTP Profiles!
