F5 Exchange performance - SSL?
Hi
Previously we used a Microsoft load balancer and recently moved to a BIG-IP 1600 v11.3 load balancer. The Microsoft software-based LB has its limitations but was a lot faster. Looking at monitoring data, I could download the Outlook Web App base page in 0.4 seconds when using Microsoft NLB, and using the F5 it takes ~2.5 - ~3.5 seconds on average! I am pretty sure encryption is the cause of the problem and definitely not load: 1500 concurrent connections and the F5 is idling 🙂
The Web based performance is really quite poor when going through the F5, we are NOT doing SSL offloading. If I were to offload SSL to the load balancers the performance is almost as good as when going to one of the nodes directly.
A test was performed using http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html and found that the SSL keys are NOT reusable; surely this must have a performance hit?
Below is output from another PERL script; the first scan is to the F5 VIP and the second scan is to the pool member node directly:
[root@localhost sslyze-release-0.6] ./sslyze.py --regular outlook.companyX.com:443
REGISTERING AVAILABLE PLUGINS
PluginCertInfo
PluginOpenSSLCipherSuites
PluginSessionRenegotiation
PluginCompression
PluginSessionResumption
CHECKING HOST(S) AVAILABILITY
outlook.companyX.com:443 => 10.187.62.21:443
SCAN RESULTS FOR OUTLOOK.companyX.COM:443 - 10.187.62.21:443
Unhandled exception when processing --tlsv1_2:
utils.ctSSL.errors.ctSSLFeatureNotAvailable - TLS 1.2 is not supported by the version of the OpenSSL library that was loaded. Upgrade to 1.0.1 or later.
Unhandled exception when processing --tlsv1_1:
utils.ctSSL.errors.ctSSLFeatureNotAvailable - TLS 1.1 is not supported by the version of the OpenSSL library that was loaded. Upgrade to 1.0.1 or later.
* Compression :
Compression Support: Disabled
* Certificate :
Validation w/ Mozilla's CA Store: Certificate is Trusted
Hostname Validation: OK - Common Name Matches
SHA1 Fingerprint: DC0F0D189E56150EA5B004EF254355D190A8B7DA
Common Name: *.companyX.com
Issuer: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
Serial Number: 38E16DE9D0A6E51EF7A087528E269042
Not Before: Aug 25 00:00:00 2011 GMT
Not After: Oct 10 23:59:59 2013 GMT
Signature Algorithm: sha1WithRSAEncryption
Key Size: 2048
* Session Renegotiation :
Client-initiated Renegotiations: Honored
Secure Renegotiation: Supported
* Session Resumption :
With Session IDs: Partially supported (1 successful, 4 failed, 0 errors, 5 total attempts). Try --resum_rate.
With TLS Session Tickets: Not Supported - TLS ticket not assigned.
* SSLV2 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite: None
Accepted Cipher Suite(s): None
Undefined - An unexpected error happened: None
* TLSV1 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite:
RC4-SHA 128 bits HTTP 401 Unauthorized
Accepted Cipher Suite(s):
AES256-SHA 256 bits HTTP 401 Unauthorized
DES-CBC3-SHA 168 bits HTTP 401 Unauthorized
RC4-SHA 128 bits HTTP 401 Unauthorized
AES128-SHA 128 bits HTTP 401 Unauthorized
Undefined - An unexpected error happened: None
* SSLV3 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite:
RC4-SHA 128 bits HTTP 401 Unauthorized
Accepted Cipher Suite(s):
AES256-SHA 256 bits HTTP 401 Unauthorized
DES-CBC3-SHA 168 bits HTTP 401 Unauthorized
RC4-SHA 128 bits HTTP 401 Unauthorized
AES128-SHA 128 bits HTTP 401 Unauthorized
Undefined - An unexpected error happened: None
SCAN COMPLETED IN 0.91 S
* * *
***** TEST TO THE NODE DIRECT *****
[root@localhost sslyze-release-0.6] ./sslyze.py --regular 10.186.168.250:443
REGISTERING AVAILABLE PLUGINS
PluginCertInfo
PluginOpenSSLCipherSuites
PluginCompression
PluginSessionResumption
PluginSessionRenegotiation
CHECKING HOST(S) AVAILABILITY
10.186.168.250:443 => 10.186.168.250:443
SCAN RESULTS FOR 10.186.168.250:443 - 10.186.168.250:443
Unhandled exception when processing --tlsv1_1:
utils.ctSSL.errors.ctSSLFeatureNotAvailable - TLS 1.1 is not supported by the version of the OpenSSL library that was loaded. Upgrade to 1.0.1 or later.
Unhandled exception when processing --tlsv1_2:
utils.ctSSL.errors.ctSSLFeatureNotAvailable - TLS 1.2 is not supported by the version of the OpenSSL library that was loaded. Upgrade to 1.0.1 or later.
* Compression :
Compression Support: Disabled
* Session Renegotiation :
Client-initiated Renegotiations: Rejected
Secure Renegotiation: Supported
* Session Resumption :
With Session IDs: Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
With TLS Session Tickets: Not Supported - TLS ticket not assigned.
* Certificate :
Validation w/ Mozilla's CA Store: Certificate is Trusted
Hostname Validation: MISMATCH
SHA1 Fingerprint: DC0F0D189E56150EA5B004EF254355D190A8B7DA
Common Name: *.companyX.com
Issuer: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
Serial Number: 38E16DE9D0A6E51EF7A087528E269042
Not Before: Aug 25 00:00:00 2011 GMT
Not After: Oct 10 23:59:59 2013 GMT
Signature Algorithm: sha1WithRSAEncryption
Key Size: 2048
* TLSV1 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite:
AES128-SHA 128 bits HTTP 401 Unauthorized
Accepted Cipher Suite(s):
AES256-SHA 256 bits HTTP 401 Unauthorized
DES-CBC3-SHA 168 bits HTTP 401 Unauthorized
RC4-SHA 128 bits HTTP 401 Unauthorized
RC4-MD5 128 bits HTTP 401 Unauthorized
AES128-SHA 128 bits HTTP 401 Unauthorized
Undefined - An unexpected error happened: None
* SSLV3 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite:
RC4-SHA 128 bits HTTP 401 Unauthorized
Accepted Cipher Suite(s):
DES-CBC3-SHA 168 bits HTTP 401 Unauthorized
RC4-SHA 128 bits HTTP 401 Unauthorized
RC4-MD5 128 bits HTTP 401 Unauthorized
Undefined - An unexpected error happened: None
* SSLV2 Cipher Suites :
Rejected Cipher Suite(s): Hidden
Preferred Cipher Suite: None
Accepted Cipher Suite(s): None
Undefined - An unexpected error happened:
RC4-MD5 socket.timeout - timed out
DES-CBC3-MD5 socket.timeout - timed out
SCAN COMPLETED IN 5.30 S
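The pair of scans above is the useful evidence: the node accepts its own session IDs 5 times out of 5, while through the VIP only 1 of 5 reconnects resumes. Without SSL offloading the BIG-IP only forwards the TCP connection, so the session cache lives on whichever Exchange node handled the original handshake; when a reconnect lands on a different node that ID is unknown there and the client pays a full RSA handshake again, which is the kind of per-request cost that turns 0.4 seconds into several. The script below is an added example (not from the post, not F5 or sslyze code) that measures session-ID resumption against a host with the Python standard library and reports the same "Supported / Partially supported / Not supported" verdict sslyze prints, so the VIP and a node can be compared repeatedly after a persistence change. The hostname `outlook.example.com` is a placeholder; everything else is real `ssl` module API (Python 3.7+).

```python
"""Measure TLS session-ID resumption against a host and summarise it the way
sslyze's PluginSessionResumption does. Added example using only the standard
library; `outlook.example.com` is a placeholder, not the poster's host."""
import re
import socket
import ssl
from dataclasses import dataclass


@dataclass
class ResumptionResult:
    attempts: int
    successful: int
    failed: int
    errors: int

    @property
    def rate(self) -> float:
        """Fraction of attempts the server resumed without a full handshake."""
        return self.successful / self.attempts if self.attempts else 0.0


# Matches the summary sslyze prints, e.g.
# "With Session IDs: Partially supported (1 successful, 4 failed, 0 errors, 5 total attempts)."
SSLYZE_SUMMARY = re.compile(
    r"\((\d+) successful, (\d+) failed, (\d+) errors, (\d+) total attempts\)"
)


def parse_sslyze_summary(line: str) -> ResumptionResult:
    """Turn one sslyze 'With Session IDs:' line into a ResumptionResult."""
    m = SSLYZE_SUMMARY.search(line)
    if m is None:
        raise ValueError(f"no resumption summary in: {line!r}")
    successful, failed, errors, attempts = (int(g) for g in m.groups())
    return ResumptionResult(attempts, successful, failed, errors)


def classify(result: ResumptionResult) -> str:
    """Same three-way verdict sslyze prints next to the counts."""
    if result.attempts == 0:
        return "Not tested"
    if result.successful == result.attempts:
        return "Supported"
    if result.successful == 0:
        return "Not supported"
    return "Partially supported"


def measure_session_id_resumption(host: str, port: int = 443, attempts: int = 5,
                                  timeout: float = 5.0) -> ResumptionResult:
    """Do one full handshake, then `attempts` more connections that offer the
    cached session ID, and count how many the server actually resumes."""
    ctx = ssl.create_default_context()
    # Session IDs only: disable tickets and stay below TLS 1.3 (whose resumption
    # is ticket/PSK based) so this mirrors sslyze's "With Session IDs" check.
    ctx.options |= ssl.OP_NO_TICKET
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    result = ResumptionResult(0, 0, 0, 0)

    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            session = tls.session  # cached only by the node that did this handshake

    for _ in range(attempts):
        result.attempts += 1
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
                    if tls.session_reused:
                        result.successful += 1
                    else:
                        # A different backend (or a flushed cache) forced a full
                        # handshake; offer the fresh session on the next attempt.
                        result.failed += 1
                        session = tls.session
        except (OSError, ssl.SSLError):
            result.errors += 1
    return result


if __name__ == "__main__":
    target = "outlook.example.com"  # placeholder: run once against the VIP, once against a node
    r = measure_session_id_resumption(target)
    print(f"{target}: {classify(r)} ({r.successful} successful, {r.failed} failed, "
          f"{r.errors} errors, {r.attempts} total attempts), rate {r.rate:.0%}")
```

Run it against the VIP and then against a pool member with the same `attempts` value; a node at 100% and a VIP well below it is the signature of session caches that are per backend with reconnects spread across them, whereas a low rate on the node itself points at the server's own cache settings rather than the load balancer.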