Forum Discussion

ryanph_121149
Jul 08, 2014

SSL TPS Licensing Planning

Hi,

 

We are planning to migrate our HTTP connections to HTTPS and use the F5 for SSL offloading. On checking, the device has an existing SSL 500 TPS license. The current connection stats are shown below.

 

POOL HTTPVIP LB METHOD round robin MIN/CUR ACTIVE MEMBERS 1/6 | (cur, max, limit, tot) = (5644, 10634, 0, 131.4M)

 

Are we saying that we need to upgrade the license to more than 10K if we base it on the max connections?

 

thanks

 

Ryan

 

12 Replies

    • ryanph_121149
      I read this article, but how can we compute the required license using the current HTTP connections? This will be our baseline for the current traffic accessing this HTTP VIP that we will migrate to HTTPS. Meanwhile we have an SSL offloading configuration with very minimal traffic, as stated below.

      [user@LTM-01:/S1-green-P:Active] log bigpipe ssl stats
      GLOBAL CLIENT-SIDE SSL STATISTICS
      | conn (cur, max) = (24, 524)
      | native conn (cur, max, tot) = (24, 464, 1.197M)
      | compat conn (cur, max, tot) = (0, 0, 0)
      | conn (full, assist, none) = (1.197M, 28, 0)
      | (in, out) = encrypt (6.583G, 25.04G) decrypt (6.183G, 24.42G)
      | record (in, out, bad) = (6.964M, 18.29M, 0)
      | protocol (SSLv2, SSLv3, TLSv1, DTLSv1) = (0, 0, 1.197M, 0)
      | certs (valid, invalid, none) = (0, 0, 1.197M)
      | cache (curr, lookups, hits) = (9, 1.188M, 1.182M)
      | cache (overflow, invalid) = (0, 0)
      | unclean shutdowns = 0
      | handshakes (mid-stream, error, non-SSL) = (0, 8, 0)
      | fatal alerts = 0
  • how can we compute the required license using the current HTTP connection?

     

    that is a difficult question. :-)

     

    i understand ssl tps is new ssl sessions per second (i.e. not concurrent connections, not connections per second), so i think you have to do something like this (but the sol is about collecting ssl data).

     

    sol6644: Using SNMP to collect SSL transactions per second data

     

    https://support.f5.com/kb/en-us/solutions/public/6000/600/sol6644.html?sr=1

     

    you may see if somebody here has other suggestions.

     

    hope this helps.

     

    • ryanph_121149
      thanks @nitass, i'm also coordinating with the F5 vendor to do the computation :). the good thing is that we could somehow use the stats without SSL offloading as a reference for the current traffic we have on the VIP that we will migrate to HTTPS.
    • nitass
      try to contact the local F5 guy there. they should be able to help you with the sizing.
  • If I may add, it's important to understand the nature of a session as it relates to protocol and layer context. TCP has sessions, SSL has sessions, and some application protocols support sessions, and none of these are the same thing. A TCP session is established, at OSI layer 4, when a client (using a random source port) and server (using an established destination port) complete a 3-way TCP handshake. These sessions, depending on the upper-level protocols, are generally transient. An SSL session is established when a client and server complete an SSL/TLS handshake, exchange cryptography, and start encrypting data to one another. The session is based on an ID value that can also be used to link new sessions to old ones. An SSL session will generally live much longer than a TCP session, and in fact many TCP sessions may come and go within the span of a single TCP session. An HTTP session is really an application session, in that it's less about the protocol and more about the application's mechanisms to maintain "state" (i.e. cookies). In many cases, multiple HTTP requests can happen within the span of both TCP and SSL sessions.

     

    The stats that you pulled from the pool information are layer 4 TCP sessions. Because HTTP is generally stateless, it is usually measured in terms of requests per second. SSL actually has two measurements: transactions per second and bulk encryption. Transactions per Second (TPS) is the gauge of SSL handshakes per span of a second. These can be new sessions or renegotiations. For HTTP specifically, this event will happen far fewer times than either new TCP sessions or HTTP requests. The second is bulk encryption, which is the gauge of the amount of data that can be cryptographically processed (encrypted or decrypted) within the span of a second. Bulk cryptography uses much smaller keys than TPS, so this number is always significantly higher than TPS.

     

    So in terms of licensing, in a nutshell, if you have roughly 5k current TCP sessions, and let's assume that all of these are unique new user sessions (though that may not necessarily be true as a single client agent can have multiple TCP sessions open), you would have at least as many SSL sessions. These numbers will absolutely skew plus or minus, but it should be a good indication of where to shoot for in licensing.

     

  • it seems the multiple TCP sessions open will be lessened using the OneConnect profile, correct?

     

    Not really. OneConnect is really a server side TCP session aggregation function. Client side TCP sessions will always be unique and 1-to-1 per client.
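As an added example (not from this thread, and not F5's own tooling), a Python script that parses two samples of the `bigpipe ssl stats` line posted above and derives new SSL sessions per second from the growth of the `tot` and `conn.full` counters, the same counter-delta idea sol6644 applies over SNMP; measured that way, the figure can be compared against the 500 TPS license. The sample lines are constructed, and the decimal K/M/G multipliers and the choice of counters are assumptions.

```python
import re

# Assumption: bigpipe abbreviates counters with decimal K/M/G multipliers.
SUFFIX = {"K": 1e3, "M": 1e6, "G": 1e9}
TUPLE_RE = re.compile(r"^(?P<name>[^()=]+?)\s*\((?P<cols>[^)]*)\)\s*=\s*\((?P<vals>[^)]*)\)$")
SCALAR_RE = re.compile(r"^(?P<name>[^()=]+?)\s*=\s*(?P<val>\S+)$")


def parse_value(text):
    """'1.197M' -> 1197000, '24' -> 24."""
    text = text.strip()
    if text[-1] in SUFFIX:
        return int(round(float(text[:-1]) * SUFFIX[text[-1]]))
    return int(text)


def parse_ssl_stats(line):
    """Flatten one stats line into {'native conn.tot': 1197000, 'conn.full': ...}.
    Fields not shaped 'name (cols) = (vals)' or 'name = val', such as the
    encrypt/decrypt byte counts, are skipped."""
    stats = {}
    for field in (f.strip() for f in line.split("|")):
        m = TUPLE_RE.match(field)
        if m:
            cols = [c.strip() for c in m.group("cols").split(",")]
            vals = [parse_value(v) for v in m.group("vals").split(",")]
            stats.update({f"{m.group('name').strip()}.{c}": v for c, v in zip(cols, vals)})
        elif (m := SCALAR_RE.match(field)):
            stats[m.group("name").strip()] = parse_value(m.group("val"))
    return stats


def ssl_tps(sample_t0, sample_t1, interval_s):
    """Rates between two samples taken interval_s apart. The 'tot' connection
    counters and 'conn.full' only grow, so their deltas over the interval give
    new SSL sessions/s (resumed sessions included) and full handshakes/s."""
    a, b = parse_ssl_stats(sample_t0), parse_ssl_stats(sample_t1)

    def conns(s):
        return s["native conn.tot"] + s["compat conn.tot"]

    return {"sessions_per_s": (conns(b) - conns(a)) / interval_s,
            "full_handshakes_per_s": (b["conn.full"] - a["conn.full"]) / interval_s}


# Constructed samples modelled on the stats line in the thread, taken 60 s apart.
SAMPLE_T0 = ("GLOBAL CLIENT-SIDE SSL STATISTICS | conn (cur, max) = (24, 524) | "
             "native conn (cur, max, tot) = (24, 464, 1.197M) | compat conn (cur, max, tot) = (0, 0, 0) | "
             "conn (full, assist, none) = (1.197M, 28, 0) | (in, out) = encrypt (6.583G, 25.04G) decrypt (6.183G, 24.42G) | "
             "cache (curr, lookups, hits) = (9, 1.188M, 1.182M) | unclean shutdowns = 0 | fatal alerts = 0")
SAMPLE_T60 = SAMPLE_T0.replace("(24, 464, 1.197M)", "(31, 464, 1.203M)").replace("(1.197M, 28, 0)", "(1.2M, 28, 0)")

if __name__ == "__main__":
    r = ssl_tps(SAMPLE_T0, SAMPLE_T60, 60)
    print(f"{r['sessions_per_s']:.1f} new SSL sessions/s, {r['full_handshakes_per_s']:.1f} full handshakes/s")
```

Sample the counters at the busiest part of the day, since a license is sized against peak TPS rather than the average.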