Forum Discussion

ecce_297791's avatar
ecce_297791
Icon for Altocumulus rankAltocumulus
Feb 16, 2018

HTTP is fast, HTTPS really slow and causes massive FCS failure

I have two BIGIP VE's on my laptop I use for lab and education. On both of them (not HA) HTTPS to a VS works, but is painfully slow. A simple web page with a few pictures in it takes 20-30 seconds to load. Unencrypted HTTP is lightning fast.

Here is the VS config:

ltm virtual /Common/f5trn.cmos.lab-p443-vs {
    destination /Common/10.1.10.20:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/f5trn.cmos.lab-pool
    profiles {
    /Common/f5trn.cmos.lab {
            context clientside
        }
        /Common/http { }
        /Common/http2 { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}

ltm pool /Common/f5trn.cmos.lab-pool {
members {
    /Common/10.1.20.11:80 {
        address 10.1.20.11
    }
    /Common/10.1.20.12:80 {
        address 10.1.20.12
    }
    /Common/10.1.20.13:80 {
        address 10.1.20.13
    }
}
monitor /Common/http
}

A packet capture shows a MASSIVE FCS failure. Every single frame. Same on both sides of the BIGIP.

Troubleshooting includes:

  • Disabling SSL (removing clientSSL profile). Not slow.
  • Disabling HTTP/2 profile, using HTTP/1.1 (with SSL) instead. Still slow.
  • Using normal clientssl profile. Still slow.
  • Trying another BIGIP VE on the same laptop (standalone). Still slow.
  • Upgrading virtual hardware from v7 to v12. Still slow.
  • Upgrading memory on BIGIP VE 6 > 8 GB RAM. Still slow.
  • CPU load is around 9%
  • Memory usage is >80% high according to the flash-based dashboard. 6 or 8 GB RAM makes no difference. However TMM uses 5.5% of 3.9 GB.
  • The Configuration Utility uses HTTPS and is very responsive.

Other info:

  • LTM, APM and AVR are provisioned
  • The FQDN is resolved via /etc/hosts file
  • BIGIP version is 13.1
  • My laptop is a MacBook Pro with core i7 with 16GB RAM and not slow or heavily loaded with anything else.

Any ideas to why SSL seems to cause this behaviour?

2 Replies

  • Be careful with the captures taken from you VE, it automatically adds some trailing information/ debugging details, you need to install a plugin in your wireshark to have access to it (you can easily find it devcentral). If you don't have the plugin is normal you see the FCS errors.

     

    Regarding the slowness, it looks like the problem is mainly in the images. Can you configure an http acceleration profile to cache the images in your VE and see the difference? Maybe your problem is on the backend server. I suggest you try first HTTP1.1 and when you solve the problem you continue with HTP2.