A P P E N D I X E

SSL Statistics

This appendix lists and describes the key SSL statistics. The following topics are addressed:

Persistence of Statistics Counters

Statistics Counters Important to SSL Proxy Blade

Variable Descriptions

Persistence of Statistics Counters

The statistics counter on the SSL proxy blade system are persistent. Thus, the statistics counters are not cleared on power-off or reboot. All statistics are accumulated since the last statistics reset. The reset stats command resets all statistics counters to zero.

Persistent statistics have better diagnostics value and provide better tracking and auditing because valuable information is not lost with power-off or reboot. To fully update counters on power-down, use the shutdown command. However, the counters are also updated every time the config save command is used.

Statistics Counters Important to SSL Proxy Blade

Performance

The SSL proxy blade exhibits very high performance in SSL handshakes per second, number of concurrent connections, and encrypted data throughput. To provide the best value, the SSL proxy blade comes in various models that exhibit different performance. These models can be upgraded by means of software. Thus, SSL proxy blade statistics counters include measures of the above performance figures. This is useful, both to display the value provided by the SSL proxy blade, and to determine when to upgrade to a higher performance model. Some counters are provided both as an average and as a maximum value reached, to facilitate decisions about model capacity required in installations with variable load. Variable loads can occur during the day, as a result of promotions, or seasonally.

SSL Connection vs. SSL Session

An SSL connection is the same as an TCP connection that uses SSL. An SSL session can include many connections if the SSL session ID is reused. When this happens, it is said that the SSL session was resumed. For example, the counter for concurrent SSL connections refers to the SSL connection and session concepts.

Session ID Reuse

Some statistics are associated with SSL session ID reuse. SSL can reuse an SSL session ID that was negotiated through a previous full handshake. When a session ID is reused, the handshake can be processed more quickly. Reuse of sessions ID is commonly used by the browser to retrieve objects on a given web page. Reuse is typically not extended to other pages because to much reuse can weaken the security associated with encryption.

To support reuse, the reuse IDs must be cached in the Reuse ID Cache. a cache miss is a rejection of a session that was not found in the cache. Rejections can also occur when the cache is full. In some types of traffic, reuse rejections can occur; for example, if more than 32,000 sessions are pending reuse. In most cases, reuse rejections due to cache full are not an indication of a problem, because those sessions are negotiated as new, which actually increases the security. The SSL proxy blade can process a new session almost as fast as a reuse session, unlike most other implementations of SSL acceleration.

Variable Descriptions

Up Time

Statistics begin date

Statistics display: Start stat. date 01/02/2001 05:04:32

Description: Date when statistics started. This is the same as the date of last statistics reset. This records the date from when statistics have been accumulated.

Power-on time (persistent)

Statistics display: On time 14 hrs 33 min 30 sec

Description: Accumulated time ON since last statistics reset. This is not time since last reboot, but since last statistics reset. This tracks use or effective hours of service of the SSL proxy blade.

SSL up time (persistent)

Statistics display: Up (traffic) time 10 hrs 06 min 02 sec

Description: Accumulated time is Start or SSL mode since last statistics reset. This is not time since last reboot, but since last statistics reset. This tracks effective hours on the network ready to pass SSL traffic.

Transactions Per Second (TPS)

SSL Connection rate average

Statistics display: Connection rate ave.(1min) 830 [SSL/sec]

Description: Average number of successfully completed SSL connections in one second. The average is over one minute, with one second sampling rate. The SSL connection rate is also called SSL TPS (SSL Transactions Per Second). The TPS will normally not exceed the TPS limit of the SSL proxy blade model. Use show features to see the TPS limit. The TPS information is useful to determine the TPS load that the SSL proxy blade is processing. The TPS number should match that reported by external test tools that may be used for evaluation in a test environment, such as WebBench, or by sniffer equipment. When the TPS load varies within a second or a minute, and the sampling rate or the average time of the tool is different than that of the SSL proxy blade, some minor differences may be observed due to averaging.

Maximum SSL connection rate (persistent)

Statistics display: Connection rate max. 1200 [SSL/sec]

Description: Maximum value of the connection rate average (or TPS, see Transactions Per Second (TPS)) that occurred since the last time the statistics counters were reset to zero. Connections that are "Reusing" the SSL session ID are also counted. The maximum TPS will normally not exceed the TPS limit of the SSL proxy blade model. Use show features to see the TPS limit. The Max. TPS information is useful to determine if the TPS limit is being reached, in which case, a TPS feature upgrade or an additional SSL proxy blade system should be obtained.

TPS Limit Counter (persistent)

Statistics display: TPS requests 3,200,000

Description: Number of SSL requests rejected (forces client to retry) due to TPS limit reached. The TPS average went above the TPS feature limit, and this caused a rejection of a connection. SSL rejections due to other causes are not included here. Any number larger than zero means that traffic reached the SSL proxy blade TPS capacity after statistics were reset.

Concurrent Connections

Concurrent SSL connections

Statistics display: Concurrent connections (now) 5,000

Description: Number of concurrent connections open at the current time. Connections that are "Reusing" the SSL session id are also counted. The number of concurrent connections will normally not exceed the concurrent connection limit of the SSL proxy blade model. Use show features to see the concurrent connection limit. The concurrent connection information is useful to determine if the concurrent connection limit is being reached, in which case, a performance/feature upgrade or an additional SSL proxy blade system should be obtained. A single SSL proxy blade can handle at least 16000 concurrent sessions.

Maximum concurrent SSL connections (persistent)

Statistics display: Concurrent connections max. 16,000

Description: Maximum number of concurrent connections that were reached since last statistics reset. Connections that are "Reusing" the SSL session ID are also counted. The maximum number of concurrent connections will normally not exceed the concurrent connection limit of the SSL proxy blade model. Use show features to see the concurrent connection limit. The concurrent connection information is useful to determine if the concurrent connection limit is being reached, in which case, a performance/feature upgrade or an additional SSL proxy blade system should be obtained. A single proxy blade can handle at least 16000 concurrent sessions.

Concurrent SSL Connections Limit Counter (persistent)

Statistics display: Concurrent limit 20,000

Description: Number of SSL requests rejected (forces client to retry) due to concurrent connections limit being reached. The concurrent connections went above the concurrent connection feature limit, and this caused a rejection of a connection. SSL rejections due to other causes are not included here. Any number larger than zero means that traffic reached the SSL proxy blade concurrent connection capacity after statistics were reset.

Throughput

SSL data throughput delivered to the server (persistent)

Statistics display: Clear data in [KB]: 350,009

Description: Accumulated bytes of data delivered to the server using SSL. Thus, it is the SSL data throughput of the incoming (inbound) traffic channel, that is, from client to server. This counter is persistent since last statistics reset. This measure is about payload delivered to the servers. This counter includes all SSL proxy blade ports with traffic to the servers. Thus, this measure includes all effective data (by SSL only) that goes from client to server. Network overhead (retries) and encryption overhead (handshake, signatures) are not included. The counter relies on the TCP sequence numbers to track the data payload byte count.

SSL data throughput returned by the server (persistent)

Statistics display: Clear data out [KB]: 4,350,002

Description: Accumulated bytes of data returned by the server using SSL. Thus, it is the SSL data throughput of the outgoing (outbound) traffic channel, that is, from client to server. This counter is persistent since last statistics reset. This measure is about payload delivered to the clients. This counter includes all SSL proxy blade ports with traffic from the servers to the clients. Thus, this measure includes all effective data (via SSL only) that goes from Server to Client. Network overhead (retries, etc.) and encryption overhead (handshake, signatures) are not included. The counter relies on the TCP sequence numbers to track the data payload byte count.

Number of TCP requests (persistent)

Statistics display: TCP requests 3,200,000

Description: Number of accumulated TCP requests. Any type, clear and secure, broadcast or not.

SSL Handshakes

Number of SSL requests (persistent)

Statistics display: SSL requests 3,000,000

Description: Number of SSL handshake requests accumulated since last statistics reset. SSL handshakes completed, and also those not completed, are counted. Handshakes with a reused SSL session ID are also counted. This counter captures all SSL requests.

Number of completed SSL handshakes (persistent)

Statistics display: SSL handshakes 2,900,000

Description: Number of successfully completed SSL Handshakes, accumulated since last statistics reset. Handshakes with reused SSL session ID are also counted. A difference between handshake requests and completed handshakes is the number of failed handshakes. Handshakes can fail for a variety of reasons, from bad certificates to performance limitations. The statistics counters provide a quick way to analyze the SSL traffic behavior.

SSL Handshakes With Reused Session IDs

Number of SSL requests with reused SSL session IDs (persistent)

Statistics display: SSL requests/ Reuse 2,500,000

Description:

Number of SSL Handshake requests with a reused ID, accumulated since last statistics reset. This counter includes only reused handshakes. Reuse SSL handshakes completed, and also those not completed, are counted.

Number of Reuse ID requests found in cache (persistent)

Statistics display: SSL Reuse/ Reuse hit 1,056

Description: Number of reuse SSL requests found in the reuse ID cache. This count is accumulated since last statistics reset.

Number of Dropped Reuse ID Requests (Persistent)

Reuse request drops due to ID not in cache.

Statistics display: SSL Reuse/ Reuse drop/ Look-up miss 56

Description: Number of reuse SSL requests dropped because of a session ID look-up miss; that is, the SSL session ID not found in the cache. This does not include cache full or timeout. This is not common.

Reuse request drops due to reuse cache full.

Statistics display: SSL Reuse/ Reuse drop/ Cache full 23

Description: Number of reuse SSL requests dropped because of a session ID look-up miss; that is, the SSL session ID is not found in the cache. This is most likely due to timeout or full reuse cache.

Reuse request drops due to timeout.

Statistics display: SSL Reuse/ Reuse drop/ Timeout 85

Description: Number of reuse SSL requests dropped because of a session ID look-up miss; that is, the SSL session ID is not found in the cache. This is most likely due to timeout or full reuse cache.