NetScaler 12 SSL Performance: A Benchmark Test

The marketing claims an insane increase for the NetScaler 12 SSL performance – even on the software based VPX and CPX platforms. Reason enough to dig a little deeper and put this performance claim to a test and I have to admit I’m quite impressed!

  1. Test Setup
  2. Test Results
  3. Conclusion

As a consultant I often get asked for advise on whether to upgrade to the new version of NetScaler or not. Typically my answer to that is “Do you need any of the new features? No? Then better wait a little.”

But SSL performance increase is a “feature” that’s hard to argue against and that everyone needs, right? That’s why I found it super critical to validate the marketing claims here.

So I put the NetScaler 12 SSL performance to a little test…

Test Setup

My test setup is rather simple and far from a scientifically representative benchmark. But that makes the results even more impressive – it’s like I didn’t even tried to optimize for performance and yet got it.

I just setup two NetScalers and SSL offloaded one IIS backend through both NetScalers. Client, NetScaler 11.1, NetScaler 12 and the published backend server are all sitting on the same small lab hypervisor sharing the same Intel i5 Dual-core CPU.

NetScaler 12 SSL Performance Test Lab Setup
NetScaler 12 SSL Performance Test Lab Setup

For the NetScalers I’ve used the latest builds available at date which were NS11.1 Build 53.11.nc and NS12.0 Build 41.16.nc.

As a benchmark I ran “openssl s_time” with a strong ECDHE cipher for 5 minutes. This commands runs two tests, first it establishes as many new SSL sessions as it can, then it establishes as many SSL sessions as it can using SSL Session Reuse.

I’ve done that one by one against each NetScaler and then from each NetScaler towards another SSL enabled backend to test both frontend and backend SSL performance on both NetScaler 11.1 and NetScaler 12.

I’ve tracked the OpenSSL established sessions per second as well as NetScaler’s CPU usage while being benchmarked.

Test Results

The most important performance indicator is of course the performance towards the front end. NetScaler 12 outran 11.1 by +68% for the new SSL sessions and +41% for the sessions established with Session ID reuse.

NetScaler 12 SSL Performance Front End Benchmark
Front End Benchmark

It did so consuming pretty much the same CPU (PE CPU) resources which indicates that both my test result were probably limited by this factor.

NetScaler 12 SSL Performance Front End CPU Usage
Front End CPU Usage

After validating the frontend performance increase I tested the backend.

Now this result is to be treated with care as I’ve executed the benchmark from the NetScaler’s FreeBSD shell which runs outside the NetScaler packet engine that usually processes user traffic!

Never the less I got a +58% increase in the new connections and a very low number in the reused sessions for both NetScaler 12 and 11.1.

I couldn’t figure out why the reuse connections are so low, it might come down to using OpenSSL from the FreeBSD shell. However, even if it would apply to the packet engine connection multiplexing and keep-alives between NetScaler and the backends would take care of this anyway.

NetScaler 12 SSL Performance - Back End Benchmark
Back End Benchmark

Even more impressive is the fact that while delivering better backend performance the NetScaler also consumed 32% less CPU (MGMT CPU) for new SSL sessions and 20% less for sessions using Session ID reuse

NetScaler 12 SSL Performance Back End CPU usage
Back End CPU Usage

Pretty cool stuff!

Conclusion

The results are just impressive. I don’t know how they did it but they did indeed increase the overall performance by up to 70% in the frontend and up to 60% in the backend.

How this behaves outside of a lab needs to be looked at but I’m quite confident that there will be a significant impact.

So would I generally recommend for an immediate upgrade? Probably not! Remember, the performance impact is most noticeable when your box is actually running full throttle and most deployments I face are far from that.

If that is the case for you though, then you should seriously consider an upgrade!

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.