The marketing claims an insane increase for the NetScaler 12 SSL performance – even on the software based VPX and CPX platforms. Reason enough to dig a little deeper and put this performance claim to a test and I have to admit I’m quite impressed!
As a consultant I often get asked for advise on whether to upgrade to the new version of NetScaler or not. Typically my answer to that is “Do you need any of the new features? No? Then better wait a little.”
But SSL performance increase is a “feature” that’s hard to argue against and that everyone needs, right? That’s why I found it super critical to validate the marketing claims here.
So I put the NetScaler 12 SSL performance to a little test…
My test setup is rather simple and far from a scientifically representative benchmark. But that makes the results even more impressive – it’s like I didn’t even tried to optimize for performance and yet got it.
I just setup two NetScalers and SSL offloaded one IIS backend through both NetScalers. Client, NetScaler 11.1, NetScaler 12 and the published backend server are all sitting on the same small lab hypervisor sharing the same Intel i5 Dual-core CPU.
For the NetScalers I’ve used the latest builds available at date which were NS11.1 Build 53.11.nc and NS12.0 Build 41.16.nc.
As a benchmark I ran “openssl s_time” with a strong ECDHE cipher for 5 minutes. This commands runs two tests, first it establishes as many new SSL sessions as it can, then it establishes as many SSL sessions as it can using SSL Session Reuse.
I’ve done that one by one against each NetScaler and then from each NetScaler towards another SSL enabled backend to test both frontend and backend SSL performance on both NetScaler 11.1 and NetScaler 12.
I’ve tracked the OpenSSL established sessions per second as well as NetScaler’s CPU usage while being benchmarked.
The most important performance indicator is of course the performance towards the front end. NetScaler 12 outran 11.1 by +68% for the new SSL sessions and +41% for the sessions established with Session ID reuse.
It did so consuming pretty much the same CPU (PE CPU) resources which indicates that both my test result were probably limited by this factor.
After validating the frontend performance increase I tested the backend.
Now this result is to be treated with care as I’ve executed the benchmark from the NetScaler’s FreeBSD shell which runs outside the NetScaler packet engine that usually processes user traffic!
Never the less I got a +58% increase in the new connections and a very low number in the reused sessions for both NetScaler 12 and 11.1.
I couldn’t figure out why the reuse connections are so low, it might come down to using OpenSSL from the FreeBSD shell. However, even if it would apply to the packet engine connection multiplexing and keep-alives between NetScaler and the backends would take care of this anyway.
Even more impressive is the fact that while delivering better backend performance the NetScaler also consumed 32% less CPU (MGMT CPU) for new SSL sessions and 20% less for sessions using Session ID reuse
Pretty cool stuff!
The results are just impressive. I don’t know how they did it but they did indeed increase the overall performance by up to 70% in the frontend and up to 60% in the backend.
How this behaves outside of a lab needs to be looked at but I’m quite confident that there will be a significant impact.
So would I generally recommend for an immediate upgrade? Probably not! Remember, the performance impact is most noticeable when your box is actually running full throttle and most deployments I face are far from that.
If that is the case for you though, then you should seriously consider an upgrade!