
Slow TLS Decryption throughput compared to Web Proxy with KVM on v18 GA.

I've been converting my XG bare metal setup to a VM one using KVM+QEMU as the hypervisor.

The problem here is, the Web Proxy Decryption is much faster than the new DPI Engine for TLS Decryption, but currently, only on KVM.


Some Information about the Setup.

  • I'm using the VirtIO drivers, which currently don't support Fast Path, but still, it's much faster than vmxnet3.
  • The XG VM has full access to all CPU flags (also AES-NI); I'm currently using host-passthrough for the VM.
  • The XG VM has 6C/12GB RAM.
  • The host has 8C/16T / 32GB RAM.
  • M.2 SSD; both VMs have been using VirtIO for the disks.


Tested this using curl + nginx; the encrypted connection used TLS_AES_128_GCM_SHA256, 128 bit keys, TLS 1.2.

4GB iso file being transferred over HTTPS.


Without TLS Decryption or WebProxy | IPS+AV+ATP = ~287MB/s
With TLS Inspection | IPS+AV+ATP = ~33.5MB/s
With WebProxy + Decryption | IPS+AV+ATP = ~213MB/s

Using the new DPI engine for TLS Decryption I get stuck hard at ~35MB/s, no matter what TLS traffic is being decrypted.


Am I doing something wrong? I believe there's something wrong with this.


Also, XG v18 GA is much faster in raw throughput than v17.5. With IPS, iperf3 was capable of 7.21 Gbits/sec with the XG VM, so CPU isn't the issue here.
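For anyone wanting to repeat the curl-side measurement described above in a comparable way, here is an added example script (not code from this thread or from Sophos). It pins the cipher suite named in the post via curl's `--tls13-ciphers` option, repeats the download a few times, and averages curl's reported download speed so that the no-decryption, DPI and Web Proxy runs can be compared on equal footing. The lab URL, run count, 4 GB file path and CA handling are assumptions.

```shell
#!/bin/sh
# Added example: repeatable curl throughput measurement for comparing firewall
# paths (no decryption / DPI TLS inspection / Web Proxy decryption).
# Assumptions: a lab nginx serving a large file over HTTPS (e.g. a 4 GB ISO
# created server-side with: fallocate -l 4G /usr/share/nginx/html/test.iso),
# and curl >= 7.61 built against OpenSSL 1.1.1+ (needed for --tls13-ciphers).
# The client's trust store must contain the lab server's CA (or the firewall's
# inspection CA when decryption is on); point CURL_CA_BUNDLE at it if needed.

# Average a list of curl %{speed_download} values (bytes/second) and print
# megabytes per second (1 MB = 1,000,000 bytes) with two decimals.
mean_mbps() {
    printf '%s\n' "$@" | awk '{ s += $1 } END { printf "%.2f", s / NR / 1000000 }'
}

# Download $1 $2 times, pinning TLS 1.3 with TLS_AES_128_GCM_SHA256 (the suite
# the post names) so every run negotiates the same cipher, then print the mean.
# The body goes to /dev/null so client disk speed does not skew the number.
bench_https() {
    url=$1
    runs=${2:-3}
    speeds=""
    i=0
    while [ "$i" -lt "$runs" ]; do
        s=$(curl -sS -o /dev/null \
                --tlsv1.3 --tls13-ciphers TLS_AES_128_GCM_SHA256 \
                -w '%{speed_download}' "$url") || return 1
        speeds="$speeds $s"
        i=$((i + 1))
    done
    # shellcheck disable=SC2086  # word-splitting on $speeds is intended
    mean_mbps $speeds
}

# Only touch the network when a URL is supplied, so the functions above can be
# sourced or tested offline.
if [ -n "${BENCH_URL:-}" ]; then
    printf 'mean over %s runs: %s MB/s\n' "${BENCH_RUNS:-3}" \
        "$(bench_https "$BENCH_URL" "${BENCH_RUNS:-3}")"
fi
```

Run it once per firewall configuration, e.g. `BENCH_URL=https://lab-server/test.iso BENCH_RUNS=3 sh bench.sh`, and compare the means; a run that negotiates a different suite or TLS version fails outright instead of silently skewing the comparison.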



  • Hi prism,

    Currently, V18's feature for TLS decryption seems to be quite unstable and cannot be relied on.

    In my lab, I have done the same testing and found approximately the same output. Also I tried to block Psiphon proxy but had no success with the DPI engine. The same thing is getting blocked with the Web proxy.

    Now in this case what I have done is tweaked some settings in IPS, and I now have nearly 100 MB/s throughput. Still, it is not up to the mark, but it has improved.


    Thanks ,

    Exion


  • exion eh said:
    Currently, V18's feature for TLS decryption seems to be quite unstable and cannot be relied on.

    It's not unstable, it's working really well compared to what I've seen on v18 EAP.

    Most of the problems people are having with it are with IoT devices. These problems didn't exist before simply because the Web Proxy isn't capable of doing the same things as the DPI Engine.


    exion eh said:
    Now in this case what I have done is tweaked some settings in IPS, and I now have nearly 100 MB/s throughput. Still, it is not up to the mark, but it has improved.

    IPS improved a lot from v17.5 to v18 GA.

    On v17.5, if you used ac-q or hyperscan you would be stuck at 900Mbit/s on a good CPU; I've even made a post about this, since hyperscan is much faster than ac-q in reality.

    Now, something changed in v18. With ac-q I'm still getting the same throughput as before (900Mbit/s), but with Hyperscan I've been able to push almost 3Gbit/s over a single core (~2.6Gbit/s on real traffic), but a reminder, that was on an OC'd CPU.

  • Hi Prism,

    Just a question, although I think you will use the same config for the bare metal and the KVM machines:

    Do you have a WAN QoS limit configured?

    I opened a thread for this some weeks ago as this is limiting my internal throughput as well. (I'm on KVM, too.)

    Regards

    Dom

  • Sadly QoS isn't the issue here.

    Apparently I'll have to use the Web Proxy for now on, after the full migration to KVM.

    In reality it's better to stay on bare metal right now; the XG VM isn't worth the headache.


    Thanks,
