It really depends on the server. 50,000 simultaneous connections is a hefty load. 50000 _concurrent_ connections (where you have 50000 entries in the SSL accelerator state table, but not all of them are active at the same instant) may not be so bad. If you have a multiprocessor server with plenty of memory, then one might work. As I said, try it with HTTP first and see if you can support those connections on a single server.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Eric Johnson Sent: Wednesday February 14, 2007 9:35 AM To: openssl-users@openssl.org Subject: RE: SSL Scaling Question Hi Tim. Thanks for the response. I would be fetching static content so hopefully that should make things easier. I know the number of connections that "should" be supported. I just need to make sure that the SSL Accelerator can achieve the intended target. I have two issues that I am faced with 1) Verifying if the max number of connections can be reached without the use of any load balancers and 2) the number of servers that would be needed to support the max number of connections. II can introduce load balancers but prefer not to at this point in time. I just need to isolate the test results with\without the load balancers in place. In your experience, if I needed to reach 50,000 connections (for example) would you think one server would be enough to handle it? Or would I need multiple servers (and load balancers)? Regardless, I can try one server and if it doesn't yield the required results I can keep adding servers until I get there. Would you happen to know what metrics can be used to determine if another server is needed or not? Thanks a lot for all your help. Hope everything is well. Eric Johnson Nortel Networks SQA Engineer [EMAIL PROTECTED] _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, February 13, 2007 1:23 PM To: openssl-users@openssl.org Subject: RE: SSL Scaling Question If all you are going to do to test the accelerator/server combination is fetch some static content, then your job is fairly easy: Load-test the server using HTTP connections fetching the static content, until you either reach a server bottleneck (CPU/Memory/IO) or achieve your max number of connections. Increase the number of servers (with the appropriate load balancer) as needed until you can support the required number of connections. Then insert your SSL hardware, and generate the load using HTTPS. You should observe an increase in transaction times since the load generators have to do the crypto processing in software. In fact, you may end up needing more generators to compensate for that additional workload. That's a pretty simplified approach, but should serve to get you started. It's been my experience that in real-world usage, the limits encountered at first are more related to the web server and any application server/middleware, primarily in the ability to handle lots of simultaneous sessions and maintain persistence data for all of them. The crypto processing on the accelerators is rarely a performance issue unless you are talking about very static HTML content. Best wishes from another Nortel employee, Timothy M. Metzinger, CISSP, PMP Northop Grumman Information Technologies/Nortel Government Solutions Department of the Treasury Office of the Chief Information Officer HR Connect Program Office 202-622-0579(voice) "HR Connect: Connecting people, performance, and technology" -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Johnson Sent: Tuesday, February 13, 2007 11:59 AM To: openssl-users@openssl.org Subject: SSL Scaling Question Hi. I'm new to this forum and was wondering if I could get some assistance. I have an SSL Acceleration device that is comparable of supporting 50,000 concurrent connections. I would like to put this in my lab here at work and test the upper limit of this device. I'm concerned about the backend web server needed for this test effort. I'm trying to find out what the "appropriate" number of backend servers needed to test the upper limit of the SSL device. If I understand correctly each backend server is going to have an upper limit of 65535 TCP ports that can be opened (as the Source IP will most likely always be the SSL device). On the surface it looks like the backend server "should" be enough to handle the upper limit of the SSL device. However, that assumes that every connection is successful and the backend server has enough other resources to handle the load. Does anybody have any practical experience with this? And any recommendations on the number of backend servers at a specific load? Thanks in advance Eric Johnson Nortel Networks SQA Engineer [EMAIL PROTECTED]
