Low performance is observed for HTTPS traffic on an Edge node where the Load Balancer Service is running. An NSX-T Load Balancer with FIPS mode enabled handles ~450 HTTPS connections per second, compared to 3200 HTTPS connections when FIPS mode is disabled.
The output of "perf top -p <worker process PID>" on the Edge node for the nginx worker process shows the OpenSSL library calling many FIPS functions, which results in low HTTPS performance. The worker PID can be found with the command "ps -ef |grep nginx |grep lb".
The fips_/FIPS_ entries in the output below indicate that many FIPS functions are being invoked:
perf top -p 12208
PerfTop: 4095 irqs/sec kernel: 0.6% exact: 0.0% [4000Hz cpu-clock], (target_pid: 12208)
------------------------------------------------------------------------------------------------------------------------
48.09% libcrypto.so.1.0.0 [.] fips_bn_mul_mont
11.08% libcrypto.so.1.0.0 [.] fips_bn_usub
10.20% libcrypto.so.1.0.0 [.] bn_sqr4x_mont
2.64% libcrypto.so.1.0.0 [.] bn_mul4x_mont_gather5
2.00% libcrypto.so.1.0.0 [.] fips_bn_add_words
1.85% libcrypto.so.1.0.0 [.] fips_bn_mod_mul_montgomery
1.63% libcrypto.so.1.0.0 [.] fips_bn_lshift1
1.48% libcrypto.so.1.0.0 [.] fips_bn_ucmp
1.30% libcrypto.so.1.0.0 [.] fips_bn_lshift
1.16% libcrypto.so.1.0.0 [.] fips_bn_rshift1
1.15% libcrypto.so.1.0.0 [.] FIPS_bn_num_bits_word
1.12% libcrypto.so.1.0.0 [.] fips_bn_sub
1.02% libcrypto.so.1.0.0 [.] fips_int_bn_mod_inverse
0.88% libcrypto.so.1.0.0 [.] fips_bn_rshift
0.84% libcrypto.so.1.0.0 [.] fips_bn_cmp
0.77% libcrypto.so.1.0.0 [.] fips_bn_uadd
0.62% libcrypto.so.1.0.0 [.] fips_bn_mod_lshift_quick
0.61% libcrypto.so.1.0.0 [.] FIPS_bn_is_bit_set
0.58% libcrypto.so.1.0.0 [.] fips_bn_ctx_get
0.54% libcrypto.so.1.0.0 [.] fips_bn_set_word
0.52% libcrypto.so.1.0.0 [.] fips_ec_gfp_simple_dbl
0.51% libcrypto.so.1.0.0 [.] FIPS_bn_num_bits
0.40% libcrypto.so.1.0.0 [.] fips_bn_mod_add_quick
0.32% libcrypto.so.1.0.0 [.] fips_bn_copy
0.32% libcrypto.so.1.0.0 [.] fips_bn_mod_sub_quick
0.32% libcrypto.so.1.0.0 [.] fips_bn_add
0.32% libc-2.23.so [.] _int_malloc
0.28% libcrypto.so.1.0.0 [.] fips_bn_ctx_end
0.28% nginx [.] boost::detail::atomic_exchange_and_add
0.28% libcrypto.so.1.0.0 [.] fips_ec_wnaf_mul
0.26% nginx [.] boost::detail::atomic_increment
0.25% libcrypto.so.1.0.0 [.] fips_bn_mul_add_words
0.25% libcrypto.so.1.0.0 [.] fips_bn_mod_lshift1_quick
0.24% libcrypto.so.1.0.0 [.] fips_sha256_block_data_order
0.23% libcrypto.so.1.0.0 [.] _x86_64_AES_encrypt_compact
0.20% libcrypto.so.1.0.0 [.] fips_bn_sub_words
0.17% libcrypto.so.1.0.0 [.] fips_bn_div
0.17% libcrypto.so.1.0.0 [.] fips_ec_gfp_simple_add
0.17% libcrypto.so.1.0.0 [.] fips_ec_gfp_mont_field_mul
0.17% libpthread-2.23.so [.] pthread_mutex_lock
0.17% libcrypto.so.1.0.0 [.] fips_bn_ctx_start
0.15% libcrypto.so.1.0.0 [.] fips_ec_gfp_mont_field_sqr
0.14% libc-2.23.so [.] __memset_avx2
0.14% libcrypto.so.1.0.0 [.] compute_wNAF
0.13% nginx [.] boost::asio::ssl::detail::openssl_init_base::do_init::openssl_locking_func
0.13% libc-2.23.so [.] _int_free
0.13% libcrypto.so.1.0.0 [.] BN_from_montgomery_word
0.12% libpthread-2.23.so [.] pthread_mutex_unlock
0.11% libcrypto.so.1.0.0 [.] fips_bn_mul_words
0.11% libc-2.23.so [.] malloc
0.10% nginx [.] boost::shared_ptr<boost::asio::ssl::detail::openssl_init_base::do_init>::shared_ptr
0.09% nginx [.] boost::detail::shared_count::shared_count
0.08% libcrypto.so.1.0.0 [.] bn_mul4x_mont
To work around this issue, follow the procedure below.
Workaround Steps:
4. Reboot the Edge appliance
After following the above steps, run the perf top command on the Edge node for the nginx worker process PID. The output will not show the FIPS module being utilized. Furthermore, HTTPS traffic will show an increase in LBS performance.
NOTE: This procedure has to be done on all the Edge appliances that run the LB Service. In addition, if an Edge node running the LB service is redeployed, the above procedure has to be performed again.
perf top -p 20685
PerfTop: 3905 irqs/sec kernel: 3.6% exact: 0.0% [4000Hz cpu-clock], (target_pid: 20685)
--------------------------------------------------------------------------------------------------------------------
47.23% libcrypto.so.1.0.0 [.] rsaz_1024_sqr_avx2
11.30% libcrypto.so.1.0.0 [.] rsaz_1024_mul_avx2
3.39% libcrypto.so.1.0.0 [.] __ecp_nistz256_mul_montq
2.43% libcrypto.so.1.0.0 [.] __ecp_nistz256_sqr_montq
2.24% libcrypto.so.1.0.0 [.] bn_sqr8x_internal
2.07% libcrypto.so.1.0.0 [.] rsaz_1024_gather5_avx2
1.40% libc-2.23.so [.] _int_malloc
1.34% libcrypto.so.1.0.0 [.] _x86_64_AES_encrypt_compact
1.28% libcrypto.so.1.0.0 [.] sha256_block_data_order_avx2
1.13% libcrypto.so.1.0.0 [.] BN_div
1.10% libcrypto.so.1.0.0 [.] bn_sub_words
0.71% libcrypto.so.1.0.0 [.] bn_mul4x_mont
0.66% libcrypto.so.1.0.0 [.] bn_mul_words
0.58% libc-2.23.so [.] _int_free
0.49% nginx [.] boost::detail::atomic_exchange_and_add
0.47% libcrypto.so.1.0.0 [.] OPENSSL_cleanse
0.44% libc-2.23.so [.] malloc
0.43% nginx [.] boost::detail::atomic_increment
0.41% libcrypto.so.1.0.0 [.] ecp_nistz256_point_double
0.37% libcrypto.so.1.0.0 [.] ecp_nistz256_avx2_select_w7
0.34% libcrypto.so.1.0.0 [.] EVP_MD_CTX_cleanup
0.33% libcrypto.so.1.0.0 [.] FIPS_md_ctx_cleanup
0.31% libc-2.23.so [.] free
0.29% libc-2.23.so [.] malloc_consolidate
0.28% libcrypto.so.1.0.0 [.] bn_add_words
0.28% libcrypto.so.1.0.0 [.] BN_lshift
0.27% libcrypto.so.1.0.0 [.] __ecp_nistz256_mul_by_2q
0.26% libcrypto.so.1.0.0 [.] __ecp_nistz256_sub_fromq
0.25% libc-2.23.so [.] __memmove_avx_unaligned
0.25% libpthread-2.23.so [.] pthread_mutex_lock
0.23% libcrypto.so.1.0.0 [.] EVP_MD_CTX_init
0.23% nginx [.] boost::asio::ssl::detail::openssl_init_base::do_init::openssl_locking_func
0.22% libpthread-2.23.so [.] pthread_mutex_unlock
0.22% libcrypto.so.1.0.0 [.] BN_num_bits_word
0.21% nginx [.] boost::detail::shared_count::shared_count
0.21% [kernel] [k] access_ok_prefault
0.19% libcrypto.so.1.0.0 [.] ecp_nistz256_point_add
0.18% libcrypto.so.1.0.0 [.] BN_rshift
0.17% libc-2.23.so [.] __memset_avx2
0.17% nginx [.] boost::shared_ptr<boost::asio::ssl::detail::openssl_init_base::do_init>::shared_ptr
0.16% libcrypto.so.1.0.0 [.] CRYPTO_malloc
0.16% nginx [.] boost::asio::ssl::detail::openssl_init_base::instance
0.14% libcrypto.so.1.0.0 [.] BN_uadd
0.14% [kernel] [k] _raw_spin_unlock_irqrestore
0.13% libcrypto.so.1.0.0 [.] BN_mod_inverse
0.13% libcrypto.so.1.0.0 [.] FIPS_openssl_cleanse
0.13% libcrypto.so.1.0.0 [.] bn_mul_add_words
0.13% libcrypto.so.1.0.0 [.] RSAZ_1024_mod_exp_avx2
0.13% nginx [.] boost::detail::shared_count::~shared_count
0.12% libcrypto.so.1.0.0 [.] __ecp_nistz256_add_toq
0.12% libcrypto.so.1.0.0 [.] ecp_nistz256_points_mul
0.12% libcrypto.so.1.0.0 [.] EVP_MD_CTX_copy_ex
0.12% nginx [.] boost::shared_ptr<boost::asio::detail::posix_mutex>::operator->
0.11% libcrypto.so.1.0.0 [.] ecp_nistz256_point_add_affine
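To put a number on the two perf top captures above, the following added example (not part of the original article or of any VMware tooling) sums the sample share of fips_/FIPS_-prefixed libcrypto symbols in perf top text read from stdin. The function names, the 50 percent threshold and the embedded sample rows, abridged from the captures above, are assumptions of this example.

```shell
#!/bin/sh
# Added example: measure how much of a `perf top` capture is spent in
# FIPS-prefixed libcrypto symbols. Function names are hypothetical.

# Reads perf top text on stdin, prints the summed percentage (two decimals).
fips_share() {
    awk '
        # Data rows look like: 48.09% libcrypto.so.1.0.0 [.] fips_bn_mul_mont
        $1 ~ /^[0-9.]+%$/ && $2 ~ /^libcrypto\.so/ && $4 ~ /^(fips_|FIPS_)/ {
            pct = $1
            sub(/%/, "", pct)
            fips += pct
        }
        END { printf "%.2f\n", fips }
    '
}

# Exit status 0 when the FIPS share on stdin exceeds the threshold in $1
# (assumed default: 50 percent).
fips_dominant() {
    share=$(fips_share)
    awk -v s="$share" -v t="${1:-50}" 'BEGIN { exit !(s > t) }'
}

# Sample rows abridged from the FIPS-enabled capture above.
before_sample() {
    cat <<'EOF'
48.09% libcrypto.so.1.0.0 [.] fips_bn_mul_mont
11.08% libcrypto.so.1.0.0 [.] fips_bn_usub
10.20% libcrypto.so.1.0.0 [.] bn_sqr4x_mont
2.00% libcrypto.so.1.0.0 [.] fips_bn_add_words
1.85% libcrypto.so.1.0.0 [.] fips_bn_mod_mul_montgomery
0.32% libc-2.23.so [.] _int_malloc
EOF
}

# Sample rows abridged from the capture taken after the workaround.
after_sample() {
    cat <<'EOF'
47.23% libcrypto.so.1.0.0 [.] rsaz_1024_sqr_avx2
11.30% libcrypto.so.1.0.0 [.] rsaz_1024_mul_avx2
0.33% libcrypto.so.1.0.0 [.] FIPS_md_ctx_cleanup
0.13% libcrypto.so.1.0.0 [.] FIPS_openssl_cleanse
0.21% [kernel] [k] access_ok_prefault
EOF
}

echo "FIPS share before: $(before_sample | fips_share)%"
echo "FIPS share after:  $(after_sample | fips_share)%"
```

The second capture still lists FIPS_md_ctx_cleanup and FIPS_openssl_cleanse at a fraction of a percent, so compare the share against a threshold rather than expecting exactly zero.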