NSX-T 2.4.0 Load Balance Service may observe low performance on HTTPs

Article ID: 315440

Products

VMware NSX Networking

Issue/Introduction

Symptoms:

Low performance is observed for HTTPS traffic on an Edge node where the Load Balancer Service is running. An NSX-T Load Balancer with FIPS mode enabled will observe ~450 HTTPS connections per second, compared to 3200 HTTPS connections when FIPS mode is disabled.

The "perf top -p <worker process PID>" command output on the Edge node for the nginx worker process shows the OpenSSL library calling many FIPS functions, resulting in low HTTPS performance. The worker PID can be fetched using the command "ps -ef | grep nginx | grep lb".

The fips_-prefixed entries in the output below are an indication of many FIPS functions being invoked.

perf top -p 12208 

  PerfTop: 4095 irqs/sec kernel: 0.6% exact: 0.0% [4000Hz cpu-clock], (target_pid: 12208)
------------------------------------------------------------------------------------------------------------------------

    48.09% libcrypto.so.1.0.0 [.] fips_bn_mul_mont
    11.08% libcrypto.so.1.0.0 [.] fips_bn_usub
    10.20% libcrypto.so.1.0.0 [.] bn_sqr4x_mont
     2.64% libcrypto.so.1.0.0 [.] bn_mul4x_mont_gather5
     2.00% libcrypto.so.1.0.0 [.] fips_bn_add_words
     1.85% libcrypto.so.1.0.0 [.] fips_bn_mod_mul_montgomery
     1.63% libcrypto.so.1.0.0 [.] fips_bn_lshift1
     1.48% libcrypto.so.1.0.0 [.] fips_bn_ucmp
     1.30% libcrypto.so.1.0.0 [.] fips_bn_lshift
     1.16% libcrypto.so.1.0.0 [.] fips_bn_rshift1
     1.15% libcrypto.so.1.0.0 [.] FIPS_bn_num_bits_word
     1.12% libcrypto.so.1.0.0 [.] fips_bn_sub
     1.02% libcrypto.so.1.0.0 [.] fips_int_bn_mod_inverse
     0.88% libcrypto.so.1.0.0 [.] fips_bn_rshift
     0.84% libcrypto.so.1.0.0 [.] fips_bn_cmp
     0.77% libcrypto.so.1.0.0 [.] fips_bn_uadd
     0.62% libcrypto.so.1.0.0 [.] fips_bn_mod_lshift_quick
     0.61% libcrypto.so.1.0.0 [.] FIPS_bn_is_bit_set
     0.58% libcrypto.so.1.0.0 [.] fips_bn_ctx_get
     0.54% libcrypto.so.1.0.0 [.] fips_bn_set_word
     0.52% libcrypto.so.1.0.0 [.] fips_ec_gfp_simple_dbl
     0.51% libcrypto.so.1.0.0 [.] FIPS_bn_num_bits
     0.40% libcrypto.so.1.0.0 [.] fips_bn_mod_add_quick
     0.32% libcrypto.so.1.0.0 [.] fips_bn_copy
     0.32% libcrypto.so.1.0.0 [.] fips_bn_mod_sub_quick
     0.32% libcrypto.so.1.0.0 [.] fips_bn_add
     0.32% libc-2.23.so [.] _int_malloc
     0.28% libcrypto.so.1.0.0 [.] fips_bn_ctx_end
     0.28% nginx [.] boost::detail::atomic_exchange_and_add
     0.28% libcrypto.so.1.0.0 [.] fips_ec_wnaf_mul
     0.26% nginx [.] boost::detail::atomic_increment
     0.25% libcrypto.so.1.0.0 [.] fips_bn_mul_add_words
     0.25% libcrypto.so.1.0.0 [.] fips_bn_mod_lshift1_quick
     0.24% libcrypto.so.1.0.0 [.] fips_sha256_block_data_order
     0.23% libcrypto.so.1.0.0 [.] _x86_64_AES_encrypt_compact
     0.20% libcrypto.so.1.0.0 [.] fips_bn_sub_words
     0.17% libcrypto.so.1.0.0 [.] fips_bn_div
     0.17% libcrypto.so.1.0.0 [.] fips_ec_gfp_simple_add
     0.17% libcrypto.so.1.0.0 [.] fips_ec_gfp_mont_field_mul
     0.17% libpthread-2.23.so [.] pthread_mutex_lock
     0.17% libcrypto.so.1.0.0 [.] fips_bn_ctx_start
     0.15% libcrypto.so.1.0.0 [.] fips_ec_gfp_mont_field_sqr
     0.14% libc-2.23.so [.] __memset_avx2
     0.14% libcrypto.so.1.0.0 [.] compute_wNAF
     0.13% nginx [.] boost::asio::ssl::detail::openssl_init_base::do_init::openssl_locking_func
     0.13% libc-2.23.so [.] _int_free
     0.13% libcrypto.so.1.0.0 [.] BN_from_montgomery_word
     0.12% libpthread-2.23.so [.] pthread_mutex_unlock
     0.11% libcrypto.so.1.0.0 [.] fips_bn_mul_words
     0.11% libc-2.23.so [.] malloc
     0.10% nginx [.] boost::shared_ptr<boost::asio::ssl::detail::openssl_init_base::do_init>::shared_ptr
     0.09% nginx [.] boost::detail::shared_count::shared_count
     0.08% libcrypto.so.1.0.0 [.] bn_mul4x_mont


Environment

VMware NSX-T Data Center 2.x
VMware NSX-T Data Center

Cause

The cause of the low performance has been identified as FIPS enablement on the Edge appliance, introduced in the NSX-T 2.4 release.

Resolution

This is a known issue affecting VMware NSX-T Data Center 2.4.0 and is resolved in VMware NSX-T Data Center 2.4.1.

Workaround:

To work around this issue, follow the procedure below.

Workaround Steps:

  1. Log in as the root user on the Edge nodes.
  2. Navigate to the /etc/vmware directory and look for system_fips.
  3. Remove the system_fips file using the command below:
     rm -rf system_fips
  4. Reboot the Edge appliance.

After following the above steps, run the perf top command on the Edge node for the nginx worker process PID. The output will not show the FIPS module being utilized. Furthermore, HTTPS traffic would show an increase in LBS performance.

NOTE: This procedure has to be done on all the Edge appliances that run the LB Service. In addition, if an Edge node running the LB service is re-deployed, the above procedure has to be performed again.

 

perf top -p 20685

PerfTop: 3905 irqs/sec kernel: 3.6% exact: 0.0% [4000Hz cpu-clock], (target_pid: 20685)
--------------------------------------------------------------------------------------------------------------------

47.23% libcrypto.so.1.0.0 [.] rsaz_1024_sqr_avx2
11.30% libcrypto.so.1.0.0 [.] rsaz_1024_mul_avx2
3.39% libcrypto.so.1.0.0 [.] __ecp_nistz256_mul_montq
2.43% libcrypto.so.1.0.0 [.] __ecp_nistz256_sqr_montq
2.24% libcrypto.so.1.0.0 [.] bn_sqr8x_internal
2.07% libcrypto.so.1.0.0 [.] rsaz_1024_gather5_avx2
1.40% libc-2.23.so [.] _int_malloc
1.34% libcrypto.so.1.0.0 [.] _x86_64_AES_encrypt_compact
1.28% libcrypto.so.1.0.0 [.] sha256_block_data_order_avx2
1.13% libcrypto.so.1.0.0 [.] BN_div
1.10% libcrypto.so.1.0.0 [.] bn_sub_words
0.71% libcrypto.so.1.0.0 [.] bn_mul4x_mont
0.66% libcrypto.so.1.0.0 [.] bn_mul_words
0.58% libc-2.23.so [.] _int_free
0.49% nginx [.] boost::detail::atomic_exchange_and_add
0.47% libcrypto.so.1.0.0 [.] OPENSSL_cleanse
0.44% libc-2.23.so [.] malloc
0.43% nginx [.] boost::detail::atomic_increment
0.41% libcrypto.so.1.0.0 [.] ecp_nistz256_point_double
0.37% libcrypto.so.1.0.0 [.] ecp_nistz256_avx2_select_w7
0.34% libcrypto.so.1.0.0 [.] EVP_MD_CTX_cleanup
0.33% libcrypto.so.1.0.0 [.] FIPS_md_ctx_cleanup
0.31% libc-2.23.so [.] free
0.29% libc-2.23.so [.] malloc_consolidate
0.28% libcrypto.so.1.0.0 [.] bn_add_words
0.28% libcrypto.so.1.0.0 [.] BN_lshift
0.27% libcrypto.so.1.0.0 [.] __ecp_nistz256_mul_by_2q
0.26% libcrypto.so.1.0.0 [.] __ecp_nistz256_sub_fromq
0.25% libc-2.23.so [.] __memmove_avx_unaligned
0.25% libpthread-2.23.so [.] pthread_mutex_lock
0.23% libcrypto.so.1.0.0 [.] EVP_MD_CTX_init
0.23% nginx [.] boost::asio::ssl::detail::openssl_init_base::do_init::openssl_locking_func
0.22% libpthread-2.23.so [.] pthread_mutex_unlock
0.22% libcrypto.so.1.0.0 [.] BN_num_bits_word
0.21% nginx [.] boost::detail::shared_count::shared_count
0.21% [kernel] [k] access_ok_prefault
0.19% libcrypto.so.1.0.0 [.] ecp_nistz256_point_add
0.18% libcrypto.so.1.0.0 [.] BN_rshift
0.17% libc-2.23.so [.] __memset_avx2
0.17% nginx [.] boost::shared_ptr<boost::asio::ssl::detail::openssl_init_base::do_init>::shared_ptr
0.16% libcrypto.so.1.0.0 [.] CRYPTO_malloc
0.16% nginx [.] boost::asio::ssl::detail::openssl_init_base::instance
0.14% libcrypto.so.1.0.0 [.] BN_uadd
0.14% [kernel] [k] _raw_spin_unlock_irqrestore
0.13% libcrypto.so.1.0.0 [.] BN_mod_inverse
0.13% libcrypto.so.1.0.0 [.] FIPS_openssl_cleanse
0.13% libcrypto.so.1.0.0 [.] bn_mul_add_words
0.13% libcrypto.so.1.0.0 [.] RSAZ_1024_mod_exp_avx2
0.13% nginx [.] boost::detail::shared_count::~shared_count
0.12% libcrypto.so.1.0.0 [.] __ecp_nistz256_add_toq
0.12% libcrypto.so.1.0.0 [.] ecp_nistz256_points_mul
0.12% libcrypto.so.1.0.0 [.] EVP_MD_CTX_copy_ex
0.12% nginx [.] boost::shared_ptr<boost::asio::detail::posix_mutex>::operator->
0.11% libcrypto.so.1.0.0 [.] ecp_nistz256_point_add_affine
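
Added example, not part of the original article or of VMware's tooling: a small shell helper that quantifies the diagnosis above by summing the perf top percentages attributed to fips_-prefixed libcrypto symbols, and that checks whether the system_fips file is present (useful after an Edge node is re-deployed). The function names are assumptions of this example; the embedded sample lines are excerpted from the two perf top outputs in this article.

```shell
#!/bin/sh
# Added example: measure how much of a saved `perf top` capture is spent in
# FIPS-module symbols of libcrypto, as in the outputs shown in this article.

# fips_share: reads perf top text on stdin and prints the summed percentage
# of libcrypto symbols whose name starts with "fips_" (case-insensitive).
# Summing is used instead of a plain grep because the "after" capture still
# lists small entries such as FIPS_md_ctx_cleanup.
fips_share() {
  awk '
    # Sample lines look like: "48.09% libcrypto.so.1.0.0 [.] fips_bn_mul_mont"
    $1 ~ /^[0-9.]+%$/ && $2 ~ /^libcrypto\.so/ && tolower($4) ~ /^fips_/ {
      sub(/%$/, "", $1)
      total += $1
    }
    END { printf "%.2f\n", total }
  '
}

# fips_marker_present: succeeds if the system_fips file named in the
# workaround exists in the given directory (default: /etc/vmware).
fips_marker_present() {
  [ -e "${1:-/etc/vmware}/system_fips" ]
}

# Excerpt of the capture taken before the workaround (from this article).
BEFORE_SAMPLE='    48.09% libcrypto.so.1.0.0 [.] fips_bn_mul_mont
    11.08% libcrypto.so.1.0.0 [.] fips_bn_usub
    10.20% libcrypto.so.1.0.0 [.] bn_sqr4x_mont
     2.00% libcrypto.so.1.0.0 [.] fips_bn_add_words'

# Excerpt of the capture taken after the workaround (from this article).
AFTER_SAMPLE='47.23% libcrypto.so.1.0.0 [.] rsaz_1024_sqr_avx2
11.30% libcrypto.so.1.0.0 [.] rsaz_1024_mul_avx2
0.33% libcrypto.so.1.0.0 [.] FIPS_md_ctx_cleanup
0.13% libcrypto.so.1.0.0 [.] FIPS_openssl_cleanse'

echo "FIPS share before: $(printf '%s\n' "$BEFORE_SAMPLE" | fips_share)%"
echo "FIPS share after:  $(printf '%s\n' "$AFTER_SAMPLE" | fips_share)%"
if fips_marker_present; then
  echo "system_fips present in /etc/vmware"
else
  echo "system_fips absent from /etc/vmware"
fi
```

To use it on an Edge node, save the perf top text to a file and pipe that file into fips_share.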