Monitoring SSL Services
Performance Monitor features enable you to monitor and interpret important aspects of Secure Sockets Layer (SSL) module operations and performance in real time.
The following topics explain the SSL module monitoring features:
• SSL Concepts
• Monitoring Modules Collectively
• Monitoring Modules Individually
SSL Concepts
Secure Sockets Layer (SSL) is a protocol that enables secure transfers of data through privacy, authentication, and data integrity. It relies upon certificates, public keys, and private keys.
The following topics provide information that you might require in order to understand SSL monitoring:
• Purpose of SSL Modules
• Performance of SSL Modules
Purpose of SSL Modules
The SSL service module is an integrated module for Cisco Catalyst 6500 Series switches. Any port on a Series 6500 switch can offload resource-intensive SSL functions from web servers in your network when it is the proxy SSL port for those servers. One SSL module can act as the proxy for several web servers.
SSL modules accelerate the delivery of encrypted web traffic and perform all SSL-related tasks (including delivery of web-enabled applications). Thus, your web servers deliver cleartext web content faster and in greater quantities than they can when they perform their own SSL functions.
Properly configured SSL modules:
• Increase the number of secure connections a website supports.
• Permit a web server to process more requests for content.
• Provide server load balancing.
Performance of SSL Modules
The chassis of a Catalyst 6500 switch can hold as many as four SSL modules. Under optimal conditions, each SSL module provides:
• As many as 2,500 connection setups per second—or 10,000 per chassis when four modules are installed.
• As much as 300-Mbps bulk-encrypted throughput—or 12.2-Gbps per chassis when four modules are installed.
• As many as 60,000 concurrent connections—or 240,000 per chassis when four modules are installed.
Every SSL module has its own CPU and its own IP address.
If an SSL module is not configured correctly or is not functioning correctly, encrypted and cleartext web services in your network might become degraded.
If you determine that an SSL module in your network is providing service levels below its designed capacity, you can isolate the cause, and then take corrective action with your network management tools.
Monitoring Modules Collectively
The following topics explain how you can monitor SSL modules collectively:
• Working with SSL Usage and Activity Statistics
• Working with SSL Statistics
• Working with TCP Connection Statistics
Working with SSL Usage and Activity Statistics
You can display usage and activity statistics for all of the validated SSL modules in your network.
Procedure
Step 1
Select either:
• Monitor > SSL.
• Monitor > SSL > Modules.
Step 2
(Optional) To display detail graphs for one SSL module, click the relevant IP address in the Module column.
Table 3-3 describes other optional tasks that recur throughout the GUI.
Working with SSL Statistics
You can display and work from a table of SSL activity statistics for all of your validated SSL modules.
Step 1
Select Monitor > SSL > Statistics.
All measured values on the SSL Statistics page are computed as deltas (meaning they indicate the scope of difference from one polling cycle to the next)—except for the whole number counts of active sessions and active connections.
Step 2
(Optional) To display summary graphs for one SSL module, click the relevant IP address or DNS name in the Module column.
Table 3-3 describes other optional tasks that recur throughout the GUI.
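The delta computation described in Step 1, combined with the per-module maxima from Performance of SSL Modules, is shown here as an added example; it is not Cisco code or Performance Monitor's implementation. The counter names, the 32-bit counter width and the two sample polls are assumptions constructed for illustration.

```python
# Added illustration: field names, the 32-bit counter width and the sample
# values are assumptions, not Performance Monitor's data model.
GAUGES = {"active_sessions", "active_connections"}   # shown as whole counts
WRAP = 2 ** 32                                       # assumed counter width

# Per-module maxima quoted on this page (under optimal conditions).
MAX_SETUPS_PER_SEC = 2500
MAX_THROUGHPUT_BPS = 300_000_000
MAX_CONCURRENT = 60_000


def cycle_deltas(prev, curr):
    """Build one table row from two polls: deltas for cumulative counters,
    the current whole number for gauges."""
    row = {}
    for name, value in curr.items():
        if name == "timestamp" or name in GAUGES:
            row[name] = value
        else:
            # Modulo keeps the delta correct across at most one counter wrap.
            row[name] = (value - prev[name]) % WRAP
    row["interval_s"] = curr["timestamp"] - prev["timestamp"]
    return row


def utilization(row):
    """Express one cycle's deltas as fractions of the per-module maxima."""
    secs = row["interval_s"]
    return {
        "setups": row["connections_completed"] / secs / MAX_SETUPS_PER_SEC,
        "throughput": row["bytes_encrypted"] * 8 / secs / MAX_THROUGHPUT_BPS,
        "concurrent": row["active_connections"] / MAX_CONCURRENT,
    }


# Constructed polls of one module, 300 seconds apart (cumulative counters).
POLL_1 = {"timestamp": 0, "connections_completed": 4_294_900_000,
          "bytes_encrypted": 1_000_000_000, "handshake_failures": 10,
          "active_sessions": 1200, "active_connections": 15_000}
POLL_2 = {"timestamp": 300, "connections_completed": 307_704,
          "bytes_encrypted": 3_250_000_000, "handshake_failures": 25,
          "active_sessions": 1100, "active_connections": 30_000}

if __name__ == "__main__":
    row = cycle_deltas(POLL_1, POLL_2)
    print(row)
    print(utilization(row))
```

The connection counter in the sample wraps between the two polls; a naive subtraction would report a large negative delta for that cycle.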
Working with TCP Connection Statistics
You can display and work from a table of TCP connection statistics for all of your validated SSL modules.
Step 1
Select Monitor > SSL > TCP Connections.
All measured values on the SSL TCP Statistics page are computed as deltas.
Step 2
(Optional) To display summary graphs for one SSL module, click the relevant IP address or DNS name in the Module column.
Table 3-3 describes other optional tasks that recur throughout the GUI.
Monitoring Modules Individually
The following topics explain how you can monitor validated SSL modules individually:
• Displaying and Interpreting Module Detail Graphs
• Displaying the SSL Proxy Statistics Table
• Displaying the SSL Proxy Errors Table
Displaying and Interpreting Module Detail Graphs
You can display and work from a page of detail graphs for one validated SSL module.
Procedure
Step 1
Select Monitor > SSL > Module Details.
By default, Performance Monitor displays graphs that describe the health and performance of the module with the numerically lowest IP address (Table 9-1).
Step 2
(Optional) To view equivalent graphs for a different SSL service module, select the relevant IP address from the Select Device list.
Table 3-3 describes other optional tasks that recur throughout the GUI.
Note
A known problem might interfere with your ability to interpret a graph that uses two vertical (Y) axes. The first Y axis always begins at zero, but the second Y axis begins at the lowest value for the specified time range—even when that value is greater than zero. Thus, the two Y axes might not be directly comparable.
Table 9-1 Interpreting SSL Module Graphs

Label | Description

CPU Usage | Illustrates used percentages of module CPU capacity:
• The vertical axis shows the average percentage of CPU capacity used in the relevant polling cycle.
• The horizontal axis shows the time of day for the polling cycle.

Memory Usage | Illustrates used percentages of module memory capacity:
• The vertical axis shows the average percentage of memory capacity used in the relevant polling cycle.
• The horizontal axis shows the time of day for the polling cycle.

Error Rate | Illustrates the trend of module interface errors over time:
• The vertical axis shows the average number of errors in the relevant polling cycle.
• The horizontal axis shows the time of day for the polling cycle.

Throughput vs. Connections | Displays a line chart that helps you compare throughput trends to connection trends over time:
• Because it shows two kinds of information, it has two vertical axes.
  – The vertical axis on the left (blue) shows the average throughput in bytes in the relevant polling cycle.
  – The vertical axis on the right (red) shows the average number of SSL connections in the relevant hour.
• The horizontal axis shows the time of day at which Performance Monitor calculated the trends in each vertical axis.

Displaying the SSL Proxy Statistics Table
You can display and work from a table of proxy statistics for one validated SSL module.
Step 1
Select Monitor > SSL > Proxy Statistics.
All measured values on the SSL Proxy Statistics page are computed as deltas.
Step 2
(Optional) To view equivalent data for a different SSL service module, select the relevant IP address from the Select Device list.
Table 3-3 describes other optional tasks that recur throughout the GUI.
Displaying the SSL Proxy Errors Table
You can display and work from a table of proxy errors for one validated SSL module.
Step 1
Select Monitor > SSL > Proxy Errors.
All measured values on the SSL Proxy Errors page are computed as deltas.
Step 2
(Optional) To view equivalent data for a different SSL service module, select the relevant IP address from the Select Device list.
Table 3-3 describes other optional tasks that recur throughout the GUI.