Performance Issues with NetScaler SSL

Performance issue with NetScaler SSL. The throughput with HTTP is about 10 times more than HTTPS.

To resolve this issue create a TCP profile, increase the buffer size, and bind it to virtual server:
add ns tcpProfile tcp_test -WS ENABLED -SACK ENABLED -maxBurst 20 -initialCwnd 8 -bufferSize 4096000 -flavor BIC -dynamicReceiveBuffering DISABLED -sendBuffsize 4096000

TCP Window Scaling is less aggressive or slower on an SSL Virtual Server than a HTTP Virtual Server.

Analyzing the network path trace indicates that a NetScaler appliance agrees to use Window Scaling, but it is very slow to increase the size of the Receive Window with an SSL Virtual Server. The advertised Receive Window increases steadily to a maximum of only 93 k with an average size of 46 k. The throughput is 136 kbps with 250 ms Round Trip Time (RTT). When HTTP Virtual Server is used, with services running in non-endpoint mode the throughput is 10 times more even with a lower RTT.

When SSL Virtual Server is used, with services running in endpoint mode, the appliance sets the Window size to two times 16 k (+ misc.) worth of data. Therefore, when the SSL card is processing one record layer of data, the Receive Window has the buffer for another record layer of data. This is by design and not a limitation of the SSL accelerator card. Increasing the Window size can negatively impact the total number of active SSL transactions the appliance can support. There is also no option to increase the buffer size of the Receive Window.

When using HTTP Virtual Server the appliance does not require storing data in a buffer. The Virtual Server can forward the Receive Window without limiting the total number of connections the appliance can manage. When using an HTTP Virtual Server, the appliance buffers data only if there is an error such as out-of-order packets or split HTTP headers. When the appliance processes compression, the buffer is larger (96 k or 128 k) but not adjustable.