Support for Intel Coleto and Intel Lewisburg SSL chip-based platforms

The following appliances ship with Intel Coleto chips:

  • MPX 5900
  • MPX/SDX 8900
  • MPX/SDX 15000
  • MPX/SDX 15000-50G
  • MPX/SDX 26000
  • MPX/SDX 26000-50S
  • MPX/SDX 26000-100G

The following appliances ship with Intel Lewisburg chips:

  • MPX/SDX 9100
  • MPX/SDX 16000

Use the ‘show hardware’ command to identify whether your appliance has Coleto (COL) or Lewisburg (LBG) chips.

    > sh hardware
        Platform: NSMPX-8900 8*CPU+4*F1X+6*E1K+1*E1K+1*COL 8955 30010
        Manufactured on: 10/18/2016
        CPU: 2100MHZ
        Host Id: 0
        Serial no: CRAC5CR8UA
        Encoded serial no: CRAC5CR8UA
    Done

    > sh hardware
        Platform: NSMPX-9100 10*CPU+64GB+8*F2X+E1K+1*LBG C627 35000
        Manufactured on: 10/1/2021
        CPU: 2300MHZ
        Host Id: 161644678
        Serial no: N2Z3ZD9S21
        Encoded serial no: N2Z3ZD9S21
        Netscaler UUID: 41a26261-227e-11ec-b4db-3cecef56f86b
        BMC Revision: 1.00
    Done

Limitations

The following ciphers, protocols, and features are not supported:

  • DH 512 cipher
  • SSLv3 protocol
  • Azure Key Vault
  • GnuTLS
  • ECDSA certificates with ECC curves P_224 and P_521
  • DNSSEC offload

Note

Support for the Thales Luna Network hardware security module (HSM) is available in release 13.1 build 33.x and later.

View the software-based SSL chip utilization on NetScaler MPX and SDX platforms

You can view more details about the software-based SSL chip utilization on the following platforms:

  • MPX and SDX platforms that ship with Intel Coleto chips.
  • MPX platforms that ship with Intel Lewisburg chips.

Note

This feature is not supported on the following platforms:

  • SDX 9100
  • MPX/SDX 16000

At the command prompt, type:

    > stat ssl

    SSL Summary
    1. SSL cards present                    4
    2. SSL cards UP                         4
    SSL engine status                       1
    SSL sessions (Rate)                 19849
    SSL Crypto Utilization Asym (%)        88
    SSL Crypto Utilization Symm (%)         1

    Crypto Utilization(%)
    Asymmetric Crypto Utilization       86.30
    Symmetric Crypto Utilization         0.97

    System
    Transactions                    Rate (/s)        Total
    SSL transactions                    19849     45900312
    SSLv2 transactions                      0            0
    SSLv3 transactions                      0            0
    TLSv1 transactions                      0            0
    TLSv1.1 transactions                    0            0
    TLSv1.2 transactions                19849     45900312
    TLSv1.3 transactions                    0            0
    DTLSv1 transactions                     0            0
    DTLSv1.2 transactions                   0            0

    Front End
    Sessions                        Rate (/s)        Total
    SSL sessions                        19849     45937019
    SSLv2 sessions                          0            0
    SSLv3 sessions                          0            0
    TLSv1 sessions                          0            0
    TLSv1.1 sessions                        0            0
    TLSv1.2 sessions                    19849     45937019
    TLSv1.3 sessions                        0            0
    DTLSv1 sessions                         0            0
    DTLSv1.2 sessions                       0            0
    New SSL sessions                    19881     50722628
    SSL session misses                      0            0
    SSL session hits                        0            0

    Back End
    Sessions                        Rate (/s)        Total
    SSL sessions                            0          137
    SSLv3 sessions                          0            0
    TLSv1 sessions                          0            0
    TLSv1.1 sessions                        0            0
    TLSv1.2 sessions                        0          137
    DTLSv1 sessions                         0            0
    Session multiplex attempts              0            0
    Session multiplex successes             0            0
    Session multiplex failures              0            0

    Encryption/Decryption statistics
    Crypto Operation             Rate (bytes/s)  Total Bytes
    Bytes encrypted                  24338213  27705995030
    Bytes decrypted                  24664169  27942280990
    Done

Values for the following counters are obtained by polling the hardware:

  • SSL Crypto Utilization Asym (%) 88
  • SSL Crypto Utilization Symm (%) 1

Values for the following counters are computed in software. These values might vary slightly from the hardware-polled values.

  • Crypto Utilization(%)
  • Asymmetric Crypto Utilization 85.92
  • RSA Crypto Utilization 11.43
    • RSA_4K 0.00
    • RSA_2K 11.43
    • RSA_1K 0.00
    • RSA_Others 0.00
  • DH Crypto Utilization 74.50
  • ECDH Crypto Utilization 0.00
    • ECDH_P224 0.00
    • ECDH_P256 0.00
    • ECDH_P384 0.00
    • ECDH_P521 0.00
  • ECDSA Crypto Utilization 0.00
    • ECDSA_P224 0.00
    • ECDSA_P256 0.00
    • ECDSA_P384 0.00
    • ECDSA_P521 0.00
  • Symmetric Crypto Utilization 0.72

For granular utilization per cipher, run the following command.

    > stat ssl -detail

    SSL Offloading
    1. SSL cards present                    4
    2. SSL cards UP                         4
    SSL engine status                       1
    SSL sessions (Rate)                 19862
    SSL Crypto Utilization Asym (%)        88
    SSL Crypto Utilization Symm (%)         1

    Crypto Utilization(%)
    Asymmetric Crypto Utilization       85.92
    RSA Crypto Utilization              11.43
    RSA_4K                               0.00
    RSA_2K                              11.43
    RSA_1K                               0.00
    RSA_Others                           0.00
    DH Crypto Utilization               74.50
    ECDH Crypto Utilization              0.00
    ECDH_P224                            0.00
    ECDH_P256                            0.00
    ECDH_P384                            0.00
    ECDH_P521                            0.00
    ECDSA Crypto Utilization             0.00
    ECDSA_P224                           0.00
    ECDSA_P256                           0.00
    ECDSA_P384                           0.00
    ECDSA_P521                           0.00
    Symmetric Crypto Utilization         0.72

    System
    Transactions                    Rate (/s)        Total
    SSL transactions                    19861     46039342
    SSLv2 transactions                      0            0
    SSLv3 transactions                      0            0
    TLSv1 transactions                      0            0
    TLSv1.1 transactions                    0            0
    TLSv1.2 transactions                19861     46039342
    TLSv1.3 transactions                    0            0
    DTLSv1 transactions                     0            0
    DTLSv1.2 transactions                   0            0
    Server in record                   117437    277622634

    Front End
    Sessions                        Rate (/s)        Total
    SSL sessions                        19862     46076050
    SSLv2 sessions                          0            0
    SSLv3 sessions                          0            0
    TLSv1 sessions                          0            0
    TLSv1.1 sessions                        0            0
    TLSv1.2 sessions                    19862     46076050
    TLSv1.3 sessions                        0            0
    DTLSv1 sessions                         0            0
    DTLSv1.2 sessions                       0            0
    New SSL sessions                    19801     50861234
    SSL session misses                      0            0
    SSL session hits                        0            0

    Session Renegotiation
    SSL session renegotiations              0            0
    SSLv3 session renegotiations            0            0
    TLSv1 session renegotiations            0            0
    TLSv1.1 session renegotiations          0            0
    TLSv1.2 session renegotiations          0            0
    DTLSv1 session renegotiations           0            0
    DTLSv1.2 session renegotiations         0            0

    Key Exchanges
    RSA 512-bit key exchanges               0            0
    RSA 1024-bit key exchanges              0      2032658
    RSA 2048-bit key exchanges              0          143
    RSA 3072-bit key exchanges              0      7757028
    RSA 4096-bit key exchanges              0      2238698
    DH 512-bit key exchanges                0            0
    DH 1024-bit key exchanges               0            0
    DH 2048-bit key exchanges           19862      5477702
    DH 4096-bit key exchanges               0            0
    ECDHE 521 curve key exchanges           0            0
    ECDHE 384 curve key exchanges           0            0
    ECDHE 256 curve key exchanges           0     28569821
    ECDHE 224 curve key exchanges           0            0
    Total ECDHE key exchanges               0     28569821

    Ciphers Negotiated
    RC4 40-bit encryptions                  0            0
    RC4 56-bit encryptions                  0            0
    RC4 64-bit encryptions                  0            0
    RC4 128-bit encryptions                 0            0
    DES 40-bit encryptions                  0            0
    DES 56-bit encryptions                  0            0
    3DES 168-bit encryptions                0            0
    AES 128-bit encryptions                 0            0
    AES 256-bit encryptions             19862     17506229
    RC2 40-bit encryptions                  0            0
    RC2 56-bit encryptions                  0            0
    RC2 128-bit encryptions                 0            0
    AES-GCM 128-bit encryptions             0            0
    AES-GCM 256-bit encryptions             0     28569821
    Null cipher encryptions                 0            0

    Hashes
    MD5 hashes                              0            0
    SHA hashes                              0     12028527
    SHA256 hashes                       19862      5477702
    SHA384 hashes                           0            0

    Handshakes
    SSLv2 SSL handshakes                    0            0
    SSLv3 SSL handshakes                    0            0
    TLSv1 SSL handshakes                    0            0
    TLSv1.1 SSL handshakes                  0            0
    TLSv1.2 SSL handshakes              19862     46076050
    TLSv1.3 SSL handshakes                  0            0
    DTLSv1 SSL handshakes                   0            0
    DTLSv1.2 SSL handshakes                 0            0

    Client Authentications
    SSLv2 client authentications            0            0
    SSLv3 client authentications            0            0
    TLSv1 client authentications            0            0
    TLSv1.1 client authentications          0            0
    TLSv1.2 client authentications          0            0
    TLSv1.3 client authentications          0            0
    DTLSv1 client authentications           0            0
    DTLSv1.2 client authentications         0            0

    Authentications
    RSA authentications                 19862     17506229
    DH authentications                      0            0
    DSS (DSA) authentications               0            0
    ECDSA authentications                   0     28569821
    Null authentications                    0            0

    Back End
    Sessions                        Rate (/s)        Total
    SSL sessions                            0          137
    SSLv3 sessions                          0            0
    TLSv1 sessions                          0            0
    TLSv1.1 sessions                        0            0
    TLSv1.2 sessions                        0          137
    DTLSv1 sessions                         0            0
    Session multiplex attempts              0            0
    Session multiplex successes             0            0
    Session multiplex failures              0            0

    Session Renegotiation
    SSL session renegotiations              0            0
    SSLv3 session renegotiations            0            0
    TLSv1 session renegotiations            0            0
    TLSv1.1 back-end session renegot        0            0
    TLSv1.2 back-end session renegot        0            0
    DTLSv1 session renegotiations           0            0

    Key Exchanges
    RSA 512-bit key exchanges               0            0
    RSA 1024-bit key exchanges              0            0
    RSA 2048-bit key exchanges              0          137
    RSA 3072-bit key exchanges              0            0
    RSA 4096-bit key exchanges              0            0
    DH 512-bit key exchanges                0            0
    DH 1024-bit key exchanges               0            0
    DH 2048-bit key exchanges               0            0
    DH 4096-bit key exchanges               0            0
    ECDHE 521 curve key exchanges           0            0
    ECDHE 384 curve key exchanges           0            0
    ECDHE 256 curve key exchanges           0            0
    ECDHE 224 curve key exchanges           0            0

    Ciphers Negotiated
    RC4 40-bit encryptions                  0            0
    RC4 56-bit encryptions                  0            0
    RC4 64-bit encryptions                  0            0
    RC4 128-bit encryptions                 0            0
    DES 40-bit encryptions                  0            0
    DES 56-bit encryptions                  0            0
    3DES 168-bit encryptions                0            0
    AES 128-bit encryptions                 0            0
    AES 256-bit encryptions                 0          137
    RC2 40-bit encryptions                  0            0
    RC2 56-bit encryptions                  0            0
    RC2 128-bit encryptions                 0            0
    AES-GCM 128-bit encryptions             0            0
    AES-GCM 256-bit encryptions             0            0
    Null encryptions                        0            0

    Hashes
    MD5 hashes                              0            0
    SHA hashes                              0          137
    SHA256 hashes                           0            0
    SHA384 hashes                           0            0

    Handshakes
    SSLv3 handshakes                        0            0
    TLSv1 handshakes                        0            0
    TLSv1.1 handshakes                      0            0
    TLSv1.2 handshakes                      0          137
    DTLSv1 handshakes                       0            0

    Client Authentications
    SSLv3 client authentications            0            0
    TLSv1 client authentications            0            0
    TLSv1.1 client authentications          0            0
    TLSv1.2 client authentications          0            0
    DTLSv1 client authentications           0            0

    Authentications
    RSA authentications                     0          137
    DH authentications                      0            0
    DSS authentications                     0            0
    ECDSA authentications                   0            0
    Null authentications                    0            0

    System Total
    RSA key exchanges offloaded             0            0
    RSA sign operations offloaded           0            0
    DH key exchanges offloaded          19841      5481037
    RC4 encryptions offloaded               0            0
    DES encryptions offloaded               0            0
    AES encryptions offloaded               0            0
    AES-GCM 128-bit encryptions offl        0            0
    AES-GCM 256-bit encryptions offl        0            0

    Encryption/Decryption statistics
    Crypto Operation             Rate (bytes/s)  Total Bytes
    Bytes encrypted                  12129801  27790903638
    Bytes encrypted in hardware      12129801  27790903638
    Bytes encrypted in software             0            0
    Bytes encrypted on the front-end  5450907  13430410630
    Bytes encrypted in hardware on t  5450907  13430410630
    Bytes encrypted in software on t        0            0
    Bytes encrypted on the back-end   6678894  14360493008
    Bytes encrypted in hardware on t  6678894  14360493008
    Bytes encrypted in software on t        0            0
    Bytes decrypted                  12449504  28029427518
    Bytes decrypted in hardware      12449504  28029427518
    Bytes decrypted in software             0            0
    Bytes decrypted on the front-end  8190208  19876552670
    Bytes decrypted in hardware on t  8190208  19876552670
    Bytes decrypted in software on t        0            0
    Bytes decrypted on the back-end   4259296   8152874848
    Bytes decrypted in hardware on t  4259296   8152874848
    Bytes decrypted in software on t        0            0

    SSL                             Rate (/s)        Total
    Total SPCB in use                     -87        84656
    Active SSL sessions                -30309      5615559
    Current queue size                     -1         4153

    CardQ                           Rate (/s)        Total
    In Q count for current card            -1         4153
    In BulkQ count for current card         0            0
    In KeyQ count for current card         -1         4153
    Done

Notes

  • Admin partition is supported, but the utilization for all partitions is shown in the default partition. On non-default partitions, these values display as 0.
  • In a cluster setup, the CLIP address displays the average utilization for all the nodes in the cluster. For node-specific utilization, run the command on the CLI of each node. This data might be incorrect for an SDX platform if the nodes of the cluster are hosted on the same hardware.
  • For VPX instances on the SDX platform, the utilization of each VPX instance is displayed.
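
A small parser for the utilization block of the stat ssl -detail output shown above, useful for scripted monitoring from the CLI. This is an added example, not NetScaler code: the function names and the one-counter-per-line layout are assumptions, and the sample text is constructed from the values on this page.

```python
import re

# Constructed sample built from the values shown on this page. The layout
# (one counter per line, value last) is an assumption about the CLI output.
SAMPLE = """\
SSL Crypto Utilization Asym (%)      88
SSL Crypto Utilization Symm (%)       1
Crypto Utilization(%)
Asymmetric Crypto Utilization     85.92
RSA Crypto Utilization            11.43
RSA_2K                            11.43
DH Crypto Utilization             74.50
ECDH Crypto Utilization            0.00
ECDSA Crypto Utilization           0.00
Symmetric Crypto Utilization       0.72
System
Transactions          Rate (/s)   Total
SSL transactions          19861   46039342
"""

COUNTER = re.compile(r"^\s*(.+?)\s+(\d+(?:\.\d+)?)\s*$")
LAST = "Symmetric Crypto Utilization"  # final counter of the utilization block

def parse_utilization(text):
    """Return {counter: value} for every counter up to the end of the utilization block."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if not m:
            continue  # section titles such as "Crypto Utilization(%)"
        counters[m.group(1)] = float(m.group(2))
        if m.group(1) == LAST:
            break  # the rate/total tables that follow are not utilization
    return counters

def dominant_asym_family(counters):
    """(family, percent) of the algorithm family using the most asymmetric capacity."""
    families = {name.split()[0]: value for name, value in counters.items()
                if re.fullmatch(r"(RSA|DH|ECDH|ECDSA) Crypto Utilization", name)}
    return max(families.items(), key=lambda item: item[1])

def hw_sw_gap(counters):
    """Hardware-polled minus software-derived asymmetric utilization."""
    return round(counters["SSL Crypto Utilization Asym (%)"]
                 - counters["Asymmetric Crypto Utilization"], 2)

if __name__ == "__main__":
    stats = parse_utilization(SAMPLE)
    print(dominant_asym_family(stats), hw_sw_gap(stats))
```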

SNMP OID and trap for SSL symmetric and asymmetric crypto utilization

Note:

This feature is available in NetScaler release 14.1 build 17.x and later.

SNMP OIDs are used for monitoring, and SNMP alarms are sent when the crypto utilization reaches the configured limit and when it returns to normal. From release 14.1 build 17.x, NetScaler can send traps for software-based symmetric and asymmetric crypto utilization when the configured thresholds are crossed. It also provides an SNMP OID to read the absolute values of these crypto utilization counters. In earlier releases, these values could be read only from the CLI.

Configure SNMP alarms for crypto utilization using the CLI

At the command line, type:

    > set snmp alarm SSL-ASYM-CRYPTO-UTILIZATION -logging ( ENABLED | DISABLED ) -severity <severity> -state ( ENABLED | DISABLED ) -thresholdValue <positive_integer> [-normalValue <positive_integer>] -time <secs>
    > set snmp alarm SSL-SYM-CRYPTO-UTILIZATION -logging ( ENABLED | DISABLED ) -severity <severity> -state ( ENABLED | DISABLED ) -thresholdValue <positive_integer> [-normalValue <positive_integer>] -time <secs>

Example:

    set snmp alarm SSL-ASYM-CRYPTO-UTILIZATION -thresholdValue 37 -normalValue 17
    set snmp alarm SSL-SYM-CRYPTO-UTILIZATION -thresholdValue 25 -normalValue 15

Configure SNMP alarms for crypto utilization using the GUI

  1. Navigate to System > SNMP > Alarms.
  2. Do one of the following:
    • To configure the asymmetric crypto utilization alarm, search for SSL-ASYM-CRYPTO-UTILIZATION and click it.
    • To configure the symmetric crypto utilization alarm, search for SSL-SYM-CRYPTO-UTILIZATION and click it.
  3. In the Configure SNMP Alarm page, enter the values for the different parameters and click OK.

Crypto utilization on NetScaler SDX

The SNMP OID and trap implementation is based on software-based crypto utilization. The maximum crypto capacity is fixed for MPX, and the software uses that value to derive the utilization.

For SDX, each VPX can have a predefined number of crypto units allocated. The allocated crypto units are the minimum guaranteed resources for the VPX, but it can also use the free crypto units available at the SDX level. The software-based crypto utilization provided for VPX on SDX is at the SDX level.

Therefore, when thresholds are configured for symmetric or asymmetric SNMP alarms on SDX, admins must take into account the percentage of crypto units allocated for each VPX and derive a threshold to be configured for these alarms.

For example, suppose the total crypto units on SDX are 100 K and three VPX instances are provisioned on SDX. The crypto units allocated to VPX1, VPX2, and VPX3 are 50 K, 25 K, and 25 K respectively. The threshold is set at 80%.

|            | Actual utilization on VPX1 | Actual utilization on VPX2 | Actual utilization on VPX3 | Comments |
|------------|----------------------------|----------------------------|----------------------------|----------|
| Scenario 1 | 80% | 0% | 0% | When utilization hits 80% on VPX1, it generates a trap. Since there is no traffic to the other VPX, the trap from VPX1 indicates the actual utilization at SDX as well. |
| Scenario 2 | 40% | 25% | 15% | None of the VPX generate a trap although overall utilization is 80%. |

Problem: In scenario 2, the trap is not sent even though the overall utilization at the SDX level has crossed the threshold.

Solution: Admins must manually derive the equivalent percentage for each VPX based on its allocation. In scenario 2, calculate the corresponding percentage for each VPX by multiplying the percentage of crypto units allocated to it by the configured threshold percentage.

|   | VPX1 | VPX2 | VPX3 | Comments |
|---|------|------|------|----------|
| Crypto units = 100k | 50K | 25K | 25K | |
| Derived threshold = % crypto units allocated * % threshold (Overall threshold = 80%) | 40% | 20% | 20% | For example, VPX 1 has 50% of crypto units allocated. Therefore the derived threshold is 50% of the overall threshold. VPX2 and VPX3 each have 25% of the crypto units allocated. Therefore, the derived threshold is 25% of the overall threshold. |

An SNMP alarm is now sent when the utilization on VPX1 crosses 40% instead of when it crosses 80%. Even if the overall utilization at the SDX level has not crossed the configured percentage, the alarm is an indication to the admin to monitor.
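
The derivation above as an added example (not NetScaler code): it computes each VPX's derived threshold from its share of the SDX crypto units, replays the two scenarios from the table, and builds the alarm commands to apply on each VPX. The function names are illustrative, and rounding the derived value down to an integer is an assumption made because -thresholdValue takes a positive integer.

```python
ALARMS = ("SSL-ASYM-CRYPTO-UTILIZATION", "SSL-SYM-CRYPTO-UTILIZATION")

# Figures from the example on this page.
SDX_TOTAL_UNITS = 100_000
ALLOCATED = {"VPX1": 50_000, "VPX2": 25_000, "VPX3": 25_000}
SCENARIOS = {
    "Scenario 1": {"VPX1": 80, "VPX2": 0, "VPX3": 0},
    "Scenario 2": {"VPX1": 40, "VPX2": 25, "VPX3": 15},
}

def derived_thresholds(allocated, sdx_total, overall_pct):
    """Derived threshold = % of crypto units allocated * overall threshold %."""
    if sum(allocated.values()) > sdx_total:
        raise ValueError("allocations exceed the crypto units on the SDX")
    # Assumption: round down to an integer (alarm early rather than late), minimum 1.
    return {vpx: max(1, units * overall_pct // sdx_total)
            for vpx, units in allocated.items()}

def trapping_instances(utilization_pct, thresholds):
    """VPX instances whose SDX-level utilization has reached their threshold."""
    return sorted(vpx for vpx, used in utilization_pct.items()
                  if used >= thresholds[vpx])

def compare(overall_pct=80):
    """For each scenario: SDX-wide utilization and which VPX trap under each scheme."""
    same_everywhere = dict.fromkeys(ALLOCATED, overall_pct)
    derived = derived_thresholds(ALLOCATED, SDX_TOTAL_UNITS, overall_pct)
    return {name: {"sdx_pct": sum(used.values()),
                   "overall_threshold": trapping_instances(used, same_everywhere),
                   "derived_threshold": trapping_instances(used, derived)}
            for name, used in SCENARIOS.items()}

def alarm_commands(threshold_pct):
    """CLI lines to run on one VPX, using the syntax shown earlier on this page."""
    return [f"set snmp alarm {alarm} -thresholdValue {threshold_pct}"
            for alarm in ALARMS]

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
    for vpx, pct in derived_thresholds(ALLOCATED, SDX_TOTAL_UNITS, 80).items():
        print(vpx, *alarm_commands(pct), sep="\n  ")
```

With the derived values, scenario 2 raises alarms on VPX1 (40% against a 40% threshold) and VPX2 (25% against 20%), while the same 80% threshold on every VPX raises none.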
