Support for Intel Coleto and Intel Lewisburg SSL chip-based platforms

The following appliances ship with Intel Coleto chips:

• MPX 5900
• MPX/SDX 8900
• MPX/SDX 15000
• MPX/SDX 15000-50G
• MPX/SDX 26000
• MPX/SDX 26000-50S
• MPX/SDX 26000-100G

The following appliance ships with Intel Lewisburg chips:

• MPX/SDX 9100

Use the ‘show hardware’ command to identify whether your appliance has Coleto (COL) or Lewisburg (LBG) chips.

> sh hardware    Platform: NSMPX-8900 8*CPU+4*F1X+6*E1K+1*E1K+1*COL 8955 30010    Manufactured on: 10/18/2016    CPU: 2100MHZ    Host Id: 0    Serial no: CRAC5CR8UA    Encoded serial no: CRAC5CR8UA Done<!--NeedCopy-->

> sh hardware        Platform: NSMPX-9100 10*CPU+64GB+8*F2X+E1K+1*LBG C627 35000        Manufactured on: 10/1/2021        CPU: 2300MHZ        Host Id: 161644678        Serial no: N2Z3ZD9S21        Encoded serial no: N2Z3ZD9S21        Netscaler UUID: 41a26261-227e-11ec-b4db-3cecef56f86b        BMC Revision: 1.00Done<!--NeedCopy-->

Limitations

The following ciphers, protocols, and features are not supported:

• DH 512 cipher
• SSLv3 protocol
• Azure Key Vault
• GnuTLS
• ECDSA certificates with ECC curves P_224 and P521
• DNSSEC offload (DNSSEC is supported in software but offload to hardware is not supported.)

Note

Support for the Thales Luna Network hardware security module (HSM) is available in release 13.1 build 33.x and later.

View the SSL chip utilization on Citrix ADC MPX and SDX platforms

From release 13.1 build 21.x, counters are added to view more details about the SSL chip utilization on the following platforms:

• MPX and SDX platforms that ship with Intel Coleto chips.
• MPX platforms that ship with Intel Lewisburg chips.

This feature is not supported on the SDX 9100 platform.

At the command prompt, type:

> stat sslSSL Summary1.  SSL cards present 42.  SSL cards UP 4    SSL engine status 1    SSL sessions (Rate) 19849    SSL Crypto Utilization Asym (%) 88    SSL Crypto Utilization Symm (%) 1Crypto Utilization(%)Asymmetric Crypto Utilization 86.30Symmetric Crypto Utilization 0.97SystemTransactions Rate (/s) TotalSSL transactions 19849 45900312SSLv2 transactions 0 0SSLv3 transactions 0 0TLSv1 transactions 0 0TLSv1.1 transactions 0 0TLSv1.2 transactions 19849 45900312TLSv1.3 transactions 0 0DTLSv1 transactions 0 0DTLSv1.2 transactions 0 0Front EndSessions Rate (/s) TotalSSL sessions 19849 45937019SSLv2 sessions 0 0SSLv3 sessions 0 0TLSv1 sessions 0 0TLSv1.1 sessions 0 0TLSv1.2 sessions 19849 45937019TLSv1.3 sessions 0 0DTLSv1 sessions 0 0DTLSv1.2 sessions 0 0New SSL sessions 19881 50722628SSL session misses 0 0SSL session hits 0 0Back EndSessions Rate (/s) TotalSSL sessions 0 137SSLv3 sessions 0 0TLSv1 sessions 0 0TLSv1.1 sessions 0 0TLSv1.2 sessions 0 137DTLSv1 sessions 0 0Session multiplex attempts 0 0Session multiplex successes 0 0Session multiplex failures 0 0Encryption/Decryption statisticsCrypto Operation Rate (bytes/s) Total BytesBytes encrypted 24338213 27705995030Bytes decrypted 24664169 27942280990Done<!--NeedCopy-->

Values for the following counters are achieved by polling the hardware:

-  SSL Crypto Utilization Asym (%) 88-  SSL Crypto Utilization Symm (%) 1<!--NeedCopy-->

Values for the following counters are achieved using the software. The values might vary slightly from the hardware-polled values.

• Crypto Utilization(%)
• Asymmetric Crypto Utilization 85.92
• RSA Crypto Utilization 11.43 RSA_4K 0.00 RSA_2K 11.43 RSA_1K 0.00 RSA_Others 0.00
• DH Crypto Utilization 74.50 ECDH Crypto Utilization 0.00 ECDH_P224 0.00 ECDH_P256 0.00 ECDH_P384 0.00 ECDH_P521 0.00
• ECDSA Crypto Utilization 0.00 ECDSA_P224 0.00 ECDSA_P256 0.00 ECDSA_P384 0.00 ECDSA_P521 0.00
• Symmetric Crypto Utilization 0.72

For granular utilization per cipher, run the following command.

> stat ssl -detailSSL Offloading1.  SSL cards present 42.  SSL cards UP 4    SSL engine status 1    SSL sessions (Rate) 19862    SSL Crypto Utilization Asym (%) 88    SSL Crypto Utilization Symm (%) 1Crypto Utilization(%)Asymmetric Crypto Utilization 85.92RSA Crypto Utilization 11.43RSA_4K 0.00RSA_2K 11.43RSA_1K 0.00RSA_Others 0.00DH Crypto Utilization 74.50ECDH Crypto Utilization 0.00ECDH_P224 0.00ECDH_P256 0.00ECDH_P384 0.00ECDH_P521 0.00ECDSA Crypto Utilization 0.00ECDSA_P224 0.00ECDSA_P256 0.00ECDSA_P384 0.00ECDSA_P521 0.00Symmetric Crypto Utilization 0.72SystemTransactions Rate (/s) TotalSSL transactions 19861 46039342SSLv2 transactions 0 0SSLv3 transactions 0 0TLSv1 transactions 0 0TLSv1.1 transactions 0 0TLSv1.2 transactions 19861 46039342TLSv1.3 transactions 0 0DTLSv1 transactions 0 0DTLSv1.2 transactions 0 0Server in record 117437 277622634Front EndSessions Rate (/s) TotalSSL sessions 19862 46076050SSLv2 sessions 0 0SSLv3 sessions 0 0TLSv1 sessions 0 0TLSv1.1 sessions 0 0TLSv1.2 sessions 19862 46076050TLSv1.3 sessions 0 0DTLSv1 sessions 0 0DTLSv1.2 sessions 0 0New SSL sessions 19801 50861234SSL session misses 0 0SSL session hits 0 0Session RenegotiationSSL session renegotiations 0 0SSLv3 session renegotiations 0 0TLSv1 session renegotiations 0 0TLSv1.1 session renegotiations 0 0TLSv1.2 session renegotiations 0 0DTLSv1 session renegotiations 0 0DTLSv1.2 session renegotiations 0 0Key ExchangesRSA 512-bit key exchanges 0 0RSA 1024-bit key exchanges 0 2032658RSA 2048-bit key exchanges 0 143RSA 3072-bit key exchanges 0 7757028RSA 4096-bit key exchanges 0 2238698DH 512-bit key exchanges 0 0DH 1024-bit key exchanges 0 0DH 2048-bit key exchanges 19862 5477702DH 4096-bit key exchanges 0 0ECDHE 521 curve key exchanges 0 0ECDHE 384 curve key exchanges 0 0ECDHE 256 curve key exchanges 0 28569821ECDHE 224 curve key exchanges 0 0Total ECDHE key exchanges 0 28569821Ciphers NegotiatedRC4 40-bit encryptions 0 0RC4 56-bit encryptions 0 0RC4 64-bit encryptions 0 0RC4 128-bit encryptions 0 0DES 40-bit encryptions 0 0DES 56-bit encryptions 0 03DES 168-bit encryptions 0 0AES 128-bit encryptions 0 0AES 256-bit encryptions 19862 17506229RC2 40-bit encryptions 0 0RC2 56-bit encryptions 0 0RC2 128-bit encryptions 0 0AES-GCM 128-bit encryptions 0 0AES-GCM 256-bit encryptions 0 28569821Null cipher encryptions 0 0HashesMD5 hashes 0 0SHA hashes 0 12028527SHA256 hashes 19862 5477702SHA384 hashes 0 0HandshakesSSLv2 SSL handshakes 0 0SSLv3 SSL handshakes 0 0TLSv1 SSL handshakes 0 0TLSv1.1 SSL handshakes 0 0TLSv1.2 SSL handshakes 19862 46076050TLSv1.3 SSL handshakes 0 0DTLSv1 SSL handshakes 0 0DTLSv1.2 SSL handshakes 0 0Client AuthenticationsSSLv2 client authentications 0 0SSLv3 client authentications 0 0TLSv1 client authentications 0 0TLSv1.1 client authentications 0 0TLSv1.2 client authentications 0 0TLSv1.3 client authentications 0 0DTLSv1 client authentications 0 0DTLSv1.2 client authentications 0 0AuthenticationsRSA authentications 19862 17506229DH authentications 0 0DSS (DSA) authentications 0 0ECDSA authentications 0 28569821Null authentications 0 0Back EndSessions Rate (/s) TotalSSL sessions 0 137SSLv3 sessions 0 0TLSv1 sessions 0 0TLSv1.1 sessions 0 0TLSv1.2 sessions 0 137DTLSv1 sessions 0 0Session multiplex attempts 0 0Session multiplex successes 0 0Session multiplex failures 0 0Session RenegotiationSSL session renegotiations 0 0SSLv3 session renegotiations 0 0TLSv1 session renegotiations 0 0TLSv1.1 back-end session renegot 0 0TLSv1.2 back-end session renegot 0 0DTLSv1 session renegotiations 0 0Key ExchangesRSA 512-bit key exchanges 0 0RSA 1024-bit key exchanges 0 0RSA 2048-bit key exchanges 0 137RSA 3072-bit key exchanges 0 0RSA 4096-bit key exchanges 0 0DH 512-bit key exchanges 0 0DH 1024-bit key exchanges 0 0DH 2048-bit key exchanges 0 0DH 4096-bit key exchanges 0 0ECDHE 521 curve key exchanges 0 0ECDHE 384 curve key exchanges 0 0ECDHE 256 curve key exchanges 0 0ECDHE 224 curve key exchanges 0 0Ciphers NegotiatedRC4 40-bit encryptions 0 0RC4 56-bit encryptions 0 0RC4 64-bit encryptions 0 0RC4 128-bit encryptions 0 0DES 40-bit encryptions 0 0DES 56-bit encryptions 0 03DES 168-bit encryptions 0 0AES 128-bit encryptions 0 0AES 256-bit encryptions 0 137RC2 40-bit encryptions 0 0RC2 56-bit encryptions 0 0RC2 128-bit encryptions 0 0AES-GCM 128-bit encryptions 0 0AES-GCM 256-bit encryptions 0 0Null encryptions 0 0HashesMD5 hashes 0 0SHA hashes 0 137SHA256 hashes 0 0SHA384 hashes 0 0HandshakesSSLv3 handshakes 0 0TLSv1 handshakes 0 0TLSv1.1 handshakes 0 0TLSv1.2 handshakes 0 137DTLSv1 handshakes 0 0Client AuthenticationsSSLv3 client authentications 0 0TLSv1 client authentications 0 0TLSv1.1 client authentications 0 0TLSv1.2 client authentications 0 0DTLSv1 client authentications 0 0AuthenticationsRSA authentications 0 137DH authentications 0 0DSS authentications 0 0ECDSA authentications 0 0Null authentications 0 0System TotalRSA key exchanges offloaded 0 0RSA sign operations offloaded 0 0DH key exchanges offloaded 19841 5481037RC4 encryptions offloaded 0 0DES encryptions offloaded 0 0AES encryptions offloaded 0 0AES-GCM 128-bit encryptions offl 0 0AES-GCM 256-bit encryptions offl 0 0Encryption/Decryption statisticsCrypto Operation Rate (bytes/s) Total BytesBytes encrypted 12129801 27790903638Bytes encrypted in hardware 12129801 27790903638Bytes encrypted in software 0 0Bytes encrypted on the front-end 5450907 13430410630Bytes encrypted in hardware on t 5450907 13430410630Bytes encrypted in software on t 0 0Bytes encrypted on the back-end 6678894 14360493008Bytes encrypted in hardware on t 6678894 14360493008Bytes encrypted in software on t 0 0Bytes decrypted 12449504 28029427518Bytes decrypted in hardware 12449504 28029427518Bytes decrypted in software 0 0Bytes decrypted on the front-end 8190208 19876552670Bytes decrypted in hardware on t 8190208 19876552670Bytes decrypted in software on t 0 0Bytes decrypted on the back-end 4259296 8152874848Bytes decrypted in hardware on t 4259296 8152874848Bytes decrypted in software on t 0 0SSLRate (/s) TotalTotal SPCB in use -87 84656Active SSL sessions -30309 5615559Current queue size -1 4153CardQRate (/s) TotalIn Q count for current card -1 4153In BulkQ count for current card 0 0In KeyQ count for current card -1 4153Done<!--NeedCopy-->

Notes

• Admin partition is supported, but the utilization for all partitions is shown in the default partition. On non-default partitions, these values display as 0.
• In a cluster setup, the CLIP address displays the average utilization for all the nodes in the cluster. For node-specific utilization, run the command on the CLI of each node. This data might be incorrect for an SDX platform if the nodes of the cluster are hosted on the same hardware.
• For VPX instances on the SDX platform, the utilization of each VPX instance is displayed.