Unusual latency when performing TLS Handshake

Article ID: 131625

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

- Between the gateway and the backend server there is an A10 load balancer.
- For each SSL handshake there is 200ms of latency at the 'Client Key Exchange' step.

The cause of this problem is as follows.
The gateway implements Nagle's algorithm: after sending a small segment it waits for the server's ACK (or for the send buffer to fill) before sending the next small segment.
On the LB side, ack-aggressiveness is set to low by default, which means Delayed ACK is enabled: the ACK is not sent until a second segment is received or the Delayed ACK timer expires.
The SSL handshake sends many small packets. At one of the steps the Delayed ACK takes effect: the LB waits for the next packet before sending its ACK, while the gateway waits for that ACK before sending its next packet. This is a deadlock that is only broken when the Delayed ACK timer expires.

Environment

Release:
Component: APIGTW

Resolution

On the A10 load balancer, set ack-aggressiveness to medium or high.
Medium level: Delayed ACK stays enabled, but an ACK is returned immediately for each packet that has the PUSH flag set.
High level: an ACK is returned for every packet.

Because all SSL handshake packets are sent with the PUSH flag, medium is the better setting: it removes the handshake stall while keeping the benefit of Delayed ACK for normal traffic.
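The following is an added toy model of the interaction described in this article (Nagle on the gateway side, Delayed ACK with the three ack-aggressiveness levels on the LB side); it is not code from the article or from CA/A10. The record names and sizes in the client flight, the 1ms one-way delay and the 200ms Delayed ACK timer are constructed assumptions. It shows why the low setting stalls on every small segment, why medium is enough when the segments carry PSH, and gives a small gap check of the kind you would run over packet timestamps from a capture to confirm the symptom.

```python
"""Toy model of the Nagle + Delayed ACK deadlock described in the article.

Constructed example: the gateway (sender) runs Nagle's algorithm, the
load balancer (receiver) runs Delayed ACK with an 'ack-aggressiveness'
knob.  Only sub-MSS segments are modelled, which is what TLS handshake
records are.  Timings (1 ms one-way, 200 ms delayed-ACK timer) and the
record sizes below are assumptions, not values taken from the article.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str   # TLS record name, for readability only
    size: int   # bytes, always below the MSS in this model
    psh: bool   # PSH flag set by the sender


# Constructed client-side flight of a TLS 1.2 handshake: three small
# records written separately, so they leave as three small segments.
CLIENT_FLIGHT = (
    Segment("ClientKeyExchange", 262, psh=True),
    Segment("ChangeCipherSpec", 6, psh=True),
    Segment("Finished", 45, psh=True),
)


def receiver_ack_delay_ms(seg, ack_mode, delayed_ack_timeout_ms):
    """Delay between the receiver getting `seg` and it sending the ACK.

    Models the three ack-aggressiveness levels from the article:
      low    - delayed ACK: wait for a 2nd segment or the timer
      medium - delayed ACK, but ACK at once when PSH is set
      high   - ACK every segment immediately
    With Nagle on the sender side the 2nd segment never arrives while the
    first is unacknowledged, so 'wait for a 2nd segment' degenerates into
    'wait for the timer'.
    """
    if ack_mode == "high":
        return 0
    if ack_mode == "medium" and seg.psh:
        return 0
    if ack_mode in ("low", "medium"):
        return delayed_ack_timeout_ms
    raise ValueError(f"unknown ack_mode {ack_mode!r}")


def simulate(flight, ack_mode, one_way_ms=1, delayed_ack_timeout_ms=200):
    """Return (send_times_ms, total_ms) for a Nagle sender pushing `flight`.

    Nagle: a new small segment may only be sent once the previous one has
    been acknowledged, so each segment's send time is the arrival time of
    the ACK for the previous one.
    """
    now = 0
    send_times = []
    for seg in flight:
        send_times.append(now)          # nothing unacknowledged: send now
        arrives = now + one_way_ms
        acked = arrives + receiver_ack_delay_ms(seg, ack_mode,
                                               delayed_ack_timeout_ms)
        now = acked + one_way_ms        # ACK is back at the sender
    return send_times, now


def stalls(send_times_ms, threshold_ms=100):
    """Gaps between consecutive sends that reach `threshold_ms`.

    Applied to packet timestamps read from a capture, this is the check
    that distinguishes a Delayed ACK stall (a gap of roughly the ACK timer
    between two tiny segments from the gateway) from a slow backend.
    """
    pairs = zip(send_times_ms, send_times_ms[1:])
    return [(i, b - a) for i, (a, b) in enumerate(pairs) if b - a >= threshold_ms]


if __name__ == "__main__":
    for mode in ("low", "medium", "high"):
        times, total = simulate(CLIENT_FLIGHT, mode)
        print(f"{mode:6s} sends at {times} ms, flight done at {total} ms, "
              f"stalls={stalls(times)}")
```

With the assumed timings the low setting costs one full timer period per small segment (each of the three records waits about 200ms), while medium and high finish the flight in a few milliseconds; medium only falls back to the timer for a segment without PSH, which is why it is sufficient for handshake traffic.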