When you review the Dashboard on the SSL Visibility Appliance, the number of sessions is listed under Overview. This number may seem higher or lower than expected based on bandwidth, SSL bandwidth and load of the appliance. A session goes through several stages on the SSL Visibility Appliance, beginning with the SYN packet at the start of a TCP handshake. A flow in any one of these stages counts against the total session count for the appliance. This KB goes into some detail about the stages of an SSL flow.
Statistic files are available to download on the SSL Visibility via the Diagnostics page. Within these diagnostic pages are thousands of statistics that the SSL Visibility tracks and logs. Among these are statistics on flow states. The statistics can also be seen via SSH in the Command Line Diagnostics (CLD).
The different flow states that make up L_flows, and that count towards the total overall flow count, are shown in the equation below:

L_flows = L_flow_state_HALF_CONNECTED + L_flow_state_CLASSIFIER + L_flow_state_ACTION_APP + L_flow_state_ACTION_CUT + L_flow_state_ACTION_REJECT + L_flow_state_ACTION_DROP + L_flow_state_ACTION_APP_EOF
To further investigate these statistics, as stated previously, you may SSH into the SSL Visibility and look at the CLD. The counter workers will show the detailed flow information:
L_flows : 00000000000000000000
L_flows_confirmed : 00000000000000000000
L_flow_state_HALF_CONNECTED : 00000000000000000000
L_flow_state_CLASSIFIER : 00000000000000000000
L_flow_state_ACTION_APP : 00000000000000000000
L_flow_state_ACTION_CUT : 00000000000000000000
L_flow_state_ACTION_REJECT : 00000000000000000000
L_flow_state_ACTION_DROP : 00000000000000000000
L_flow_state_ACTION_APP_EOF : 00000000000000000000
L_flow_si_handshake : 00000000000000000000
Note that there is an additional field, L_evict_list_length. When calculating flows as above, several stages are included in the count. This is the count that the product spec sheet utilizes, and it may seem higher than expected in certain cases. The L_evict_list_length counter counts flows that have completed and are scheduled to be removed from the flow table. These completed flows, however, may not be removed until additional room is required in the flow count.
If you are reviewing a high-volume appliance, subtracting L_evict_list_length from the L_flows field will provide a more accurate number.
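The calculation above as an added Python example (not part of the original article or the product's tooling): it parses counter output in the "name : value" form shown earlier, checks the state counters against L_flows, and subtracts L_evict_list_length. The sample values are constructed, and it is an assumption that L_evict_list_length appears in the same output in the same form.

```python
import re

# State counters that the article's equation sums to give L_flows.
FLOW_STATES = (
    "L_flow_state_HALF_CONNECTED", "L_flow_state_CLASSIFIER",
    "L_flow_state_ACTION_APP", "L_flow_state_ACTION_CUT",
    "L_flow_state_ACTION_REJECT", "L_flow_state_ACTION_DROP",
    "L_flow_state_ACTION_APP_EOF",
)
# Matches "name : digits" whether counters are one per line or run together.
COUNTER_RE = re.compile(r"(L_\w+)\s*:\s*(\d+)")

# Constructed sample, not captured from a real appliance.
SAMPLE = """\
L_flows : 00000000000000120000
L_flows_confirmed : 00000000000000118500
L_flow_state_HALF_CONNECTED : 00000000000000001500
L_flow_state_CLASSIFIER : 00000000000000002500
L_flow_state_ACTION_APP : 00000000000000090000
L_flow_state_ACTION_CUT : 00000000000000025000
L_flow_state_ACTION_REJECT : 00000000000000000400
L_flow_state_ACTION_DROP : 00000000000000000100
L_flow_state_ACTION_APP_EOF : 00000000000000000500
L_flow_si_handshake : 00000000000000002200
L_evict_list_length : 00000000000000045000
"""

def parse_counters(text):
    """Return {counter_name: int} for every 'name : value' pair in text."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}

def flow_summary(counters):
    """Compare the state sum with L_flows and subtract the evict list."""
    total = counters["L_flows"]
    state_sum = sum(counters.get(name, 0) for name in FLOW_STATES)
    evict = counters.get("L_evict_list_length")  # None if not in the output
    return {
        "L_flows": total,
        "state_sum": state_sum,
        "consistent": state_sum == total,
        "evict_pending": evict,
        "active_estimate": None if evict is None else total - evict,
    }

if __name__ == "__main__":
    for key, value in flow_summary(parse_counters(SAMPLE)).items():
        print(f"{key}: {value}")
```

L_flows_confirmed and L_flow_si_handshake are parsed but left out of the sum, because the article's equation does not include them.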
Additional details can be found via SSL Visibility Command Line Diagnostics and counters worker.