Developer

Hi!

I've been writing a script that uses aruba switches REST-API to get a bunch of information and then presenting it on a webpage.

However when using the app in production I want to use https requests.

I notice quite a big difference in response times comparing http to https.

Here is a measurement from postman.

HTTP:

EDIT: replaced image above with non-cached tcp-handshake test.

HTTPS:

Is this to be expected ? It's quite noticeable in the lab with just one switch. Polling would take forever in a bigger environment.

This is a 2530-8g-poe+ switch. I've just created a selfsigned cert.

I'm quite new to flask and python, so maybe it's nothing unusual and I just need to write data to a db and then present it instead of polling on loading the page.

Hi,

I get the same issue (i think the CPU is very limited on this product...)

Do you have try different cipher ? (and TLS version ?)

Hi!

Ok, thanks for the info. Will check on the chiper tomorrow.

Do you know if https works better with bigger switches like 2540-24g or 2930 / 5406 etc ?

I'm not really make some bench for compare...

So I changed from RSA to ecdsa, still the same. VERY slow.

Checked a 2530-24G and that one was also very slow.

Will check with other switches when able to.

Can you check what are the times when you run the same query again?

I checked on a 2930F 12 port, and first request took 1.5-2 seconds or so, after that it is comparable to HTTP:

HTTP:

HTTPS (first request or when SSL needs to be reinitialized):

HTTPS (subsequent request on existing SSL session):

The requested call: /rest/v1/system

The 2530 switch is an entry-level switch and quite old as well, so that may be why the transfer is slower on that switch. As you can see the download itself on the 2930F is not significantly slower, which is different from your screenshot where the actual download is also slowed down.

I'd expect an additional delay on the SSL session setup under all conditions, and both client and server play a role in there, as well there is more information transferred compared to non-SSL.

On more powerful switches, there is no excuse not to use SSL. On less powerful switches you shouldn't use non-encrypted access during authentication or transfer of non-public information either in my opinion.

Hi!

yeah, using cached ssl session does speed up the process. Still sometimes takes a while. But that might be because of the old harware as you say.

Do you know how I would reuse the session using python requests module ?

is it requests.session()  . I tried this but wasn't seeing any improvements, never used session before so not sure I used i correctly.

Do you have an example of using several calls to a switch reusing the same session ?

The request.session() works for me:

Time: 1.936s, from start: 1.936s. (this is the first login call)
b'{"uri":"/login-sessions","cookie":"sessionId=QR9DWRy8984EH4OJvvOmLm1KEFCZwysWHfaVLbczblX0JYmGXdG0rZrZRBfgtDv"}'
sessionId=QR9DWRy8984EH4OJvvOmLm1KEFCZwysWHfaVLbczblX0JYmGXdG0rZrZRBfgtDv

Time: 0.029s, from start: 1.970s (these are followup calls)
Time: 0.118s, from start: 2.093s
Time: 0.027s, from start: 2.125s
Time: 0.027s, from start: 2.157s
Time: 0.026s, from start: 2.188s
Time: 0.027s, from start: 2.220s
Time: 0.027s, from start: 2.252s
Time: 0.027s, from start: 2.285s
Time: 0.026s, from start: 2.316s

With the following code:

#!/usr/bin/python3

import requests
import time
import json

r = requests.Session()

url = "https://10.1.254.1/rest/v1/login-sessions"

payload = "{\"userName\": \"admin\", \"password\":\"go-figure\"}"
headers = {
  'Content-Type': 'application/x-www-form-urlencoded'
}

start=time.time()
tstart=time.time()
response = r.request("POST", url, headers=headers, data = payload, verify=False)
print('Time: %0.3fs, from start: %0.3fs' % (time.time()-tstart, time.time()-start))
print(dir(response.elapsed))
print(response.text.encode('utf8'))

cookie=json.loads(response.text)['cookie']
print(cookie)

time.sleep(5)
start+=5

url = "https://10.1.254.1/rest/v1/system"

headers = {
  'Cookie': cookie
}

for i in range(1,10):
  tstart=time.time()
  response = r.request("GET", url, headers=headers, verify=False)
  print('Time: %0.3fs, from start: %0.3fs' % (time.time()-tstart, time.time()-start))
#  print(response.text.encode('utf8'))
  time.sleep(5)
  start+=5

I noticed that I had to add the 5 second sleeps in between the calls, otherwise the call lasted 2-5 seconds.

Ok.

So as I understand making several calls would still take a long time for example checking stp, loop-protect, snmpv3 and system-status (4 different calls), would need a 5sec pause between each call ?

I'm creating a python flask page that presents some basic info from the switches (like the examples above). The proper way to do this would be to write all the data to a db then ? Else the page would take forever to load each time ?

Or did I misunderstand ?

What I observed was that in my demo case (and I spent the minimum time to demonstrate the session caching as you asked), with the same call over and over, the calls took more time when performed back to back. Different calls probably have different times to complete, and you probably will need to test and find out what works best for you.

Also, I see the same behavior with HTTP and HTTPS what this question started with.

I don't have further insights in how many API calls you can do and at what rate, and if there is (configurable) throttling. If you run into issues, please work with Aruba TAC to get it investigated.

yes, there is a another issue, we need to wait 5 second different GET (or POST) query... (or restart a session) with Aruba OS Switch (no issue on Aruba CX...)

You can look https://community.arubanetworks.com/t5/Developer-Community/ArubaOS-REST-API-Random-Delays/td-p/553228

Hi!

Thanks both of you for verifying that it wasn't my script that worked incorrectly.

So the solution for faster https is to use sessions and thereby not needing to do the ssl-handshake each time.

But there is some kind of bug / throttling that makes several calls in the same sessions very slow.

Thanks for the link to the discussion around this. I tried using "connection":"close" in my headers, this got around the session thing. But now it creates a new session each time instead so I'm back to square one because of the ssl-handshake slowdown.

I might just use https for login and sensitive data and http for the rest I think for now.

Hopefully it is a bug and might be solved in future releases, it does seem strange.

---

@Gonz wrote:

Hi!

 

[...]

 

Hopefully it is a bug and might be solved in future releases, it does seem strange.

---

i should be need to open a case on TAC..

but yes, it is very strange the latency between each request on the same session...

Yeah, I might open a TAC case. Don't have time right now but maybe in the coming weeks.