Root Cause

To inspect TLS traffic, the network engine has to obtain the session keys, and it holds the connection for up to 200 ms while waiting for them [1]. With bi-directional inspection this wait is paid on both directions of the connection, so the latency impact increases further. Memory usage follows the same pattern: inspecting TLS traffic between containers in both directions consumes more memory than inspecting a single direction.


Resolution

Bi-directional TLS inspection is intended for deployments where both directions of the traffic are an attack surface. It is not necessary for a typical reverse proxy, where only one direction needs to be inspected. If the application latency or memory usage becomes unacceptable, try the following:

  • Remove the IPS rules for the affected ports on one side (inbound or outbound), if possible
  • Disable one side of Advanced TLS Traffic Inspection [2]
 
[1] 200 ms is the usual minimum TCP retransmission timeout (RTO), so the engine never holds a connection longer than one retransmission window.
[2] Separate toggles for each side of Advanced TLS Traffic Inspection have been available since Deep Security Agent 20.0.1-12510. On-premise deployments also require Deep Security Manager 20.0.913.
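To confirm that the extra latency really comes from the inspection wait on the TLS handshake, and not from the network path, compare TCP connect time with TLS handshake time before and after changing the setting. The following script is an added example, not part of Deep Security or its documentation; the 200 ms figure is the session-key wait from this article, while the host name, sample count and the 0.5 / 0.25 decision factors are assumptions chosen for illustration.

```python
"""Measure TCP connect time against TLS handshake time for fresh connections.

Added example, not part of Deep Security or its documentation. Run it from a
container once with bi-directional Advanced TLS Traffic Inspection enabled and
once after applying one of the changes above, then compare the two summaries.
The 200 ms figure is the network engine's maximum wait for session keys from
this article; the decision thresholds below are assumptions."""

import socket
import ssl
import statistics
import sys
import time

KEY_WAIT_MS = 200.0  # max time the engine waits for session keys (article [1])


def time_handshake(host: str, port: int = 443, timeout: float = 5.0) -> tuple[float, float]:
    """Open one new connection and return (tcp_connect_ms, tls_handshake_ms).

    The TCP connect is timed separately so that a slow network path (which
    delays SYN/SYN-ACK) can be told apart from delay on the TLS handshake,
    which is where an inline inspector holding the connection shows up."""
    ctx = ssl.create_default_context()
    t0 = time.perf_counter()
    raw = socket.create_connection((host, port), timeout=timeout)
    t1 = time.perf_counter()
    try:
        # Handshake explicitly so the timing covers only the TLS exchange.
        with ctx.wrap_socket(raw, server_hostname=host, do_handshake_on_connect=False) as tls:
            tls.do_handshake()
            t2 = time.perf_counter()
    finally:
        raw.close()  # no-op once wrap_socket has detached the fd; safe on error paths
    return ((t1 - t0) * 1000.0, (t2 - t1) * 1000.0)


def _p95(sorted_values: list[float]) -> float:
    """Nearest-rank 95th percentile over an already sorted list."""
    idx = int(round(0.95 * (len(sorted_values) - 1)))
    return sorted_values[min(idx, len(sorted_values) - 1)]


def summarize(samples: list[tuple[float, float]]) -> dict[str, float]:
    """Median and p95 of each component over a batch of samples."""
    if not samples:
        raise ValueError("no samples")
    tcp = sorted(s[0] for s in samples)
    tls = sorted(s[1] for s in samples)
    return {
        "tcp_median_ms": statistics.median(tcp),
        "tcp_p95_ms": _p95(tcp),
        "tls_median_ms": statistics.median(tls),
        "tls_p95_ms": _p95(tls),
    }


def inspection_suspected(baseline: dict[str, float], under_test: dict[str, float],
                         key_wait_ms: float = KEY_WAIT_MS) -> bool:
    """True when the handshake got slower by at least half a key-wait window
    while TCP connect time stayed flat, i.e. the extra time sits in the TLS
    handshake rather than on the network path. The 0.5 and 0.25 factors are
    assumptions chosen to tolerate jitter, not product numbers."""
    tcp_delta = under_test["tcp_median_ms"] - baseline["tcp_median_ms"]
    tls_delta = under_test["tls_median_ms"] - baseline["tls_median_ms"]
    return tls_delta >= 0.5 * key_wait_ms and tcp_delta < 0.25 * key_wait_ms


def run(host: str, port: int = 443, count: int = 10) -> dict[str, float]:
    """Collect `count` fresh handshakes to host:port and summarize them."""
    return summarize([time_handshake(host, port) for _ in range(count)])


if __name__ == "__main__":
    # Assumed usage: python tls_latency.py <host> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name, value in run(target, target_port).items():
        print(f"{name:>14}: {value:8.1f}")
```

Run it against the same target from the same container before and after disabling one side of inspection; if the TLS handshake median drops by something on the order of the 200 ms key wait while TCP connect time is unchanged, the inspection wait was the source of the latency rather than the network.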