05-14-2009 10:31 AM
Is it possible to use source-nat together with SSL termination (SSL offload)?
SSL traffic is not working anymore as soon as I enable source-nat globally. Normal HTTP traffic is working.
(running @ release <= 11.0)
05-14-2009 10:40 AM
This is supported and it is working. Be careful with it - I have seen the following problem multiple times:
The SSL offload is done on a special "processing blade". This blade is independent from the other processor and it requires a dedicated IP address as source-nat-ip. All other traffic (like plain text HTTP traffic) does not require an additional IP. Please ensure you do have a source-nat-ip for SSL traffic configured.
At the MASTER ServerIron:
server source-nat-ip <ip-address> <netmask> <gateway> port-range 2 for-ssl
At the BACKUP ServerIron:
server source-nat-ip <ip-address> <netmask> <gateway> port-range 1 for-ssl
This looks like server source-nat-ip 192.168.100.122 255.255.255.0 0.0.0.0 port-range 2 for-ssl or similar most of the time. Check if you do have an SSL source-nat-ip or not.