SSL, strange NAT issue

thibaus
Level 1

Hello,

I think I am in the twilight zone right now so if somebody can put me out of my misery please do :-)

Here is the situation: I have a pretty straightforward configuration where I load-balance SSL in a very simple way, here is my config:

service ssl-1
  redundant-index 6
  ip address 1.1.1.1
  port 443
  protocol tcp
  keepalive type ssl
  active

service ssl-2
  redundant-index 7
  keepalive type ssl
  ip address 1.1.1.2
  port 443
  protocol tcp
  active

content sec.site
  advanced-balance ssl
  add service ssl-1
  add service ssl-2
  redundant-index 49
  vip address 2.2.2.8
  port 443
  protocol tcp
  active

Yet when I access the site with https://myurl.com, I get the following flows:

--------------- ----- --------------- ----- --------------- --- ------- -------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- -------
3.3.3.3         2331  2.2.2.8         443   0.0.0.0         TCP 1/1     -
2.2.2.8         443   3.3.3.3         2331  0.0.0.0         TCP -       1/1

When I access the site with http://myurl.com:443 I get the following:

--------------- ----- --------------- ----- --------------- --- ------- -------
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
--------------- ----- --------------- ----- --------------- --- ------- -------
3.3.3.3         2327  2.2.2.8         443   1.1.1.1         TCP 1/1     1/2-80
1.1.1.1         443   3.3.3.3         2327  3.3.3.3         TCP 1/2-80  1/1

But in both cases I never have a complete response from the servers. The site works well locally and with other machines in the same subnet.

I don't see any NAT issues, as everything is pretty straightforward: VIPs on one interface and servers on a trunk on the other.

This is an 11503 with 7.40.1.03 software.

Any idea?

3 Replies

Gilles Dufour
Cisco Employee

You forgot the command 'application ssl' under the content rule.

When doing advanced-balance ssl, you're telling the CSS to look for SSLID in the traffic.

But by default the application is HTTP, so the CSS will not understand SSL traffic.

Every time you use advanced-balance ssl, you need the command application ssl.

Let me know if it works by rating this answer.

Thanks,

Gilles.
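The script below is an added example, not code from this thread or from Cisco. It does two things a practitioner would want when staring at the output quoted above: it parses the 'show flows' column layout from the question and flags client-to-VIP flows that the CSS never handed to a backend (NAT Dst Address 0.0.0.0 and no OutPort, which is what the https listing shows), and it lints a content rule for the omission Gilles points out, advanced-balance ssl without application ssl. The sample flow rows and the content rule are constructed from the values in the question; the function names, the ssl-2 name for the second service, and the assumption that the CSS defaults the application to http when the command is absent (as Gilles states) are this example's own.

```python
"""Added example (not from the thread or from Cisco): checks over the CSS
output quoted in the question. parse_show_flows() reads the 'show flows'
columns; unforwarded_client_flows() flags client-to-VIP flows never handed
to a backend (NAT Dst Address 0.0.0.0, no OutPort). lint_content_rules()
reports content rules with 'advanced-balance ssl' but no 'application ssl'.
Sample inputs below are constructed from the values in the question."""
from __future__ import annotations

import re
from dataclasses import dataclass

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row of 'show flows'; the header and dashed separator lines won't match.
FLOW_RE = re.compile(
    rf"^(?P<src>{IP})\s+(?P<sport>\d+)\s+(?P<dst>{IP})\s+(?P<dport>\d+)\s+"
    rf"(?P<nat>{IP})\s+(?P<prt>\S+)\s+(?P<inport>\S+)\s+(?P<outport>\S+)\s*$"
)


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nat_dst: str
    prt: str
    in_port: str
    out_port: str

    @property
    def forwarded(self) -> bool:
        """True when the CSS NATted the flow to a server and has an egress port."""
        return self.nat_dst != "0.0.0.0" and self.out_port != "-"


def parse_show_flows(text: str) -> list[Flow]:
    """Parse every data row of 'show flows' output into Flow records."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows.append(Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                              m["nat"], m["prt"], m["inport"], m["outport"]))
    return flows


def unforwarded_client_flows(flows: list[Flow], vip: str) -> list[Flow]:
    """Client-to-VIP flows that matched a rule but never reached a backend."""
    return [f for f in flows if f.dst == vip and not f.forwarded]


TOP_LEVEL = ("service ", "content ", "owner ", "group ")


def split_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Group config lines into (header, sub-commands). Indentation is ignored
    because pasted configs, like the one in the question, often lose it."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(TOP_LEVEL):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def lint_content_rules(config: str) -> list[str]:
    """Report content rules using advanced-balance ssl without application ssl."""
    findings = []
    for header, cmds in split_blocks(config):
        if not header.startswith("content "):
            continue
        name = header.split(None, 1)[1]
        balance = next((c.split()[1] for c in cmds if c.startswith("advanced-balance ")), None)
        # Assumption (per the reply above): with no 'application' line the CSS parses http.
        app = next((c.split()[1] for c in cmds if c.startswith("application ")), "http")
        if balance == "ssl" and app != "ssl":
            findings.append(f"content {name}: advanced-balance ssl but application {app}; "
                            "add 'application ssl'")
    return findings


# Constructed from the two 'show flows' listings in the question.
SHOW_FLOWS_HTTPS = """\
Src Address     SPort Dst Address     DPort NAT Dst Address Prt InPort  OutPort
3.3.3.3         2331  2.2.2.8         443   0.0.0.0         TCP 1/1     -
2.2.2.8         443   3.3.3.3         2331  0.0.0.0         TCP -       1/1
"""
SHOW_FLOWS_HTTP_443 = """\
3.3.3.3         2327  2.2.2.8         443   1.1.1.1         TCP 1/1     1/2-80
1.1.1.1         443   3.3.3.3         2327  3.3.3.3         TCP 1/2-80  1/1
"""
# Constructed from the content rule in the question, as posted and with the fix.
RULE_AS_POSTED = """\
content sec.site
  advanced-balance ssl
  add service ssl-1
  add service ssl-2
  vip address 2.2.2.8
  port 443
  protocol tcp
  active
"""
RULE_FIXED = RULE_AS_POSTED.replace("advanced-balance ssl\n",
                                    "advanced-balance ssl\n  application ssl\n")
```

Running `unforwarded_client_flows(parse_show_flows(SHOW_FLOWS_HTTPS), "2.2.2.8")` returns the one stuck https flow, the same call on the http:443 listing returns nothing, and `lint_content_rules(RULE_AS_POSTED)` reports the sec.site rule while `lint_content_rules(RULE_FIXED)` is clean. Paste your own 'show flows' or 'show running-config' output in place of the constructed samples to run the same checks against a real box.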

I added the application ssl command to the content rule and I have the exact same behavior.

Hummm... could you capture a sniffer trace on your client when doing both tests, https and http:443?

Then attach it to the forum or send it to gd@cisco.com [me].

Also capture a 'sho rule /'.

Thanks,

Gilles.
