Forum Discussion
Joel_106642
Nimbostratus
Sep 30, 2008
SSL LTM 9.3 can't get it to work
We tried to cut over to a new pair of 6400s which have an ASM module. The F5 uses a virtual network server for all traffic to the inside vlan that doesn't require loadbalancing. All of the VIPs work...
hoolio
Cirrostratus
Oct 01, 2008
For upgrading I say 'consider' 9.4.5HF2. 9.3.1 is more stable as it's a maintenance release. 9.4.5 will have much better performance for ASM and the new ASM policy format--but it's less stable. You would get better out of the box security with the ASM attack signatures in 9.4.5. And you'd avoid having to build a 9.3.x format policy and have to migrate that to the new 9.4.5 format. So I wouldn't say it's an automatic decision.
The SNAT iRule should work fine as long as you have a floating self IP address on the VLAN that the traffic to the pool would go through. You could simplify the configuration for your basic initial test by just applying SNAT automap on the VIP for all connections. Once that's working, you can add the iRule.
Was the HTTP VIP which was working referencing pool members on the same subnet as the HTTPS VIPs' pool? There shouldn't be any difference in configuration between a standard TCP VIP defined on port 80 versus one defined on port 443. So if the port 80 VIP was working correctly, just copy that config and use it for the port 443 VIP. Once that's working you can add the more complex objects like client and server SSL, the SNAT iRule, an HTTP profile and eventually an HTTP class with App Security enabled.
Aaron