Forum Discussion
SSL offload and DSR hybrid
Is this possible?
- Client connects to SSL offloading VIP with destination NAT turned off
- F5 forwards packets to real server without translating the destination IP (like with DSR)
- Real server sources return traffic from VIP address, which is bound to loopback adapter (like with DSR)
- Real server sends return traffic (synchronously) back through F5 instead of (asynchronously) through 3rd-party router (different from DSR)
- F5 recognizes traffic and re-encrypts it before returning to requesting client
3 Replies
- nitass
Employee
I think it is okay as long as BIG-IP sees both request and response.
If it is asymmetric routing, the connection.vlankeyed db key needs to be disabled.
sol13558: Allowing asymmetrically routed connections across multiple VLANs (11.x)
http://support.f5.com/kb/en-us/solutions/public/13000/500/sol13558.html
- McGhee_59726
Nimbostratus
But that's the key: it can't be asymmetric routing with SSL offload. The F5 needs to re-encrypt the server response on the way back to the client. What will the LTM do with packets that return to it from an IP address that it already has bound as a virtual server? In proper DSR, the packets never route back through the load balancer; they use an alternate route back to the client.
- nitass
Employee
> What will the LTM do with packets that return to it from an IP address that it already has bound as a virtual server?

Shouldn't it work fine as long as return traffic matches an entry in the connection table (which is created when processing request traffic)?
