Forum Discussion

McGhee_59726
May 30, 2014

SSL offload and DSR hybrid

Is this possible?

 

  1. Client connects to SSL offloading VIP with destination NAT turned off
  2. F5 forwards packets to real server without translating the destination IP (like with DSR)
  3. Real server sources return traffic from VIP address, which is bound to loopback adapter (like with DSR)
  4. Real server sends return traffic (synchronously) back through F5 instead of (asynchronously) through 3rd party router (different from DSR)
  5. F5 recognizes traffic and re-encrypts it before returning to requesting client

3 Replies

  • But that's the key: it can't be asymmetric routing with SSL offload; the F5 needs to re-encrypt the server response on the way back to the client. What will the LTM do with packets that return to it from an IP address that it already has bound as a virtual server? In proper DSR, the packets never route back through the load balancer; they use an alternate route back to the client.

     

  • What will the LTM do with packets that return to it from an IP address that it already has bound as a virtual server?

     

    Shouldn't it work fine as long as return traffic matches an entry in the connection table (which is created when processing request traffic)?