This issue has been perplexing me for some time, and I am running out of ideas, so here goes:
I recently stood up an SA-4500 (6.5r6) in a remote office (India) as a point of ingress for local users to access local resources more quickly.
Ever since we have deployed this appliance in the field, I have gotten some very strange behavior out of it.
1. I can ping and traceroute it by name and IP.
2. nslookups resolve.
3. http redirect works
4. https fails, but not across the board. Half of our users get sign-in pages just fine. The other half just time out.
Doing a packet trace from a failed client, I see the SSL client hello sent out, but no SSL server hello returned.
I have run TCP dumps on the IVE, and I see server hellos attempting to go out, but it just retransmits as if it cannot reach the client.
The network setup is simple - a single router and switch comprise the edge (only one simple inbound access list that should not affect SSLVPN). The IVE is plugged into the switch. I removed the ACL just in case, and the same behavior occurred.
I have adjusted the IVE for what TLS/SSL settings it accepts, and no change.
I have flattened the box to a factory state (6.3r7), and put on a bare-bones config - no change.
I set up an https web server on a switch on the same network and tested. All clients could connect to it.
Ideas? Thanks in advance.
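Added example, not part of the original post and not Juniper code: a small Python script that walks the two kinds of capture described above (a trace taken on a failing client, and a tcpdump taken on the IVE) and reports where the TLS handshake stops. It parses TLS record and handshake headers from the TCP payloads, flags a ClientHello with no answering ServerHello, and counts repeated server segments as retransmissions. The packet contents, direction labels, and the placeholder certificate are constructed inline and are assumptions, not data from the appliance.

```python
import struct
from collections import Counter

HANDSHAKE = 0x16                      # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11

def parse_records(segment):
    """Split one TCP payload into TLS records as (content_type, version, body) tuples."""
    records, off = [], 0
    while off + 5 <= len(segment):
        ctype, version, length = struct.unpack("!BHH", segment[off:off + 5])
        body = segment[off + 5:off + 5 + length]
        if len(body) < length:        # record continues in a later segment; stop here
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records

def handshake_types(body):
    """Return the handshake message types carried inside one Handshake record body."""
    types, off = [], 0
    while off + 4 <= len(body):
        types.append(body[off])
        off += 4 + int.from_bytes(body[off + 1:off + 4], "big")
    return types

def diagnose(packets):
    """packets: (direction, tcp_payload) pairs in capture order; direction is 'c2s' or 's2c'."""
    result = {"client_hello": False, "server_hello": False,
              "server_flight_bytes": 0, "server_retransmits": 0}
    seen_s2c = Counter()
    for direction, payload in packets:
        if direction == "s2c":
            seen_s2c[payload] += 1
            if seen_s2c[payload] > 1:   # identical server payload again: a TCP retransmission
                result["server_retransmits"] += 1
                continue
        for ctype, _version, body in parse_records(payload):
            if ctype != HANDSHAKE:
                continue
            types = handshake_types(body)
            if direction == "c2s" and CLIENT_HELLO in types:
                result["client_hello"] = True
            if direction == "s2c" and SERVER_HELLO in types and not result["server_hello"]:
                result["server_hello"] = True
                result["server_flight_bytes"] = len(payload)
    if result["client_hello"] and not result["server_hello"]:
        result["verdict"] = "stalled after ClientHello: no ServerHello reached this capture point"
    elif result["server_hello"]:
        result["verdict"] = "ServerHello present: handshake got past the first server flight"
    else:
        result["verdict"] = "no ClientHello seen: not a TLS handshake problem at this layer"
    return result

def handshake_record(htype, body):
    """Wrap a handshake message body in a 4-byte handshake header and a TLS 1.2 record header."""
    msg = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(msg)) + msg

# Constructed sample traffic (assumption: message shapes only, not captured from a real IVE).
CLIENT_HELLO_BODY = (b"\x03\x03" + b"\x11" * 32 + b"\x00"       # version, random, empty session id
                     + b"\x00\x02\x00\x2f" + b"\x01\x00")         # one cipher suite, null compression
SERVER_HELLO_BODY = b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
CERT_BODY = b"\x00\x04\xfd" + b"\x00\x04\xfa" + b"\x30" * 1274    # one 1274-byte placeholder cert
SERVER_FLIGHT = (handshake_record(SERVER_HELLO, SERVER_HELLO_BODY)
                 + handshake_record(CERTIFICATE, CERT_BODY))
CLIENT_HELLO_SEG = handshake_record(CLIENT_HELLO, CLIENT_HELLO_BODY)

WORKING_CLIENT = [("c2s", CLIENT_HELLO_SEG), ("s2c", SERVER_FLIGHT)]   # a user who gets the sign-in page
FAILING_CLIENT = [("c2s", CLIENT_HELLO_SEG)]                            # a user who just times out
IVE_SIDE = [("c2s", CLIENT_HELLO_SEG), ("s2c", SERVER_FLIGHT),
            ("s2c", SERVER_FLIGHT), ("s2c", SERVER_FLIGHT)]             # same flight sent three times

if __name__ == "__main__":
    for name, pkts in (("working client", WORKING_CLIENT), ("failing client", FAILING_CLIENT),
                       ("IVE side", IVE_SIDE)):
        print(name, diagnose(pkts))
```

To use it on a real capture, export the TCP payloads of the port 443 stream from each trace (for example from Wireshark's Follow TCP Stream, one entry per segment, tagged by direction) and pass them in capture order. A client-side verdict of "stalled after ClientHello" paired with an IVE-side result that shows the same server flight retransmitted points at the return path between the appliance and that particular client rather than at the TLS configuration, which matches the fact that a bare-bones config and a different https server on the same switch behaved differently.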