Good morning, experts! :) I've got a weird one today and I don't know if it's on the SSL VPN side or the load balancer side.

Basically, we've got a pair of SA4000s in Active/Active mode being load balanced by a Cisco CSS. For users using Network Connect, ESP mode has never worked and it's always fallen back to SSL. I finally started looking into it recently.

I've got content rules on the load balancer for tcp 443 and tcp 80 (in case a user forgets to use https), and one for udp 4500. For the tcp rules, everything works as it should, no problem. Traffic coming back from the IVEs is sourced as the load balanced VIP as it should.

But then it gets weird. For the udp rule, it seems to direct traffic to one of the devices just fine, however the return traffic is sourced from the device itself instead of the VIP. This breaks any attempt to use ESP since the end user workstation is trying to talk to 18.104.22.168 and is hearing back from 22.214.171.124 instead. This ONLY happens for the udp traffic...

Anything I might have missed? Maybe even a setting on the IVEs themselves? Thanks!