Can someone explain to me what the difference is when some of my content seems to load balance 'correctly'. Return traffic appears to be sent to the VIP... BUT some of the traffic I need to actually configure a group for... to get the return traffic to come back to the vip instead of directly to the client (and thereby failing when it hits the firewall)
Indeed, even for TCP, you need to make sure the response from the server goes back through the CSS so that the appropriate address translation can be performed.
So, if your servers are one or more hops away, there is a chance that the response will bypass the CSS and go directly to the client, which will reject it, not expecting a response from the server but from the CSS.
With your group config in place, you do client NAT. So, this should guarantee the response comes back to the CSS, but as mentioned before it will prevent the server from recognizing the client based on its IP address, since all traffic will be coming from the CSS address.
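The three cases the answer describes (CSS on the return path, server bypassing the CSS, and a client-NAT group forcing the reply back through the CSS) as a small added simulation; this is constructed example code, not Cisco CSS configuration, and all addresses are made up:

```python
"""Constructed model of the CSS return-path problem: the client's stateful
firewall only accepts a reply whose source is the VIP the client sent to."""
from dataclasses import dataclass

# Made-up addresses for the simulation.
CLIENT, VIP, CSS_NAT, SERVER = "198.51.100.10", "203.0.113.5", "10.0.0.1", "10.0.0.20"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def css_forward(pkt: Packet, client_nat: bool) -> Packet:
    """CSS rewrites the VIP to the real server; with a client-NAT group it also
    rewrites the source to its own address, so the server never sees the client IP."""
    assert pkt.dst == VIP
    return Packet(CSS_NAT if client_nat else pkt.src, SERVER)


def server_reply(pkt: Packet, css_is_default_gateway: bool) -> tuple:
    """Server answers whatever source it saw. The reply passes through the CSS
    only if the CSS is on the server's return path or the reply is addressed to it."""
    reply = Packet(SERVER, pkt.src)
    via_css = css_is_default_gateway or reply.dst == CSS_NAT
    return reply, via_css


def css_return(original: Packet) -> Packet:
    """CSS undoes both translations: the client sees a reply from the VIP."""
    return Packet(VIP, original.src)


def client_accepts(reply: Packet, original: Packet) -> bool:
    """Stateful firewall check: reply must come from the address the client sent to."""
    return reply.dst == original.src and reply.src == original.dst


def run(client_nat: bool, css_on_return_path: bool) -> bool:
    """Return True if the client firewall accepts the server's reply."""
    original = Packet(CLIENT, VIP)
    to_server = css_forward(original, client_nat)
    reply, via_css = server_reply(to_server, css_on_return_path)
    if via_css:
        reply = css_return(original)
    return client_accepts(reply, original)
```

Without client NAT the reply is accepted only when the CSS sits on the return path; with the group in place the server's reply is addressed to the CSS, so it is translated back regardless of routing.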