Query on SSL termination. Following is the logical path:
The encrypted traffic hits the router -> hits the ASA IPS -> and then hits the VIP for load balancing via ACE.
The SSL encrypted traffic should terminate on the ACE load balancer. However, the IPS scan can only be performed on decrypted traffic.
How can we re-encrypt the traffic to terminate on the load balancer? Or is it a bad idea due to performance issues?
This does not apply to your design. The VPN will be encr/decr on the edge ASA device. For inbound traffic (from the outside) it will be decrypted by the edge ASA, processed by the CSC, then by the second ASA+IPS and then it will reach the LAN host/server. In the opposite direction, it will be processed by ASA+IPS, then ASA+CSC, then encrypted by the ASA 'outside' interface and finally go out.
Yes your understanding is spot on. Both IPS/CSC need decrypted traffic to do anything meaningful.