For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Brad_146558's avatar
Brad_146558
Icon for Nimbostratus rankNimbostratus
May 02, 2014

APM Connectivity Issue

Hi Everyone,   I'm troubleshooting an APM issue that, unfortunately I wasn't a part of. The short story is there was AD maintenance and all of the domain controllers that APM was configured to use...
BIG-IP Access Policy Manager (APM)
security
kunjan's avatar
kunjan
Icon for Nimbostratus rankNimbostratus
May 02, 2014

If I may add, on the later versions there is a db key called apm.ad.kdclockout. Default value is 0. 

tmsh list sys db apm.ad.kdclockout

The purpose is to control the behaviour of lockout of a KDC if the APM notices an outage to reach it.

So if it is 0, every request it will try to reach the KDC even if the earlier request to KDC failed. So if a AD pool is configured a pool, this kdclockout value has to be zero. Else one pool member failure can bring the pool to be marked as down for the kdclockout duration.

Again, if configured as direct, don't use value 0. If the first KDC is not reachable it won't go to a second KDC even if it's configured.