Hi,I have a question regarding APM VPN and LDAP authentication.When I configure the LDAP server using the direct LDAP Server IP, the authentication works fine.However, when I use a Pool with the same LDAP Server IP, it shows the error message:"Can't contact LDAP server."From the packet capture, it seems that no traffic is being sent out at all.Is there any specific configuration I need to adjust for LDAP Pool settings?Thank you.

Hi ShawnC, If you use the “direct” option, communication will be through management. If you use the “pool” option, it will be through TMM and self IPs will be used. If self IP is not defined for the VLAN where the LDAP servers are located, and there is no TMM route, you can route the traffic from a different self IP.

It shouldn't be any different you're just using a pool instead of directly accessing the ldap.Only thing I can advise is maybe check that the pool and the member you're using are actually available.Go to pools search for your ldap pool and make sure it is green and available.

What seeting does your LDAP pool has.Maybe you have define specific port there? For example LDAP but in LDAP auth you choose ldaps?Usually, at least in ad auth, where you can create a pool directly through ad auth config, the pool actually be created with wildcard port

I have confirmed that all POOL members are greenlit.

The setup uses LDAP on port 389 for everything. It works when configured as a 'direct' connection, but it fails when switching to the 'pool' configuration.

APM VPN LDAP POOL can't contact ldap server.

14 Replies

Melissa_C
Moderator
Nov 19, 2025
Hello ShawnC

Thank you for posting to our community. I wanted to encourage you to update your post and mark as solved if it has been, or update if you are needing additional assistance and we can see what we can do to get you a solution.

-Melissa
Enes_Afsin_Al
MVP
Oct 28, 2025
Hi ShawnC,

If you use the “direct” option, communication will be through management.

If you use the “pool” option, it will be through TMM and self IPs will be used.

If self IP is not defined for the VLAN where the LDAP servers are located, and there is no TMM route, you can route the traffic from a different self IP.
- ShawnC
  Altostratus
  Oct 29, 2025
  I configured a route domain, and I am unsure if that is affecting the issue. The VLAN responsible for authentication has a self-IP configured, but it does not have a floating IP.
  - Injeyan_Kostas
    Nacreous
    Oct 29, 2025
    you cannot use another route domain exept 0 for AD/LDAP auth if I am not wrong
- Injeyan_Kostas
  Nacreous
  Oct 29, 2025
  I am not sure that direct option uses mgmt
  Unless of course there is no TMM route
Injeyan_Kostas
Nacreous
Oct 28, 2025
What seeting does your LDAP pool has.
Maybe you have define specific port there? For example LDAP but in LDAP auth you choose ldaps?
Usually, at least in ad auth, where you can create a pool directly through ad auth config, the pool actually be created with wildcard port
- ShawnC
  Altostratus
  Oct 29, 2025
  The setup uses LDAP on port 389 for everything. It works when configured as a 'direct' connection, but it fails when switching to the 'pool' configuration.
  - Injeyan_Kostas
    Nacreous
    Oct 29, 2025
    Have you done a tcpdump to check if the traffic is leaving f5 correctly?
Shyy
Cirrus
Oct 28, 2025
It shouldn't be any different you're just using a pool instead of directly accessing the ldap.
Only thing I can advise is maybe check that the pool and the member you're using are actually available.
Go to pools search for your ldap pool and make sure it is green and available.
- ShawnC
  Altostratus
  Oct 29, 2025
  I have confirmed that all POOL members are greenlit.
  - Shyy
    Cirrus
    Oct 30, 2025
    If the pool is available you should run a tcpdump to see where the traffic is coming from,
    plus look at ltm logs /var/log/ltm once you get the error, might be more information there.