Forum Discussion
F5 and Direct Access
I seem to be having problems having DA working through the F5. A straight translation in the firewall from inside, outside works no problem but going through the F5 doesn't work. I created the VIP and listening on 443 (which sees the internal DA node as down), but it isn't and all the firewall rules are correct and working fine. I'm using SNAT automap on the VIP and all the other VIPs are functioning fine, just with DA it seems to be a problem. Any advice? Thanks.
12 Replies
- Cory_50405
Noctilucent
Your LTM not being able to complete a health check to your internal DA node shows there's some kind of communication problem between the two devices (routing, access control).
You should be able to sniff the keepalive traffic by doing a tcpdump on the LTM. Please try this and let us know what you see.
- tolinrome_13817
Nimbostratus
I will try that, but does the F5 require a different setup with the VIP or anything else regarding Direct Access? I couldn't find an iApp for it either.
- Cory_50405
Noctilucent
Doesn't seem to be much documentation in existence that I can find. Though if a simple monitor check from your LTM to the server isn't succeeding, that needs to be fixed first as it could indicate a communications problem between the two devices.
- tolinrome_13817
Nimbostratus
Communication seems to be fine (for 443). I think it's the way the DA and BigIP communicate, there's something missing somewhere. In the scant documentation there is, it speaks primarily of front and back end BigIPs and communicating with MS UAG, etc. However, my setup is rather simple in that we only use 1 BigIP as the front end and the DA server sits behind it.
- Cory_50405
Noctilucent
Your initial statement said your LTM sees the DA server as down. Is that still the case?
- tolinrome_13817
Nimbostratus
Yes, it still sees it as down (although it's not). But let me back up a bit, it's not as if it was configured correctly to begin with. I'm in the process of trying to configure the F5 with DA, but the information I find is vague or doesn't pertain to my specific setup. I don't see how it should be any different than any other VIP setup, but there's no documentation explaining that. Really the only documents from F5 show basic scenarios, but not how to set it up and explain the process of how DA and F5 work together.
- Cory_50405
Noctilucent
Okay, so your DA is up but LTM is unable to verify its health. What kind of monitor are you using? To simplify things, a standard TCP monitor should work if the routing between the two hosts exists and access control isn't preventing the communications.
I want to see the monitor work first to rule out the communications path as the cause. Once that's been established, then the configuration can be examined.
- tolinrome_13817
Nimbostratus
I have it monitoring on icmp and https, but it fails on https (red triangle). But I know for sure there is nothing blocking https to this device or on the device as external clients are connecting no problem. There is no access control in the F5 preventing this either.
- Cory_50405
Noctilucent
So it sounds like routing is there. Are there devices between your LTM and the DA server that might be blocking the 443 traffic?
Please run a tcpdump on the LTM to see if you are even getting a three way handshake between the LTM and the DA server.
- tolinrome_13817
Nimbostratus
I'll do that. Do you know how DA should be configured with the F5? How I have it set up is a basic VIP that TCP proxies to the internal network, nothing fancy.
- Cory_50405
Noctilucent
Standard type virtual server with no SSL termination should work.
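The staged check suggested in the replies above (confirm the TCP handshake first, then look at why the HTTPS monitor fails), as an added example that is not part of the thread: a probe that reports the first stage to fail when connecting to the node. The function name `probe` and the address in the usage section are hypothetical placeholders.

```python
import socket
import ssl


def probe(host, port, timeout=3.0):
    """Return (stage, detail); stage is the first failure: tcp, tls, http, or ok."""
    # Stage 1: TCP three-way handshake. A refusal or timeout here points at
    # routing, a filtering device in the path, or nothing listening.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", str(exc))

    # Stage 2: TLS handshake. Certificate validation is switched off because
    # this measures reachability only, not trust in the certificate.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as exc:  # ssl.SSLError and socket timeouts are OSError subclasses
        sock.close()
        return ("tls", str(exc))

    # Stage 3: a plain HTTP request inside TLS; any reply counts as a response.
    try:
        tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = tls.recv(1024)
    except OSError as exc:
        return ("http", str(exc))
    finally:
        tls.close()
    if not data:
        return ("http", "connection closed without a response")
    return ("ok", data.split(b"\r\n", 1)[0].decode(errors="replace"))


if __name__ == "__main__":
    # Placeholder address (documentation range); substitute the DA node's IP.
    stage, detail = probe("192.0.2.10", 443)
    print(f"first failing stage: {stage} ({detail})")
```

A result of `tcp` matches the communication-path problem the replies ask to rule out with tcpdump, while `tls` or `http` means the path is open and the HTTPS monitor is failing on what the server answers. Run it from a host on the same network path as the LTM, since a probe from elsewhere may cross different firewall rules.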