Forum Discussion
KenJ_50171
Nimbostratus
Dec 06, 2012
F5 LTM vs. Kerberos servers
I have been asked to explore what is involved in load balancing Kerberos servers. (My background: I've been handling F5 configuration for simple services for years, but I know little about Kerberos...
Andrew_Husking
Cirrus
Dec 09, 2012
We logged a case with F5 and have found out what has happened and why, but essentially this is what we had....
APM setup to use "AD Server" for authentication in its policies. When pointing to a VIP or using the pool of domain controllers (something they introduced in 11.2, I believe it was), if the domain controller took more than 10 seconds to respond to a Kerberos request (for some unknown reason ours could take up to 20 seconds and seemed to queue the Kerberos requests), APM would mark the domain controller as down (which was a VIP), and not authenticate users for 10 minutes. The PD team have confirmed that this is expected functionality within the product.
When you use DNS to discover the domain controllers in APM (which had other implications for us around slow link sites etc.), then the F5 would hit one domain controller, wait 10 seconds, then hit the next until it had exhausted the list (so for us it would go through over 6 DCs if that ever happened).
So, I guess it all depends on your AD setup, but we had a lot of issues around getting high availability AND control over what domain controllers we could use.