Forum Discussion

Jared_46987's avatar
Jared_46987
Icon for Altostratus rankAltostratus
Aug 22, 2012

LTM Error When Users Disconnect from Exchange

Hey everyone,

 

 

Some external users coming in through the F5 are seeing sporadic and seemingly random connection issues since we implemented the LTM/APM (replaced TMG).

 

 

Everytime an Outlook client abruptly disconnects from Exchange, or cannot connect at all, the following entry shows up in the LTM logs:

 

 

Aug 22 15:50:44 tmm2 info tmm2[32503]: 01220009:6: Pending rule event HTTP_REQUEST aborted for 10.10.64.35:53777->74.231.90.196:443 (listener: /Common/Exchange_v4.app/Exchange_v4_combined_https)

 

 

I've picked at Exchange with a fine tooth comb, and even brought Microsoft in to look at it, and we can't find anything Exchange side that would cause the behavior. Its even more maddening because its only effecting a very small minority of external users (it also started occurring only after the LTM was implemented).

 

 

Any idea what this could mean exactly?

 

 

Thanks!

 

  • Dayne_Miller_19's avatar
    Dayne_Miller_19
    Historic F5 Account
    Hello Jared-

     

     

    Could you please open a case with F5 Support so we can gather details about your configuration?

     

     

    Also:

     

     

    1) What version of BIG-IP are you running?

     

    2) What version of the iApp template are you using? If you're not yet up to version 2012_06_08, available from downloads.f5.com, please upgrade/migrate to that version.

     

    3) Is there any chance you can do a test deployment without APM (but with otherwise identical settings) and see if you still get this error? The HTTP_REQUEST event is called in multiple places and we'd like to narrow down where to look.

     

     

    Thanks in advance. Please feel free to send me a private message with your case number once you have it and we can take a look along with the support engineer. Alternately, if you're not yet using the iApp template version 2012_06_08, and an upgrade to that version fixes your issues, please reply to this forum and let us know!

     

     

    -Dayne

     

     

  • Hi Dayne,

     

     

    I opened a ticket with F5 support on Tuesday, just wanted to post here to cast a wider net, so to speak.

     

     

    1). We are running 11.2.0 HF1.

     

    2). We created this with iApp "f5.microsoft_exchange_2010_cas.2012_04_06". Since we've done a lot of customization work to the virtual servers, etc, (strict updates off) how does upgrading/migrating to that iApp effect all that?

     

    3). I removed the acces policy and associated iRules, and users started working fine. So, it would appear as though the policy or one of the iRules is causing the hiccup.

     

     

    Thanks!!!

     

     

     

  • Dayne_Miller_19's avatar
    Dayne_Miller_19
    Historic F5 Account
    Hi Jared-

     

     

    I haven't looked up your case yet but will do so shortly.

     

     

    However, yes, you'll definitely want to use f5.microsoft_exchange_2010_cas.2012_06_08. There are a large number of fixes -- pretty much all of the items that previously had to be done with strict updates off -- thatt address client connectivity and authentication issues. (Most were caused by interactions between F5's OneConnect feature and NTLM authentication, but there were other subtle issues as well). The new version now also allows you to select custom iRules to attach to virtual servers without disabling struct updates, so you can modify or create custom behavior without leaving the iApp.

     

     

    An upgrade will wipe out any changes you made with strict updates disabled, so what I'd actually suggest is this:

     

     

    1) Install the newer iApp template. (This is a safe operation and won't touch anything with your current configuration.)

     

     

    2) Obtain 2 additional IP addresses.

     

    a. IP1 is the address you're currently using on your virtual server.

     

    b. IP2 is a new address for a new virtual server.

     

    c. IP3 is used temporarily and doesn't even have to be something that is real/accessible.

     

     

    3) Deploy a new configuration using the 2012_06_08 version of the iApp and assign IP2 to that virtual. The iApp template will prompt you for all the settings it needs and will allow you, for instance, to combine services such as OWA, Outlook Anywhere, Autodiscover and ActiveSync on the same virtual server.

     

     

    4) Test some clients using that virtual server, perhaps using a local 'hosts' file to force them to connect there rather than the original one.

     

     

    5) If you're satisfied with results, but want to keep the original config just to be safe or for future reference, wait for a service window and then do this:

     

    a) assign IP3 to the original config.

     

    b) switch the new config to use IP1

     

     

    Of course, you can use a different order of the above to just switch the new config to be the primary right away and test that way (instead of using host files), if your policies, service window and users' tolerance permit ;)

     

     

    -Dayne

     

  • Thanks Dayne, I'll have to tackle this after-hours this weekend. In the mean time, we just have the APM policy disabled and all users are as happy as can be.

     

     

    Thanks again!