Luca_55898
Feb 27, 2013

Putting GTM web management behind LTM

Hi,

I have a requirement to put two GTMs that are configured in a sync group behind an LTM for management purposes.

The two GTM nodes in the LTM are configured with priority group activation, so we will always go to one unless it is unavailable. We need this because we have an automated API which needs to talk to a GTM at all times, so this helps us with redundancy.

Anyway, my problem is that whenever I try to access the GTM web management page using the virtual server on the LTM, the page never loads. Firefox just gives me an 'Unable to connect' error.

TCP dumps on the LTM show that the LTM is sending TCP resets back to me.

It seems to be a problem with the GTM being on HTTPS. I have tried to use client-side and server-side certs but no luck. The GTM is just using the standard self-signed cert.

Normally when a node is doing its own SSL, I just make the VIP on the LTM a 'Performance (Layer 4)' type, but this also isn't working.

Any thoughts on how I can make this work?

 

2 Replies

  • Hi Luca,

    You should not load balance your Management Interfaces since they are totally independent devices and should always be reachable independently. Not to mention that you could end up in a mismatch configuration where you are being load balanced to the Management Interface of the Standby/Offline GTM Management Interface. You should load balance your GTM Listeners. You can use the same process to load balance your GTM Devices as a normal DNS Server.

    DNS Traffic Management using the BIG-IP Local Traffic Manager

    Hope this helps.
  • Yes, I'm aware of the issues. The API only modifies things that are replicated by the sync groups. Also, we are using priority groups in the LTM, so if all is well the config will only ever be done on one GTM.

    With this type of setup we won't have issues with config being out of sync. If I need to change something manually, of course I will log on to the appropriate device.

    Anyway - back to my question - I still should be able to get the web logon page to display something though. Any ideas why that isn't working?

    I just need SSL passthrough, but the layer 4 profile doesn't work.

    Edit: And what is interesting is that I set this up on another LTM running 10.2 code and it worked. The exact same config on my new LTM running 11.2.1 with the exact same config doesn't work.