Stan_Ward_01_13
Oct 09, 2015

Why LB_FAILED when pool members are up?

I have an SSL VIP with two SSL pool members, both of which are up. The iRule LB_FAILED event is triggering. A tcpdump shows the health checks to the pool members (working and shown as green in the GUI), but no connection attempt. This started when we migrated from v10.2.4 to v11.5.3, and we suspected an SSL negotiation problem, but I don't see any negotiation attempt.

 

5 Replies

  • Do you see any traffic on the server side of the F5? If so, can you tell with a tcpdump

    tcpdump -lnni 0.0 port 443 and host [IP of pool member]
    

    and SSLDUMP

    ssldump -AdNn -i 0.0 port 443 and host [IP of pool member]
    

    where the traffic is getting held up?

  • There isn't any traffic on the server side to any of the pool members. And there shouldn't be; no pool member has been selected.

     

  • So why did it fail? What criteria are there beyond the pool members being up and reachable?

     

  • Based on the description of the event:

    LB_FAILED is triggered when LTM is ready to send the request to a pool member and one hasn’t been chosen (the system failed to select a pool or a pool member), is unreachable (when no route to the target exists), has reached a queue limit, or is non-responsive (fails to respond to a connection request).

    https://devcentral.f5.com/wiki/iRules.LB_FAILED.ashx

    which implies in most cases a TCP connection (layer 4) or routing (layer 3) issue. If you don't even see a TCP SYN from the BIG-IP, then I'd be looking at route or queue limits.
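
An added example, not part of the thread: a diagnostic iRule that logs, at LB_FAILED, which branch of the event description quoted above applies (no pool, no member chosen, or a member chosen but not connected). The `reason=` labels and the log layout are constructed for illustration; it assumes the rule is attached to the affected virtual server.

```tcl
when LB_FAILED {
    # What the load-balancing decision produced. LB::server addr is empty
    # when no pool member was selected.
    set pool   [LB::server pool]
    set addr   [LB::server addr]
    set port   [LB::server port]
    set client "[IP::client_addr]:[TCP::client_port]"

    if { $pool eq "" } {
        # No pool was selected at all (for example, no default pool and no
        # pool command ran in an earlier event).
        log local0.warning "LB_FAILED client=$client reason=no-pool-selected"
        return
    }

    # Number of members in this pool that the monitors currently mark available.
    set up [active_members $pool]

    if { $addr eq "" } {
        # A pool exists but no member was picked. If active_members is
        # non-zero here, monitor state alone does not explain the failure.
        log local0.warning "LB_FAILED client=$client pool=$pool\
            active_members=$up reason=no-member-selected"
    } else {
        # A member was picked. Per the event description, the remaining
        # causes are: no route, queue limit reached, or no response to the
        # connection request.
        set status [LB::status pool $pool member $addr $port]
        log local0.warning "LB_FAILED client=$client pool=$pool\
            member=$addr:$port status=$status active_members=$up\
            reason=member-selected-not-connected"
    }
}
```

The messages land in /var/log/ltm. A `no-member-selected` line with a non-zero `active_members` count matches the symptom in the original post: healthy monitors and no server-side SYN.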