I'm having trouble with using an F5 LTM to load balance API calls. It's a pretty simple setup, 2 nodes in a pool, virtual server with service port as 443, client and server ssl profiles created, yet traffic is not making it anywhere. API calls to either individual server are accepted, but calls to the VIP address fail every time. I don't even see traffic on a tcpdump when filtering by the VIP address.
Is there anything in particular that needs to be done to load balance these API calls?
To add some more detail to this, I have built several other virtual servers in the same way in the past and they are all functioning, so there isn't a routing or addressing problem here. It seems like there is something specific to how these server nodes operate that is causing the traffic to fail.
to be sure API calls are just HTTP requests here right? there shouldnt be something special needed.
if you don't see traffic at your VIP then i would say there is some network or client issue. who is making the API call, how, ...? have your confirmed they now use the VIP instead of the individual server? can they reach other VIPs on the same BIG-IP?
I was told they were HTTPS but they should just be regular 443 communications as far as I'm aware.
It's definitely not a network issue, the user who is making the API calls to the VIP is able to reach other VIP's in that same network range. They are definitely using the VIP and not the individual server.
ok, yet you say: "I don't even see traffic on a tcpdump when filtering by the VIP address."
so why doesn't it reach the VIP, or does it?
That's what I'm trying to figure out.
They can reach the VIP network from their current range and access other F5 servers in that network, but for some reason I'm not seeing traffic hit this specific VIP when they attempt to do a POST to its address.
track it from the client to the vip. perhaps try a ping from the client to see if you find that in your tcpdump. any other easy capture device in between? firewall?
just wondering, did you find the issue?
So far we haven't been able to figure it out. We had an F5 support resource take a look at the configuration of the virtual server. He suggested a few minor changes but saw no issues with the configuration. He also said that the local traffic statistics page indicates that traffic is coming and being passed through correctly.
At this time we're wondering if it may be a certificate issue, so we're waiting for a new cert from the server team. I'll try to post an update if we find anything else.
If it does not match VIP do the tcpdump on a surce as it could match another VIP as seen in https://support.f5.com/csp/article/K14800 . If the clients are directly trying to access the server IP addresses/DNS names you may need to change the DNS/Networking or the client config or configure a wildcard VIP and make the traffic to go to the F5 device.