If you are using F5 LTM in the DMZ to load balance (LB) the VMware Unified Access Gateway (UAG) appliance, it is very important to use the iAPP or the F5 Deployment guide to set the Persistence Profile options properly or/else you might end up with issues.
Background:
The F5 LTM VIP for UAG Appliance was created manually without using the f5_vmware_view iApp and the Persistence Profile settings were manually configured. (I highly recommend to use the iApp and go through the F5 deployment guides)
Issue1:
The BLAST connection fails in the backend. The original SessionID request was going to UAG1 and due to the LB in the front the next request for the same SessionID was going to UAG2.
Log Snippet UAG1:
[2017-XX-XX 12:50:33.428] [INFO] 2289 [absg-master] – Added route 810DF5FF-*** to target 10.x.x.x|22443
Log Snippet UAG2:
[2017-XX-XX 12:50:35.589] [ERROR] 2723 [absg-worker] – Failed to resolve proxying route: 810DF5FF-***
As noted above the SessionID is the same but the initial BLAST connection request is going to different UAG appliance instead of going to the same appliance which it originally initiated.
Issue2:
You might time to time receive an Error Message “Your session has expired. Please re-connect the server” while entering the username, password and 2-factor authentication details on UAG landing page. It has to do with the timeout value on the F5 persistence profile – Source IP Address
Solution:
Whenever you have F5 LTM as the Load Balancer in front of UAG make sure you handle these three settings carefully to not run into the above described issue:
Timeout Value: Specifies the duration of the persistence entries.
This value should match the Horizon Administrator(Global Settings – View Administrator session timeout) time out value. The default value set on the F5 LTM is 180 seconds = 3 mins
Example – If the View Administrator session timeout is 480 mins
Then we should set the same value under the F5 Timeout value in seconds
Mirror Persistence: If the active unit goes into the standby mode, the system mirrors any persistence records to its peer.
We had this option un-check as it was a manually configured persistence profile
Match Across Services: All persistent connections from a client IP address that go to the same virtual IP address also go to the same node. The default is disabled
We had this option un-check as it was a manually configured persistence profile
How does the overall Persistence of the profile look:
If you are using the F5 Horizon iApp for the configuration of the UAG VIP then you might not end-up with the above issue.
I hope you find these tips useful during the F5 LTM VIP creation for VMware Unified Access Gateway Appliance.
Thanks,
Aresh Sarkari