F5 load balancer common misconfigurations for vRA 7 Distributed setup

Working with several customers to build vRealize Automation 7.x in production environment has exposed me to many vRA Distributed installs that involved the use of Load Balancers. There seems common mistakes that customers fall for when configuring load balancers for vRA 7.x distributed environments that cause the installation to fail or the setup not to function as intended. Here I wanted to highlight few of these. While I will be focusing on F5 in here, these mistakes can affect other load balancers as well.

vRealize Automation 7 F5 load balancer

1- Utilize the load balancer VIP for initial installation

Several customers try to use their load balancer VIP during vRA installation. While if setup perfectly this will work, a small mistake with the VIP configuration can make the installation and configuration of vRealize Automation feel impossible. For this I would recommend you create the VIP DNS record and just point it to your first nodes. Complete your vRA installation and configuration and only after confirming your setup is stable and fully installed to point your VIP DNS record to your actual VIP IP. This will make your installation go much smoother, and allow you a much easier path to troubleshooting if you made a mistake during load balancer configuration.

2- Using the default Wild Card Certificate 

Many customers use a wild card certificate generated by a Public CA on their load balancers. While using the wild card certificate is not the most secure way of doing certificates, many customers do that from easiness perspective. As vRealize Automation require a specific type and configurations in it’s certs, these generic wild card certificates will not work and will cause all kind of errors and issues in vRealize Automation 7.x. At my last customer trying this on their F5, we observed HTTPS Status 502 message when we navigate to infrastructure tab. What made debugging this more difficult that the Cloud Team has e-mailed the network team the vRA generated certs to use and assumed the network team would have used them when setting up the F5 load balancer, but the network team decided to do things the way they have always done with the generic certificates which made it a bit more difficult for the cloud team to find out what’s going on till they have checked the returned certs and discovered it’s a generic certs and not the expected vRA certs generated for this purpose.

3- Leaving the vRA Virtual Servers Load balancing Type to “Standard” in F5

F5 load balancer usually offers three Virtual Servers Load balancing types “Standard”, “Performance Layer 4”, and “Layer 7”. By default, F5 vRA Virtual Servers is configured with load balancing type “Standard”, which does not work well with vRealize Automation. I have seen many network team leaving this paramater to the default value of “Standard” causing vRealize automation to fail. Below is a sample errors faced when using the “Standard” Load balancing type:

“Error processing ping response Unable to connect to the remote server Inner Exception: Unable to connect to the remote server”

“Error processing ping response System.Data.Services.Client.DataServiceTransportException: Unable to connect to the remote server —> System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it :443”

The recommended configuration for the F5 Virtual Servers Load balancing type is “Performance Layer 4” and using any different type can cause issues. I would recommend sticking with the supported, recommended, and tested configuration in here.

4- Forgetting to Setup Protocol Profile (Client) to “fastL4”

Not setting up Protocol Profile (Client) to “fast L4” in the F5 can cause similar issue to the ones seen when setting up the Virtual Servers Load balancing type to “Standard”

 

I hope this help some of you fix their issues caused by F5 load balancer configuration when creating a vRA distributed environment. If you are looking for the steps to configure F5 for vRA Distribute install, you might want to look at my following post: http://www.virtualizationteam.com/cloud/vrealize-automation-7-x-f5-load-balancer-configuration.html

Speak Your Mind

*