Forum Discussion
Hi all, I went through this issue too, and I found 2 ways to solve it. My topology: 2 F5 APMs in high availability mode. Routing domain 0 bound to the management interface only. Other routing domains bound to data VLANs only. As the APM does not support a routing domain other than 0 in high availability, here are the options that solve the problem:
1- If you have (like me) routing domain 0 bound to the management interface only, then you can configure the RSA Server to accept the client with an alternate IP (in this case, the standby F5 node's management IP address). The AAA server must be created in the Common partition. In the AAA server Agent Host IP configuration choose Other and put the management IP address of the F5 failover node. Make sure all firewall rules are open between the F5 nodes and the RSA server.
2- You can NAT the management IP addresses of the F5 nodes behind a specific IP when they make a request to the RSA Server on UDP port 5500. This way, the RSA Server sees one IP all the time, no matter which F5 node is active. On the F5 AAA SecurID configuration, go to Agent Host IP and select Other; in the IP address field, put the NATed IP you have chosen in the firewall or router.
My preferred option is 1, as it does not require any additional changes on the network.
Omar.
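As an added illustration (not part of Omar's post, and not F5 or RSA code), here is a small Python model of the check the two options work around: the RSA server identifies an agent by the source IP of its UDP/5500 request, so an HA pair that sends from whichever node is active fails on the standby node unless that node's management IP is registered as an alternate (option 1) or both nodes are source-NATed behind one IP for that traffic (option 2). All addresses, node names and field names below are constructed for the example.

```python
"""
Toy model of the RSA agent-host source-IP check behind the two options above.

RSA Authentication Manager accepts an agent request only if its source IP is
the registered Agent Host IP or one of that agent's alternate IPs. With
routing domain 0 on the management interface, an F5 APM HA pair sends from
the management IP of whichever node is active, so the source changes on
failover. check_ha_pair() reports whether a request from each node's
management IP would be accepted under a given registration and SNAT rule.

Constructed example, not F5 or RSA code. Addresses are RFC 5737 documentation
ranges; AgentHost/SnatRule are this model's names, not RSA or F5 objects.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

RSA_AUTH_PORT = 5500  # UDP port the F5 APM AAA SecurID server talks to


@dataclass
class AgentHost:
    """One agent-host record on the RSA server: primary IP plus alternates."""
    name: str
    primary_ip: str
    alternate_ips: set = field(default_factory=set)

    def accepts(self, src_ip: str) -> bool:
        return src_ip == self.primary_ip or src_ip in self.alternate_ips


@dataclass
class SnatRule:
    """Source NAT on the firewall/router between the F5 nodes and RSA."""
    source_nets: list        # e.g. ["192.0.2.0/24"]
    dst_ip: str
    dst_port: int
    translated_ip: str

    def apply(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        """Return the source IP the RSA server will see for this packet."""
        matches = (
            dst_ip == self.dst_ip
            and dst_port == self.dst_port
            and any(ip_address(src_ip) in ip_network(n) for n in self.source_nets)
        )
        return self.translated_ip if matches else src_ip


def source_seen_by_rsa(node_mgmt_ip, rsa_ip, snat=None, dst_port=RSA_AUTH_PORT):
    """Source IP after any SNAT; unchanged when no rule is in place."""
    if snat is None:
        return node_mgmt_ip
    return snat.apply(node_mgmt_ip, rsa_ip, dst_port)


def check_ha_pair(nodes, rsa_ip, agent, snat=None):
    """Map node name -> True if a request from its mgmt IP is accepted."""
    return {
        name: agent.accepts(source_seen_by_rsa(mgmt_ip, rsa_ip, snat))
        for name, mgmt_ip in nodes.items()
    }


# Constructed topology: two nodes, management IPs in routing domain 0.
NODES = {"f5-a": "192.0.2.11", "f5-b": "192.0.2.12"}
RSA_SERVER = "198.51.100.5"
NAT_IP = "203.0.113.50"


def baseline():
    """Only the currently active node registered: breaks on failover."""
    agent = AgentHost("f5-apm", primary_ip=NODES["f5-a"])
    return check_ha_pair(NODES, RSA_SERVER, agent)


def option_1_alternate_ip():
    """Option 1: register the standby node's management IP as an alternate."""
    agent = AgentHost("f5-apm", primary_ip=NODES["f5-a"],
                      alternate_ips={NODES["f5-b"]})
    return check_ha_pair(NODES, RSA_SERVER, agent)


def option_2_snat():
    """Option 2: SNAT both nodes behind one IP for UDP/5500 to RSA only,
    and register that NATed IP as the Agent Host IP."""
    snat = SnatRule(source_nets=["192.0.2.0/24"], dst_ip=RSA_SERVER,
                    dst_port=RSA_AUTH_PORT, translated_ip=NAT_IP)
    agent = AgentHost("f5-apm", primary_ip=NAT_IP)
    return check_ha_pair(NODES, RSA_SERVER, agent, snat)


if __name__ == "__main__":
    for label, fn in [("baseline", baseline),
                      ("option 1 (alternate IP)", option_1_alternate_ip),
                      ("option 2 (SNAT)", option_2_snat)]:
        print(f"{label}: {fn()}")
```

The SNAT rule is deliberately scoped to the RSA server and UDP/5500, matching the post: other management traffic from the nodes keeps its real source, which is what you want for logging and firewall rules elsewhere.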