Forum Discussion
Hi, I believe it's a known issue (238556)
From https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-12-0-0.html:
Other issues
AAA types for Securid and RADIUS in APM will not source packets from the floating IP address for the traffic group, as customers would expect. Because RSA authentication server is sensitive to the incoming IP address of the authentication packets, an extra virtual server is required to SNAT the authentication requests to the correct (floating) address so that the same source IP will be used in both members of an HA pair. You see this when you use RADIUS AAA or RSA AAA in an APM access policy. Authentication will fail because RSA expects the source IP address to be specific, and will not tolerate changes for HA failover.