TCP Connection Failed After Adding New Members

What is the latency between F5 and the old/new pool members ? Normally, you can use WAN profile for the client side and LAN profile for the server side. If the latency is too high, you can try and use the WAN profile on both client and server side as a check.

If you disable the old pool members, are all connections successful ? I am wondering if your network set up may require SNAT by any chance.

If I understand correctly, you have a virtual server with a client ssl profile (ssl cert on the F5) with a pool including 2 pool members on a separate vlan that's directly connected to the F5, but different the virtual server's vlan. Traffic flows from the internet to the ssl virtual server who then distributes traffic between the two servers on the vlan behind the F5. If you add servers to the pool that are not on a directly connected vlan behind the F5 with a return route through the F5's floating IP, you will have several situations, the main one being asymmetric routing. If that is the case you will probably need to do several things. The first one can be to activate SNAT Automap. This will require you to allow access through your firewalls from the F5's egress floating IP address to the pool members. This will also change the source IP address you'll see on your pool members from the client's IP address to the egress floating IP addresses of the F5s.

By asymmetric routing I mean the following: Client connects to the F5's virtual and establishes an ssl session F5 forwards traffic to selected pool member leaving the client's source address intact Pool member on the new separate vlan receives the request from the client and sends response back directly to client Client gets an error as it gets a response that's not encrypted and from a different IP address he sent the request to

For the connections to work correctly the requests and responses need to flow through the F5's ssl virtual server.

If I understand correctly, you have a virtual server with a client ssl profile (ssl cert on the F5) with a pool including 2 pool members on a separate vlan that's directly connected to the F5, but different the virtual server's vlan. Traffic flows from the internet to the ssl virtual server who then distributes traffic between the two servers on the vlan behind the F5. If you add servers to the pool that are not on a directly connected vlan behind the F5 with a return route through the F5's floating IP, you will have several situations, the main one being asymmetric routing. If that is the case you will probably need to do several things. The first one can be to activate SNAT Automap. This will require you to allow access through your firewalls from the F5's egress floating IP address to the pool members. This will also change the source IP address you'll see on your pool members from the client's IP address to the egress floating IP addresses of the F5s.

By asymmetric routing I mean the following: Client connects to the F5's virtual and establishes an ssl session F5 forwards traffic to selected pool member leaving the client's source address intact Pool member on the new separate vlan receives the request from the client and sends response back directly to client Client gets an error as it gets a response that's not encrypted and from a different IP address he sent the request to

For the connections to work correctly the requests and responses need to flow through the F5's ssl virtual server.