wixxyl
F5 Big-IP Load Balancers Design help
Experts,

Hello, and thank you for taking the time to review my question first off; I hope to return the favor at some point. I'm extremely new at the F5 and am having some issues with setting up the devices to act in accordance with how they have been requested to operate. Basically, I want to set up a SNAT on my external VLANs to translate them to an internal IP so that they appear as another host on the subnet the hosted nodes are residing in. I've gotten my virtual server address set up (I'll include a copy of the config with IPs and VLANs removed for reference), but I'm unsure if I have everything trunking correctly, and if I've gotten all of the pieces in place to ensure it works correctly. This is my first project at my new job; it's kind of been dumped on me, so I'd like to get it running to show I have some competence (I do have a little bit :) ). I'm also going to attach a Visio diagram so that it can be shown what I'm hoping to accomplish. If anybody familiar with the F5 can take a look and see what I can change or improve upon, it would be greatly appreciated.

Thank you,
John
Boyd-F5-01.log
F5-Current-Architecture-safe.vsd

giltjr

I will take a little more time to look at your config. One thing that jumped out at me to start with is that you have the same VLAN tagged on two different interfaces, 1.1 and 2.1.

What are these connected to? What are you trying to accomplish?

One thing that may help you is a logical drawing instead of a physical one: something that shows the individual subnets and how the traffic will flow between them.

wixxyl (asker)

Yes, the tagged and untagged thing was a source of confusion. I've been a Cisco guy all my career, so a colleague helped to clear that up for me by relating tagged to a trunk and untagged to an access port. I am going to change some of the IP addresses to allow for an HA scenario, with floating addresses for the pair of F5s. Would you recommend doing that for all IPs rather than having just a self IP? I want to ensure there is no downtime associated with my equipment whatsoever. So far the setup is working up to the SNAT part, I think. My test environment wasn't fully functional so I can't say one hundred percent, but the firewall could ping to the virtual server address, and a traceroute did confirm the path was being traversed correctly. The end goal is to provide SSL offloading for a web-based development farm, accessible from different addresses to different development areas in the farm. The F5 is to appear as another host on the subnet, not the default gateway, due to its lack of 10G interfaces. I'm hoping to get some monitors set up next week for node checking, and then verify that they do in fact pass through the load balancers correctly, so the SNAT will be important to essentially fool the devices into believing the F5 is another server, if that makes sense, and the F5 can ensure all the servers are able to be utilized. Thanks for all the help. I've been sort of thrust into these things; I intend to get some formal training within the next two weeks, so hopefully I can answer some of my own questions, and I'll try and come up with a logical diagram to accompany this one. Thank you for all your help so far, I don't feel as overwhelmed since I've actually gotten one up and semi-working. :)

giltjr

Well, as you have learned, outside the Cisco world tagged is the same as trunk and untagged is the same as access port. It's even more confusing as some switches use the term trunk to describe what Cisco calls EtherChannel.

Depending on your definition of "no downtime" you may not be able to accomplish what you want. The problem is the SSL sessions.

On the F5 you can mirror connections, so any active TCP connections will be mirrored to the standby F5. If you are using session persistence, you can mirror that also.

However, if you are using SSL, the F5 can't "mirror" the SSL session state, so if you fail over, all SSL connections will have problems.

All the non-SSL connections will fail over and may show a small delay, but continue on with very few if any problems. At least that is the theory; luckily we have never had a failure.

All of the self IPs that are used for SNAT must be floating. So each F5 needs to have its own self IP within that subnet and then the float. Without the float, when (if) the active F5 fails, the servers will start seeing traffic come from a new IP address.

wixxyl (asker)

Yeah, I've been thinking about the self IPs. I do need to change that. Would you suggest changing that on all my VLANs so that they are all like this, or just the internal? I would think I would need to have that on all VLANs for the failover to work.

That's an interesting point about the SSL connections; I didn't think about it working out like that. Would new SSL connections have issues as well, or would it just be existing ones? I think that *might* be an acceptable loss if that were the case, but that's a big might.

What sort of persistence do you do in your environment? I like the idea of the cookie persistence, but I think that idea has been shot down in my environment. Who knows....

What sort of monitors would you recommend setting up? I'd like to have some good visibility into the server farm, and I'm not sure what sort of tests are the most telling. I like the idea of using the iRule to get the server pages from the devices, but how much strain does that put on the F5? I am kind of afraid we're going to overload the system with everything we're trying to do. It is a 6900 series, but I hope to get it up and running and convince them to upgrade to one of the 8900 models with 10G.

Thank you for all your help, it really is clearing things up for me. I hope I can get a classroom training session soon; I'd like to master these so I can move on to something else. :)

giltjr

I will have to double check, but you should only need to float the self IPs.

Only existing SSL sessions will have problems. New ones will work fine.

We have an iRule that does Universal. However, the type of persistence depends on your requirements. We have a single virtual host that front-ends a few different applications that are spread across 10 or so different pools.

As for monitors, we have a simple check to get one small static page per application/pool to verify the application is up and running on that specific server. We check every 30 seconds, and if we get no replies after 91 seconds we mark the member down. Not a lot of overhead unless you are checking hundreds or thousands of pages.

As for overloading the F5, it depends. We have 6400s and they are hardly breathing, but our load could be way low compared to yours. We have 1 production virtual server, 1 virtual server used for training classes, and one for special use. We do SSL offload for all of them, caching and compression for all. We use custom-written iRules for persistence, pool selection, and string replacement using the stream function. Transaction rate is low normally. We may get into the hundreds per second every now and then. We average a fairly constant 20-30 new connections per second.

As for upgrading to 8900 and 10 Gbps: are your main users internal or external? If they are external, what is your connection to the end users? It makes no sense to have 10 Gbps to the servers if you are mainly used over the Internet and only have a 45 or 100 Mbps Internet link.

wixxyl (asker)

So when I try to assign the same virtual server to a different pool, I can't specify the same destination port. Does the iRule allow you to do that? I want to be able to say internal clients come in using HTTPS on address 172.17.139.xx, translate that into the 172.17.140.xx address of the virtual server and send it to this pool member, 172.17.140.xx:9099, and terminate the SSL connection at the F5. I also want to have the same virtual server address allow users from the Internet to hit a different pool and be directed to the members on that pool servicing requests on a different port. It sounds very similar to what you're doing. So let's say a client will be connecting from 128.192.xx.xx; then the F5 should pick that up and translate from the self IP on the outside VLAN to the virtual server address and send it according to the source address. Would that be better suited to an iRule, or would a SNAT be able to do that? I'm extremely fuzzy on the situation for using the SNATs; they just aren't clicking with me. Would I need to utilize both to make that work correctly?

I like your idea behind the monitor; I think that is exactly what I need. Right now I just have an ICMP monitor, but I know that's not good enough.

I think you're probably right about the load on the links and devices. I would have to have everyone simultaneously hit the F5 to really see a super drain on the system, and I don't foresee that happening at all. It's probably not going to ever saturate the links, and if it does, I can always trunk some links together and get more bandwidth that way.

Thanks so much for all your help with this. I have a lot of pressure on me to get these working, and if I don't, then it's going to cut my career here pretty short, I think. : \

ASKER CERTIFIED SOLUTION
giltjr

wixxyl (asker)

Made leaps and bounds in learning from this experience. It seems I didn't have my floating address in my self IPs, so that was one issue. Next, I had to build my profile for my SSL offload. Then I had to get my server guys to give me the proper info. :) That cleared up some things and allowed me to get the passthrough working. I was also trying to build the SNAT list and didn't need to; I just needed to automap it and it came right up. I am going to use the iRule that you posted, as my servers are on the same VLAN (point of confusion) and they are listening on different ports. So it's become a matter of putting the right iRule in place to use the source address to point it to the correct pool. Thank you for all of the help, I couldn't have done it without you.
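The accepted iRule is not visible on this page, so the following is an added example (not giltjr's code) of the approach the thread converges on: one HTTPS virtual server with SNAT automap and SSL offload, and an iRule that picks the pool from the client's source address, with the debug-logging switch giltjr describes. The pool names, the /24 and /16 masks on the 172.17.139.xx and 128.192.xx.xx ranges from the thread, and the log prefix are assumptions.

```tcl
# Added example, not from the original thread. Assumes:
#   pool_dev_internal_9099  - members on the server VLAN listening on 9099
#   pool_dev_external       - members on the same VLAN listening on another port
# SSL offload (client SSL profile) and SNAT automap are set on the virtual
# server itself, not in this iRule.

when RULE_INIT {
    # Set to 1 to log every decision while testing; leave at 0 in production,
    # since logging each new connection costs CPU on the F5.
    set static::dbg_pool_select 0
}

when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    set chosen "default"

    if { [IP::addr $src equals 172.17.139.0/24] } {
        # Internal developers: send to the members listening on 9099.
        set chosen pool_dev_internal_9099
        pool $chosen
    } elseif { [IP::addr $src equals 128.192.0.0/16] } {
        # Internet users: different pool, members listen on a different port.
        set chosen pool_dev_external
        pool $chosen
    }
    # Any other source falls through to the virtual server's default pool;
    # tighten this to "reject" if only the two ranges are meant to reach it.

    if { $static::dbg_pool_select } {
        log local0. "pool_select: client $src -> $chosen"
    }
}
```

The port translation happens per pool member (for example 172.17.140.xx:9099), so the virtual server keeps a single destination port while each pool listens on its own.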

giltjr

No problem and thanks for the points.

The F5s are powerful boxes, and for 90% of environments they are not that tough to learn. Our toughest issue was getting session persistence to work directly with WebSphere; we are not running IBM's plugin for an HTTP server.

I did not know TCL or anything about an F5; it took me about a month or so to get code working. Of course, a week after I got the code working somebody posted an iRule on DevCentral to do the same thing. The good part is my code was 98% the same. The 2% difference was because their code assumed one application and one application pool, and I had some debugging code that starts logging info if I change an environment variable.

I have had no real training. We have had a couple of consultants out for a day or two here and there, but it's been read the manuals, search the knowledge base, and search DevCentral.

Hi, did you create a logical diagram? If so, I would like to see it. We are setting up an F5 listener device for test and production servers. I would like to see your logical diagram.
