When you set up a federated health monitor for use with Avi GSLB (Global Server Load Balancing) services, it's crucial that any associated objects, such as SSL profiles, are also federated.
Currently, there's a known issue where our CLI and API allow you to configure a non-federated SSL profile with a federated LDAPS health monitor.
This is an unsupported configuration. If this occurs, your GSLB cluster will go "Out of Sync," leading to potential synchronization problems across your services.
This issue is caused by a configuration validation gap within the system. When using the controller CLI or API, the software fails to prevent a non-federated SSL profile from being assigned to a federated LDAPS health monitor.
The validation is correctly implemented in the UI, so this issue does not occur when the health monitor is configured through the UI.
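Because the CLI and API accept this combination, an offline check over an exported configuration can flag it before the cluster goes out of sync. The following is an added example, not code from the product or its documentation; the export layout (`HealthMonitor` and `SSLProfile` lists), the field names `is_federated` and `ldap_monitor.ssl_attributes.ssl_profile_ref`, and the two reference formats are assumptions to verify against your controller's own export.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample; layout and field names are assumptions, not a real export.
SAMPLE_EXPORT = {
    "SSLProfile": [
        {"uuid": "sslprofile-aaa", "name": "local-ssl", "is_federated": False},
        {"uuid": "sslprofile-bbb", "name": "gslb-ssl", "is_federated": True},
    ],
    "HealthMonitor": [
        {"name": "gslb-ldaps-bad", "is_federated": True, "ldap_monitor": {
            "ssl_attributes": {"ssl_profile_ref": "/api/sslprofile/?tenant=admin&name=local-ssl"}}},
        {"name": "gslb-ldaps-ok", "is_federated": True, "ldap_monitor": {
            "ssl_attributes": {"ssl_profile_ref": "https://ctrl.example/api/sslprofile/sslprofile-bbb"}}},
        {"name": "site-ldaps", "is_federated": False, "ldap_monitor": {
            "ssl_attributes": {"ssl_profile_ref": "/api/sslprofile/sslprofile-aaa"}}},
    ],
}

def resolve_profile(ref, profiles):
    """Resolve a reference given either as .../<uuid> or as ...?name=<name>."""
    parsed = urlparse(ref)
    name = parse_qs(parsed.query).get("name", [None])[0]
    uuid = parsed.path.rstrip("/").rsplit("/", 1)[-1]
    for profile in profiles:
        if (name and profile.get("name") == name) or profile.get("uuid") == uuid:
            return profile
    return None

def find_federation_mismatches(export):
    """Return (monitor, profile_or_ref, reason) for each federated LDAP(S)
    monitor whose SSL profile is not federated or cannot be resolved."""
    profiles = export.get("SSLProfile", [])
    findings = []
    for hm in export.get("HealthMonitor", []):
        if not hm.get("is_federated"):
            continue  # non-federated monitors may use local profiles
        ssl_attrs = (hm.get("ldap_monitor") or {}).get("ssl_attributes") or {}
        ref = ssl_attrs.get("ssl_profile_ref")
        if not ref:
            continue  # no SSL profile attached
        profile = resolve_profile(ref, profiles)
        if profile is None:
            findings.append((hm["name"], ref, "unresolved"))
        elif not profile.get("is_federated"):
            findings.append((hm["name"], profile["name"], "not federated"))
    return findings

if __name__ == "__main__":
    for finding in find_federation_mismatches(SAMPLE_EXPORT):
        print(finding)
```

An "unresolved" finding means the referenced profile was not in the export and needs a manual look.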
This issue is resolved in Avi version 31.2.1. The updated version adds the necessary validation to prevent this unsupported configuration.
To immediately resolve this issue on an affected system, you must manually correct the configuration: