As a heads up, I discovered today that fail2ban was banning my internal clustered servers, and therefor resulting in a bad gateway.
So if you want to run fail2ban on a network with internal IPs, make sure that fail2ban can see real IPs, not just internal IPs. If you know how to do this, please do share. I'm still researching it.