F5CAB5 BIG-IP Administration Support and Troubleshooting (F5CAB5) exam Questions and Answers

Comprehensive and Detailed Explanation From BIG-IP Administration Support and Troubleshooting documents: Monitoring resource utilization is essential for maintaining system stability. If the root (/) file system reaches 100% capacity, the BIG-IP may become unresponsive, fail to save configuration changes, or experience daemon crashes83. When the / partition is full, the immediate troubleshooting step is to identify large or unnecessary files—such as old log files, core dumps, or temporary installer files—located specifically within that file system84. In the provided exhibit, /dev/md4 is explicitly listed at 100% usage for the / mount point85. Checking other partitions like /usr (which is at 82% in the exhibit) would not resolve the immediate "Full" status of the root directory86. Administrators often use the du (disk usage) command via the CLI to find the problematic files. Managing disk space is a proactive task; however, when utilization hits 100%, it becomes a reactive troubleshooting emergency that must be resolved to restore the management plane's functionality.

Comprehensive and Detailed Explanation From BIG-IP A41dministration Support and Troubleshooting documents:To confirm functionality across a complex environment, the "Network Map" is the most efficient troubleshooting tool in the Configuration Utility43. It provides a hierarchical, visual representation of the traffic management objects44. A single glance allows the administrator to see the status of a Virtual Server (Green/Red/Yellow), the status of its associated pool, the health of individual pool members, and which iRules are currently attached45. This view is superior to the standard "Virtual Server List" for troubleshooting because it maps the dependencies between objects46. For example, if a Virtual Server is "Red," the Network Map will show if that status is inherited from a failed pool or a specific monitor failing on a pool member. Reviewing these basic stats in the Network Map helps the administrator quickly isolate whether a failure is at the service level (Virtual Server), the logic level (iRule), or the hardware level (Pool Member).

Monitoring granular resource utilization is essential when troubleshooting performance degradation for specific applications. While global system stats show overall hardware health, they do not pinpoint which virtual server is overconsuming resources during traffic spikes. To identify the specific application causing a high CPU load, the administrator should navigate to Statistics > Module Statistics > Local Traffic > Virtual Servers7474. This section provides detailed metrics for each virtual server, including CPU cycles used for traffic processing and iRule execution75. Identifying a "top-talker" or a problematic virtual server allows the administrator to take targeted action, such as optimizing an inefficient iRule, adjusting compression levels, or offloading the virtual server to a different device group76. This targeted troubleshooting ensures that one high-demand virtual server does not negatively impact the performance of other services running on the same BIG-IP hardware, maintaining overall system stability and resource availability

Comprehensive and Detailed Explanation From BIG-IP Administration Support and Troubleshooting documents: When load balancing is not working as 23expected and connections appear skewed across physical hardware, the administrator must distinguish between "member"24 and "node" level balancing. A "member" refers to a specific IP and Port combination (e.g., 10.1.1.1:80), whereas a "node" refers to the underlying IP address (10.1.1.1) regardless of the port25. If a single server hosts multiple services (Web, FTP, API) across different pools, using "Least Connections (member)" would only balance connections within each individual pool26. This could lead to a scenario where one server is overwhelmed because it is winning the "least connections" count in three different pools simultaneously. By selecting "Least Connections (node)," the BIG-IP tracks the total number of concurrent connections to the physical IP address across all pools it belongs to27. This ensures that the administrator can maintain an equal distribution of work across the hardware, preventing performance degradation on backend servers that host multiple application services.

Troubleshooting SSL connection resets often involves verifying license limits against actual resource utilization. F5 devices use a "Transactions Per Second" (TPS) license to control the amount of SSL processing the device can handle. The log entry SSL transaction (TPS) rate limit reached is a clear indicator that the traffic volume has exceeded the licensed capacity. When determining the necessary license level, it is important to know that F5 primarily licenses and limits the "Client-side" SSL TPS—which represents the encrypted connections between the users and the virtual servers. In this specific scenario, the peak demand reached 1200 client-side transactions per second. Although there were also 800 server-side transactions (re-encryption from the BIG-IP to the pool), these typically do not count against the primary TPS license limit in the same manner. Therefore, to ensure that the virtual server works as expected during peak load, the administrator must upgrade the license to at least 1200 TPS. This troubleshooting process links system log errors to license-enforced resource constraints.

When a physical network link (like Interface 1.1) reaches its maximum capacity, it creates a bottleneck that negatively impacts network-level performance. To overcome the physical limits of a single interface, BIG-IP administrators use "Trunking," which is the F5 term for Link Aggregation (often implemented via LACP). A trunk object bundles multiple physical interfaces into a single logical link. By creating a trunk with two or more interfaces, the BIG-IP can spread the traffic load across all members of the trunk, effectively doubling or tripling the available bandwidth for the associated VLANs. Beyond performance, troubleshooting redundancy often leads to the use of trunks; if one cable in a trunk fails, the others continue to carry traffic, preventing a complete outage. This is a superior solution to simply increasing MTU (which requires end-to-end support) or manually setting media speeds. In a high-availability environment, configuring trunks is a foundational troubleshooting and optimization step to ensure that traffic spikes do not result in packet loss due to link saturation.

Uneven load balancing on a BIG-IP system typically occurs when traffic is not distributed evenly across all available pool members. One common reason is thatmonitors have marked down multiple pool members (Option B). When health monitors fail for specific pool members, BIG-IP automatically removes those members from load-balancing decisions. As a result, traffic is sent only to the remaining healthy member, creating the appearance that load balancing is not functioning correctly. This behavior is expected and aligns with BIG-IP’s design to ensure traffic is sent only to healthy resources.

Another frequent cause isthe presence of a persistence profile on the pool or virtual server (Option C). Persistence (such as source address or cookie persistence) forces subsequent client connections to be sent to the same pool member for session continuity. While persistence is critical for certain applications, it can override the load-balancing algorithm and cause most or all traffic to be directed to a single pool member, especially during low traffic volumes or testing scenarios.

The other options are incorrect because avirtual server marked down (Option A)would not pass traffic at all, andall pool members marked down (Option D)would result in no connections rather than uneven distribution. This analysis follows standard BIG-IP troubleshooting methodology using pool status, monitor results, and persistence configuration review.

Comprehensive and Detailed Explanation From BIG-IP Administration Support and Troubleshooting documents: Troubleshooting configuration-related issues requires a clear trail of what was changed and by whom. The BIG-IP system includes a dedicated audit logging feature for this purpose28. Whenever a system object—such as a virtual server, pool, or iRule—is created, modified, or deleted, the system records the event in /var/log/audit29. These logs provide critical context during troubleshooting by showing if a performance drop or traffic failure coincided with a specific administrative action30. Unlike /var/log/ltm, which focuses on local traffic events like pool member status changes, or /var/log/secure, which handles authentication attempts, the audit log specifically tracks the "how" and "when" of configuration changes31. This is a vital resource for administrators to determine if a virtual server is not working as expected due to a recent manual change or an automated system action, allowing for a rapid "rollback" or correction of the configuration.

When load balancing is not working as expected across hardware hosting multiple services, the administrator must distinguish between "member" and "node" level algorithms102102102102. A "member" is a specific IP and port (e.g., 10.1.1.1:80), while a "node" is the physical server's IP (10.1.1.1) regardless of the port103. If servers host both FTP and HTTP services in separate pools, using "Least Connections (Member)" only balances connections within each individual pool. This can lead to a skewed distribution where one server is selected for a new HTTP connection because it has the fewest HTTP connections, even if it is currently overloaded with hundreds of FTP connections. By applying "Least Connections (Node)," the BIG-IP tracks the total number of connections to the physical hardware across all ports and pools106106106106. This ensures that the administrator can maintain an even distribution of the total workload across the server fleet, resolving the reports of uneven traffic distribution reported by the server support team