F5CAB5 BIG-IP Administration Support and Troubleshooting (F5CAB5) exam Questions and Answers

When a BIG-IP system experiences high overall CPU usage, troubleshooting requires identifying which specific application or service is the primary consumer of resources. While the system-wide performance graphs provide a global view, the granular data necessary to isolate a "top talker" is found in the "Local Traffic" statistics. Navigating to Statistics > Module Statistics > Local Traffic > Virtual Servers allows the administrator to see specific metrics for each configured virtual server, including the number of packets processed, current connections, and critical CPU cycles consumed. This is essential for troubleshooting performance issues where an inefficient iRule, high SSL handshake volume, or complex L7 profiles (like Compression or ASM) might be overtaxing the Traffic Management Microkernel (TMM) for one specific application. By reviewing these basic stats, an administrator can determine if a performance bottle-neck is a system-wide h1ardware issue or if it is isolated to a single virtual server, enabling targeted remediation such as optimizing iRule logic or moving the high-load virtual server to a dedicated device.

Uneven load balancing on a BIG-IP system typically occurs when traffic is not distributed evenly across all available pool members. One common reason is thatmonitors have marked down multiple pool members (Option B). When health monitors fail for specific pool members, BIG-IP automatically removes those members from load-balancing decisions. As a result, traffic is sent only to the remaining healthy member, creating the appearance that load balancing is not functioning correctly. This behavior is expected and aligns with BIG-IP’s design to ensure traffic is sent only to healthy resources.

Another frequent cause isthe presence of a persistence profile on the pool or virtual server (Option C). Persistence (such as source address or cookie persistence) forces subsequent client connections to be sent to the same pool member for session continuity. While persistence is critical for certain applications, it can override the load-balancing algorithm and cause most or all traffic to be directed to a single pool member, especially during low traffic volumes or testing scenarios.

The other options are incorrect because avirtual server marked down (Option A)would not pass traffic at all, andall pool members marked down (Option D)would result in no connections rather than uneven distribution. This analysis follows standard BIG-IP troubleshooting methodology using pool status, monitor results, and persistence configuration review.

The issue described is a classic case of asymmetric routing in a "one-arm" or same-subnet topology.

Symptom Analysis: The Virtual Server (10.10.1.100) and the pool members (10.10.1.101 and 10.10.1.102) are on the same subnet.

The Problem: When a client sends a request to the VIP, the BIG-IP translates the destination IP but keeps the client's original source IP. The server receives the packet and sees a source IP from a different subnet. Instead of sending the response back to the BIG-IP, the server sends it directly to its default gateway. The client receives a response from the server's IP, which it doesn't recognize, causing the connection to fail.

The Solution: Enabling SNAT Auto Map ensures the BIG-IP changes the source IP of the packet to its own self-IP. This forces the pool member to send the response back to the BIG-IP, which then translates it correctly and sends it to the client.

Incorrect Options: Adding an HTTP profile (Option B) or an HTTP monitor (Option C) would enhance the configuration but would not fix the underlying Layer 3 routing issue causing the traffic drop.

In an HTTPS session, the application-layer payload—including HTTP request headers, response headers, cookies, and body content—is encrypted using SSL/TLS. Without decrypting the traffic (for example, without SSL offloading on BIG-IP or access to the private keys), a packet capture cannot reveal any HTTP-level details.

However,network-layer and transport-layer information remains visible, even when encryption is used. This includes source and destination IP addresses, source and destination ports, TCP flags, sequence numbers, and TLS handshake metadata. Therefore, thesource IP address (Option B)is visible in a packet capture of HTTPS traffic without decryption.

Options A, C, and D are incorrect because HTTP headers and cookies are part of the encrypted payload once HTTPS is established. BIG-IP troubleshooting documentation emphasizes this distinction when analyzing encrypted traffic flows using tcpdump, as administrators must rely on IP, port, and timing information unless SSL inspection or decryption is configured.

The "Manual Resume" feature is a safety mechanism used when a pool is not working as expected due to flapping services or unstable backend applications. Normally, when a health monitor fails, the pool member is marked "Offline" (Red), and when the monitor passes, it automatically returns to "Available" (Green)47. However, if "Manual Resume" is enabled, the BIG-IP will not automatically put the member back into rotation after a failure48. Even if the health check begins to pass again, the member remains in an "Offline (Disabled)" state49. This requires an administrator to manually intervene and re-enable the member. This is a common point of confusion when troubleshooting; a member may show passing health checks but still not receive traffic because it is waiting for a manual administrative "resume" command. This feature is intended to prevent "unhealthy" servers from receiving traffic until an engineer has confirmed the root cause of the initial failure was resolved.

A gateway_icmp monitor checks basic network reachability by sending ICMP echo requests (pings) to the pool member or its gateway. If the pool is markedDOWNwhile the server is confirmed to be online, the most likely cause is thatICMP traffic is being blocked.

Ahost-based firewall active on the server (Option C)can block ICMP echo requests or replies, preventing BIG-IP from receiving a successful response to the health check. This results in the monitor failing and the pool member being marked down, even though the server and application are otherwise functioning normally. This explanation is consistent with the scenario where other servers in the same subnet work correctly, indicating that routing and BIG-IP configuration are not the issue.

The other options are unrelated to ICMP monitoring. Logged-in users (Option A), missing patches (Option B), and stopped HTTP services (Option D) do not affect a gateway_icmp monitor. BIG-IP troubleshooting best practices recommend verifying ICMP reachability and firewall policies when diagnosing ICMP-based monitor failures.

Comprehensive and Detailed 150 to 250 Words Explanation From BIG-IP Administration, Support, and Troubleshooting Documents:

AQKViewfile is the primary diagnostic support bundle used by F5 Support to troubleshoot BIG-IP system issues. It contains comprehensive system information, including running configuration, licensing details, module provisioning, hardware status, software versions, log files, statistics, and the output of numerous diagnostic commands. Generating a QKView is a standard and recommended first step when investigating performance problems, configuration issues, or when opening a support case with F5.

In the BIG-IP Configuration Utility (GUI), the correct and supported location to generate a QKView isSystem > Support. This menu is specifically designed for support and troubleshooting operations. From this section, administrators can generate a QKView file, monitor its creation progress, download it locally, or upload it directly to F5 iHealth for automated analysis. This workflow is clearly documented in BIG-IP Administration and Support guides and aligns with F5 best practices.

The other menu options are not appropriate:

System > Configurationis used for system-wide settings such as DNS, NTP, and device identity.

System > Archiveis used to create UCS backup files, which are configuration backups, not diagnostic bundles.

System > Logsis used only for viewing system logs, not generating support files.

Therefore,System > Supportis the correct and only valid answer.

According toofficial F5 documentation (K52015891 – Troubleshooting BIG-IP power supply issues),hardware-related alerts for power supplies, fans, and chassis components are logged in /var/log/ltm.

When a BIG-IP device experiences a power supply issue—such as failure, intermittent outages, or fan-related faults—the system generates alerts through internal platform monitoring services. These alerts are written to the/var/log/ltmfile and often appear with messages similar to:

Chassis power supply 2 has experienced an issue. Status is as follows: FAN=bad; STATUS=bad.

This makes /var/log/ltm theauthoritative log filefor identifying and verifying power supply and chassis-related problems on BIG-IP systems.

The other log files are not appropriate for this purpose:

/var/log/daemon.logcontains general daemon messages but isnot the primary sourcefor chassis hardware alerts.

/var/log/kern.loglogs kernel-level events, not platform power status.

/var/log/auditrecords administrative actions and configuration changes.

Conclusion:

Per F5-supported guidance, when suspecting power supply outages or chassis hardware issues, the BIG-IP Administrator shouldalways check /var/log/ltm first.

Comprehensive and Detailed 150 to 250 Words Explanation From BIG-IP Administration, Support, and Troubleshooting Documents:

These log messages indicate that the BIG-IP system’sTraffic Management Microkernel (TMM)has enteredaggressive eviction modedue tohigh global memory utilization. When TMM memory consumption reaches critical thresholds, BIG-IP activates thedefault eviction policyto protect system stability and prevent a full traffic processing failure. This condition directly corresponds toOption A, where the global eviction policy is triggered because TMM memory resources are nearing exhaustion.

Once aggressive mode is activated, BIG-IP begins using theconnection sweeper mechanism, which selectively terminates existing connections to free memory. The repeated log entries stating“1 connections killed”confirm that the system isreaping some connections, not all connections. This behavior matchesOption C. The eviction process is incremental and controlled, targeting idle, low-priority, or least-recently-used connections first to minimize impact on active traffic.

Option B is incorrect because BIG-IP doesnotdrop all connections during aggressive mode; it only removes enough connections to relieve memory pressure. Option D is also incorrect because TMM eviction is based onTMM global memory usage, not swap memory utilization. TMM does not rely on swap space in the same way the host Linux system does.

These messages are a critical warning sign that the system is under memory stress and may require traffic optimization, connection limits, or hardware scaling.

When adding new members to an active, high-traffic pool, the Slow Ramp Time setting is critical for maintaining application stability.

Mechanism: The Slow Ramp Time feature (located in the Pool properties) allows the BIG-IP system to gradually increase the number of connection requests sent to a newly added or recently enabled pool member.

The Issue: In a highly utilized pool, if Slow Ramp Time is set to 0 (the default), the BIG-IP immediately begins sending a proportional share of traffic to the new members. If the application requires a "warm-up" period (e.g., to build local caches or establish database connection pools), the sudden influx of traffic can overwhelm the new server, causing it to drop requests or fail to load content for users.

Recommendation: F5 recommends setting a non-zero Slow Ramp Time (measured in seconds) to allow the new member to scale up its processing capacity incrementally.

To successfully performSSL offload and re-encryptionon a BIG-IP system, the virtual server must be configured withboth a Client SSL profile and a Server SSL profile. The Client SSL profile enables BIG-IP to decrypt inbound HTTPS traffic from clients, while the Server SSL profile is required tore-encrypt traffic before forwarding it to the pool members.

From the exhibit, the virtual server has aClient SSL profile configured, which allows BIG-IP to accept HTTPS connections from clients. However, there isno Server SSL profile attached, meaning BIG-IP attempts to sendunencrypted HTTP trafficto pool members listening on HTTPS (port 443). This protocol mismatch causes the server-side SSL handshake to fail, resulting in users being unable to connect to the application.

This behavior is well documented in BIG-IP SSL troubleshooting guides: when backend servers expect HTTPS, a Server SSL profile is mandatory to establish a secure connection from BIG-IP to the pool members.

The other options are incorrect:

Removing the Client SSL profile (Option A) would break client-side HTTPS.

The server-side TCP profile (Option B) is unrelated to SSL encryption.

Forward Proxy (Option C) is only used for outbound SSL inspection scenarios.

Therefore, configuring anSSL Profile (Server)is the correct and required solution.

This virtual server is intended to function as aforwarding (IP-forwarding) virtual server, which is commonly used for routing or firewall-style deployments where BIG-IP forwards traffic transparently without load balancing or address translation. For a forwarding virtual server to match and passall traffic, the destination must be configured as 0.0.0.0:anywith a mask of 0.0.0.0, not 255.255.255.255.

The configured mask 255.255.255.255 represents a/32 host mask, which restricts the virtual server to matching traffic destined only for the exact IP address 0.0.0.0. Since 0.0.0.0 is not a valid routable destination for normal traffic, no packets will ever match the virtual server, causing it to pass no traffic at all.

This is a well-documented BIG-IP behavior:

destination 0.0.0.0:any

mask 0.0.0.0

together define acatch-all forwarding virtual server.

The destination itself (Option A) is correct for a forwarding VS, and disabling address translation (Option C) is expected and required for IP-forwarding mode. Therefore, the incorrect subnet mask is the sole reason the virtual server is not functioning as expected.

The failure of the Forwarding (IP) virtual server is caused by an incorrect Network Mask configuration for a wildcard destination.

Wildcard Destination: The administrator intends to create a "Wildcard" Virtual Server that listens for any destination IP address (0.0.0.0).

The Mask Conflict: A mask of 255.255.255.255 (or /32) tells the BIG-IP to look for a specific, single host address. When combined with 0.0.0.0, the system is literally looking for traffic destined for the IP 0.0.0.0, which is not a valid routable destination for standard traffic.

Correct Configuration: To allow the virtual server to catch traffic for any IP address, the mask must be changed to 0.0.0.0 (or /0). This signifies that the system should ignore all bits of the destination address and match everything.

Forwarding Logic: The rest of the configuration—including ip-forward (Forwarding IP type), translate-address disabled, and translate-port disabled—is correct for a BIG-IP acting as a router/gateway.

When analyzing HTTPS traffic using tools like tcpdump without access to the SSL private keys for decryption, only the Layer 2 through Layer 4 information remains visible.

Visible Information: You can see the Source and Destination IP addresses, TCP ports, and the TLS handshake headers (such as the Server Name Indication/SNI in the Client Hello).

Encrypted Information: Once the encrypted tunnel is established, all Layer 7 data is masked. This includes HTTP Request/Response Headers (Option A and D) and Cookies (Option C).

Troubleshooting Note: To see the headers or cookies, an administrator must either perform the packet capture on the "server-side" of the BIG-IP (if it is performing SSL Offload) or use a tool like Wireshark with the appropriate SSL keys loaded.

F5 BIG-IP provides two distinct ways to throttle traffic on a Virtual Server: total capacity and velocity.

Connection Rate Limit: This setting specifically controls the number of new connection attempts per second. It is the correct tool for managing traffic spikes and protecting backend resources from being overwhelmed by a high frequency of new requests.

Comparison (Connection Limit): A standard Connection Limit (Option C) restricts the total concurrent connections allowed at any one time, regardless of how fast they arrive.

Other Profiles: OneConnect (Option A) is used for connection pooling and reuse to reduce server-side load, and HTTP Compression (Option B) reduces bandwidth usage but does not limit connection counts or rates.

In F5 TMOS administration, the traffic flow is processed through specific event huddles w3ithin iRules. To troubleshoot or m4odify traffic based on a URI (Uniform Resource Identifier), the BIG-IP system must first parse the application-layer data. The HTTP_REQUEST event is triggered when the system has fully received and parsed the HTTP request headers from the client5. This is the correct point to implement logic that selects a pool or pool member based on the path or file requested (e.g., /images or /api). Using CLIENT_ACCEPTED would be too early in the troubleshooting process because that event triggers at the L4 (TCP) connection establishment phase, before any URI information is available6. Conversely, HTTP_RESPONSE occurs during the return traffic from the server, which is too late to make a load balancing decision7. For troubleshooting virtual server behavior where URIs are involved, ensuring the iRule is attached to a Virtual Server with an HTTP profile and using the HTTP_REQUEST event is essential for proper traffic steering and inspection.