A BIG-IP Administrator creates a new Virtual Server. The end user is unable to access the page. During troubleshooting, the administrator learns that the connection between the BIG-IP system and server is NOT set up correctly. What should the administrator do to solve this issue? (Choose one answer)
The issue described is a classic symptom of asymmetric routing, which frequently occurs when the BIG-IP system and the back-end servers reside on the same subnet (often referred to as a 'one-arm' deployment).
The Routing Problem: By default, the BIG-IP system preserves the original client source IP address when forwarding traffic to a pool member. If the server is in the same subnet as the client or if the server's default gateway is not the BIG-IP, the server will attempt to send its response directly back to the client's IP address, bypassing the BIG-IP.
Stateful Failure: Since the BIG-IP is a Full Proxy, it maintains a state table. Because the response packet never returns through the BIG-IP, the system cannot complete the three-way handshake or manage the application session, resulting in a connection failure for the user.
The Solution (SNAT): Enabling Source Network Address Translation (SNAT) solves this by changing the source IP address of the request to an IP address owned by the BIG-IP (typically a self-IP).
Requirement for Subnet Alignment: To ensure the server sends the response back to the BIG-IP, the translation address must be reachable. By using a self-IP configured in the same subnet as the servers, the BIG-IP ensures that the server sees the request coming from a local 'neighbor.' The server will then naturally send the response back to that self-IP, allowing the BIG-IP to translate the packet back and forward it to the client.
Why other options are incorrect:
A: Disabling address translation would ensure the server-side traffic uses the client IP, making asymmetric routing inevitable in this scenario.
B: This is technically contradictory; 'Auto Map' specifically uses existing self-IPs and does not require or use a 'SNAT pool' configuration.
C: While using a specific translation address can work, it does not inherently guarantee the Layer 2/Layer 3 reachability mentioned in the scenario as effectively as ensuring the self-IP is correctly placed in the server's subnet.
A BIG-IP Administrator configures a node with a standard icmp Health Monitor. The Node shows as DOWN although the Backend Server is configured to answer ICMP requests. Which step should the administrator take next to find the root cause of this issue?
In the F5 BIG-IP ecosystem, a standard ICMP health monitor functions by sending an ICMP echo request to a target node and expecting an ICMP echo reply within a specified timeout period. When a node is marked 'DOWN' despite the backend server being configured to respond to ICMP, the issue typically lies in the network path or the specific packet exchange between the BIG-IP's self IP and the node's IP. Running a tcpdump is the most effective next step because it provides a real-time packet capture of the actual monitor traffic leaving the BIG-IP and any return traffic coming back from the server. This allows the administrator to verify if the BIG-IP is actually sending the echo request, if the request is reaching the server, and if the server is indeed replying or if the reply is being dropped by an intermediate firewall or a security policy.
While other tools have their place, they are inappropriate for this specific layer 3/4 connectivity issue. A qkview is a comprehensive diagnostic file used primarily for F5 Support to analyze the entire system's state but is overkill for initial connectivity troubleshooting. An ssldump is used for inspecting SSL/TLS handshakes and encrypted payloads, which is irrelevant for a non-encrypted ICMP monitor. A curl command is a tool for testing HTTP/HTTPS application-level responses; it cannot be used to troubleshoot ICMP (ping) connectivity directly. By using tcpdump -ni <vlan_name> host <node_ip>, the administrator can see the ICMP 'type 8' (request) and 'type 0' (reply) packets, immediately identifying if the monitor failure is due to a 'Destination Unreachable' message or a simple lack of response, thereby pinpointing the root cause in the data plane.
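The capture described above can be read mechanically. The following is an added example, not part of the original page or F5 tooling: it classifies tcpdump text output into the failure cases the explanation names. The function name, the self IP 10.1.20.1, the node IP 10.1.20.11 and the capture lines are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify a capture taken with
#   tcpdump -ni <vlan_name> host <node_ip>
# All addresses and capture lines below are constructed samples.

# classify_icmp_capture SELF_IP NODE_IP   (tcpdump text on stdin)
# Prints: healthy | no_reply | unreachable | no_request
classify_icmp_capture() {
    awk -v self="$1" -v node="$2" '
        $2 != "IP" { next }
        # type 8: echo request from the BIG-IP self IP to the node
        $3 == self && $5 == (node ":") && /ICMP echo request/ { req++ }
        # type 0: echo reply from the node back to the self IP
        $3 == node && $5 == (self ":") && /ICMP echo reply/   { rep++ }
        # type 3: Destination Unreachable delivered to the self IP
        $5 == (self ":") && /ICMP .* unreachable/             { unr++ }
        END {
            if (!req)      print "no_request"   # monitor traffic never left this VLAN
            else if (unr)  print "unreachable"  # a hop or the host rejected the probe
            else if (!rep) print "no_reply"     # request sent, nothing came back here
            else           print "healthy"
        }'
}

sample_no_reply() {
cat <<'EOF'
12:00:01.000001 IP 10.1.20.1 > 10.1.20.11: ICMP echo request, id 4660, seq 1, length 64
12:00:06.000004 IP 10.1.20.1 > 10.1.20.11: ICMP echo request, id 4660, seq 2, length 64
EOF
}

sample_unreachable() {
cat <<'EOF'
12:00:01.000001 IP 10.1.20.1 > 10.1.20.11: ICMP echo request, id 4660, seq 1, length 64
12:00:01.000350 IP 10.1.20.254 > 10.1.20.1: ICMP host 10.1.20.11 unreachable, length 92
EOF
}

sample_healthy() {
cat <<'EOF'
12:00:01.000001 IP 10.1.20.1 > 10.1.20.11: ICMP echo request, id 4660, seq 1, length 64
12:00:01.000412 IP 10.1.20.11 > 10.1.20.1: ICMP echo reply, id 4660, seq 1, length 64
EOF
}

for s in sample_no_reply sample_unreachable sample_healthy; do
    printf '%s: %s\n' "$s" "$($s | classify_icmp_capture 10.1.20.1 10.1.20.11)"
done
```

A "no_reply" verdict on the BIG-IP side means the next capture point is the server or an intermediate device, since the request left but the reply never arrived on this VLAN.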
Application administrators are reporting that nodes different from those configured in the pool are selected. The use of an iRule is suspected. How can the BIG-IP Administrator check if an iRule is used for this traffic? (Pick the 2 correct responses below)
To determine if an iRule is influencing traffic for a specific Virtual Server, the administrator must verify the association between the Virtual Server object and any applied scripts. In the BIG-IP Configuration Utility (GUI), this association is found under the Resources tab of the specific Virtual Server. While there is an 'iRules' sub-menu under Local Traffic, checking the Virtual Server's Resources tab is the definitive way to see which specific rules are currently active and in what order they are being processed for that particular traffic flow.
From the Command Line Interface (CLI), the tmsh list /ltm virtual <virtual_server> command provides a full text-based output of the virtual server's configuration. If iRules are applied, they will appear within a 'rules { ... }' block in the command output. This is more effective than Option A, which only lists the contents of the iRule itself but does not show if or where it is applied. Option C is a common misconception; while some versions of the GUI have reorganized menus, the standard location for managing the association of profiles, policies, and iRules to a Virtual Server remains the 'Resources' section. By identifying the applied iRule, an administrator can then review the script logic, which often contains commands like pool or node, to see if it is overriding the default pool selection based on specific HTTP headers, URI paths, or client IP addresses.
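The CLI check described above, as an added example that is not part of the original page: it pulls the iRule names out of the 'rules { ... }' block and then flags pool or node commands inside a rule body. The virtual server vs_app, the pools, the iRule names and both sample outputs are constructed, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example. Both samples are constructed stand-ins for the output of
#   tmsh list /ltm virtual <virtual_server>   and   tmsh list /ltm rule <name>
sample_virtual() {
cat <<'EOF'
ltm virtual vs_app {
    destination 10.1.10.100:http
    ip-protocol tcp
    pool pool_app
    profiles {
        http { }
        tcp { }
    }
    rules {
        select_pool_by_uri
        log_client_ip
    }
}
EOF
}

sample_rule() {
cat <<'EOF'
ltm rule select_pool_by_uri {
when HTTP_REQUEST {
    if { [HTTP::uri] starts_with "/api" } {
        pool pool_api
    }
}
}
EOF
}

# Names inside the rules { ... } block, in processing order, one per line.
list_vs_irules() {
    awk '$1 == "rules" && $2 == "{" { in_rules = 1; next }
         in_rules && $1 == "}"      { in_rules = 0; next }
         in_rules                   { print $1 }'
}

# Default pool configured on the virtual server.
default_pool() { awk '$1 == "pool" { print $2; exit }'; }

# pool/node commands in an iRule body that can override the default pool.
irule_pool_overrides() { awk '$1 == "pool" || $1 == "node" { print $1, $2 }'; }

echo "default pool: $(sample_virtual | default_pool)"
echo "applied iRules: $(sample_virtual | list_vs_irules | paste -sd, -)"
echo "override in select_pool_by_uri: $(sample_rule | irule_pool_overrides)"
```

An empty result from list_vs_irules means no iRule is attached to that virtual server, so the unexpected node selection has to come from somewhere else.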
Refer to the exhibit.


A BIG-IP Administrator configures a Virtual Server to handle HTTPS traffic. Users report that the application is NOT working. Which additional configuration is required to resolve this issue?
According to the provided exhibit, the 'SSL Profile (Client)' section in the Virtual Server configuration is empty. For a BIG-IP system to process HTTPS traffic, it must act as an SSL/TLS endpoint. This process, known as SSL Termination or SSL Offload, requires the assignment of a Client SSL Profile to the Virtual Server. Without this profile, the BIG-IP does not have the necessary certificate and private key information to perform the SSL handshake with the client's browser. Consequently, when a user attempts to connect via HTTPS, the TCP connection may establish, but the SSL handshake will fail because the BIG-IP will not know how to decrypt the incoming encrypted packets.
A Client SSL profile defines the ciphers, certificates, and keys that the BIG-IP uses to communicate securely with the client. In a standard HTTPS deployment, the BIG-IP decrypts the traffic and can then send it to the backend pool members either as plain text (header insertion/manipulation) or re-encrypt it using a Server SSL profile. While a Server SSL profile (Option C) is needed if the backend servers themselves require HTTPS, the initial failure for a user reaching a Virtual Server is almost always the lack of a Client SSL profile to terminate the user's connection. Changing the Service Port to HTTP (Option D) would be incorrect because the goal is to handle HTTPS traffic (typically port 443). Assigning the 'clientssl' or a custom client-side profile from the 'Available' list to the 'Selected' list in the GUI is the mandatory step to make the Virtual Server operational for secure web traffic.
For a given Virtual Server, the BIG-IP must perform SSL Offload and negotiate secure communication over TLSv1.2 only. What should the BIG-IP Administrator do to meet this requirement?
To fulfill the requirement of 'SSL Offload' limited to 'TLSv1.2 only,' the administrator must focus on the client-side of the connection. SSL Offload means the BIG-IP terminates the encrypted connection from the user, processes the traffic (often as plain text internally), and optionally sends it to the backend. The profile responsible for this termination and the initial negotiation with the client's browser is the Client SSL Profile.
A custom Client SSL Profile must be created because the default clientssl profile typically allows a broad range of protocols for compatibility (including TLS 1.0, 1.1, and 1.2). To restrict communication specifically to TLS 1.2, the administrator modifies the Ciphers string within the profile. Using a string such as DEFAULT:!SSLv3:!TLSv1:!TLSv1.1 or specifically defining TLSv1.2-only suites ensures that the BIG-IP will reject any handshake attempts from older, less secure protocols.
Server SSL Profiles (Options B and C) are used for the encryption between the BIG-IP and the backend nodes, which is not what is requested here. Simply selecting 'no TLSv1' in an options list (Option D) is insufficient and often refers to older versions of the software; the modern and standard way to control protocol negotiation on a BIG-IP is through the precise application of Cipher Strings within the Client SSL profile. This ensures compliance with security standards like PCI-DSS while providing the offloading benefits to the backend infrastructure.