F5 Networks F5CAB5 Exam Questions

To successfully perform SSL offload and re-encryption on a BIG-IP system, the virtual server must be configured with both a Client SSL profile and a Server SSL profile. The Client SSL profile enables BIG-IP to decrypt inbound HTTPS traffic from clients, while the Server SSL profile is required to re-encrypt traffic before forwarding it to the pool members.

From the exhibit, the virtual server has a Client SSL profile configured, which allows BIG-IP to accept HTTPS connections from clients. However, there is no Server SSL profile attached, meaning BIG-IP attempts to send unencrypted HTTP traffic to pool members listening on HTTPS (port 443). This protocol mismatch causes the server-side SSL handshake to fail, resulting in users being unable to connect to the application.

This behavior is well documented in BIG-IP SSL troubleshooting guides: when backend servers expect HTTPS, a Server SSL profile is mandatory to establish a secure connection from BIG-IP to the pool members.

The other options are incorrect:

Removing the Client SSL profile (Option A) would break client-side HTTPS.

The server-side TCP profile (Option B) is unrelated to SSL encryption.

Forward Proxy (Option C) is only used for outbound SSL inspection scenarios.

Therefore, configuring an SSL Profile (Server) is the correct and required solution.

Comprehensive and Detailed Explanation From BIG-IP Administration Support and Troubleshooting documents: The 'Manual Resume' feature is a safety mechanism used when a pool is not working as expected due to flapping services or unstable backend applications. Normally, when a health monitor fails, the pool member is marked 'Offline' (Red), and when the monitor passes, it automatically returns to 'Available' (Green)47. However, if 'Manual Resume' is enabled, the BIG-IP will not automatically put the member back into rotation after a failure48. Even if the health check begins to pass again, the member remains in an 'Offline (Disabled)' state49. This requires an administrator to manually intervene and re-enable the member. This is a common point of confusion when troubleshooting; a member may show passing health checks but still not receive traffic because it is waiting for a manual administrative 'resume' command. This feature is intended to prevent 'unhealthy' servers from receiving traffic until an engineer has confirmed the root cause of the initial failure was resolved.

Troubleshooting failed SSL handshakes involves interpreting the resource limits defined by the system's license8888. The log message SSL transaction (TPS) rate limit reached indicates the BIG-IP is dropping SSL connections because it has exceeded its licensed 'Transactions Per Second' capacity. When analyzing stats to determine the correct license level, the administrator must focus on 'Client-side' SSL TPS. This represents the initial encrypted handshakes between users and the BIG-IP virtual servers91. In this scenario, the peak client-side demand is 1200 TPS. While the 800 server-side transactions represent re-encryption toward the backend, F5's primary SSL TPS license limits typically apply to the client-facing side of the traffic flow. Therefore, to resolve the intermittent connectivity issues and ensure the virtual server works reliably during peaks, the license must be upgraded to at least 1200 TPS949596969696. 9798Confirming this peak via statistics and comparing it to the current license is a standard troubleshooting step for SSL performance issues.

In BIG-IP TMOS administration, the 'Forwarding (IP)' virtual server type is unique because it is designed to act as a high-performance router rather than a typical load balancer. Unlike a 'Standard' virtual server, which terminates a connection and directs it to a specific pool of members, a Forwarding (IP) virtual server is intended to forward packets based on the system's routing table. Consequently, the configuration for this type of virtual server explicitly removes the option to associate a default pool. If an administrator is troubleshooting a scenario where they cannot assign a pool to a virtual server, they must verify if the type was accidentally set to Forwarding (IP). This type is most commonly used for outbound internet traffic (outbound SNAT) or to allow the BIG-IP to serve as a gateway between internal subnets. Identifying this constraint is vital for troubleshooting configuration errors where an administrator expects the system to load balance traffic but finds the pool association settings are grayed out or unavailable in the Configuration Utility.

Comprehensive and Detailed Explanation From BIG-IP Administration S73upport and Troubleshooting documents: Persistence is critical for ensuring that a client's session remains with the same pool member throughout its duration. If primary persistence (like Cookie Persistence) fails---for instance, because the client has disabled cookies---load balancing will not work as expected, and the session may be broken. A 'Fallback Persistence Profile' provides a backup method75. The most common and reliable fallback method is 'Source Address Affinity'76. This method tracks the client's IP address in the BIG-IP's persistence table and ensures that any subsequent requests from that IP are routed to the same pool member, even if the primary persistence token is missing. Troubleshooting session drops often involves checking if a fallback method is configured to handle scenarios where the primary method is unsupported by the client's browser or environment. Without a fallback, the BIG-IP would revert to standard load balancing, potentially sending the client to a different server that lacks their session data.