F5 Updated F5CAB3 Exam Questions and Answers by orhan

The issue described is a classic symptom of asymmetric routing, which frequently occurs when the BIG-IP system and the back-end servers reside on the same subnet (often referred to as a "one-arm" deployment).

The Routing Problem: By default, the BIG-IP system preserves the original client source IP address when forwarding traffic to a pool member. If the server is in the same subnet as the client or if the server's default gateway is not the BIG-IP, the server will attempt to send its response directly back to the client’s IP address, bypassing the BIG-IP.

Stateful Failure: Since the BIG-IP is a Full Proxy, it maintains a state table. Because the response packet never returns through the BIG-IP, the system cannot complete the three-way handshake or manage the application session, resulting in a connection failure for the user.

The Solution (SNAT): Enabling Source Network Address Translation (SNAT) solves this by changing the source IP address of the request to an IP address owned by the BIG-IP (typically a self-IP).

Requirement for Subnet Alignment: To ensure the server sends the response back to the BIG-IP, the translation address must be reachable. By using a self-IP configured in the same subnet as the servers, the BIG-IP ensures that the server sees the request coming from a local "neighbor." The server will then naturally send the response back to that self-IP, allowing the BIG-IP to translate the packet back and forward it to the client.

Why other options are incorrect:

A: Disabling address translation would ensure the server-side traffic uses the client IP, making asymmetric routing inevitable in this scenario.

B: This is technically contradictory; "Auto Map" specifically uses existing self-IPs and does not require or use a "SNAT pool" configuration.

C: While using a specific translation address can work, it does not inherently guarantee the Layer 2/Layer 3 reachability mentioned in the scenario as effectively as ensuring the self-IP is correctly placed in the server's subnet.

SSH is a TCP Layer 4 protocol. Applying an HTTP profile causes BIG-IP to expect HTTP headers, breaking SSH sessions. Removing the HTTP profile allows raw TCP forwarding.

This scenario describes a classic case of asymmetric routing in a "one-arm" or non-gateway deployment. When a BIG-IP system is configured for SSL offloading, the following traffic flow occurs:

Client-Side: The client establishes a successful SSL/TLS handshake with the Virtual Server. This explains why the user can "successfully establish an SSL connection."

Server-Side: The BIG-IP decrypts the traffic and forwards it as plain HTTP to the backend server. The packet trace confirms the server receives the HTTP GET request and responds with the content.

The Routing Failure: By default, the BIG-IP system preserves the client's original source IP address. If the backend server's default gateway is not the BIG-IP system (or if the server is on the same subnet as the client), the server will attempt to send the response directly back to the client's IP address, bypassing the BIG-IP.

Stateful Drop: Because the BIG-IP is a Full Proxy, it expects the response to return through its own internal state table to be encrypted and sent back to the client. Since the response bypasses the BIG-IP, the BIG-IP connection eventually times out, and the client receives no data despite the server having sent it.

Solution (SNAT): Enabling Secure Network Address Translation (SNAT), specifically SNAT Auto Map, ensures that the BIG-IP replaces the client's source IP with its own internal self-IP before sending the request to the server. This forces the server to send the response back to the BIG-IP, allowing the BIG-IP to complete the transaction and deliver the content to the user.

BIG-IP provides several built-in TCP profiles optimized for different traffic patterns and network conditions. When attempting to improve general TCP performance, the recommended starting point is f5-tcp-progressive.

According to the BIG-IP Administration: Data Plane Configuration documentation:

f5-tcp-progressive is designed as a balanced, general-purpose TCP optimization profile.

It dynamically adjusts TCP behavior to improve throughput and latency for most enterprise applications.

It is the recommended first-choice profile when tuning TCP performance before moving to more specialized profiles.

Why the other options are incorrect:

A. f5-tcp-legacyThis profile exists for backward compatibility and does not include modern TCP optimizations.

C. f5-tcp-mobileThis profile is optimized specifically for high-latency, lossy mobile networks and is not suitable for general-purpose environments.

D. No optionBIG-IP explicitly provides built-in TCP profiles for performance tuning; using none would forgo optimization opportunities.

Correct Resolution:

The administrator should first apply f5-tcp-progressive to evaluate potential TCP performance improvements before considering more specialized profiles.