F5 Updated F5CAB3 Exam Questions and Answers by orhan

SSH is a Layer 4 TCP-based protocol that operates on TCP port 22 and does not use HTTP in any capacity. In the exhibit, the Virtual Server is configured with an HTTP Profile applied, which is inappropriate for SSH traffic and causes connection failures.

According to the BIG-IP Administration: Data Plane Configuration documentation:

An HTTP profile must only be applied to Virtual Servers handling HTTP or HTTPS traffic.

When an HTTP profile is attached, BIG-IP expects HTTP headers and attempts to parse application-layer data.

Non-HTTP protocols such as SSH, FTP (control), SMTP, and other raw TCP services will fail if an HTTP profile is enabled.

Why the other options are incorrect:

A. Set Protocol to UDPSSH uses TCP, not UDP. Changing the protocol would break SSH entirely.

B. Set Source Address to 10.1.1.2The source address setting controls client access restrictions and is unrelated to protocol parsing issues.

C. Set Destination Address/Mask to 0.0.0.0/0The destination address is already valid for a specific SSH service and does not impact protocol handling.

Correct Resolution:

The BIG-IP Administrator should remove the HTTP Profile (set it to None) so the Virtual Server functions as a pure Layer 4 TCP service, allowing SSH connections to pass through successfully.

The two load balancing methods that consider all connections between the BIG-IP and each backend node — not just connections to a specific pool member — are Least Connections (node) and Weighted Least Connections (node) .

The critical distinction here lies in the node-level scope of evaluation. A node represents the backend server ' s IP address, regardless of how many services or ports it may be serving. Therefore:

Least Connections (node) directs new connections to the node with the fewest total active connections across all services on that server, providing a holistic connection-count perspective.

Weighted Least Connections (node) operates identically but factors in an administrator-defined ratio weight, allowing servers with greater capacity to proportionally absorb more connections while still evaluating total node-level connection counts.

By contrast:

Ratio (member) distributes traffic based on a static weight ratio and does not dynamically evaluate current connection counts.

Round Robin distributes traffic sequentially in rotation, completely ignoring current connection states on any node or member.

The node-based methods are particularly valuable in environments where a single backend server hosts multiple pool members across different ports, ensuring the server ' s overall load — not just per-service load — governs balancing decisions.

When clients connect through a single source IP (NAT) — such as a corporate proxy or carrier-grade NAT — Source Address Affinity persistence becomes entirely ineffective because all clients share an identical source IP address. This would force every client session to the same pool member, completely eliminating even distribution and defeating the purpose of load balancing.

Cookie Persistence is the optimal solution in this scenario because it operates at Layer 7 , inserting a unique cookie into each client ' s HTTP/HTTPS response. Each individual browser session carries its own distinct cookie value, allowing the BIG-IP to identify and persist individual clients to specific pool members — regardless of whether they share a common source IP address. This guarantees both session persistence and even load distribution across pool members.

The remaining options are unsuitable because:

Destination Address Affinity persists based on destination IP, irrelevant for client-to-server session stickiness.

SSL Persistence uses the SSL Session ID for persistence, but SSL session IDs are frequently renegotiated and are unreliable for long-term persistence across modern TLS implementations.

Source Address Affinity fails entirely under NAT conditions as described.

Cookie persistence is the industry-standard method for HTTPS application load balancing requiring per-client session affinity.

In BIG-IP systems, iRules influence traffic only when they are attached to a Virtual Server. If application traffic is being sent to nodes or pool members that are not defined in the pool, this typically indicates that an iRule is overriding the default load-balancing behavior by explicitly selecting a pool or node.

According to BIG-IP Administration: Data Plane Configuration and official F5 guidance:

iRules are associated with Virtual Servers, not directly with pools or nodes.

To determine whether an iRule is actively affecting traffic, the administrator must inspect the Virtual Server configuration.

Explanation of the correct answers:

B. Via the GUI at the Resources tab for the virtual serverThe Resources tab in the Configuration Utility displays all traffic-handling objects applied to the Virtual Server, including assigned iRules. This is the primary GUI location to verify whether an iRule is influencing data plane traffic.

C. Via TMSH with the list /ltm virtual < virtual_server > commandThis TMSH command displays the full Virtual Server configuration, including any iRules listed under the rules section. It is the authoritative CLI method to confirm iRule usage.

Why the other options are incorrect:

A. Via TMSH with the list /ltm rule < irule > commandThis command only shows the contents of an iRule and does not indicate whether the iRule is attached to or used by any Virtual Server.

D. Via the GUI at the iRule tab for the virtual serverBIG-IP does not provide a dedicated “iRule” tab on Virtual Servers. iRules are viewed and managed under the Resources tab.

Correct Conclusion:

To verify whether an iRule is responsible for unexpected node selection, the BIG-IP Administrator must examine the Virtual Server configuration, either through the Resources tab in the GUI or by using TMSH to list the Virtual Server configuration.