F5 Updated F5CAB3 Exam Questions and Answers by orhan

When the connection limit is reached, BIG-IP resets new connections, even if pool members are healthy.

The issue described is a classic symptom of asymmetric routing, which frequently occurs when the BIG-IP system and the back-end servers reside on the same subnet (often referred to as a "one-arm" deployment).

The Routing Problem: By default, the BIG-IP system preserves the original client source IP address when forwarding traffic to a pool member. If the server is in the same subnet as the client or if the server's default gateway is not the BIG-IP, the server will attempt to send its response directly back to the client’s IP address, bypassing the BIG-IP.

Stateful Failure: Since the BIG-IP is a Full Proxy, it maintains a state table. Because the response packet never returns through the BIG-IP, the system cannot complete the three-way handshake or manage the application session, resulting in a connection failure for the user.

The Solution (SNAT): Enabling Source Network Address Translation (SNAT) solves this by changing the source IP address of the request to an IP address owned by the BIG-IP (typically a self-IP).

Requirement for Subnet Alignment: To ensure the server sends the response back to the BIG-IP, the translation address must be reachable. By using a self-IP configured in the same subnet as the servers, the BIG-IP ensures that the server sees the request coming from a local "neighbor." The server will then naturally send the response back to that self-IP, allowing the BIG-IP to translate the packet back and forward it to the client.

Why other options are incorrect:

A: Disabling address translation would ensure the server-side traffic uses the client IP, making asymmetric routing inevitable in this scenario.

B: This is technically contradictory; "Auto Map" specifically uses existing self-IPs and does not require or use a "SNAT pool" configuration.

C: While using a specific translation address can work, it does not inherently guarantee the Layer 2/Layer 3 reachability mentioned in the scenario as effectively as ensuring the self-IP is correctly placed in the server's subnet.

SSH is a TCP-based service. A TCP monitor validates service availability without requiring application-layer inspection.

BIG-IP provides several built-in TCP profiles optimized for different traffic patterns and network conditions. When attempting to improve general TCP performance, the recommended starting point is f5-tcp-progressive.

According to the BIG-IP Administration: Data Plane Configuration documentation:

f5-tcp-progressive is designed as a balanced, general-purpose TCP optimization profile.

It dynamically adjusts TCP behavior to improve throughput and latency for most enterprise applications.

It is the recommended first-choice profile when tuning TCP performance before moving to more specialized profiles.

Why the other options are incorrect:

A. f5-tcp-legacyThis profile exists for backward compatibility and does not include modern TCP optimizations.

C. f5-tcp-mobileThis profile is optimized specifically for high-latency, lossy mobile networks and is not suitable for general-purpose environments.

D. No optionBIG-IP explicitly provides built-in TCP profiles for performance tuning; using none would forgo optimization opportunities.

Correct Resolution:

The administrator should first apply f5-tcp-progressive to evaluate potential TCP performance improvements before considering more specialized profiles.