F5CAB5 Exam Dumps - BIG-IP Administration Support and Troubleshooting (F5CAB5) exam

In an HTTPS session, the application-layer payload—including HTTP request headers, response headers, cookies, and body content—is encrypted using SSL/TLS. Without decrypting the traffic (for example, without SSL offloading on BIG-IP or access to the private keys), a packet capture cannot reveal any HTTP-level details.

However,network-layer and transport-layer information remains visible, even when encryption is used. This includes source and destination IP addresses, source and destination ports, TCP flags, sequence numbers, and TLS handshake metadata. Therefore, thesource IP address (Option B)is visible in a packet capture of HTTPS traffic without decryption.

Options A, C, and D are incorrect because HTTP headers and cookies are part of the encrypted payload once HTTPS is established. BIG-IP troubleshooting documentation emphasizes this distinction when analyzing encrypted traffic flows using tcpdump, as administrators must rely on IP, port, and timing information unless SSL inspection or decryption is configured.

Comprehensive and Detailed Explanation From BIG-IP A41dministration Support and Troubleshooting documents:To confirm functionality across a complex environment, the "Network Map" is the most efficient troubleshooting tool in the Configuration Utility43. It provides a hierarchical, visual representation of the traffic management objects44. A single glance allows the administrator to see the status of a Virtual Server (Green/Red/Yellow), the status of its associated pool, the health of individual pool members, and which iRules are currently attached45. This view is superior to the standard "Virtual Server List" for troubleshooting because it maps the dependencies between objects46. For example, if a Virtual Server is "Red," the Network Map will show if that status is inherited from a failed pool or a specific monitor failing on a pool member. Reviewing these basic stats in the Network Map helps the administrator quickly isolate whether a failure is at the service level (Virtual Server), the logic level (iRule), or the hardware level (Pool Member).

Monitoring resource utilization is essential for maintaining system stability. If the root (/) file system reaches 100% capacity, the BIG-IP may become unresponsive, fail to save configuration changes, or experience daemon crashes83. When the / partition is full, the immediate troubleshooting step is to identify large or unnecessary files—such as old log files, core dumps, or temporary installer files—located specifically within that file system84. In the provided exhibit, /dev/md4 is explicitly listed at 100% usage for the / mount point85. Checking other partitions like /usr (which is at 82% in the exhibit) would not resolve the immediate "Full" status of the root directory86. Administrators often use the du (disk usage) command via the CLI to find the problematic files. Managing disk space is a proactive task; however, when utilization hits 100%, it becomes a reactive troubleshooting emergency that must be resolved to restore the management plane's functionality.

The key clue in the exhibit is the pool member’s availability showing“Offline (Enabled) – Parent down”. In BIG-IP terminology, a pool member inherits the status of itsparent node. If thenodeis marked down (for example, by a node-level monitor or a default “node is down” condition), thenall pool members using that node IPwill also be marked down and will not receive any traffic, even if the application service on the member port might be healthy.

While the HTTPS monitor configuration (send/receive strings) is displayed, the statusspecificallyindicates anode (parent) failure, not a service-level failure. If the problem were the application not matching the receive string, you would typically see the member down due to themember’s monitorfailing (and the status would reflect monitor failure details), rather than “parent down.”

Option D is too broad; BIG-IP can generally reach the subnet (other servers work), and this symptom points to a specific node condition. Option C is incorrect because HTTP/1.1 is commonly used for monitoring and is valid when properly formatted (especially with a Host header). Therefore, the most likely cause is that thenode health monitor is not responding, causing the node—and consequently the member—to be marked down.

When analyzing HTTPS traffic using tools like tcpdump without access to the SSL private keys for decryption, only the Layer 2 through Layer 4 information remains visible.

Visible Information: You can see the Source and Destination IP addresses, TCP ports, and the TLS handshake headers (such as the Server Name Indication/SNI in the Client Hello).

Encrypted Information: Once the encrypted tunnel is established, all Layer 7 data is masked. This includes HTTP Request/Response Headers (Option A and D) and Cookies (Option C).

Troubleshooting Note: To see the headers or cookies, an administrator must either perform the packet capture on the "server-side" of the BIG-IP (if it is performing SSL Offload) or use a tool like Wireshark with the appropriate SSL keys loaded.