View all questions & answers for the BIG-IP Administration Data Plane Configuration (F5CAB3) exam


Question 34 Discussion

A virtual server is configured to offload SSL from a pool of backend servers. When users connect to the virtual server, they successfully establish an SSL connection but no content is displayed. A packet trace performed on the server shows that the server receives and responds to the request. What should a BIG-IP Administrator do to resolve the problem? (Choose one answer)

  • A. enable Server SSL profile
  • B. disable Server SSL profile
  • C. disable SNAT
  • D. enable SNAT
Correct Answer: D

Brave-Dump Clients Votes

D 75%
B 25%

Comments



Anonymous User 2025-12-29 19:11:52

Selected Answers: D


I think this one will have to be "D. enable SNAT" and this is why:

-The virtual server is configured to offload SSL (terminate SSL on BIG-IP).
-Users successfully establish an SSL connection to the BIG-IP.
-The backend servers receive and respond to the request (as seen in the packet trace), but no content is displayed to the client.

This typically means the server’s response never reaches the client. Why?
Because the backend server is sending the response to the client’s original IP address, not to the BIG-IP. If the client is on a different network and the server does not have a route back to the client, the response is lost.

Solution:
Enable SNAT (Secure Network Address Translation) on the virtual server. This ensures that the BIG-IP replaces the client’s source IP with its own self-IP when forwarding traffic to the server. The server then responds to the BIG-IP, which correctly forwards the response to the client.

Anonymous User 2026-01-09 05:35:23

Selected Answers: D


D. enable SNAT

Explanation

This is a classic SSL offload + asymmetric routing problem.

What’s happening

The virtual server terminates SSL (Client SSL offload is working — users can connect).

The backend server receives the request and sends a response (confirmed by packet capture).

However, no content reaches the client.

This usually means:

The server’s response is bypassing the BIG-IP and going directly back to the client.

BIG-IP never sees the response, so it cannot forward it to the client correctly.

Why enabling SNAT fixes it

SNAT forces return traffic back through the BIG-IP

The server replies to the BIG-IP’s SNAT address instead of the client’s IP

BIG-IP can then forward the response to the client properly

Why the other options are incorrect

A. enable Server SSL profile ❌
SSL offload means traffic to servers should be HTTP, not HTTPS.

B. disable Server SSL profile ❌
In SSL offload, Server SSL is already not required and is not the root cause here.

C. disable SNAT ❌
This would worsen the problem by allowing asymmetric routing.

Exam takeaway

SSL offload + server responds but client sees nothing = missing SNAT

Anonymous User 2026-01-29 18:52:37

Selected Answers: B


https://my.f5.com/manage/s/article/K65271370

Anonymous User 2026-02-26 00:01:52

Selected Answers: D


D. Enable SNAT
Here's the reasoning: The virtual server is offloading SSL, meaning the BIG-IP terminates SSL from clients and forwards traffic to backend servers in plain HTTP. The packet trace confirms the servers receive and respond to the request — but the response never makes it back to the client.
This is a classic asymmetric routing problem. The backend servers are sending their responses directly to the client (bypassing the BIG-IP) instead of routing return traffic back through the BIG-IP. Enabling SNAT causes the BIG-IP to replace the client's source IP with its own, so the servers have no choice but to send responses back to the BIG-IP, which then forwards them to the client.