Best load-balancing method for backends with long-lived, very uneven sessions (some users idle, some heavy)?

Correct: b. Least Connections sends each new connection to the member with the fewest active connections, so it naturally balances long-lived, uneven sessions. Round Robin ignores load and can pile heavy sessions onto one member; Ratio is for weighting by server capacity, not session length.

An HTTP app behind a single corporate NAT keeps overloading one server. Source-address persistence is enabled. What's the fix?

Correct: a. Behind one NAT every user shares a single source IP, so source-address persistence pins them ALL to one member. Cookie persistence pins per-browser using a BIG-IP-inserted HTTP cookie, restoring proper distribution while keeping sessions sticky. (Disabling persistence would break the stateful app.)

A member pings fine and accepts TCP on its port, yet LTM marks it DOWN. Most likely cause?

Correct: c. ICMP up + TCP up means L3 and the listener are healthy, so the failure is application-layer: the HTTP monitor probes the wrong URL or the reply doesn't contain the expected Receive string (redirect, auth page, or 500). Correct the Send/Receive string to match a genuinely healthy response.

Why is 'LTM is just a packet-based load balancer like a router' a failing answer?

Correct: b. A router forwards the same packets and sees only L3/L4. LTM terminates the client TCP and opens a separate server-side TCP — two independent connections. That termination is exactly what makes SSL offload, OneConnect connection reuse and L7 iRules possible. Calling it 'just a router' shows you missed the core architecture.

Everything (VIP, pool, green monitors) looks correct but clients get no response; a capture shows servers replying straight to the client, bypassing the BIG-IP. Best fix and why?

Correct: a. Because LTM is a full proxy, the server's reply must come back to the BIG-IP. If the members' default route isn't the BIG-IP, replies route around it (asymmetric) and the client's TCP drops them. SNAT Automap rewrites the source to a BIG-IP self-IP so servers always reply to the proxy — or make the BIG-IP the servers' default gateway.

Which statement about OneConnect is the most correct in an interview?

Correct: d. OneConnect multiplexes many client requests onto a smaller set of reused server-side TCP connections, cutting connection setup overhead on the backends. It's only possible because the full proxy owns a separate server-side connection it can keep open and reuse — it is not encryption, not an LB method, and not a monitor.

F5 BIG-IP LTM Interview Questions and Answers (2026)

Q: In the F5 LTM object model, what is the difference between a Node and a Pool Member?

Correct: b. A Node is just the server's IP address (e.g. 172.16.10.11). A Pool Member adds the service port (172.16.10.11:8080) — so the same Node can be a member in several pools on different ports. ICMP monitors act on the Node; TCP/HTTP monitors act on the Member.

Q: An Indian e-commerce app at Flipkart keeps logging users out: a user's shopping cart works for a minute, then empties. Each request is landing on a different backend that doesn't share session state. What's missing on the pool/VIP?

Correct: a. The session state lives only on the member that created it. Without persistence, Round Robin spreads each request to a different member and the cart is lost. Enable cookie persistence (best for HTTP) or source-address persistence so the whole session sticks to one member.

Q: A member is marked DOWN. You can ping the Node and you can telnet to its service port successfully, but the HTTP monitor still fails. What's the most likely cause?

Correct: c. ICMP up + TCP port up means L3 and the listener are fine. The failure is at the application layer: the monitor's Send string hits the wrong URL, or the app's reply doesn't contain the expected Receive string (wrong path, redirect, auth page, or 500). Fix the Send/Receive string to match a real healthy response.

Q: When do you specifically NEED to enable SNAT on a Virtual Server?

Correct: d. LTM is a full proxy, so the server's reply must return to the BIG-IP. If the members' default gateway isn't the BIG-IP, replies route around it (asymmetric) and the client never gets them. SNAT Automap rewrites the client source to a BIG-IP self-IP, forcing replies back to the proxy. If the BIG-IP already IS the servers' gateway, you may not need SNAT.

Most engineers think…

Most candidates open with “F5 LTM? It's just a load balancer — a packet-based box like a router” — and the interview quietly ends there.

That single sentence fails you. LTM is a FULL PROXY: it terminates the client connection at the Virtual Server and opens a brand-new connection to the server. That termination is exactly what enables SSL offload, OneConnect connection reuse and L7 iRules — none of which a packet-forwarding router can do. This lesson trains the framing that gets you hired.

① LTM core objects — the full-proxy hierarchy

F5 interviews open here, and the very first question is usually a trap: “Is LTM just a load balancer?” The winning answer is that BIG-IP LTM is an ADC (Application Delivery Controller) built as a full proxy. It does not forward packets like a router — it terminates the client's connection at the Virtual Server and opens a brand-new connection to the chosen server.

Figure 1 — LTM is a FULL PROXY, not a router

There is one client-side connection and a totally separate server-side connection. The VIP owns the destination IP:port; the Pool is the group of backends; a Member is a Node plus a service port; a Node is just the server IP. That hierarchy is the first thing every F5 interviewer checks.

The F5 LTM vocabulary every interview opens with

Know these four cold before anything else — getting the hierarchy right is half the interview. Tap each card.

🎯

Virtual Server

tap to flip

The VIP — an IP:port clients connect to (e.g. 10.20.30.40:443). It terminates the client connection and applies profiles, persistence and the LB decision.

👥

Pool

tap to flip

A group of pool members that serve one application. The Virtual Server's Default Pool; the LB method and health monitor live here.

🖧

Pool Member

tap to flip

Node + service port — e.g. 172.16.10.11:8080. The actual load-balancing target. The same Node can be a member in several pools on different ports.

📍

Node

tap to flip

Just the server IP — 172.16.10.11, no port. ICMP monitors and Node-level disable/force-offline act here; one Node can back many members.

The object hierarchy is sacred: a Virtual Server (VIP) sends traffic to a Pool, which contains Pool Members, each of which is a Node plus a service port. The crisp line: VIP = IP:port clients hit; Pool = the backend group; Member = Node:Port; Node = bare server IP.

Quick check · Q1 of 10 · Remember

In the F5 LTM object model, what is the difference between a Node and a Pool Member?

a) They are the same thingb) A Node is the server IP only; a Pool Member is that Node plus a service port (Node:Port)c) A Node is the Virtual Server; a Pool Member is the clientd) A Node is a pool of pools

Correct: b. A Node is just the server's IP address (e.g. 172.16.10.11). A Pool Member adds the service port (172.16.10.11:8080) — so the same Node can be a member in several pools on different ports. ICMP monitors act on the Node; TCP/HTTP monitors act on the Member.

👉 So far: LTM is a full-proxy ADC, not a router: it terminates the client connection at the Virtual Server and opens a NEW one to a Pool Member. Hierarchy: Virtual Server (VIP) → Pool → Member (Node:Port) → Node (IP).

The 'LTM is just a load balancer' trap

Answer firmly: it's a full proxy ADC. Because it terminates the client connection and opens a separate server-side connection, it can decrypt and re-encrypt (SSL offload), reuse server TCP connections (OneConnect), and rewrite L7 with iRules. A packet-based router can do none of those — that termination is the whole point.

② Load balancing & persistence

Once the VIP terminates the request, LTM has to pick a member. The load-balancing method is set on the pool. The four you must know cold: Round Robin (even rotation), Least Connections (fewest active connections), Ratio (weighted by server size) and Priority Group Activation (tiered failover). Fastest sends to the member with the lowest measured latency.

▶ Watch one request cross the full proxy

How a single HTTPS request is terminated, decided, pinned, SNATed and sent to a pool member on a brand-new connection. Press Play for the healthy path, then Break it to see the failure.

① Client-side terminateClient completes TCP to the VIP; the Client-SSL profile decrypts the HTTPS request (SSL offload).

▼

② Profiles + persistenceTCP/HTTP/OneConnect profiles parse it; LTM checks the persistence table for an existing session.

▼

③ Load-balance + SNATNo session yet, so the LB method picks a healthy member; SNAT Automap rewrites the source IP.

▼

④ Server-side connectionLTM opens a NEW TCP to the chosen Pool Member (Node:Port) and records the persistence record for next time.

Press Play to step through the healthy path. Then press Break it.

Figure 2 — A request through the Virtual Server — recite this order

Two facts interviewers love: persistence is checked BEFORE the load-balancing method (a pinned session skips LB entirely), and because LTM is a full proxy the server-side connection is brand-new — that is exactly why SNAT and OneConnect even exist.

COLOUR KEYdown / blockedclient-side / VIPdecision / SSL pointhealthy member / allowed

But load balancing alone breaks stateful apps. Persistence (a.k.a. stickiness) forces every request in a session to the same member. Source-address persistence works for any protocol; Cookie persistence (HTTP only) is the most accurate. There are also SSL, SIP and Universal persistence.

Quick check · Q2 of 10 · Apply

An Indian e-commerce app at Flipkart keeps logging users out: a user's shopping cart works for a minute, then empties. Each request is landing on a different backend that doesn't share session state. What's missing on the pool/VIP?

a) Persistence (e.g. cookie or source-address) so a session sticks to one memberb) A faster load-balancing methodc) A second Virtual Serverd) SSL offload

Correct: a. The session state lives only on the member that created it. Without persistence, Round Robin spreads each request to a different member and the cart is lost. Enable cookie persistence (best for HTTP) or source-address persistence so the whole session sticks to one member.

Pause & Predict

Why is source-address persistence risky when users sit behind a single corporate proxy or NAT? Type your guess.

Answer: Because every user then shares ONE source IP, so source-address persistence pins them ALL to the same pool member — load balancing collapses onto one server. For HTTP traffic, cookie persistence is more accurate because it pins per-browser, not per-IP. That's the classic reason interviewers ask 'cookie vs source-address'.

Sneha at Infosys faces this

A new internal HR portal loses the user's session every few clicks; logs show requests spread across all three members.

Likely cause

No persistence is configured, so each request is load-balanced to a different member and the session (held in server memory) is lost.

Diagnosis

Check the pool's persistence profile; watch the persistence records table while reproducing — if no record is created, persistence isn't applied to the VIP.

Local Traffic ▸ Virtual Servers ▸ (VIP) ▸ Resources ▸ Default Persistence Profile

Fix

Attach a cookie persistence profile (HTTP app) to the VIP, or source-address if it's non-HTTP; verify a persistence record now binds the client to one member.

Verify

Reproduce the journey — the cart/session now survives; the persistence table shows one client → one member.

👉 So far: LB methods live on the pool: Round Robin (even), Least Connections (fewest active), Ratio (weighted), Priority Group Activation (failover). Persistence pins a session to one member — cookie (HTTP, accurate) vs source-address (any protocol, breaks behind shared NAT). Stateful apps REQUIRE persistence.

③ Health monitors — knowing UP from DOWN

LTM only load-balances to members it believes are healthy, and health monitors decide that. The ladder of types: ICMP monitor (L3, Node-level), TCP monitor (port open), and HTTP/HTTPS monitor (application-layer). The HTTP monitor is configured with a Send string and a Receive string.

🖥️ This is the screen you build a VIP in — Local Traffic ▸ Virtual Servers ▸ Virtual Server List ▸ Create in the BIG-IP Configuration utility. Fields ①②③ decide who the VIP serves and how traffic leaves it.

https://bigip-mgmt.corp.local · Local Traffic ▸ Virtual Servers ▸ Create

Name *

vs_web_https_443

Type

Standard

Destination Address/Mask *

10.20.30.40 / 255.255.255.255

Service Port *

443 (HTTPS)

HTTP Profile (Client)

http

SSL Profile (Client)

clientssl

Source Address Translation

Auto Map

Default Pool

pool_web_8080

Finished Cancel

① Source Address Translation = Auto Map rewrites the client source to a BIG-IP self-IP so the server's reply returns to the BIG-IP — set this when the pool members' default route is NOT the BIG-IP. ② Default Pool binds this VIP to the backend group; with no pool (and no iRule) the VIP has nowhere to send traffic. ③ Attaching a Client SSL profile is what performs SSL offload — without it the VIP can't decrypt HTTPS.

Two timing values matter: Interval (how often to probe) and Timeout — F5's rule of thumb is Timeout ≈ (3×Interval)+1. And know the two modes: out-of-band monitor (active probe, the normal monitors) vs in-band monitor (passive — watches real traffic).

Pause & Predict

A member answers ping and even accepts a TCP connection on port 8080, but the app behind it returns HTTP 500 for every request. Will a plain ICMP or TCP monitor catch this — and which monitor will? Type your guess.

Answer: No. ICMP only proves the server is reachable at L3, and a TCP monitor only proves the port is listening — both will keep the member UP while the app is broken. You need an HTTP monitor with a Receive string (e.g. expecting '200 OK' or 'HEALTHY'); the 500 response won't match, so LTM correctly marks the member DOWN. Always health-check at the application layer for app traffic.

Quick check · Q3 of 10 · Analyze

A member is marked DOWN. You can ping the Node and you can telnet to its service port successfully, but the HTTP monitor still fails. What's the most likely cause?

a) The Node is unreachable at L3b) The service port is closedc) The HTTP monitor's Send/Receive string doesn't match what the app returns (or the health URL is wrong)d) ICMP is disabled on the BIG-IP

Correct: c. ICMP up + TCP port up means L3 and the listener are fine. The failure is at the application layer: the monitor's Send string hits the wrong URL, or the app's reply doesn't contain the expected Receive string (wrong path, redirect, auth page, or 500). Fix the Send/Receive string to match a real healthy response.

Rahul at HCL faces this

After a deploy, one member at an Indian bank flaps UP/DOWN every interval even though the app team swears the server is fine.

Likely cause

The HTTP monitor's Receive string no longer matches — the health endpoint moved or now redirects (302) — or Timeout is too tight relative to Interval, so a slow reply trips it.

Diagnosis

Manually run the Send string against the member (curl the health URL); compare the actual reply to the configured Receive string; check Interval/Timeout ratio.

Local Traffic ▸ Monitors ▸ (http monitor) ▸ Send/Receive String + Interval/Timeout

Fix

Point the Send string at the correct health URL, set the Receive string to text that always appears in a healthy reply, and set Timeout ≈ (3×Interval)+1 so transient latency doesn't flap it.

Verify

Watch the member status hold UP across several intervals; the monitor logs show consistent matches.

ICMP-only monitoring over-confidence

A green ICMP (or even TCP) monitor only proves the box is reachable or the port is open — it says nothing about whether the application works. For web apps always use an HTTP/HTTPS monitor with a real Send/Receive string, so a 500 or a wrong page marks the member DOWN instead of silently serving errors to users.

👉 So far: Monitors: ICMP (Node, L3) → TCP (port listening) → HTTP/HTTPS (Send/Receive string = true app health). Timeout ≈ (3×Interval)+1. Out-of-band = active probe (normal monitors); in-band = passive, watches real traffic. A member DOWN that pings + accepts TCP = a Send/Receive mismatch.

④ Profiles, SNAT, SSL & iRules + troubleshooting

Profiles tune the data path. The TCP profile and HTTP profile let LTM understand the traffic; OneConnect pools and reuses server-side TCP connections so backends aren't hammered. SSL offload uses a Client SSL profile (decrypt at the VIP) and optionally a Server SSL profile (re-encrypt to the server).

Figure 3 — Full proxy (LTM) vs packet-based half-proxy (a router)

The one-liner that wins: a router forwards packets; LTM is a full proxy that ends the client's conversation and starts a fresh one with the server — that termination is what makes SSL offload, OneConnect and L7 iRules possible.

SNAT is the most-asked LTM gotcha. SNAT Automap uses a self-IP as the new source; a SNAT pool supplies many addresses for huge connection counts; SNAT none preserves the real client IP. You need SNAT when the pool members' default route is not the BIG-IP.

Pause & Predict

Your VIP and pool look perfect, monitors are green, but clients get NO response. The servers' default gateway points at the core switch, not the BIG-IP. What single setting fixes it, and why? Type your guess.

Answer: Enable SNAT (Automap) on the Virtual Server. Because LTM is a full proxy, the server's reply must come back to the BIG-IP to be returned to the client. If the server's default route isn't the BIG-IP, it sends the reply straight out via the core switch (asymmetric routing) and the connection breaks. SNAT Automap rewrites the source to a BIG-IP self-IP, so the server always replies to the BIG-IP. The alternative is to make the BIG-IP the server's default gateway.

Arjun at Wipro faces this

A newly built VIP at TCS shows all members green, but external users get a blank page / connection reset; a packet capture shows the server replying straight to the client, not the BIG-IP.

Likely cause

Asymmetric return: the pool members' default route is the core switch, not the BIG-IP, so replies bypass the full proxy and the client's TCP stack drops them.

Diagnosis

tcpdump on the BIG-IP shows the request leaving to the member but no reply returning; the server's route table shows a non-BIG-IP gateway.

Local Traffic ▸ Virtual Servers ▸ (VIP) ▸ Source Address Translation = Auto Map

Fix

Set Source Address Translation to Auto Map (or a SNAT pool for very high connection counts) so the source becomes a BIG-IP self-IP and replies return to the proxy — or make the BIG-IP the servers' default gateway.

Verify

Re-test — the page loads; tcpdump now shows the reply returning to the BIG-IP self-IP and back to the client.

Confirm the VIP, pool, members and SNAT from tmsh

show ltm virtual vs_web_https_443
show ltm pool pool_web_8080 members
list ltm virtual vs_web_https_443 source-address-translation
show ltm node 172.16.10.11      # node-level status (ICMP monitor)

Expected output

Ltm::Virtual Server: vs_web_https_443   Availability: available (green)
  Destination 10.20.30.40:443   Pool pool_web_8080
Ltm::Pool: pool_web_8080
  Member 172.16.10.11:8080  State: up    Member 172.16.10.12:8080  State: up
source-address-translation { type automap }

iRules are LTM's superpower — only possible because of the full proxy. They run on HTTP_REQUEST (and many other events) to do content switching, header rewrites and redirects.

Quick check · Q4 of 10 · Apply

When do you specifically NEED to enable SNAT on a Virtual Server?

a) Always, on every VIPb) Only when SSL offload is enabledc) Only for UDP trafficd) When the pool members' default route is NOT the BIG-IP, so their replies would otherwise bypass the proxy

Correct: d. LTM is a full proxy, so the server's reply must return to the BIG-IP. If the members' default gateway isn't the BIG-IP, replies route around it (asymmetric) and the client never gets them. SNAT Automap rewrites the client source to a BIG-IP self-IP, forcing replies back to the proxy. If the BIG-IP already IS the servers' gateway, you may not need SNAT.

Priya at TCS faces this

A 50/50 A-B app at an Indian bank works for new visitors but breaks for logged-in users — sessions randomly drop, and exactly half of requests fail.

Likely cause

OneConnect is reusing a server-side connection across different clients while persistence isn't honoring the session, so half the authenticated requests land on the wrong member / a pooled connection.

Diagnosis

Check the persistence profile and the OneConnect source mask; reproduce while watching persistence records and the connection table.

Local Traffic ▸ Virtual Servers ▸ (VIP) ▸ persistence + OneConnect profile

Fix

Apply the correct persistence profile (cookie for HTTP) and tune OneConnect's source mask so connection reuse doesn't cross client sessions — pinning each authenticated user to one member.

Verify

Logged-in users stay on one member across the journey; the 50/50 split holds for NEW sessions only, exactly as intended.

Figure 4 — A Pool Member shows DOWN — why? climb the monitor ladder

ICMP/TCP down = it is below the application; a green TCP but failing Send/Receive = the app is up but your health check is wrong; a member that flaps with no errors usually means the server's return path doesn't go back through the BIG-IP (SNAT fixes it).

Figure 5 — F5 BIG-IP LTM interview cheat-sheet

Tap the Preview button at the top to save this one-page card before your interview.

Prove it, don't assume

Don't close an LTM ticket on 'the VIP looks fine'. show ltm virtual proves the VIP is available; show ltm pool <p> members proves the members are UP; a tcpdump on the BIG-IP proves traffic leaves to the member AND the reply returns (if it doesn't, you need SNAT). Those three checks answer most LTM tickets.

Experienced-level deep dive — the questions seniors get asked

Name the Virtual Server types and when you'd pick one over another. The four you must know: Standard — the full-proxy VIP, terminates the client connection and supports profiles, SSL, OneConnect, persistence and L7 iRules (use it for HTTP/HTTPS apps). Performance (Layer 4) / FastL4 — a fast, mostly hardware-accelerated path that does NOT terminate the connection at L7; it forwards L4 flows with minimal processing, so pick it for very high-throughput TCP/UDP where you only need load balancing and don't need SSL offload, cookie persistence or HTTP iRules. Forwarding (IP) — no pool at all; LTM just routes the packet to its destination (an L3 forwarder, e.g. for outbound or transparent paths). Stateless — for high-volume UDP (e.g. DNS, syslog) where LTM doesn't keep a per-connection table. Rule of thumb: need L7 features → Standard; need raw speed at L4 → FastL4; need plain routing → Forwarding.

Explain Action On Service Down (None / Reset / Reselect / Drop). This pool setting decides what happens to existing connections when their member goes DOWN. None (default) leaves established connections alone until they time out — new ones go elsewhere. Reset sends a TCP RST so the client immediately knows to reconnect (fast failover, good for short HTTP). Reselect tries to move the connection to another healthy member without telling the client (works for stateless/idempotent traffic; risky for stateful flows). Drop silently discards the packets, leaving the client to hang until its own timeout. For most web apps Reset gives the cleanest user experience.

What is Priority Group Activation, and how does Slow Ramp bring a recovered member back gracefully? Priority Group Activation tiers members by a priority number; lower-priority members only take traffic when the count of available higher-priority members drops below a minimum you set (active/standby or N+1 failover). Slow Ramp Time solves the opposite problem: when a member that was DOWN comes back UP, Least Connections would dump a flood of new sessions onto it (because it has zero connections) and overwhelm cold caches/JIT. Slow Ramp linearly increases the share of traffic the recovered member receives over the configured window, so it warms up instead of being hammered.

Cookie persistence sub-modes — insert vs rewrite vs passive vs hash, and when cookie persistence can't be used. Insert (default) — BIG-IP adds its own cookie naming the chosen member; needs nothing from the app and is the usual choice. Rewrite — the app sends a blank/placeholder cookie that BIG-IP overwrites with the persistence value (app cooperates, but BIG-IP supplies the value). Passive — BIG-IP does NOT set or change the cookie; it only reads a cookie the application already sets (the app must encode the member). Hash — BIG-IP hashes an existing application cookie's value to map to a member, useful when you can't insert. Cookie persistence is HTTP-only and breaks if the traffic is non-HTTP, if it's encrypted end-to-end without an HTTP profile (no SSL termination to read/insert the cookie), or if the client refuses cookies — then fall back to source-address or universal persistence.

After enabling SNAT the backend logs show the self IP, not the client IP — how do you preserve the real client IP? SNAT replaces the client source with a BIG-IP self-IP, so servers logging the source now see the proxy. Because LTM is a full proxy parsing HTTP, the fix is to insert an X-Forwarded-For header carrying the original client IP — turn on Insert X-Forwarded-For in the HTTP profile (or write an iRule that sets the header), then configure the web/app server to log X-Forwarded-For instead of the TCP source. (For non-HTTP traffic you'd preserve the client IP another way — e.g. SNAT none with the BIG-IP as the gateway.)

iRule events in order, with real code. An iRule is a TCL script bound to the VIP that fires on data-path events: CLIENT_ACCEPTED (client TCP established), HTTP_REQUEST (full client request parsed — before the LB decision, ideal for content switching), LB_SELECTED (a pool member has just been chosen), SERVER_CONNECTED (server-side TCP up) and HTTP_RESPONSE (server reply parsed). A common content-switching example:

iRule — content switching + header insertion on HTTP_REQUEST

when HTTP_REQUEST {
    # route /api to the API pool, everything else to the web pool
    if { [HTTP::uri] starts_with "/api" } {
        pool pool_api_8443
    } else {
        pool pool_web_8080
    }
    # preserve the real client IP for the backend logs
    HTTP::header insert X-Forwarded-For [IP::client_addr]
}
when LB_SELECTED {
    log local0. "client [IP::client_addr] -> member [LB::server addr]"
}

iRules vs LTM Policies — which and why. LTM Policies are a GUI-driven, rule-based way to do the common 80% (URI/host matching, pool selection, redirects, header insert) with no code — easier to audit, version and hand off. iRules give the full TCL programmability for the complex 20% (custom logic, data-group lookups, multi-event state). Prefer a Policy when a Policy can express it; reach for an iRule only when you need real logic.

What does CMP-compatible mean, and how can a bad iRule demote a VS? CMP (Clustered Multiprocessing) lets BIG-IP fan a VIP's connections across every TMM/CPU. An iRule that uses a global/serialized construct (certain table/session operations, some after/global-variable patterns) is CMP-incompatible; binding it forces that VS to run on a single TMM — it gets demoted, throughput drops, and tmsh show ltm virtual reports a CMP status of single. The fix: rewrite the iRule to avoid the serializing call, or move logic to an LTM Policy.

Gotcha: Reselect on a stateful app silently corrupts sessions

Action On Service Down = Reselect looks attractive ('move the connection to a healthy member instead of dropping it') but it moves an existing connection to a server that never saw the start of that session. For stateful/authenticated traffic that means a half-written transaction lands on a stranger member and the user sees errors with no obvious cause. Use Reset for stateful web apps so the client cleanly reconnects (and re-persists); reserve Reselect for idempotent, stateless flows.

Karan at Tech Mahindra faces this

After a maintenance reboot, one freshly-recovered member at an Indian bank throws 502s and CPU-spikes for the first minute, then settles — and the security team complains every backend log line now shows the BIG-IP self-IP, not real client IPs.

Likely cause

Two issues: with Least Connections, the recovered member (0 active connections) is hit by a stampede before its cache/app warms up; and SNAT Automap is masking the client source so logs show the self-IP.

Diagnosis

Check the pool's Slow Ramp Time (likely 0) and the HTTP profile's X-Forwarded-For setting; reproduce a member recovery while watching new-connection rate to that member.

Local Traffic ▸ Pools ▸ (pool) ▸ Slow Ramp Time + Virtual Servers ▸ (VIP) ▸ HTTP Profile ▸ Insert X-Forwarded-For

Fix

Set Slow Ramp Time (e.g. 60–300s) so a recovered member ramps up gradually; enable Insert X-Forwarded-For on the HTTP profile and reconfigure the web server to log that header.

Verify

Next recovery shows new connections rising smoothly (no 502 spike); backend logs now record the genuine client IP from X-Forwarded-For.

👉 So far: Profiles: TCP/HTTP parse traffic, OneConnect reuses server TCP, Client-SSL = SSL offload (+Server-SSL re-encrypts). SNAT Automap = self-IP source, needed when the server's default route isn't the BIG-IP. iRules run on events like HTTP_REQUEST for L7 logic. Verify with show ltm virtual/pool + tcpdump.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from F5 docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

🧠 In your own words

Type one line: why is F5 LTM called a full proxy, and why does it matter? Then compare to the expert version.

Expert version: Because LTM terminates the client's TCP connection at the Virtual Server and opens a completely separate, new connection to the chosen pool member — two independent TCP stacks instead of forwarding the same packets. That termination is what lets it decrypt and re-encrypt HTTPS (SSL offload), pool and reuse server-side connections (OneConnect), pin sessions with persistence, and inspect/rewrite L7 with iRules. A packet-based router or L4 forwarder can do none of those because it never owns either connection.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📩 Quiz me on this in 7 days. Opt in and we'll email 3 micro-questions on Interview Prep at Day 1, Day 7 and Day 30 — spaced repetition is how this sticks. Un-tick any time.

📖 Glossary

BIG-IP LTM: Local Traffic Manager — F5's full-proxy Application Delivery Controller (ADC) that load-balances and manipulates L4–L7 traffic.
Full proxy: LTM terminates the client connection and opens a separate, new server-side connection — two independent connections, not packet forwarding.
Virtual Server (VIP): An IP:port clients connect to; it terminates the client connection and applies profiles, persistence and the LB decision.
Pool / Member / Node: Pool = group of members for one app; Member = Node:Port (e.g. 172.16.10.11:8080); Node = bare server IP.
Load-balancing method: Round Robin (even), Least Connections (fewest active), Ratio (weighted), Fastest, Priority Group Activation (failover tiers).
Persistence: Pins a session to one member — cookie (HTTP, accurate per-browser) vs source-address (any protocol, breaks behind shared NAT); also SSL/SIP/Universal.
Health monitor: Periodic check: ICMP (Node/L3), TCP (port), HTTP/HTTPS (Send/Receive string = app health). Timeout ≈ (3×Interval)+1.
In-band vs out-of-band: Out-of-band = active scheduled probe (normal monitors); in-band = passive, watches real client traffic for failures.
SNAT: Source NAT — Automap (self-IP source), pool (many addresses), or none; needed when the server's default route isn't the BIG-IP.
OneConnect / iRules: OneConnect reuses server-side TCP across requests; iRules are TCL scripts on events like HTTP_REQUEST for L7 logic — both need the full proxy.

📚 Sources

F5 MyF5 / techdocs — BIG-IP Local Traffic Manager: Concepts (nodes, pools, members, virtual servers). techdocs.f5.com
F5 MyF5 / techdocs — NATs and SNATs & SNATs (Automap, SNAT pool, none). techdocs.f5.com
F5 MyF5 / techdocs — Health and Performance Monitoring & Monitors Reference (Send/Receive, Interval/Timeout). techdocs.f5.com
F5 MyF5 — K12531: Troubleshooting health monitors. my.f5.com
F5 clouddocs — iRules reference: SNAT command & HTTP events. clouddocs.f5.com
Oracle Coherence docs — Integrating with F5 BIG-IP LTM (full-proxy traffic flow & persistence). docs.oracle.com

What's next?

Cleared the F5 LTM round? Keep going — the interview-prep library covers Palo Alto, Fortinet, Zscaler, Checkpoint and more, all in the same hands-on style.

Next · All interview lessons → Practice on exam.techclick.in →

F5 BIG-IP LTM Interview Questions — Full Proxy, SNAT, Answers & Cheat-Sheet

🎯 By the end you will be able to

Pick where you want to start

Core objects

LB & persistence

Health monitors

Profiles, SNAT & iRules

① LTM core objects — the full-proxy hierarchy

The F5 LTM vocabulary every interview opens with

② Load balancing & persistence

▶ Watch one request cross the full proxy

③ Health monitors — knowing UP from DOWN

④ Profiles, SNAT, SSL & iRules + troubleshooting

Experienced-level deep dive — the questions seniors get asked

🤖 Ask the AI Tutor

📝 Wrap-up assessment — six more

🧠 In your own words

🗣 Teach a friend

📖 Glossary

📚 Sources

What's next?