TTechclick ⚡ XP 0% All lessons
F5 · BIG-IP LTM · Troubleshooting ScenariosInteractive · L1 / L2 / L3

F5 LTM Troubleshooting Scenarios - VIP Down, Website Timeout, tcpdump, curl, SNAT & Asymmetric Routing

This is a bridge-call style F5 LTM troubleshooting guide. Instead of one clean lab failure, it covers the messy scenarios engineers actually face: VIP down, user cannot open a website, green pool but app broken, tcpdump evidence, curl isolation, SNAT return-path failure, asymmetric routing, SSL profile mismatch, persistence pinning and HA traffic-group ownership.

📅 2026-06-22 · ⏱ 22 min · 9 scenarios · 4 image infographics · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Scenario-based F5 BIG-IP LTM troubleshooting guide for VIP down, website timeout, tcpdump, curl, SNAT, asymmetric routing, SSL profiles, monitors, persistence and HA ownership.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Find the break

Client, VIP, pool, profile, SNAT and return path.

 2

VIP down

Virtual server, VLAN, ARP and HA owner checks.

 3

Proof commands

curl, tmsh, tcpdump and log evidence.

 4

SNAT/asymmetry

Return path and route symmetry failures.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. A user says the website is down. What is the first engineering move?

Answered in Incident triage map.

2. The pool is green. What does that prove?

Answered in Website not opening.

3. Serverside SYN leaves BIG-IP but no reply returns. What family of issue is likely?

Answered in SNAT and asymmetric routing.

Weak answer vs real troubleshooting answer

A weak answer says: 'The pool is green, so F5 is fine.' In real incidents, that skips VIP listener status, VLAN selection, SSL/profile behavior, SNAT and return path.

A strong answer collects proof first: curl from client to VIP, curl from BIG-IP to pool member, tmsh show ltm virtual, tmsh show ltm pool, tmsh show sys connection, tcpdump filtered on client/VIP/member, /var/log/ltm, virtual server VLAN/listener, pool monitor send/receive string, SNAT setting, server default gateway, persistence record and traffic-group owner. Then it changes only the proven break point.

ChatGPT Image Infographic 1 - F5 LTM troubleshooting decision tree
Hand-drawn F5 LTM troubleshooting decision tree covering user symptom, VIP, virtual server, pool, monitor, SNAT, tcpdump, curl and logs.
Start here when the symptom is vague. The goal is to prove the break point before changing production.

① Incident triage map - where can the flow break?

Most LTM outages are misdiagnosed because teams jump straight to pool members. The correct approach is to isolate control-plane status, data-plane packet flow and application-layer response in one evidence ladder.

Healthy path: Client test -> VIP/listener -> Pool select -> Profile logic -> Return path. Do not skip a layer just because one dashboard tile is green.

Production rule: prove whether the packet fails before VIP, at virtual server selection, during pool selection, inside profile logic, or on return path.

Figure 1 — Troubleshooting flow evidence path
Trace one transaction from user symptom to return path.Troubleshooting flow evidence pathClient testcurl and user pathVIP/listenervirtual + VLANPool selectmember + monitorProfile logicHTTP/SSL/persistReturn pathSNAT/route/HA
Trace one transaction from user symptom to return path.
Quick check · Q1 of 10 · Understand

What makes an LTM troubleshooting answer production-ready?

Correct: b. Production troubleshooting must isolate where the transaction stops before changing objects.
👉 So far: One failed transaction has six major checkpoints: client, VIP, pool, profile, return path and verification.
ChatGPT Image Infographic 2 - F5 LTM scenario board
Hand-drawn F5 LTM scenario board for VIP down, website timeout, monitor false green, SSL profile, persistence, HA owner, ARP, VLAN, curl and tcpdump.
One user-facing symptom can map to several LTM break points. This board keeps the triage ordered.

② VIP down or virtual server not accepting traffic

When the VIP looks down, do not start at the backend. First prove whether BIG-IP is even selected for the connection.

Safe fix: correct the listener, VLAN or traffic-group owner only after proving the VIP is the break point.

Figure 2 — Objects to inspect before backend changes
Name the LTM object that can make the decision.Objects to inspect before backend changesVirtual serverThe listener that matches destination IP, port, protocol, VLAN and traffic profiles.Pool monitorThe health check that decides whether a member is eligible, but it may not prove the full application path.tcpdumpThe packet-level proof showing SYN, SYN-ACK, TLS handshake, resets, retransmits and one-way flow.curlA fast application test for VIP and pool member behavior, HTTP code, TLS errors and timeout comparison.SNATSource translation used when backend replies must return through BIG-IP instead of bypassing it.Traffic groupThe floating HA ownership unit that controls which device owns virtual addresses.
Name the LTM object that can make the decision.
Control plane first, then data plane

Check virtual server, VLAN, traffic-group owner and ARP before touching pool members.

③ User cannot access website but BIG-IP looks green

This is the most common trap. A green pool usually means the configured monitor condition passed; it does not always prove the real URI, TLS, host header, authentication path or application dependency.

ScenarioEvidence clueWhat to prove
VIP downcurl times out before TLS; no connection table entryCheck destination, service port, VLAN enablement, virtual address, traffic-group owner, ARP and route.
Website not opening but VIP upcurl to VIP connects but HTTP code or TLS failsCompare VIP curl with pool-member curl, then inspect HTTP/clientssl/serverssl profiles and app response.
Pool green but app brokenmonitor reports up but user path failsVerify monitor type, send string, receive string, alias address/port and whether the monitor proves the real URI.
SNAT/asymmetric issueserverside SYN leaves BIG-IP; reply does not returnCheck backend default gateway, route table, SNAT setting and tcpdump on both directions.
Persistence issuesame users fail repeatedly while others workInspect persistence records, pool member state, cookie/source persistence and whether the stuck member is unhealthy for that user path.
HA owner mismatchVIP reachable only through one side or after failoverCheck floating self IPs, traffic-group owner, ARP, failover state and config sync before moving traffic.

Do not say: Restart the pool member because the user says the website is down. That answer creates downtime because it skips the actual evidence path.

Figure 3 — Scenario evidence hub
Every symptom needs command, packet and application proof.Scenario evidence hubBreak pointprove then fixVirtual serverPool monitortcpdumpcurlSNATTraffic group
Every symptom needs command, packet and application proof.
1
VIP down
tap to flip

Check virtual server enabled state, destination, port, VLAN, virtual address, ARP and traffic-group owner.

2
Website timeout
tap to flip

Compare curl to VIP with curl from BIG-IP to pool member, then inspect connection table and tcpdump.

3
Green pool trap
tap to flip

Monitor up means monitor condition passed; validate the real user URI, host header, TLS and app response.

4
SNAT/asymmetry
tap to flip

If request goes out but response bypasses BIG-IP, fix SNAT or route symmetry.

An L2 engineer on a banking change bridge faces this

Multiple users report that the HTTPS website is down. The virtual server exists, the pool is green, but curl to the VIP times out from some networks and succeeds from others.

Likely cause

The failure can be in more than one layer: VIP not listening on the expected VLAN, a monitor that only proves TCP and not the real app, missing SNAT for an asymmetric backend route, SSL profile mismatch, persistence pinning, or the wrong HA traffic-group owner.

Diagnosis

Use one failing client IP and one known-good client IP. Compare curl, tmsh status, connection table and tcpdump on both clientside and serverside before changing any pool, monitor, SNAT or profile.

Local Traffic > Virtual Servers + Local Traffic > Pools + Network > Self IPs/VLANs + tmsh show ltm virtual/pool + tmsh show sys connection + tcpdump -ni 0.0 host
Fix

Fix only the proven break point: enable the correct virtual/VLAN, repair monitor scope, add SNAT or route symmetry, attach the correct clientssl/serverssl profile, clear bad persistence carefully, or fail traffic group to the expected owner.

Verify

Replay the same client request, compare curl output, confirm connection table direction, capture both sides if needed and get user confirmation.

A green pool can still be wrong

The monitor may not test the real URI, host header, login dependency or SSL path users need.

Quick check · Q2 of 10 · Analyze

The pool is green but users still get timeout. What should you validate next?

Correct: a. Green pool status can be too shallow; prove the actual app path and packet return.
👉 So far: Green pool means the monitor passed; it does not always mean the website works for users.
ChatGPT Image Infographic 3 - curl, tmsh, tcpdump evidence ladder
Hand-drawn F5 LTM evidence ladder showing curl tests, tmsh checks, tcpdump clientside, tcpdump serverside, pcap and var log ltm.
Use small proof commands first. Compare client-to-VIP, BIG-IP-to-member and packet direction before changing objects.

④ curl, tmsh, tcpdump and log command ladder

Use the smallest possible test first, then widen only when evidence is missing. Keep one failing client IP, one VIP and one pool member in scope.

curl -vk https://<vip-fqdn-or-ip>/health
curl -vk --resolve app.example.com:443:<vip-ip> https://app.example.com/
curl -vk https://<pool-member-ip>:<port>/health
tmsh show ltm virtual /Common/<vs-name>
tmsh show ltm pool /Common/<pool-name> members
tmsh show sys connection cs-client-addr <client-ip>
tcpdump -s0 -ni 0.0 host <client-ip> or host <pool-member-ip>
tail -f /var/log/ltm

Interpretation: if curl to VIP fails but curl to pool member works from BIG-IP, inspect listener, profile and SNAT. If both fail, involve server/app routing. If tcpdump sees request on clientside but not serverside, BIG-IP decision logic stopped it. If serverside sees request but reply bypasses BIG-IP, suspect SNAT or routing symmetry.

Figure 4 — Weak vs strong incident response
The strong answer narrows scope before changing production.Weak vs strong incident responseWeak bridge-call answerPool is greenRestart web serverDisable SSL to testAdd SNAT everywhereCapture all traffic with no filterStrong bridge-call answerTest client to VIPTest BIG-IP to memberCompare clientside and serversideCheck SNAT and route symmetryVerify exact fix with original
The strong answer narrows scope before changing production.
Filter tcpdump

Use client, VIP or member filters so you can explain the packet path instead of drowning in noise.

Quick check · Q3 of 10 · Apply

Which command pairing best separates F5 and backend scope?

Correct: b. Comparing VIP behavior with direct member behavior quickly narrows the failure layer.
👉 So far: curl and tcpdump must answer: did the request arrive, did BIG-IP forward it, and did the response come back?
ChatGPT Image Infographic 4 - SNAT and asymmetric routing
Hand-drawn F5 LTM SNAT and asymmetric routing diagram showing broken return path, tcpdump evidence, route table, SNAT automap, SNAT pool and route symmetry.
If packets leave BIG-IP but the reply bypasses it, the fix is usually route symmetry, SNAT Automap or a scoped SNAT pool.

⑤ SNAT issue and asymmetric routing

SNAT is not a magic checkbox; it is a return-path control. F5 documentation explains that SNAT can ensure server responses return through BIG-IP when the server default route would not normally do so.

Failure pattern: clientside tcpdump shows SYN to VIP, serverside tcpdump shows SYN to member, but the SYN-ACK either never appears back on BIG-IP or comes from an unexpected path. The server may be replying to its default gateway instead of to BIG-IP.

Safe fix options: set backend default gateway to BIG-IP, add route symmetry, use SNAT Automap for simple cases, or use a scoped SNAT pool when you need predictable translation addresses and scale.

SNAT is return-path control

Use scoped SNAT or route symmetry based on evidence and address exhaustion risk, not as a blind global setting.

Watch one failed HTTPS request cross LTM

Press Play to trace the normal path, then Break it to see the asymmetric return-path failure.

① ClientsideClient sends SYN and TLS to VIP.
② Virtual serverBIG-IP matches destination, port, protocol and VLAN.
③ Pool decisionLTM selects a monitored pool member.
④ ServersideBIG-IP opens a new backend connection.
⑤ Return pathSNAT or routing keeps the response through BIG-IP.
Press Play to step through the healthy path. Then press Break it.
Quick check · Q4 of 10 · Evaluate

Serverside SYN leaves BIG-IP but reply never returns. What fix should be considered after proof?

Correct: a. This is the classic asymmetric return-path pattern.
👉 So far: Asymmetric routing is proven when traffic enters through BIG-IP but returns elsewhere.

⑥ Persistence, HA owner and closeout verification

Not every intermittent issue is network routing. Persistence can keep one user stuck to a weak pool member, and HA ownership can make a VIP behave differently after failover.

Figure 5 — Fix and verify loop
Close the incident only after the original user path passes.Fix and verify loopScopeone failing flowChangeproven layerRetestsame client pathObservetmsh/log/tcpdumpCloseowner confirms
Close the incident only after the original user path passes.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which evidence proves BIG-IP selected a virtual server?

Correct: c. You need both object status and traffic evidence.
Q6 · Understand

Why is pool green not enough?

Correct: d. Monitor scope may be narrower than the user path.
Q7 · Apply

VIP curl fails, but BIG-IP can curl the pool member. Where do you focus?

Correct: a. The backend can answer from BIG-IP, so inspect LTM path and clientside behavior.
Q8 · Analyze

tcpdump shows clientside request but no serverside connection. What does that suggest?

Correct: b. The flow reached BIG-IP but did not leave toward the member.
Q9 · Evaluate

What is the safest SNAT approach?

Correct: c. SNAT has scaling and logging implications; scope it based on evidence.
Q10 · Create

What should your final incident note contain?

Correct: d. A closeout note must preserve the reasoning and proof path.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: which layer did the packet fail at, and what proof showed it? Then compare with the expert version.

Expert version: A strong answer states the exact layer, the evidence command, the safe change and the verification result.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

VIP
The client-facing virtual IP address owned by the BIG-IP virtual server or virtual address.
Clientside
Traffic between client and BIG-IP.
Serverside
Traffic between BIG-IP and the selected pool member.
Monitor false green
A monitor says up, but the monitor does not test the real application condition users need.
Asymmetric routing
Traffic goes through BIG-IP in one direction but returns through another path.
Automap
A SNAT option that uses BIG-IP self IP addresses as translation addresses.
SNAT pool
A group of translation addresses that can be assigned to a virtual server or SNAT policy.
Traffic group owner
The active HA device that currently owns a floating virtual address.

📚 Sources

  1. F5 TechDocs - Introduction to Local Traffic Manager. https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-5-1/2.html
  2. F5 TechDocs - About Virtual Servers. https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-local-traffic-management-basics-14-0-0/02.html
  3. F5 TechDocs - About Pools. https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-basics-11-6-0/4.html
  4. F5 TechDocs - Health and Performance Monitoring. https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-5-1/15.html
  5. F5 TechDocs - SNATs. https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-concepts-11-5-1/17.html
  6. F5 TechDocs - NATs and SNATs. https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/tmos-routing-administration-12-1-1/7.html
  7. F5 MyF5 - K411: Overview of packet tracing with the tcpdump utility. https://my.f5.com/manage/s/article/K411
  8. F5 MyF5 - K00463541: A breakdown of the tcpdump utility, recommended actions, and filters. https://my.f5.com/manage/s/article/K00463541
  9. F5 MyF5 - K12531: Troubleshooting health monitors. https://my.f5.com/manage/s/article/K12531

What's next?

Next, take one failed transaction and explain where it disappears: before VIP, at virtual server selection, during pool selection, on serverside connect, on return path, or after SSL/profile processing.

Next · All interview lessons → Practice on exam.techclick.in →