Online Access Free 301b Exam Questions

No.# Port lockdown exceptions

TCP mirroring ports: The BIG-IP system maintains a separate mirroring channel for each traffic group. The port range for each connection channel begins at TCP 1029 and increments by one for each new traffic group and channel created. The BIG-IP system allows TCP ports 1029 through 1155.
TCP port 4353: When BIG-IP devices are configured in a synchronization group, peer devices communicate using Centralized Management Infrastructure (CMI) on tcp:4353 on the self IP address, regardless of the port lockdown settings.

Reference: https://my.f5.com/manage/s/article/K17333
Thius, the option D is not the answer.

No.# As we can see the destinated backend node on the subnet 192.168.100.0/24 has the default gateway of 192.168.100.1, and the default gateway ip is hosted by the network firewall. Thus, when the node responds back to the request, it goes to the firewall, and since firewall does not have any connection – it looks the state of the connection. The Network Firewall simply drops the connection.

No.# CMP (Clustered Multi-Processing) allows BIG-IP system to utilize multiple CPU cores (TMMs) for better performance and scalability.

Some iRule statements can break CMP by forcing the connection to be handled by a single TMM, which demotes the virtual server from using CMP. These are called CMP-incompatible operations.



set ::foo 123 demotes CMP

:: is used to reference global variables in iRules.



Using global variables (like ::foo) introduces shared memory access across TMMs, which requires serialization.



As a result, CMP is disabled to maintain consistency.



So, using set ::foo 123 causes the virtual server to be CMP-incompatible.

No.# In an HTTP 1.0 request, no headers are required. However, in an HTTP 1.1 request, the Host headers is required, although it may contain a null value.

https://my.f5.com/manage/s/article/K2167

No.# For the Hardwired Failover – Based on a simple mechanism where the active device assets (or de-asserts) a voltage (CRS/RTS) signal to indicate active status. However, only supports two BIGIP devices. This is independent of network issues.

Reference: https://my.f5.com/manage/s/article/K2397

No.# When the BIG-IP system management interface is connected to a remote switch port with fixed media settings, the BIG-IP management interface may change to half duplex. (100TX-HD)
Reference: https://my.f5.com/manage/s/article/K14579


The “FD” suffix explicitly means Full Duplex, meaning data can be sent and received simultaneously.

No.# {peer} TCP RST from remote system

This clearly indicates that the TCP RST (reset) was initiated by the remote system (the peer) — in this case, the server or client, not by the BIG-IP system itself.

No.# The command causes both the host subsystem and the SCCP to reboot, and is only meant to be used in special circumstances (for example, when the installation of a hotfix updates the SCCP firmware package). You can safely run the command on a BIG-IP platform that does not contain an SCCP; however, the system will behave no differently than if you had just run the reboot command.

https://my.f5.com/manage/s/article/K12381

No.# When an LTM device group (Device Trust) is used to synchronize configuration among multiple BIG-IP devices, the trust between devices relies on:



Device certificates for authentication.

Correct time and valid certificates (non-expired).

Intact trust relationships (not corrupted).

Correct admin credentials for secure API or iControl access (but only if interactive authentication is used).



A. Certificates stored for the device trusts on the LTM device NOT receiving the configuration are corrupted.

If the certificate on the device that’s not syncing is corrupted or invalid, it cannot verify the identity of the peers, and sync will fail. This is a common issue and often requires re-establishing device trust.



B. Certificates expired on all of the peer LTM devices.

If peer devices have expired certificates, they will fail the mutual certificate validation during sync, and the affected device will not be able to establish trust, causing sync to fail.

No.# In HTTP/1.1, the Host header is mandatory for every request. According to RFC 2616,
“A client must include a Host Header filed in all HTTP/1.1 request messages.”


There is no Host: header, which is required for the server to determine which virtual host (domain) the client is trying to reach, especially on servers hosting multiple websites (virtual hosting).

When a server receives an HTTP/1.1 request without a Host header, it will typically respond with:

HTTP/1.1 400 Bad Request

No.# You’re accessing the app over HTTPS (port 443), which means SSL/TLS is required.

But since the virtual server has no SSL profiles, it cannot:
Decrypt incoming SSL traffic from the client (no Client SSL profile),
Encrypt SSL traffic to the server (no Server SSL profile), Or simply pass encrypted traffic transparently unless explicitly configured for SSL passthrough (which requires iRules or special TCP-only setup).

So, SSL communication fails.

Thus, the correct answer is Option B

No.# The bigd process in an F5 LTM system is responsible for running monitors — including HTTP, TCP, HTTPS, and other health checks.

When the bigd process is not running, the LTM cannot perform health checks, and it marks the monitored objects as:
Blue (unchecked)

This means that the system doesn't currently know the health status of those objects because the monitoring service is not operational.

Thus, the correct answer is Option A

No.# Since HTTP compression on the server prevents the BIG-IP system from reading the data stream and performing the intended replacement, you may need to configure the HTTP profile to remove the Accept-Encoding header in the request to prevent compression by the server.
Reference: https://my.f5.com/manage/s/article/K39394712

Thus, the Accept-Encoding header needs to be removed.

No.# F5 BIG-IP Device Groups use a concept called "config-sync", where one device pushes its configuration to the rest of the group.

Here’s how it works:

Only the device that made the change (i.e., has the highest commit ID) is allowed to initiate a config-sync.

Attempting to push configuration from a device that did not make the most recent changes will result in a sync failure, because the system wants to prevent older configurations from overwriting newer ones.

Thus, only from LTM-B is the device eligible to initiate a config-sync

No.# On the redirection response, the destination location is https://webmail.example.com/webmail/ and the send string is “GET /webmail HTTP/1.1”

Thus, the send string is incorrect.

No.# On the virtual server configuration overview, there is no SSL profile being used, which means, even though the destination service port is https, but there is no ssl profile making it process the encrypted traffic in plain text format.

No.# With a blank receive string, any HTTP response marks the pool member UP.
Only network-level issues (like not responding to SYN) will result in the member being marked DOWN.

No.# To troubleshoot why the client can't connect despite the LTM forwarding the request:

✅ Capture on the web server interface to see if it responds and how.
✅ Capture on the client interface to see what, if any, response it receives.

No.# The issue is inconsistent application behavior — sometimes contextual data is correct, sometimes not. The tmsh show sys connection output shows that one client IP (10.0.20.1) has connections to multiple backend servers (172.16.20.1, .2, .3).

This indicates that the client's session is being load-balanced to different backend servers, likely because there is no session persistence configured.

Thus, the option D is the correct one.

No.# The certificate is the self-signed certificate with “No Client certificate CA names sent” prompt on the output. Thus, option D is the correct answer.