predictable session ID

Hello,

 

 

WE are failing a security audit due to having a predicitable session ID number for the HTTP protocol.

 

 

We have a group of webservers in a pool and a virtual server polls from the pool, we use cookies for the

 

 

persistence profile. Is this a problem in the F5 or should I look in the IIS 6 webservers sitting in the pool.

 

 

The F5 handles the HTTP and HTTPS traffic.

 

 

Thanks