Hi,
I would guess the security audit is errantly identifying the LTM persistence cookie as predictable because the value of the cookie doesn't change over the course of multiple users' sessions. The persistence cookie is not a session identifier--it is simply an encoding of the pool member's IP address and port. You can check SOL6917 for details on the encoding:
SOL6917: Overview of BIG-IP LTM cookie encoding for the cookie persistence profile
https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html
If you consider the exposure of the server IP:port a security risk, you could configure LTM to encrypt the persistence cookie value using the HTTP profile option. I think this option was added at some point in 9.4.x.
Aaron
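
An added example, not part of the original post: a small Python check that decodes an unencrypted IPv4 persistence cookie value so you can see what your own virtual server discloses and confirm that cookie encryption has taken effect. It assumes the publicly documented default format for IPv4 pool members (byte-reversed address and port as decimal, then `.0000`); the function names, the pool name and the sample headers are constructed for illustration.

```python
import ipaddress
import re
import struct
from typing import Optional, Tuple

# Unencrypted IPv4 form: <ip as decimal>.<port as decimal>.0000
_PLAIN = re.compile(r"(\d{1,10})\.(\d{1,5})\.0000", re.ASCII)

def decode_bigip_cookie(value: str) -> Tuple[str, int]:
    """Return (ip, port) encoded in an unencrypted persistence cookie value."""
    m = _PLAIN.fullmatch(value.strip())
    if not m:
        raise ValueError("not an unencrypted IPv4 persistence cookie value")
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        raise ValueError("field out of range")
    # Both fields are stored byte-reversed: write little-endian, read as network order.
    ip = ipaddress.IPv4Address(struct.pack("<I", ip_num))
    port = struct.unpack(">H", struct.pack("<H", port_num))[0]
    return str(ip), port

def encode_bigip_cookie(ip: str, port: int) -> str:
    """Inverse of decode_bigip_cookie, useful for checking a known pool member."""
    ip_num = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)[0]
    port_num = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_num}.{port_num}.0000"

def exposed_member(set_cookie: str) -> Optional[Tuple[str, int]]:
    """Return the pool member a Set-Cookie header discloses, or None if opaque."""
    m = re.search(r"BIGipServer[^=;\s]*=([^;\s]+)", set_cookie)
    if not m:
        return None
    try:
        return decode_bigip_cookie(m.group(1))
    except ValueError:
        return None  # value does not decode as plaintext (e.g. encryption enabled)

# Constructed sample headers: one plaintext, one opaque placeholder value.
SAMPLE_PLAIN = "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/"
SAMPLE_OPAQUE = "Set-Cookie: BIGipServerpool_web=OPAQUE-PLACEHOLDER-VALUE; path=/"

if __name__ == "__main__":
    for header in (SAMPLE_PLAIN, SAMPLE_OPAQUE):
        print(header, "->", exposed_member(header))
```

Every client sent to the same pool member receives the same value, which is why a scanner comparing cookies across sessions reports it as predictable.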