ASM bypass_upon_load variable
Hi all,
When you enable the bypass_upon_load variable, web application traffic bypasses the BIG-IP ASM system when there are insufficient resources for the BIG-IP ASM service.
I would like to know what is the threshold that triggers the process (high threshold) and if ASM returns to service automatically when resources are available again (low threshold).
Thank you
- Andrew-F5Employee
By default, the bypass kicks in if the system idle is under 10% (i.e., is 90% used); this can be altered by changing the "bypass_under_high_cpu" system variable from 10 to some other value.
/usr/share/ts/bin/add_del_internal update bypass_under_high_cpu <value>
Sample log when the event has started:
"High CPU Utilization: event code I617 Bypassing ASM"
There is no log indicating the event has ceased; you'll just stop seeing additional logs.
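Because the answer above says no log marks the end of a bypass, the windows during which traffic went uninspected have to be inferred from gaps between I617 lines. The following is an added example, not part of the original post and not F5 code: the timestamp format, the sample lines and the five-minute quiet period are assumptions, and only the message text comes from the thread.

```python
import re
from datetime import datetime, timedelta

# Message text as quoted in the answer above.
BYPASS_RE = re.compile(r"High CPU Utilization: event code I617 Bypassing ASM")
# Assumption: each line starts with an ISO-8601 timestamp; adapt to your log format.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")


def bypass_windows(lines, quiet=timedelta(minutes=5)):
    """Group I617 lines (in chronological order) into bypass episodes.

    No "bypass ended" message exists, so an episode is closed once no further
    I617 line appears within `quiet` (an assumed tuning value).
    Returns a list of (first_seen, last_seen, count) tuples.
    """
    windows = []
    for line in lines:
        if not BYPASS_RE.search(line):
            continue
        m = TS_RE.match(line)
        if not m:
            # Fail loudly rather than silently lose evidence of a bypass.
            raise ValueError(f"I617 line without parseable timestamp: {line!r}")
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        if windows and ts - windows[-1][1] <= quiet:
            first, _, count = windows[-1]
            windows[-1] = (first, ts, count + 1)  # extend the open episode
        else:
            windows.append((ts, ts, 1))  # start a new episode
    return windows


# Constructed sample lines (not real BIG-IP output).
SAMPLE = [
    "2024-01-10T09:00:01 bigip1 info: unrelated message",
    "2024-01-10T09:14:30 bigip1 warning: High CPU Utilization: event code I617 Bypassing ASM",
    "2024-01-10T09:15:30 bigip1 warning: High CPU Utilization: event code I617 Bypassing ASM",
    "2024-01-10T09:17:00 bigip1 warning: High CPU Utilization: event code I617 Bypassing ASM",
    "2024-01-10T09:18:00 bigip1 info: unrelated message",
    "2024-01-10T11:02:10 bigip1 warning: High CPU Utilization: event code I617 Bypassing ASM",
]

if __name__ == "__main__":
    for first, last, count in bypass_windows(SAMPLE):
        print(f"bypass from {first} to at least {last} ({count} I617 lines)")
```

The reported end of each window is only the last I617 line seen, so requests logged shortly after it may also have passed without ASM inspection.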
- WAF_EngineeringNimbostratus
Andrew, we have a follow-up question:
If bypass_upon_load is left disabled, meaning upon high load the 'spill over' traffic will be blocked, what can we expect the customer experience to be like during that? Is the response page issued for the block or does it simply appear as latency in the browser?
Please advise.
Thank you.
- Andrew-F5Employee
To the best of my knowledge the F5 will simply drop SYNs for new connections.
- WAF_EngineeringNimbostratus
Excellent, thank you! We opened a service request after commenting here and received the following response:
===
My name is Andrey and I will be assisting you with this case.
Regarding your issue: I understand that you would like to know what behavior to expect from BigIP ASM policy when these two conditions occur:
1) ASM system variable 'bypass_upon_load' is left disabled (default)
2) High load is experienced
The system will not block traffic or send a blocking page. The end user will experience slow load times but connections will still succeed. Under some circumstances the traffic may stop completely due to ASM resetting connections due to lack of resources.
K15093: The BIG-IP ASM system bypass_upon_load and bypass_upon_asm_down variables should not be enabled
https://support.f5.com/csp/article/K15093
Please feel free to contact us should you have any questions or require any assistance.
Respectfully,
Andrey Kramarevsky | Senior NSE
===