Forum Discussion

Joad
Nimbostratus
Jun 18, 2019

ASM bypass_upon_load variable

Hi all,

When you enable the bypass_upon_load variable, web application traffic bypasses the BIG-IP ASM system when there are insufficient resources for the BIG-IP ASM service.

I would like to know what is the threshold that triggers the process (high threshold) and if ASM returns to service automatically when resources are available again (low threshold).

Thank you

  • By default, the bypass kicks in if the system idle is under 10% (i.e., is 90% used); this can be altered by changing the "bypass_under_high_cpu" system variable from 10 to some other value.

    /usr/share/ts/bin/add_del_internal update bypass_under_high_cpu <value>

    Sample log when the event has started:

    "High CPU Utilization: event code I617 Bypassing ASM"

    There is no log indicating the event has ceased; you'll just stop seeing additional logs.
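Because only the start of a bypass is logged, its duration has to be inferred from gaps between messages. The following is an added example, not part of the original thread or F5 tooling: it groups occurrences of the quoted I617 message into bypass windows. The log line layout, the sample lines, the 5-minute quiet gap and the function names are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Message text quoted in the answer above; the rest of each line is constructed.
BYPASS_MARKER = "High CPU Utilization: event code I617 Bypassing ASM"

# Constructed sample lines (ISO timestamp, host, message). A real log layout may differ.
SAMPLE_LOG = """\
2019-06-18T10:00:05 bigip1 asm: High CPU Utilization: event code I617 Bypassing ASM
2019-06-18T10:00:35 bigip1 asm: High CPU Utilization: event code I617 Bypassing ASM
2019-06-18T10:01:10 bigip1 asm: Some unrelated message
2019-06-18T10:01:20 bigip1 asm: High CPU Utilization: event code I617 Bypassing ASM
2019-06-18T14:30:00 bigip1 asm: High CPU Utilization: event code I617 Bypassing ASM
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(.*)$")


def bypass_windows(log_text, quiet_gap=timedelta(minutes=5)):
    """Group bypass messages into windows of (first_seen, last_seen, count).

    A window is closed once no bypass message appears for longer than
    quiet_gap (an assumed value). Lines are expected in time order.
    """
    windows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or BYPASS_MARKER not in m.group(2):
            continue  # unparseable line or unrelated message
        ts = datetime.fromisoformat(m.group(1))
        if windows and ts - windows[-1][1] <= quiet_gap:
            first, _, count = windows[-1]
            windows[-1] = (first, ts, count + 1)  # extend the open window
        else:
            windows.append((ts, ts, 1))  # start a new window
    return windows


def report(windows):
    """Render one line per window for review alongside application logs."""
    return [f"{a.isoformat()} -> {b.isoformat()}: {n} bypass message(s)"
            for a, b, n in windows]


if __name__ == "__main__":
    for entry in report(bypass_windows(SAMPLE_LOG)):
        print(entry)
```

Requests served inside a reported window were not inspected by ASM, so those time ranges are the ones to review in back-end application logs.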

  • Andrew, we have a follow-up question:

    If bypass_upon_load is left disabled, meaning upon high load the 'spill over' traffic will be blocked, what can we expect the customer experience to be like during that? Is the response page issued for the block or does it simply appear as latency in the browser?

    Please advise.

    Thank you.

    • Andrew-F5
      Employee

      To the best of my knowledge, the F5 will simply drop SYNs for new connections.

  • Excellent, thank you! We opened a service request after commenting here and received the following response:

    ===

    My name is Andrey and I will be assisting you with this case.

    Regarding your issue: I understand that you would like to know what behavior to expect from BigIP ASM policy when these two conditions occur:

    1) ASM system variable 'bypass_upon_load' is left disabled (default)

    2) High load is experienced

    The system will not block traffic or send blocking page. End user will experience slow load times but connections will still succeed. Under some circumstances the traffic may stop completely due to asm resetting connection due to lack of resources.

    K15093: The BIG-IP ASM system bypass_upon_load and bypass_upon_asm_down variables should not be enabled

    https://support.f5.com/csp/article/K15093

    Please feel free to contact us should you have any questions or require any assistance.

    Respectfully,

    Andrey Kramarevsky | Senior NSE

    ===