Forum Discussion

OM's avatar
Icon for Nimbostratus rankNimbostratus
May 31, 2018

asm rejects packets with policy in transparent mode

Hi, I am loadbalancing 2 vmware security servers (gateway) for vmware client view (vdi). I have an ASM policy in transparent mode, and the requests are still getting rejected without logs. I have no content profile, no xml profile. there is nothing blocked in the logs, even if the requests are rejected. When I disable the asm VS configuration, everything works fine.


any hint ?




7 Replies

  • Do you have any bot detection or web scraping defenses configured? What are you disabling exactly to enable traffic flow?


  • Do you have "log all requests" enabled for the logging profile assigned to the virtual server?


  • So if you disable Application Security on the VS, traffic passes? And when you enable Application Security on the VS, traffic does not pass, but you get no indication that ASM is blocking requests. If the request to the application contains XML in the payload, you will need an XML profile associated with the security policy--not the virtual server. Additionally, you will need to check the learn, alarm, and block settings for XML-related violations, and probably RFC-compliance violations as well. Can you de-select the "Block" checkbox for each violation and then test traffic? Are you sure the application encoding language for your policy is correct?


  • If the policy is in transparent mode, and if blocking is disabled for all violations, then there must be some other existing condition that is causing the issue. Is there anything other than the ASM policy applied to the virtual server? Do you have any other profiles applied to the virtual server, or are you using a mitigation that injects JavaScript into responses--think web scraping and/or proactive bot defense. Can you verify that packets are traveling from the client to the BIG-IP? Do you have SNAT/Auto Map configured on the virtual server?


  • Is ASM receiving encrypted traffic? It may sound obvious but ASM needs to be able to process unencrypted traffic.


  • Hi OM,


    What uri do you whitelist ?


    If you whitelist the domain of your vmware view, the ASM Policy is then useless ..?


  • OM's avatar
    Icon for Nimbostratus rankNimbostratus

    I have fixed the issue by whitelisting the uri. the problem was related to the header, the asm was unable to interpret the last line of the header, so I had to whitelist the uri. /broker/xml to this explicit uri, attach an xml profile. /ice/tunnel* this wildcard uri, no profile is required, body request handling is set to Do Nothing.