
Forum Discussion

hassona
1 day ago

F5 ASM/AWAF – violations logged but no learning suggestions generated

Hey everyone, running into a strange behavior with F5 ASM and hoping someone has seen this before.

Setup:

- Explicit/closed parameter list (only allowed parameters defined, everything else triggers a violation)

- "Illegal Parameter" violation has Learn + Alarm + Block all enabled

- Parameter learning mode is set to Always

- Violations are appearing correctly in the event logs

- No blocked IP addresses exceptions

The Problem:

Despite all of the above, no learning suggestions are being generated for the illegal parameter violations, except one, on the Traffic Learning page.

What I noticed:

After digging through the logs, I found a pattern:

- The one request that triggered only the illegal parameter violation (with a valid URL) → learning suggestion WAS generated

- Requests that triggered illegal parameter + illegal URL or illegal file type simultaneously → no learning suggestion generated

The vast majority of my traffic falls into the second category, which is why the suggestions page looks empty.

My question:

Is there any documented behavior in ASM/AWAF where requests triggering multiple severe violations (illegal URL + illegal file type + illegal parameter together) are suppressed from generating learning suggestions? Or is something else going on here?

Has anyone run into this and found a workaround other than manually adding parameters from the event log?

Thanks in advance.
