Mike_Maher
Mar 01, 2012

Modified ASM Domain Cookie block in v11.1

Has anyone noticed that after upgrading to v11.1 they are seeing Modified ASM Domain Cookie blocks where they were not seeing them before? I recently upgraded a box from 10.2.0 HF2 and I am doing testing in a controlled lab of my two major public websites, and now I am randomly getting these blocks. I can sit and just try to hit the logon page of one site and I get blocked about 30% of the time. I am going to work to get some traces and gather data tonight and early tomorrow (I have people testing other stuff and had to move traffic back to the 10.2.0 box for now), and I plan to open a case. However, I wanted to see if anyone has any thoughts.

  • I have heard of such an experience before, but no clues have surfaced yet. The issue may no longer be seen after clearing the cookie; have you tried that?

    Also wondering if there is an internal cookie hash parameter that differs between the two versions, or if the way cookie handling is done differs. I suggest opening the case for investigation.
  • I guess as a side question, I am trying to determine what the differences are between the following violations, and do you need to be using all of them or is there some overlap?

    Modified ASM Cookie
    ASM Cookie Hijacking
    Modified Domain Cookie
  • They are rather different, though all revolve around the ASM cookie.

    Modified ASM Cookie - This is tampering with the ASM Main or Frame cookie or their structure. See http://support.f5.com/kb/en-us/solutions/public/7000/000/sol7011.html?sr=19803122

    ASM Cookie Hijacking - Happens when an ASM Frame cookie and an ASM Main cookie were generated with different MD5 digest keys. Prior to 10.1.0, it was known as "Wrong message key". See http://support.f5.com/kb/en-us/solutions/public/9000/500/sol9584.html?sr=19803134

    Modified Domain Cookie - Mainly happens when ASM detects tampering with the web server's domain cookie. But there could be many other possible reasons too. See http://support.f5.com/kb/en-us/solutions/public/5000/900/sol5907.html

    I suspect any one of them could be the culprit.
  • So, an update on this issue: in researching this with support, it was thrown out there that the ASM cookie being flagged was from a different ASM. I have 2 ASMs in my lab, 1 v11 and 1 v10, and they sit behind an LTM; this way I can easily switch between versions for testing.

    With this setup I was able to start with the v10 box enabled and the v11 box forced offline. I start browsing the site and of course I see an ASM cookie set, let's call it TS1234. Then I stop browsing, force the v10 box offline and enable the v11 box. On the next click I make on the site I get blocked by ASM for Modified ASM Cookie, and in my trace I see that TS1234 is being sent and is the reason for the violation.

    However, if I clear my cookies, close and reopen the browser, and start my browsing going through the v11 box, I see an ASM cookie set, let's say TS5678. Then I stop browsing, force the v11 box offline and enable the v10 box. This time I am able to browse just fine and I see the TS1234 cookie get set, but the TS5678 cookie remains in the traffic flow, and the v10 does not seem bothered by it at all.

    I have taken some ssldumps and HTTP watches and given them to support this afternoon to review, to see why this is happening on v11 but not v10. In my prod environment I have the same setup, 2 ASMs behind an LTM, but they are both enabled and LBed all the time. Right now they are both 10.2.0 HF2.

    I will report more once I know more about what will fix this and why the detection behavior seems to have changed.
  • Bottom line: you can't LB an application to two ASMs when one is on v11 and one is on v10; you will get this block when passing through the v11 box with a v10 ASM cookie.