Forum Discussion

Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Oct 05, 2017

TMOS v13 Update: ASM::enable / ASM::disable commands are causing TCL exemptions...

Hi Folks,

I'm in the process of updating an ASM enabled LTM from version 12.1 to v13.0. The update process was overall successful.

The only problem we're facing right now is, that one of our ASM related iRules gots broken after the migration. The mentioned iRule is used to selectively 

ASM::enable "Common/$PolicyName"
or 
ASM::disable
depending on the requested HOSTNAME/URI.

The error messages are as following:

TCL error: /Common/iRuleName  - while executing "ASM::disable"

... or ... 

TCL error: /Common/iRuleName  - while executing "ASM::enable "/Common/$PolicyName""

Anybody here at DevCentral faced this problem so far?

Cheers, Kai

ASM Advanced WAF
LTM
security
  • Chris_Grant's avatar
    Chris_Grant
    Icon for Employee rankEmployee
    Oct 05, 2017

    Do you have a local traffic policy on the same policy? It is possible that ASM has already been disabled, which could generate this issue. Barring that you're probably looking at a case with support to get the level of detail needed to troubleshoot.

     

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Oct 06, 2017

    Hi Chris,

     

    We have a manually created LTM Policy in place which deploys a BLOCK ALL ASM Policy to our Virtual Servers. This policy gets then overwritten by a bunch of iRules.

     

    I've already tried using the ASM auto generated LTM Policy and also verified the funtionality of ASM in general with success.

     

    Its just that the iRule commands are broken...

     

    Cheers, Kai

     

  • Chris_Grant's avatar
    Chris_Grant
    Icon for Employee rankEmployee
    Oct 06, 2017

    It is possible that the ASM::disable is not actually the problem, but rather something previous in the iRule logic (or syntax). I would suggest adding logging to the irule and trying to determine if things are working as expected to that point.

     

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Oct 10, 2017

    Hi Chris,

     

    I'm 100% confident that the previous iRule code works as expected, since I was able to isolate the problem on a clean Virtual Server.

     

    Also experience some ASM related issues with a clean v13.0 (HF2) installation. Will skip the migration for now and simply wait for HF3. If HF3 also fails I'll open a support request...

     

    Cheers, Kai

     

  • Jeremy_140196's avatar
    Jeremy_140196
    Icon for Nimbostratus rankNimbostratus
    Oct 26, 2017

    Hi Kai,

     

    I encounter the same issue as you (13.0 HF2) Example : TCL error: /Common/asm_irule - while executing "ASM::enable /Common/security_xxx"

     

    I have a LTP assigned with my "default" Policy (LTP created by the system). Once assigned, I would like to change the Policy on "HTTP::host" event and error occurs...

     

    I saw this issue occured ramdomly... if I change my default Policy, no issue. I have checked the difference between both and the root cause is ....:

     

    Detect Session Hijacking by Device ID Tracking (Security ›› Application Security : Sessions and Logins : Session Tracking)

     

    You have to ENABLE it. Very very strange, but it works for me.

     

    Could you please test it ? Let me know If you have the same behavior.

     

    Jeremy.

     

    • Kai_Wilke's avatar
      Kai_Wilke
      Icon for MVP rankMVP
      Nov 29, 2017

      Hi Jeremy,

       

      I will check this out next week during a maintenance windows. Will let you know if this works out for me...

       

      Thanks for commenting and Cheers, Kai

       

  • samstep's avatar
    samstep
    Icon for Cirrocumulus rankCirrocumulus
    Oct 29, 2017

    This looks like a bug un ASM v13.0 please open a support case with F5