Any experience with ASM policy affecting response stream (with no vulnerability/attack signature noted)?

Question

Env:  LTM 11.5.2, physical appliance (4200), no resource issues&nbsp;
We are experiencing cases where the presence of an ASM security policy is affecting the response to clients, even though the event log shows the access involved as successful, with no attack signatures/violations noted, and even though the response log shows the response content body being sent back. It is demonstrably the security policy that's the cause, though - when the policy is removed from the virtual server, the issue goes away, and vice versa.&nbsp;
Casting a wide net - has anyone experienced anything similar, and what was the cause?  Any tips on how to debug this (other than the obvious tcpdump capture, which we are pursuing)?  Any hypotheses on a possible cause?&nbsp;
If it helps, it may be related to the size of the response - there's a loose association, with bigger responses triggering it more often, we think. (problem with chunked encoding? Hmm, may try a re-encode strategy)&nbsp;
Any thoughts appreciated, thx!&nbsp;

daboochmeister · Answer

I should have clarified - the clients seem to receive the response headers, but then no response content, not even a single byte. Still working on tcpdumps on both sides, but via e.g. curl access, the headers stream back (the last header being "Transfer-Encoding: chunked", followed by two carriage returns) - then nothing else.

samstep · Answer

It depends on your ASM Policy. Several features in ASM depend on things like injecting JavaScript into responses which may potentially break the content from rendering in the browser (should not affect the tcpdump though). &nbsp;
Such features include Web Scraping, CSRF protection, device fingerprinting, Bot Defense / Client-Side Human User Indicator /CAPTCHA etc... &nbsp;
So instead of removing the ASM policy completely the recommendation is to switch off off the features and violations which may interfere with response first.&nbsp;
Also try your application with the most basic policy such as Rapid Deployment Template.&nbsp;
Also check Support Knowledge base, for example this article:&nbsp;
K11040: Certain HTTP profile Response Chunking settings interfere with BIG-IP ASM and BIG-IP WebAccelerator processing&nbsp;

Forum Discussion

Any experience with ASM policy affecting response stream (with no vulnerability/attack signature noted)?

2 Replies

Recent Discussions

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

ASM instance creation

Can iRule mask the payload content on event logs of security

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

My Experience So Far

The DROWN Attack: Another SSL Vulnerability

Accellion FTA Vulnerabilities Exploited in APT Attacks - New AWAF Signatures

Experience F5 Distributed Cloud with Multi-Cloud Sites and Distributed Apps

VLAN Failsafe failover settings change on STANDBY device - affect ACTIVE device?