
ASM blocks all whitelisted URLs and parameters on standby device

THE_BLUE
Cirrus

ASM blocks all whitelisted URLs and parameters on the standby device and allows them on the active device. If I fail over to the standby device, my website doesn't work, whereas it works fine if I fail back to my active device.

I have checked the number of whitelisted URLs and parameters on both devices and they are the same. I tried to check the sync, so I created a security policy (test_policy) on the active device in transparent mode, and then I checked the standby device: (test_policy) exists, but in blocking mode, not transparent. I don't know why it has been changed.

Also, I created a security policy (test_policy2) on the active device in blocking mode, and then I checked the standby device: (test_policy2) exists and is in blocking mode too. It remains as it is.

While checking the learning and blocking settings on both devices, I noticed that the default microservices is transparent on the active device and blocking on the standby device. I don't know if this is the issue.

I have checked the ASM logs on the standby device and I found something like the below:

ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Expected size of /ts/var/sync/sync_xxxxxxxxx__full_update (256769544) does not match actual size (139853824)

 

ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::spawn_relay_handler): Error during 'sync_receive_file_part' while in sync recovery state. Giving up. State may be inconsistent with other peers.

Kindly advise.
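A log check for the two errors quoted in the post above, as an added example that is not part of the original thread or of F5's tooling: it scans ASM log text for a full-update size mismatch and for an abandoned sync recovery, and reports how much of the update file actually arrived. The sample input is the two lines from the post; the function names are assumptions of this example.

```python
import re

# Sample input: the two ASM error lines quoted in the post (file name redacted there).
SAMPLE_LOG = """\
ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): Expected size of /ts/var/sync/sync_xxxxxxxxx__full_update (256769544) does not match actual size (139853824)
ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::spawn_relay_handler): Error during 'sync_receive_file_part' while in sync recovery state. Giving up. State may be inconsistent with other peers.
"""

SIZE_RE = re.compile(
    r"Expected size of (?P<path>\S+) \((?P<expected>\d+)\) "
    r"does not match actual size \((?P<actual>\d+)\)"
)
GIVE_UP_RE = re.compile(
    r"Error during '(?P<step>[^']+)' while in sync recovery state\. Giving up"
)


def scan_asm_sync_errors(text):
    """Return one finding per log line that shows a failed ASM sync transfer."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SIZE_RE.search(line)
        if m:
            expected, actual = int(m["expected"]), int(m["actual"])
            findings.append({
                "line": lineno,
                "kind": "size_mismatch",
                "path": m["path"],
                "missing": expected - actual,  # bytes that never arrived
                "received_pct": round(100 * actual / expected, 1),
            })
            continue
        m = GIVE_UP_RE.search(line)
        if m:
            findings.append(
                {"line": lineno, "kind": "sync_abandoned", "step": m["step"]}
            )
    return findings


def peer_state_suspect(findings):
    """True when a truncated update is followed by an abandoned recovery,
    i.e. the receiving peer may be enforcing a stale or partial policy set."""
    kinds = [f["kind"] for f in findings]
    return ("size_mismatch" in kinds
            and "sync_abandoned" in kinds[kinds.index("size_mismatch"):])
```

On the quoted lines this reports that only about half of the full update was received before recovery was abandoned, which fits a standby enforcing different policy settings than the active unit.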

1 ACCEPTED SOLUTION

Have you followed article https://support.f5.com/csp/article/K12200102

 

You can also do a full sync to clear any issues:

https://support.f5.com/csp/article/K63470472

Also, sometimes the incremental sync cache of 1024 needs to be increased, to 2048 for example, to stop such issues:

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-device-service-clusterin...

 

I would also suggest checking the F5 bug tracker and release notes, and uploading a qkview to iHealth for your error, as your version may have some bug, for example an ASM BIG-IP process such as asm_config_server needing a restart with bigstart (https://support.f5.com/csp/article/K9073), etc.

Bug tracker:

https://support.f5.com/csp/bug-tracker?sf189923893=1

 

Example release notes:

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-1...

 

F5 iHealth:

https://www.f5.com/services/training/free-training-courses/getting-started-with-big-ip-ihealth

 

 

Just as a security note: your policy being in transparent mode on the active device is normal for the F5 device to not block the traffic, but this means that you have had a security risk until now, so just be aware of that! Better to clear the false positives and put the policy in blocking mode on the active and standby devices:

https://support.f5.com/csp/article/K70544352


2 REPLIES 2


THE_BLUE
Cirrus

After updating the system and fixing the sync issue, everything is working fine. Many thanks.