Ustrum
Jul 19, 2022
Solved

Enabling ASM profile from iRule fails

Hi everyone!

I'm currently load balancing several hosts through the same VIP and I'd like to enable a different ASM profile for each service. To do so I'm trying to use an iRule like this:

when HTTP_REQUEST {
  set serviceName [string tolower [getfield [HTTP::host] "." 1]]
  set targetPoolName "pool_autosp_$serviceName"
  set targetASMProfile "/Common/asm_$serviceName"

  if { [class match $serviceName equals class_autoSPServiceList] } {
    pool $targetPoolName
    ASM::enable $targetASMProfile
  }
}

I'm trying to test it out with a service named demoasm, so the string "demoasm" is added to class_autoSPServiceList, and there is a pool named pool_autosp_demoasm, and an ASM profile named asm_demoasm. Nevertheless, when I try it, I get an entry in the ASM log like this:

ASM bad request: event code I4331 Request has an unknown HTTP selector: /Common/asm_demoasm

I would expect this behaviour, as pointed out in K12210419, if the ASM profile was nonexistent or if I missed the partition, which is not the case: I'm 100% certain the name is right and the ASM profile exists.

Am I missing something obvious, maybe the ASM profile must have an existing autogenerated LTM security profile tied to it before applying it or something on that line?

Thanks,

Pablo


  • Hello Pablo, does this VS have one default ASM policy globally configured? 

    You need to assign an ASM Policy to your Virtual Server, before you can select an ASM Policy or selectively disable ASM at all.

    Log does show that the current $targetASMprofile value is correct, have you tried adding quotes to ASM enable command? 

        ASM::enable "$targetASMProfile"

     

    • Ustrum

      Hi, thanks for your response! Yeah, it does have a default ASM policy applied, otherwise I wouldn't be able to even use the ASM::enable command in the iRule applied to the VS.

      Also, I've tried both with and without quotes to no avail 😞

      • Thanks for replying, what is your current BIG-IP version?

        Do you happen to see this message in /var/log/ts/bd.log as well?

        did not receive account configuration after 600 seconds

        If you see this, the cause might be BUG ID850673.

        Also, is the policy name shown as expected in the bigip.conf file? Does this only happen on the test policy or is it the same for all names? Since you said this is a test policy, have you tried deleting it and creating a new one?
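
The two checks suggested in the reply above (the policy name in bigip.conf and the bd.log message), scripted as an added example that is not part of the thread; it derives the pool and policy names from a hostname the same way the iRule does. The bigip.conf declaration format, the /Common partition for the pool, and the function names are assumptions, and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# Service name as the iRule derives it: lowercased first label of the Host header.
service_from_host() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | cut -d. -f1
}

# check_service HOST BIGIP_CONF BD_LOG
# Prints one finding per line; returns 0 only when there are no findings.
check_service() {
    svc=$(service_from_host "$1"); rc=0
    # Assumption: bigip.conf declares objects as "<module> <type> <path> {"
    # and the pool lives in /Common like the policy.
    for decl in "asm policy /Common/asm_${svc}" "ltm pool /Common/pool_autosp_${svc}"; do
        grep -Fq "${decl} {" "$2" || { echo "MISSING ${decl}"; rc=1; }
    done
    # The bd.log message quoted in the reply.
    if grep -Fq 'did not receive account configuration after 600 seconds' "$3"; then
        echo "BDLOG account configuration timeout present"; rc=1
    fi
    return "$rc"
}

# Constructed sample files written into directory $1.
make_samples() {
    cat > "$1/bigip.conf" <<'EOF'
ltm pool /Common/pool_autosp_demoasm {
}
asm policy /Common/asm_demoasm {
}
ltm pool /Common/pool_autosp_other {
}
EOF
    echo 'constructed: did not receive account configuration after 600 seconds' > "$1/bd.log"
}

# Demo run on the constructed samples.
tmp=$(mktemp -d) && make_samples "$tmp"
check_service "DemoASM.example.com" "$tmp/bigip.conf" "$tmp/bd.log" || true
rm -rf "$tmp"
```

Running the check for every hostname added to the data group shows which entries lack a matching pool or ASM policy declaration before traffic reaches the iRule.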

  • Any reason why you are doing this in an iRule and not the Local Traffic Policy?

    I know iRules are often still much more flexible, but specifically for this purpose of switching pool/policy based on hostname, I find the LTM policies very straightforward.

    Not sure if this would fix your problem, but maybe worth a try.

    • Ustrum

      Well that would probably work just as fine, but it would mean we'd need to maintain the logic in the policy, whereas this way we just need to add a hostname to the data class and create the pool and ASM policy for everything to work. Also the pool part is already working and fully automated. Moving to LTM policies would imply refactoring all our automatisms.