
Enabling ASM profile from iRule fails

Ustrum
Altocumulus

Hi everyone!

I'm currently load balancing several hosts through the same VIP and I'd like to enable a different ASM profile for each service. To do so I'm trying to use an iRule like this:

 

    when HTTP_REQUEST {
      set serviceName [string tolower [getfield [HTTP::host] "." 1]]
      set targetPoolName "pool_autosp_$serviceName"
      set targetASMProfile "/Common/asm_$serviceName"

      if { [class match $serviceName equals class_autoSPServiceList] } {
        pool $targetPoolName
        ASM::enable $targetASMProfile
      }
    }

 

I'm trying to test it out with a service named demoasm, so the string "demoasm" is added to class_autoSPServiceList, and there is a pool named pool_autosp_demoasm, and an ASM profile named asm_demoasm. Nevertheless, when I try it, I get an entry in the ASM log like this:

 

    ASM bad request: event code I4331 Request has an unknown HTTP selector: /Common/asm_demoasm

 

I would expect this behaviour, as pointed out in K12210419, if the ASM profile was nonexistent or if I missed the partition, which is not the case: I'm 100% certain the name is right and the ASM profile exists.

Am I missing something obvious, maybe the ASM profile must have an existing autogenerated LTM security profile tied to it before applying it or something on that line?

Thanks,

Pablo

1 ACCEPTED SOLUTION

Thanks for replying, what is your current BIG-IP version?

Do you happen to see this message in /var/log/ts/bd.log as well?

    did not receive account configuration after 600 seconds

If you see this, the cause might be Bug ID 850673.

Also, is the policy name shown as expected in the bigip.conf file? Does this only happen on the test policy or is it the same for all names? Since you said this is a test policy, have you tried deleting it and creating a new one?


6 REPLIES

CA_Valli
Cumulonimbus

Hello Pablo, does this VS have one default ASM policy globally configured? 

You need to assign an ASM policy to your virtual server before you can select an ASM policy or selectively disable ASM at all.

The log does show that the current $targetASMProfile value is correct. Have you tried adding quotes to the ASM enable command?

    ASM::enable "$targetASMProfile"

 

Hi, thanks for your response! Yeah, it does have a default ASM policy applied, otherwise I wouldn't be able to even use the ASM::enable command in the iRule applied to the VS.

Also, I've tried both with and without quotes to no avail 😞


Thanks maestro! I'm on a theoretically fixed version, 15.1.5.1, but I am indeed seeing those entries in the log. Just restarted the ASM process and it is working fine now...

gersbah
Cirrostratus

Any reason why you are doing this in an iRule and not the Local Traffic Policy?

I know iRules are often still much more flexible, but specifically for this purpose of switching pool/policy based on hostname, I find the LTM policies very straightforward.

Not sure if this would fix your problem, but maybe worth a try.

Well, that would probably work just as fine, but it would mean we'd need to maintain the logic in the policy, whereas this way we just need to add a hostname to the data class and create the pool and ASM policy for everything to work. Also the pool part is already working and fully automated. Moving to LTM policies would imply refactoring all our automatisms.
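The diagnosis from the accepted solution can be turned into a small log triage, shown here as an added example that is not code from any poster or from F5: it separates an I4331 event for a policy that really is missing (the K12210419 case) from one where the policy exists but bd.log shows the configuration never arrived. The timestamps, host name, temporary file locations and the policies.txt inventory file are constructed assumptions; only the two message texts come from the thread.

```shell
#!/usr/bin/env bash
# Added example: triage ASM event I4331 against bd.log and a policy inventory.

# Print each distinct policy path named in I4331 events of log file $1.
unknown_selectors() {
  sed -n 's/.*event code I4331 Request has an unknown HTTP selector: *\([^ ]*\).*/\1/p' "$1" | sort -u
}

# Count bd.log lines ($1) showing that bd never received its configuration.
bd_config_timeouts() {
  grep -c 'did not receive account configuration after' "$1" || true
}

# Classify one selector: $1 = policy path, $2 = bd.log,
# $3 = inventory of existing policies, one full path per line (assumed input).
triage_selector() {
  if ! grep -qxF -- "$1" "$3"; then
    echo "policy-missing"     # wrong name or partition, as K12210419 describes
  elif [ "$(bd_config_timeouts "$2")" -gt 0 ]; then
    echo "bd-config-stale"    # policy exists, bd has no configuration for it
  else
    echo "unexplained"        # policy exists and bd.log shows no timeout
  fi
}

# Constructed sample data (timestamps and host name are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/asm.log" <<'EOF'
Jan 10 09:14:02 bigip1 ASM bad request: event code I4331 Request has an unknown HTTP selector: /Common/asm_demoasm
Jan 10 09:14:07 bigip1 ASM bad request: event code I4331 Request has an unknown HTTP selector: /Common/asm_demoasm
Jan 10 09:15:31 bigip1 ASM bad request: event code I4331 Request has an unknown HTTP selector: /Common/asm_typo
EOF
cat > "$demo_dir/bd.log" <<'EOF'
Jan 10 08:50:00 bigip1 bd: did not receive account configuration after 600 seconds
EOF
printf '%s\n' /Common/asm_demoasm /Common/asm_other > "$demo_dir/policies.txt"

# One line per selector: policy path, tab, classification.
for sel in $(unknown_selectors "$demo_dir/asm.log"); do
  printf '%s\t%s\n' "$sel" \
    "$(triage_selector "$sel" "$demo_dir/bd.log" "$demo_dir/policies.txt")"
done
```

A `bd-config-stale` result matches the situation in this thread, which was resolved by restarting the ASM process.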