We've upgraded our BigIP from 9.4.3 to 11.1.0 Build 2268.0 Hotfix HF5. This is the latest software version which is supported by our appliance.
Since that time the number of modified asm cookie violations raised extremely. Every week we have hundreds of new violations. Before the upgrade, we had less than 10 asm cookie violations in a week.
Most of these requests are from the googlebot. e. g.
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
But there are a lot of other requests which look like valid requests being sent from a web browser.
I don't think that this is an attack against our website, because those violations occured right after our BigIP software upgrade. So I assume this is a problem with the new software version. However I don't want to disable the modified asm cookie violation. Is this a known problem and can it be solved?
I'd be glad about help. Thanks in advance.
Could this be the cause? See http://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-11-1-0.html
"Important: The system creates its internal TS cookie in versions 10.2.4 and later (including all versions of 11.x) differently than in versions prior to 10.2.4. As a result, while upgrading your system from a version prior to 10.2.4 to version 10.2.4 or later, the system will produce the Modified ASM Cookie violation for existing browser sessions. If the security policy has the Modified ASM Cookie violation enabled and set to block traffic when this violation occurs, after upgrading to version 10.2.4 or later, the system will block traffic to the web application. However, since the TS cookie is a session cookie, the system will block traffic only until the browser session ends (the end-user restarts the browser). To prevent the security policy from blocking traffic until the end-user’s browser is restarted, before upgrading to version 10.2.4 or later, we recommend you disable the security policy from blocking the Modified ASM Cookie violation, upgrade, and wait long enough to allow all users to restart their browsers (two weeks are expected to be enough). After enabling the violation, we recommend you monitor the logs. If the Modified ASM Cookie violation appears, consider disabling the violation again for a longer period of time, or communicate to the users to restart their browsers."
Just to confirm that you're not alone with this issue. I also have this problem since upgrading from 10.2.4 to v11 some time ago, so there is no session based cookies remaining, certainly not in the quantity that I'm seeing this violation occur in.
My LTM/ASM is configured in a Active/Standby HA pair.
Hopefully we will be able to resolve this issue soon.