Bug ID 2053893: Incompletely-synced ASM configuration can be synced back to the original device or group

Last Modified: Oct 15, 2025

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
16.1.0, 16.1.1, 16.1.2, 16.1.2.1, 16.1.2.2, 16.1.3, 16.1.3.1, 16.1.3.2, 16.1.3.3, 16.1.3.4, 16.1.3.5, 16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 16.1.6, 17.1.0, 17.1.0.1, 17.1.0.2, 17.1.0.3, 17.1.1, 17.1.1.1, 17.1.1.2, 17.1.1.3, 17.1.1.4, 17.1.2, 17.1.2.1, 17.1.2.2, 17.1.3, 17.5.0, 17.5.1, 17.5.1.2, 17.5.1.3

Opened: Sep 17, 2025

Severity: 3-Major

Symptoms

When an ASM configuration is in the process of being synced from an existing device or group to a new device that has joined the group, and there is a request to sync the new device to the group, the incomplete ASM configuration on the new device may be synced to the device group, overwriting the original and complete ASM configuration.

Impact

Depending on the size of the ASM configuration, system performance and network throughput, the ASM configuration may take a long time to sync to the new device, and may appear to be only partially synced in the meantime. Depending on timing and other non-deterministic conditions, this partially-synced ASM configuration may be synced back to the device group. When this occurs, the existing ASM configuration may be overwritten by the partial ASM configuration on the new device, resulting in a loss of ASM functionality.

Conditions

This may occur when:
-- Multiple device groups are configured, including:
   -- a (non-ASM) Sync Failover device group
   -- an ASM Sync-Only device group
-- Both device groups are configured for Manual Full Sync.
-- The ASM configuration is large enough to require several minutes to apply the complete configuration.
-- A new device has joined the cluster and device groups, which has no existing ASM configuration (or a much smaller subset of the cluster's existing ASM configuration).
-- The configuration is synced from an existing device to the non-ASM device group (and thus to the new device).
-- After that, the ASM configuration is synced from an existing device to the ASM device group (and thus to the new device).
-- After that, the ASM configuration is synced from the new device to the ASM device group (and thus to the existing devices).

Workaround

To avoid this issue when multiple device groups are configured, including both an ASM and a non-ASM device group, and both groups are configured for Manual Full Sync:
-- Sync the ASM device group first.
-- Wait to confirm that the full ASM configuration has been synced to the new device before initiating any further sync operations.
-- Be careful not to inadvertently select the new device (with incomplete ASM configuration) as the device to sync to the device group.
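
One way to script the "wait to confirm" step, as an added example that is not F5 code and not part of the original bug record: it polls the new device's ASM policy inventory and reports it safe only after it has matched the existing device's inventory on several consecutive polls, since a single matching snapshot can be taken mid-sync. Assumptions: the operator supplies both inventories as a mapping of policy path to last-change timestamp, `fetch_candidate` is a hypothetical callable that returns the new device's current inventory, the policy names and timestamps are constructed, and matching names and timestamps are only a proxy for a fully applied configuration.

```python
import time

# Constructed sample: policy path -> last-change timestamp on the existing device.
REFERENCE = {
    "/Common/portal_policy": "2025-09-01T10:00:00Z",
    "/Common/api_policy": "2025-09-03T08:30:00Z",
    "/Common/shop_policy": "2025-09-10T14:45:00Z",
}

def sync_gaps(reference, candidate):
    """Policies the candidate lacks, and policies whose timestamp differs."""
    missing = sorted(set(reference) - set(candidate))
    differing = sorted(p for p in reference
                       if p in candidate and candidate[p] != reference[p])
    return missing, differing

def wait_for_full_asm_sync(reference, fetch_candidate, stable_polls=3,
                           max_polls=60, interval=10.0, sleep=time.sleep):
    """Poll until the candidate matches the reference on `stable_polls`
    consecutive polls. Returns (ok, missing, differing) from the last poll."""
    streak = 0
    missing, differing = sorted(reference), []
    for attempt in range(max_polls):
        missing, differing = sync_gaps(reference, fetch_candidate())
        # Any gap resets the streak: a partial snapshot must never count.
        streak = streak + 1 if not missing and not differing else 0
        if streak >= stable_polls:
            return True, [], []
        if attempt < max_polls - 1:
            sleep(interval)
    return False, missing, differing

def constructed_snapshots():
    """Simulate a new device whose ASM configuration arrives gradually."""
    partial = {"/Common/portal_policy": REFERENCE["/Common/portal_policy"]}
    snapshots = iter([{}, partial, dict(REFERENCE), dict(REFERENCE),
                      dict(REFERENCE)])
    return lambda: next(snapshots)

if __name__ == "__main__":
    ok, missing, differing = wait_for_full_asm_sync(
        REFERENCE, constructed_snapshots(), interval=0)
    if ok:
        print("new device matches reference; further syncs may proceed")
    else:
        print(f"hold all syncs: missing={missing} differing={differing}")
```

A `False` result means the new device must not be chosen as the sync source and no further sync should be started.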

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips