Bug ID 920961: Devices incorrectly report 'In Sync' after an incremental sync

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 16.0.0, 16.0.0.1, 16.0.1

Fixed In:
16.1.0, 16.0.1.1, 15.1.2, 14.1.3.1

Opened: Jun 25, 2020

Severity: 3-Major

Symptoms

The security policies assigned to a virtual server differ among the devices in a traffic-group.

Impact

After an incremental sync, the devices report 'In Sync' even though the security policy assigned to the virtual server differs between devices, so the sync status cannot be relied on to detect the discrepancy.

Conditions

-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).

Workaround

Modify the underlying LTM policy to be 'legacy':

# tmsh modify ltm policy <LTM Policy Name> legacy

Fix Information

An internal config parameter, force_legacy_ltm_policy, is now available to work around this issue. To use the workaround, you must enable this internal ASM parameter by running the following command from the CLI on every device in the device group:

------------------------------------
# /usr/share/ts/bin/add_del_internal add force_legacy_ltm_policy 1
Operation completed successfully.
Don't forget to restart ASM to apply changes.
------------------------------------

NOTE: In this specific case, an ASM restart is not required, despite the message saying that it is.
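Because this bug makes the 'In Sync' status unreliable, the useful check after applying either workaround (the 'legacy' LTM policy or the force_legacy_ltm_policy parameter) is to compare the actual virtual-server policy assignments across devices. The script below is an added example, not from this bug page and not an F5 tool: it takes two captures of `tmsh list ltm virtual all policies one-line`, one per device, and reports every virtual server whose attached LTM policies differ. The line format, the virtual-server and policy names, and the sample captures are constructed for the example and assumed to follow tmsh's one-line output style.

```shell
#!/bin/sh
# Added example; not from the F5 bug page and not an F5 tool. Compares the LTM
# policies attached to each virtual server on two devices of the device group.
# Each input file is the output of `tmsh list ltm virtual all policies one-line`
# captured on one device, e.g. ssh root@<device> 'tmsh list ltm virtual all policies one-line'.
# The line format parsed below is assumed from tmsh's one-line output.
LC_ALL=C; export LC_ALL

# Constructed sample captures (not real device output): device B carries a
# different ASM L7 policy on vs_api than device A does.
write_samples() {
  cat > "$1" <<'EOF'
ltm virtual /Common/vs_app { policies { /Common/asm_auto_l7_policy__vs_app { } } }
ltm virtual /Common/vs_api { policies { /Common/asm_auto_l7_policy__vs_api { } } }
ltm virtual /Common/vs_static { policies none }
EOF
  cat > "$2" <<'EOF'
ltm virtual /Common/vs_app { policies { /Common/asm_auto_l7_policy__vs_app { } } }
ltm virtual /Common/vs_api { policies { /Common/asm_auto_l7_policy__vs_api_old { } } }
ltm virtual /Common/vs_static { policies none }
EOF
}

# Turn one capture into "<vs> <comma-separated sorted policy list>" lines, sorted
# by VS name, so the two devices can be joined line by line. A VS with no
# policies gets "-" so it still takes part in the comparison.
normalize_policies() {
  awk '$1 == "ltm" && $2 == "virtual" {
         vs = $3; found = 0
         for (i = 4; i <= NF; i++) if ($i ~ /^\//) { print vs, $i; found = 1 }
         if (!found) print vs, "-"
       }' "$1" \
  | sort \
  | awk '{ if ($1 != prev) { if (NR > 1) print prev, acc; prev = $1; acc = $2 }
           else acc = acc "," $2 }
         END { if (NR > 0) print prev, acc }'
}

# Print one MISMATCH line per VS whose policy set differs (a VS present on only
# one device shows MISSING for the other). Returns 1 on any mismatch, else 0.
vs_policy_diff() {
  a=$(mktemp); b=$(mktemp)
  normalize_policies "$1" > "$a"
  normalize_policies "$2" > "$b"
  join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$a" "$b" \
    | awk '$2 != $3 { print "MISMATCH", $1, "deviceA=" $2, "deviceB=" $3; bad = 1 }
           END { exit bad ? 1 : 0 }'
  rc=$?
  rm -f "$a" "$b"
  return $rc
}

# Number of mismatching virtual servers; 0 means the devices really are in sync.
count_mismatches() {
  vs_policy_diff "$1" "$2" | grep -c '^MISMATCH' || true
}

# Stand-alone run against the constructed samples: ./vs_policy_diff.sh --demo
if [ "${1:-}" = "--demo" ]; then
  A=$(mktemp); B=$(mktemp)
  write_samples "$A" "$B"
  vs_policy_diff "$A" "$B" || echo "devices differ: do not trust 'In Sync'"
  rm -f "$A" "$B"
fi
```

In practice, capture the listing on every device in the device group and run the comparison pairwise against the device you consider authoritative; any MISMATCH line is a virtual server whose ASM policy assignment did not propagate, regardless of what the sync status shows.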

Behavior Change

There is now an internal config parameter, force_legacy_ltm_policy, that enables a workaround for this issue. Enable it on every device in the device group with the /usr/share/ts/bin/add_del_internal command shown under Fix Information. In this specific case, an ASM restart is not required, despite the message the tool prints.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips