Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10
Fixed In:
11.6.0, 11.5.2
Opened: Mar 05, 2014
Severity: 2-Critical
Related Article:
K72802264
ASM BD process may crash on missing cookie protection config data when traffic is being passed. The following error messages appear in /ts/log/bd.log:
BD_MISC|NOTICE|Mar 04 14:42:27.913|29378|temp_func.c:0688|-- EMPTY TABLE: CONFIG_TYPE_DB_SECURITY_SERVER ack num 123
DATA_PROTECT|ERR |Mar 04 14:42:27.913|29378|src/data_protect_conf.c:0390|context_init: Error opening file '/ts/var/account/data_protection/data_protection_1d71cdd6c19765a8298828aacdc01d82': No such file or directory
DATA_PROTECT|ERR |Mar 04 14:42:27.913|29378|src/data_protect_api.c:0020|data_protect_context_init: failed to initialize security context.
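One way to check /ts/log/bd.log for this signature, as an added example that is not F5 code. The six-field pipe-delimited layout (with the fourth field treated as a process ID) is an assumption inferred from the three log lines quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the three bd.log lines quoted in this article, plus one
# unrelated line made up for contrast.
SAMPLE_LOG = """\
BD_MISC|NOTICE|Mar 04 14:42:27.913|29378|temp_func.c:0688|-- EMPTY TABLE: CONFIG_TYPE_DB_SECURITY_SERVER ack num 123
DATA_PROTECT|ERR |Mar 04 14:42:27.913|29378|src/data_protect_conf.c:0390|context_init: Error opening file '/ts/var/account/data_protection/data_protection_1d71cdd6c19765a8298828aacdc01d82': No such file or directory
DATA_PROTECT|ERR |Mar 04 14:42:27.913|29378|src/data_protect_api.c:0020|data_protect_context_init: failed to initialize security context.
BD_MISC|NOTICE|Mar 04 14:43:01.002|29378|temp_func.c:0001|-- constructed unrelated line
"""

MISSING_FILE = re.compile(
    r"context_init: Error opening file '([^']+)': No such file or directory")
INIT_FAILED = "data_protect_context_init: failed to initialize security context"
FIELDS = ("component", "level", "timestamp", "proc_id", "source", "message")


def parse_line(line):
    """Split one bd.log line into six fields (assumed layout), or return None."""
    parts = line.rstrip("\n").split("|", 5)  # the message itself may contain '|'
    if len(parts) != 6:
        return None
    return dict(zip(FIELDS, (p.strip() for p in parts)))  # "ERR " -> "ERR"


def find_data_protect_failures(lines):
    """Report each missing data_protection file and whether the same process
    then logged the security-context initialization failure."""
    pending = {}   # proc_id -> finding still waiting for the init-failure line
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["component"] != "DATA_PROTECT" or rec["level"] != "ERR":
            continue
        match = MISSING_FILE.search(rec["message"])
        if match:
            finding = {"timestamp": rec["timestamp"], "proc_id": rec["proc_id"],
                       "missing_file": match.group(1), "init_failed": False}
            pending[rec["proc_id"]] = finding
            findings.append(finding)
        elif INIT_FAILED in rec["message"] and rec["proc_id"] in pending:
            pending.pop(rec["proc_id"])["init_failed"] = True
    return findings


if __name__ == "__main__":
    for f in find_data_protect_failures(SAMPLE_LOG.splitlines()):
        print(f)
```

A finding with `init_failed` set to True matches the full error sequence shown in this article; the missing-file path identifies which data protection file is absent on that blade.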
The initial sync state for ASM in a device group does not resolve successfully. ASM starts breaking connections in cases where the customer removed all of the ASM config and re-imported it. Upon the first request, BD crashes while trying to apply the crypto.
This is a rare condition where DATA_PROTECT_cookie config is missing from the config and traffic is being passed on a multi-bladed system.
Try one of the following workarounds:
-- Issue the following command: bigstart restart asm.
-- Complete the following procedure:
   1. On the device group environment with the correct ASM config, turn off ASM sync for the device group.
   2. Enable 'Full Sync'.
   3. Turn on ASM sync for the device group.
   4. Push the configuration.
This release fixes an issue where, during stress, the Enforcer intermittently crashed on the secondary blade of a multi-blade unit.