Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP ASM, Install/Upgrade
Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.0.0, 11.6.1 HF1
Opened: Dec 25, 2014 Severity: 3-Major
If you have an iRule that uses "ASM::*" assigned to a virtual server with no websecurity profile, when trying to upgrade from BIG-IP version 11.4.0 to any newer version, the upgrade fails, and you receive the following error message: ----------------- ASM::disable in rule (iRule_name) requires an associated WEBSECURITY profile on the virtual server (virtual_server_name). -----------------
Fails to upgrade. Fails to install ucs.
On version 11.4: 1) Have an iRule that uses ASM::*, e.g. when HTTP_REQUEST { ASM::disable } 2) Create a virtual server and associate an ASM policy with it via CPM (L7) policy 3) Assign the iRule to the VS 4) Remove the CPM policy from the VS Now upgrade to any newer version OR Save the ucs and try to manually install it on any newer version
Prior to upgrading and/or saving the ucs, for all virtual servers that have no websecurity profile assigned to them, remove all iRules that contain 'ASM::*' actions.
You can now successfully upgrade from version 11.4.0 to any newer version even if you have an iRule that uses "ASM::*" and a virtual server with no websecurity profile assigned because the upgrade/ucs_install mechanism now detaches the ASM iRule from the virtual server.