Bug ID 498433: Upgrading with ASM iRule and virtual server with no websecurity profile

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM, Install/Upgrade(all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 12.1.0 HF1, 12.1.0 HF2, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
12.0.0, 11.6.1 HF1

Opened: Dec 25, 2014

Severity: 3-Major


If you have an iRule that uses "ASM::*" assigned to a virtual server with no websecurity profile, when trying to upgrade from BIG-IP version 11.4.0 to any newer version, the upgrade fails, and you receive the following error message: ----------------- ASM::disable in rule (iRule_name) requires an associated WEBSECURITY profile on the virtual server (virtual_server_name). -----------------


Fails to upgrade. Fails to install ucs.


On version 11.4: 1) Have an iRule that uses ASM::*, e.g. when HTTP_REQUEST { ASM::disable } 2) Create a virtual server and associate an ASM policy with it via CPM (L7) policy 3) Assign the iRule to the VS 4) Remove the CPM policy from the VS Now upgrade to any newer version OR Save the ucs and try to manually install it on any newer version


Prior to upgrading and/or saving the ucs, for all virtual servers that have no websecurity profile assigned to them, remove all iRules that contain 'ASM::*' actions.

Fix Information

You can now successfully upgrade from version 11.4.0 to any newer version even if you have an iRule that uses "ASM::*" and a virtual server with no websecurity profile assigned because the upgrade/ucs_install mechanism now detaches the ASM iRule from the virtual server.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips