Bug ID 498433: Upgrading with ASM iRule and virtual server with no websecurity profile

Last Modified: Mar 12, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM, Install/Upgrade(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1

Fixed In:
12.0.0, 11.6.1 HF1

Opened: Dec 25, 2014
Severity: 3-Major

Symptoms

If you have an iRule that uses "ASM::*" assigned to a virtual server with no websecurity profile, when trying to upgrade from BIG-IP version 11.4.0 to any newer version, the upgrade fails, and you receive the following error message: ----------------- ASM::disable in rule (iRule_name) requires an associated WEBSECURITY profile on the virtual server (virtual_server_name). -----------------

Impact

Fails to upgrade. Fails to install ucs.

Conditions

On version 11.4: 1) Have an iRule that uses ASM::*, e.g. when HTTP_REQUEST { ASM::disable } 2) Create a virtual server and associate an ASM policy with it via CPM (L7) policy 3) Assign the iRule to the VS 4) Remove the CPM policy from the VS Now upgrade to any newer version OR Save the ucs and try to manually install it on any newer version

Workaround

Prior to upgrading and/or saving the ucs, for all virtual servers that have no websecurity profile assigned to them, remove all iRules that contain 'ASM::*' actions.

Fix Information

You can now successfully upgrade from version 11.4.0 to any newer version even if you have an iRule that uses "ASM::*" and a virtual server with no websecurity profile assigned because the upgrade/ucs_install mechanism now detaches the ASM iRule from the virtual server.

Behavior Change