Bug ID 501128: On a HA config or a BIG-IP cluster a large firewall policy may fail to compile on one device/card and compile successfully on the other device/card.

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP AFM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Opened: Jan 15, 2015
Severity: 3-Major

Symptoms

With a large firewall policy, one device in the device group might compile the policy successfully, while another device might fail to compile. The same is true with a cluster.

Impact

PCCD becomes out of sync between devices in the device group or between cards in the cluster. This might cause subsequent HA sync failures. Disabling on-demand-rule-deploy might cause one of the devices/cards to automatically deploy the the policy. In this case the user could end up with mismatched firewall policies enforced on different devices/cards.

Conditions

This occurs with a large firewall policy and heavy use of FQDNs.

Workaround

Modifying the firewall policy and recompiling re-syncs PCCD.

Fix Information

None

Behavior Change