Bug ID 518201: ASM policy creation fails with after upgrading

Last Modified: Dec 19, 2018

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2

Fixed In:
13.0.0, 12.1.1, 11.6.1 HF1

Opened: Apr 15, 2015
Severity: 3-Major

Symptoms

You cannot create an ASM security policy after upgrading to version 11.6.x. The system posts the following error message:

------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------

It does not matter if the security policy was created at the command line or by the Configuration utility.

Impact

ASM policies cannot be created.

Conditions

-- ASM provisioned
-- Upgrade to 11.6.x.

Workaround

As root user, from the command line of the affected BIG-IP system, run these exact commands (tip: you can copy and paste into the command line):

---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------

IMPORTANT: This operation permanently affects the mentioned database table. It is strongly advised that you first create a backup of the running configuration by running the following command from the command line of the affected BIG-IP:

---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------

Before applying the workaround, make sure that you need it. To determine that, run the following command:

---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------

If this query does not return any output, there is no need for the workaround.

If you need the workaround, you can use the same "SELECT *" query to validate it after it has been applied: once the workaround is in place, the "SELECT *" query should return no output.
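
The check, backup, DELETE and validation described in this workaround can be chained so that the DELETE never runs unless the check found rows and the backup succeeded. The script below is an added example, not F5's code; the function and variable names are hypothetical, and the mysql, perl and tmsh invocations are the ones given in this article.

```bash
#!/bin/bash
# Added example: guarded wrapper for the Bug ID 518201 workaround.
# Function and variable names are hypothetical; the mysql, perl and tmsh
# commands and the SQL are the ones given in this article.

ORPHANS='FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'

# Run one SQL statement as MySQL root (password lookup as in the article).
run_sql() {
    sql_pw=$(perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})') || return 1
    mysql -uroot -p"$sql_pw" -e "$1"
}

# Back up the running configuration before any destructive change.
save_backup() {
    tmsh save sys ucs /shared/tmp/backup.ucs
}

# Exit 0: orphaned rows exist. Exit 1: none. Exit 2: the query itself failed.
workaround_needed() {
    wn_out=$(run_sql "SELECT * $ORPHANS") || return 2
    [ -n "$wn_out" ]
}

# Check, back up, delete, verify. Stops before the DELETE if any guard fails.
apply_workaround() {
    aw_rc=0
    workaround_needed || aw_rc=$?
    case $aw_rc in
        0) ;;
        1) echo "No orphaned rows; workaround not needed."; return 0 ;;
        *) echo "Check query failed; nothing changed." >&2; return 2 ;;
    esac
    save_backup || { echo "Backup failed; DELETE skipped." >&2; return 3; }
    run_sql "DELETE $ORPHANS" || { echo "DELETE failed." >&2; return 4; }
    aw_rc=0
    workaround_needed || aw_rc=$?
    if [ "$aw_rc" -eq 1 ]; then
        echo "Orphaned rows removed; query now returns no output."
        return 0
    fi
    echo "Rows remain or verification failed." >&2
    return 5
}

# Run only when explicitly requested, as root on the affected BIG-IP.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround
fi
```

Without the `--apply` argument the script only defines the functions and changes nothing.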

Fix Information

This version fixes ASM policy creation so that it does not fail after upgrade.

Behavior Change