Bug ID 518201: ASM policy creation fails with after upgrading

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2 HF1, 11.5.3 HF1, 11.5.3 HF2, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2

Fixed In:
13.0.0, 12.1.1, 11.6.1 HF1

Opened: Apr 15, 2015

Severity: 3-Major

Symptoms

You cannot create an ASM security policy after upgrading to version 11.6.x. The system posts the following error message:

------------------
# tmsh create asm policy /Common/blabla active encoding utf-8
Unexpected Error: ASMConfig exception: [101] Policy 'Security Policy /Common/blabla' already exists in this policy.
------------------

It does not matter if the security policy was created at the command line or by the Configuration utility.

Impact

ASM policies cannot be created.

Conditions

-- ASM provisioned
-- Upgrade to 11.6.x.

Workaround

As the root user, from the command line of the affected BIG-IP system, run these exact commands (tip: you can copy and paste into the command line):

---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'DELETE FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------

IMPORTANT: This operation permanently affects the mentioned database table. It is strongly advised that you first create a backup of the running configuration by running the following command from the command line of the affected BIG-IP:

---------------------
# tmsh save sys ucs /shared/tmp/backup.ucs
---------------------

Before applying the workaround, make sure that you need it. To determine that, run the following command:

---------------------
# mysql -uroot -p`perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})'` -e 'SELECT * FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'
---------------------

If this query does not return any output, there is no need for the workaround. If you need the workaround, you can use the same "SELECT *" query to validate it after it has been applied: the query should then return no output.
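
The steps above, run in check, backup, delete, verify order, as an added example that is not F5's own script. The mysql and tmsh invocations are the ones on this page; the function names and status strings are assumptions made for illustration.

```bash
# Added example, not from the original page: function names and status strings are hypothetical.
# Both statements from the page share this FROM/WHERE clause.
ORPHAN_FILTER='FROM PLC.PL_SESSION_AWARENESS_VIOLATIONS WHERE policy_id NOT IN (SELECT id FROM PLC.PL_POLICIES)'

# Run one SQL statement as the MySQL root user, with the password lookup shown on the page.
run_sql() {
    mysql -uroot -p"$(perl -MF5::DbUtils -e 'print F5::DbUtils::get_mysql_password(user => qw{root})')" -e "$1"
}

# Take the UCS backup the page recommends before the table is changed.
backup_config() {
    tmsh save sys ucs /shared/tmp/backup.ucs
}

# Status 0: orphaned rows exist. Status 1: query printed nothing. Status 2: query itself failed.
has_orphans() {
    rows=$(run_sql "SELECT * $ORPHAN_FILTER") || return 2
    [ -n "$rows" ]
}

# Prints one status word and returns non-zero unless the result is not-needed or fixed.
apply_workaround() {
    rc=0
    has_orphans || rc=$?
    # A failed query must not be mistaken for "no output, nothing to do".
    if [ "$rc" -eq 2 ]; then echo "query-failed"; return 1; fi
    if [ "$rc" -eq 1 ]; then echo "not-needed"; return 0; fi
    # Never delete without a backup in place.
    backup_config >/dev/null || { echo "backup-failed"; return 1; }
    run_sql "DELETE $ORPHAN_FILTER" >/dev/null || { echo "delete-failed"; return 1; }
    # Validate with the same SELECT, as the page describes.
    rc=0
    has_orphans || rc=$?
    if [ "$rc" -eq 1 ]; then echo "fixed"; return 0; fi
    echo "still-present"; return 1
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    apply_workaround
fi
```

Run it as root with --run; the DELETE is skipped entirely when the check query prints nothing or the backup fails.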

Fix Information

This version fixes ASM policy creation so that it does not fail after upgrade.

Behavior Change
