Bug ID 519262: MCP Validation error when disabling Application Security from Local Traffic :: Virtual Servers GUI.

Last Modified: Nov 14, 2022

Affected Product: BIG-IP ASM (all modules)

Opened: Apr 21, 2015
Severity: 3-Major

Symptoms

The following error appears:
---------------------------------
error_string : Could not update policy due to ASMConfig exception: [603] MCP Validation error - 01071912:3: ASM::fingerprint in rule (/Common/<irule_name>) requires an associated WEBSECURITY profile on the virtual-server (/Common/<vs_name>)
---------------------------------
when trying to disable "Application Security" for a given Virtual Server via the LTM UI at:
---------------------------------
"Local Traffic >> Virtual Servers : Virtual Server List >> <vs_name> >> Security Policies (tab) >> Application Security Policy"
---------------------------------

Impact

The following error appears:
---------------------------------
error_string : Could not update policy due to ASMConfig exception: [603] MCP Validation error - 01071912:3: ASM::fingerprint in rule (/Common/<irule_name>) requires an associated WEBSECURITY profile on the virtual-server (/Common/<vs_name>)
---------------------------------
Note that the operation of disabling "Application Security" for that Virtual Server is successful. However, the iRule (with 'ASM::*' in it) and the WEBSECURITY profile remain assigned to the Virtual Server (this is what the error is about) and need to be unassigned manually. First unassign the iRule, then unassign the WEBSECURITY profile.

Note that, in this case, the WEBSECURITY profile can be unassigned from a Virtual Server via the TMSH interface only:
---------------------------------
# tmsh modify ltm virtual <vs_name> profiles delete websecurity
---------------------------------
If the iRule and the WEBSECURITY profile remain assigned to a Virtual Server that has "Application Security" disabled, errors will be visible in '/ts/log/bd.log' on transactions, saying "ASM bad request ... Request has an unknown HTTP selector".

Conditions

1) ASM and LTM provisioned.
2) A Virtual Server exists with "Application Security" set to some Security Policy.
3) An iRule is assigned to that Virtual Server which has an 'ASM::*' action in it.
4) Attempt to disable "Application Security" for that Virtual Server via the LTM UI at:
---------------------------------
"Local Traffic ›› Virtual Servers : Virtual Server List ›› <vs_name> ›› Security Policies (tab) ›› Application Security Policy"
---------------------------------

Workaround

The iRule (with 'ASM::*' in it) and the WEBSECURITY profile need to be unassigned manually from the Virtual Server.

Fix Information

None

Behavior Change