Bug ID 552139: ASM limitation in the pattern matching matrix builtup

Last Modified: Feb 13, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
11.2.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 12.0.0

Fixed In:
12.1.0, 12.0.0 HF1, 11.6.1, 11.5.4, 11.4.1 HF10, 10.2.4 HF13

Opened: Oct 13, 2015
Severity: 2-Critical
Related AskF5 Article:
K61834804

Symptoms

The signature configuration is not building up upon adding new signatures. This can look like a configuration change is not finishing, or if it does, it may result in crashes when the Enforcer starts up resulting in constant startups.

Impact

Configuration change doesn't finish or crashes in the ASM startup (which results in constant startups of the system).

Conditions

Too many signatures are configured with custom signatures. The exact number varies (depending on the signature) but hundreds of signatures may be enough to trigger it.

Workaround

Workarounds are possible only in a custom signature scenario, only using fewer signatures or by removing unused signatures.

Fix Information

Fixed a limitation in the attack signature engine.

Behavior Change