Bug ID 577664: Policy import, to inactive policies list, results in different policies on the sync-failover peers

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0, 11.6.1 HF1

Opened: Mar 03, 2016
Severity: 3-Major


Symptoms

In a standard Active/Standby setup with a single Sync-Failover device group, Auto-Sync, and ASM enabled, importing an ASM policy (named 'ddddd') into the inactive policies list produces the following on the GUI screen Security :: Application Security : Security Policies : Inactive Policies.

On active device:
Security Policy Name - Version
ddddd - 2016-02-25 10:39:49
ddddd_2 - 2016-03-01 00:11:46

On standby device:
Security Policy Name - Version
ddddd - 2016-03-01 00:11:41
ddddd_2 - 2016-02-25 10:39:49

According to the 'Version' field (timestamps), 'ddddd' on the active device is actually 'ddddd_2' on the standby device, and the other two policies are not the same. The group ends up with three different policies on the two devices.


Impact

Three different policies are created on the two devices.


Conditions

-- Active/Standby configuration.
-- ASM provisioned.
-- Import security policy to the inactive policies list.



Fix Information

The import policy process now results in a consistent state on both devices in a device group.

Behavior Change