Bug ID 674300: The 'Illegal flow' violation occurs on requests to the same policy on non-synchronized devices

Last Modified: Jan 20, 2023

Bug Tracker

Affected Product:  See more info
BIG-IP ASM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
15.1.0

Opened: Jul 17, 2017
Severity: 3-Major

Symptoms

The 'Illegal flow' violation occurs on requests to the same policy on non-synchronized devices when subsequent requests are handled by a different device.

Impact

'Illegal flow' violation is triggered.

Conditions

Traffic is handled for the same policy by different devices that are not synchronized.

Workaround

To workaround the issue, it is possible to align the differing account_id values by saving ASM configuration on one device, and loading on the other device. Important: This overwrites the full ASM configuration, and should be done only if all ASM policies are identical on both devices. No part of LTM configuration is changed by this action, however. This is the same mechanism used internally by ASM device group sync. To save the full ASM configuration: ---------------------------------------------------------------------- perl -MF5::ConfigSync -MF5::DbUtils -e 'F5::ConfigSync->new(dbh => F5::DbUtils::get_dbh())->save_to_file(filename => shift)' /var/tmp/full_asm_config.tgz ---------------------------------------------------------------------- To load the full ASM configuration: ---------------------------------------------------------------------- perl -MF5::ConfigSync -MF5::BigipVersionUtils -MF5::DbUtils -e 'F5::ConfigSync->new(dbh => F5::DbUtils::get_dbh(), ucs_version => F5::BigipVersionUtils::bigip_version())->load_from_file(filename => shift)' /var/tmp/full_asm_config.tgz ----------------------------------------------------------------------

Fix Information

None

Behavior Change