Bug ID 674300

Bug Tracker
ID 674300

Bug ID 674300: The 'Illegal flow' violation occurs on requests to the same policy on non-synchronized devices

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP ASM(all modules)

Known Affected Versions:
12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4

Fixed In:
15.1.0

Opened: Jul 17, 2017

Severity: 3-Major

Symptoms

The 'Illegal flow' violation occurs on requests to the same policy on non-synchronized devices when subsequent requests are handled by a different device.

Impact

'Illegal flow' violation is triggered.

Conditions

Traffic is handled for the same policy by different devices that are not synchronized.

Workaround

To workaround the issue, it is possible to align the differing account_id values by saving ASM configuration on one device, and loading on the other device. Important: This overwrites the full ASM configuration, and should be done only if all ASM policies are identical on both devices. No part of LTM configuration is changed by this action, however. This is the same mechanism used internally by ASM device group sync. To save the full ASM configuration: ---------------------------------------------------------------------- perl -MF5::ConfigSync -MF5::DbUtils -e 'F5::ConfigSync->new(dbh => F5::DbUtils::get_dbh())->save_to_file(filename => shift)' /var/tmp/full_asm_config.tgz ---------------------------------------------------------------------- To load the full ASM configuration: ---------------------------------------------------------------------- perl -MF5::ConfigSync -MF5::BigipVersionUtils -MF5::DbUtils -e 'F5::ConfigSync->new(dbh => F5::DbUtils::get_dbh(), ucs_version => F5::BigipVersionUtils::bigip_version())->load_from_file(filename => shift)' /var/tmp/full_asm_config.tgz ----------------------------------------------------------------------

Fix Information

None

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips