Last Modified: Sep 14, 2023
Affected Product(s):
BIG-IP ASM
Known Affected Versions:
12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4
Fixed In:
15.1.0
Opened: Jul 17, 2017 Severity: 3-Major
The 'Illegal flow' violation occurs on requests to the same policy on non-synchronized devices when subsequent requests are handled by a different device.
'Illegal flow' violation is triggered.
Traffic is handled for the same policy by different devices that are not synchronized.
To workaround the issue, it is possible to align the differing account_id values by saving ASM configuration on one device, and loading on the other device. Important: This overwrites the full ASM configuration, and should be done only if all ASM policies are identical on both devices. No part of LTM configuration is changed by this action, however. This is the same mechanism used internally by ASM device group sync. To save the full ASM configuration: ---------------------------------------------------------------------- perl -MF5::ConfigSync -MF5::DbUtils -e 'F5::ConfigSync->new(dbh => F5::DbUtils::get_dbh())->save_to_file(filename => shift)' /var/tmp/full_asm_config.tgz ---------------------------------------------------------------------- To load the full ASM configuration: ---------------------------------------------------------------------- perl -MF5::ConfigSync -MF5::BigipVersionUtils -MF5::DbUtils -e 'F5::ConfigSync->new(dbh => F5::DbUtils::get_dbh(), ucs_version => F5::BigipVersionUtils::bigip_version())->load_from_file(filename => shift)' /var/tmp/full_asm_config.tgz ----------------------------------------------------------------------
None