Bug ID 684369: AFM ACL Rule Policy applied on Standby device

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP AFM(all modules)

Known Affected Versions:
12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1

Opened: Sep 19, 2017

Severity: 3-Major

Related Article: K35423171

Symptoms

In an Active/Standby setup with a Virtual Server configured to Mirror Connection State, the Standby device is aware of the state of connections. Apart from maintaining the state of those connections, the Standby device need not apply ACL policy to the mirrored connections. However, in the specific case where an ACL Policy has a Rule with a Schedule attached, the Standby does apply the policy to mirrored connections, which also generates ACL rule hit logs.

Impact

Does not impact handling of traffic. Generation of ACL Rule hit logs from the Standby is unexpected and not desirable.

Conditions

1) Active/Standby device setup.
2) Virtual Server with Connection Mirroring enabled.
3) ACL Policy with a Rule having a Schedule attached, and during periods of transition when a Schedule may cause a Rule to be enforced or expired.

Workaround

Objective:
- Disable the sweeper applying ACL policy on the Standby device.
- The Sys DB tunable must be disabled only on the Standby device. Because sys db settings are auto-sync'd to the Active device as well, you must do so using the following procedure.

Steps to apply the Sys DB setting only on the Standby device:
1. Turn off auto-sync for the device-group.
2. Apply the setting just before Rule Schedule expiry on the Standby device.
3. Wait until the Rule Schedule change takes effect.
4. Revert the setting to normal, and enable auto-sync again.

TMSH command sequence:

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos) # list sys db tm.sweeper.flow.acl value
sys db tm.sweeper.flow.acl {
    value "enable"   <<<< Set this to 'disable'
}
root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos) # modify cm device-group <device-group-for-failover> auto-sync disabled
root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos) # modify sys db tm.sweeper.flow.acl value disable
root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos) # list sys db tm.sweeper.flow.acl value
sys db tm.sweeper.flow.acl {
    value "disable"
}

On Active, it is still 'enable':

root@(BIG-IP-secondary)(cfg-sync Changes Pending)(Active)(/Common)(tmos) # list sys db tm.sweeper.flow.acl value
sys db tm.sweeper.flow.acl {
    value "enable"
}

Enable auto-sync again:

root@(BIG-IP-primary)(cfg-sync In Sync)(Standby)(/Common)(tmos) # modify cm device-group <device-group-for-failover> auto-sync enable

You might have to issue this run command if the device is reported as 'requiring sync':

root@(BIG-IP-primary)(cfg-sync Changes Pending)(Standby)(/Common)(tmos) # run cm config-sync to-group <device-group-for-failover>
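The procedure above only works if the sys db change never reaches the Active unit, so the order of steps and the unit you are on both matter. As an added example (not F5's code and not part of this bug record), the following Python helper drives the same tmsh sequence and refuses to run unless the unit reports itself Standby; it assumes `run` is a caller-supplied function that executes one tmsh command and returns its output, and that `show sys failover` begins with `Failover standby` on the Standby unit.

```python
import re
from typing import Callable, List

DB_KEY = "tm.sweeper.flow.acl"  # Sys DB tunable named in the workaround

def parse_db_value(output: str) -> str:
    """Value from `list sys db tm.sweeper.flow.acl value`, which prints e.g.
    sys db tm.sweeper.flow.acl { value "enable" }"""
    m = re.search(r'\bvalue\s+"([^"]*)"', output)
    if not m:
        raise ValueError(f"unexpected tmsh output: {output!r}")
    return m.group(1)

def is_standby(failover_output: str) -> bool:
    # Assumed format: `show sys failover` prints "Failover standby for ..." on Standby
    return failover_output.strip().lower().startswith("failover standby")

def _tmsh(run: Callable[[str], str], issued: List[str], cmd: str) -> str:
    issued.append(cmd)  # keep an audit trail of every command sent to tmsh
    return run(cmd)

def apply_on_standby(run: Callable[[str], str], group: str) -> List[str]:
    """Steps 1-2: stop auto-sync first, then disable the sweeper ACL pass here only."""
    issued: List[str] = []
    if not is_standby(_tmsh(run, issued, "show sys failover")):
        raise RuntimeError("refusing: this unit is not Standby")
    _tmsh(run, issued, f"modify cm device-group {group} auto-sync disabled")
    _tmsh(run, issued, f"modify sys db {DB_KEY} value disable")
    if parse_db_value(_tmsh(run, issued, f"list sys db {DB_KEY} value")) != "disable":
        raise RuntimeError("db change did not take effect")
    return issued

def revert_on_standby(run: Callable[[str], str], group: str) -> List[str]:
    """Step 4: restore the default, re-enable auto-sync, then push a config-sync."""
    issued: List[str] = []
    if not is_standby(_tmsh(run, issued, "show sys failover")):
        raise RuntimeError("refusing: this unit is not Standby")
    _tmsh(run, issued, f"modify sys db {DB_KEY} value enable")
    _tmsh(run, issued, f"modify cm device-group {group} auto-sync enabled")
    _tmsh(run, issued, f"run cm config-sync to-group {group}")
    return issued
```

Run `apply_on_standby` shortly before the Rule Schedule boundary and `revert_on_standby` once the schedule change has taken effect; the returned command list is the record of what was sent.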

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips