Bug ID 779345: Security policy import via REST to replace an existing policy that is assigned to an LTM VS may fail on the peer device

Last Modified: Jan 20, 2023

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1

Fixed In:
16.0.0

Opened: May 05, 2019
Severity: 3-Major

Symptoms

Security policy import via REST, to replace an existing policy that is assigned to an LTM virtual server, might fail on the peer device, with an error in the asm log:

----------------------------
-- crit g_server.pl[16565]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): MCP Validation error - 01071726:3: Cannot deactivate policy '/Common/new_test3_policy'. It is in use by ltm policy '/Common/asm_auto_l7_policy__vs_dvwa'.
----------------------------

Impact

Security policy import via REST, to replace an existing policy that is assigned to an LTM virtual server, might fail on the peer device.

Conditions

-- Having an Active/Standby configuration.
-- Single sync-failover device group.
-- ASM sync enabled.
-- Incremental auto-sync set.
-- Having security policy assigned to a virtual server and devices In-Sync.

POST https://localhost/mgmt/tm/asm/tasks/import-policy
{
  "fullPath": "/Common/existing_security_policy_name",
  "file": "<?xml version=\"1.0\"... HUGE POLICY ...</policy>\n"
}

Workaround

Issue a manual full sync to the device group from the device on which the policy was imported via REST.
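
To confirm that a peer actually hit this failure before forcing the full sync, the asm log on the peer can be scanned for the error quoted under Symptoms. The following is an added example, not F5 code: the function name and the sample lines other than the one quoted on this page are constructed for illustration.

```python
import re

# MCP validation error 01071726:3 from the Symptoms section: the replaced ASM
# policy could not be deactivated on the peer because an LTM policy uses it.
DEACTIVATE_ERR = re.compile(
    r"01071726:3: Cannot deactivate policy '(?P<asm_policy>[^']+)'\. "
    r"It is in use by ltm policy '(?P<ltm_policy>[^']+)'"
)


def find_failed_imports(log_lines):
    """Return one record per distinct (ASM policy, LTM policy) pair that hit the error."""
    seen = {}
    for line in log_lines:
        m = DEACTIVATE_ERR.search(line)
        if not m:
            continue
        key = (m["asm_policy"], m["ltm_policy"])
        rec = seen.setdefault(
            key, {"asm_policy": key[0], "ltm_policy": key[1], "count": 0}
        )
        rec["count"] += 1
    return list(seen.values())


# Constructed sample input. The first entry is the log line quoted on this page;
# the second repeats it with a made-up PID; the last two are made-up non-matches.
SAMPLE_LOG = [
    "crit g_server.pl[16565]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): MCP Validation error - 01071726:3: Cannot deactivate policy '/Common/new_test3_policy'. It is in use by ltm policy '/Common/asm_auto_l7_policy__vs_dvwa'.",
    "crit g_server.pl[20001]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): MCP Validation error - 01071726:3: Cannot deactivate policy '/Common/new_test3_policy'. It is in use by ltm policy '/Common/asm_auto_l7_policy__vs_dvwa'.",
    "info constructed_daemon[100]: constructed unrelated message",
    "notice constructed_daemon[101]: Cannot deactivate policy '/Common/other' (constructed near miss, no error code)",
]

if __name__ == "__main__":
    for rec in find_failed_imports(SAMPLE_LOG):
        # Each record marks a policy whose replacement did not apply on this peer;
        # the page's workaround is a manual full sync from the importing device.
        print(f"{rec['asm_policy']} blocked by {rec['ltm_policy']} "
              f"({rec['count']} occurrence(s)): manual full sync needed")
```
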

Fix Information

None

Behavior Change