Bug ID 779345: Security policy import via REST, to replace an existing policy that is assigned to an LTM virtual server, may fail on the peer device

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP ASM (all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 13.1.5, 13.1.5.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 14.1.4, 14.1.4.1, 14.1.4.2, 14.1.4.3, 14.1.4.4, 14.1.4.5, 14.1.4.6, 14.1.5, 14.1.5.1, 14.1.5.2, 14.1.5.3, 14.1.5.4, 14.1.5.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4, 15.1.4.1, 15.1.5, 15.1.5.1, 15.1.6, 15.1.6.1, 15.1.7, 15.1.8, 15.1.8.1, 15.1.8.2, 15.1.9, 15.1.9.1, 15.1.10, 15.1.10.2, 15.1.10.3, 15.1.10.4, 15.1.10.5, 15.1.10.6

Fixed In:
16.0.0

Opened: May 05, 2019

Severity: 3-Major

Symptoms

Security policy import via REST, to replace an existing policy that is assigned to an LTM virtual server, might fail on the peer device, with an error in the ASM log:

----------------------------
-- crit g_server.pl[16565]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): MCP Validation error - 01071726:3: Cannot deactivate policy '/Common/new_test3_policy'. It is in use by ltm policy '/Common/asm_auto_l7_policy__vs_dvwa'.
----------------------------
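A way to spot this failure on the peer device, added here as an example and not taken from F5: the script scans ASM log lines for the MCP validation error quoted above and lists the security policies whose replacement was rejected. The function names and the filler log lines are assumptions made for the example; the log path is supplied by the caller.

```python
import re
import sys

# Matches the MCP validation error quoted in the Symptoms section.
ERR = re.compile(
    r"01071726:3: Cannot deactivate policy '(?P<asm>[^']+)'\. "
    r"It is in use by ltm policy '(?P<ltm>[^']+)'"
)

# Constructed sample input: line 2 is the error quoted on this page;
# lines 1 and 3 are made-up filler to show unrelated entries are ignored.
SAMPLE_LOG = """\
info g_server.pl[16565]: constructed filler line, not from a real device
crit g_server.pl[16565]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::ASMConfig::Handler::log_error_and_rollback): MCP Validation error - 01071726:3: Cannot deactivate policy '/Common/new_test3_policy'. It is in use by ltm policy '/Common/asm_auto_l7_policy__vs_dvwa'.
crit g_server.pl[16565]: 01310027:2: ASM subsystem error (constructed): some other failure
"""


def find_failed_imports(lines):
    """Return one record per log line where the peer rejected the replacement."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = ERR.search(line)
        if m:
            hits.append(
                {"line": lineno, "asm_policy": m["asm"], "ltm_policy": m["ltm"]}
            )
    return hits


def policies_needing_full_sync(lines):
    """Deduplicated ASM policy paths that failed to apply on this device."""
    return sorted({h["asm_policy"] for h in find_failed_imports(lines)})


if __name__ == "__main__":
    # With no argument the constructed sample is scanned; otherwise the
    # given file (for example a copy of the peer's ASM log) is read.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            found = find_failed_imports(fh)
    else:
        found = find_failed_imports(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f"line {hit['line']}: {hit['asm_policy']} "
              f"blocked by {hit['ltm_policy']}")
```

A policy listed here is one where the two devices may now enforce different versions until the workaround below is applied.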

Impact

Security policy import via REST, to replace an existing policy that is assigned to an LTM virtual server, might fail on the peer device.

Conditions

-- Having an Active/Standby configuration.
-- Single sync-failover device group.
-- ASM sync enabled.
-- Incremental auto-sync set.
-- Having security policy assigned to a virtual server and devices In-Sync.

POST https://localhost/mgmt/tm/asm/tasks/import-policy
{
  "fullPath": "/Common/existing_security_policy_name",
  "file": "<?xml version=\"1.0\"... HUGE POLICY ...</policy>\n"
}

Workaround

Issue a manual full sync to the device group from the device where the policy was imported via REST.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips