Bug ID 805089: JavaScript challenges fail when using LTM Rules which disable DoSL7, Bot Defense, or ASM by default

Last Modified: Oct 16, 2019

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 15.0.0, 15.0.1

Opened: Jul 15, 2019
Severity: 4-Minor

Symptoms

When using complex CPM rules (LTM Policy) in which the default rule disables DoSL7, Bot Defense, or ASM, the special URLs cannot reach the DoSL7 hudfilter or BD, and are blocked. As a result, JavaScript challenges do not pass and users are blocked.

Example of l7dos disabled by default:

    default {
        actions {
            0 {
                l7dos
                disable
            }
        }
        ordinal 3
    }

In this case, the following error is observed in /var/log/ltm if an ASM Policy is also used:

    [2aeadec:931] Internal error (ASM requested abort (trans begin error))

The request reaches ASM without the policy identifier, and the error is seen.

Impact

JavaScript challenges fail and block traffic from browsers.

Conditions

Using complex CPM rules (LTM Policies) in which the default rule is to disable DoSL7, Bot Defense, or ASM.

Workaround

-- If l7dos or bot-defense is disabled on the default rule, then add a rule for enabling l7dos or bot-defense on requests to /TSPD/* URLs.
-- If asm is disabled on the default rule, then add a rule for enabling asm on requests to /TSbd/* URLs.
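
An added example (not F5 code) that audits the `rules { ... }` block of an LTM Policy for the condition above: a catch-all rule that disables l7dos, bot-defense, or asm while no rule enables that module for the /TSPD/ or /TSbd/ prefix. The sample policies are constructed; the rule names, the profile name, and the `from-profile` enabling syntax are assumptions.

```python
import re

# Workaround mapping: module disabled by default -> URL prefix that needs an enabling rule.
REQUIRED_PREFIX = {"l7dos": "/TSPD/", "bot-defense": "/TSPD/", "asm": "/TSbd/"}

def parse(tokens):
    """Turn tmsh-style 'name { ... }' nesting into dicts; bare words are kept under '_'."""
    node = {"_": []}
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tokens and tokens[0] == "{":
            tokens.pop(0)
            node[tok] = parse(tokens)
        else:
            node["_"].append(tok)
    return node

def audit(policy_text):
    """Return sorted (module, prefix) pairs disabled by a catch-all rule and not re-enabled."""
    tree = parse(re.findall(r"[{}]|[^\s{}]+", policy_text))
    rules = {k: v for k, v in tree.get("rules", {}).items() if k != "_"}
    disabled, enabled = set(), set()
    for rule in rules.values():
        acts = [a["_"] for k, a in rule.get("actions", {}).items() if k != "_"]
        conds = [c for k, c in rule.get("conditions", {}).items() if k != "_"]
        if not conds:  # a rule without conditions matches everything (the default rule)
            disabled |= {a[0] for a in acts if a[1:2] == ["disable"]}
            continue
        # Only 'http-uri path starts-with' conditions are read; other conditions are ignored.
        prefixes = {v for c in conds if c["_"][:3] == ["http-uri", "path", "starts-with"]
                    for v in c.get("values", {}).get("_", [])}
        enabled |= {(a[0], p) for a in acts if a[1:2] == ["enable"] for p in prefixes}
    return sorted((m, REQUIRED_PREFIX[m]) for m in disabled
                  if m in REQUIRED_PREFIX and (m, REQUIRED_PREFIX[m]) not in enabled)

# Constructed samples: the default rule is the one from the report, the rest is assumed.
BROKEN = """rules {
    app { conditions { 0 { http-uri path starts-with values { /app/ } } }
          actions { 0 { l7dos enable from-profile /Common/dos_example } } ordinal 1 }
    default { actions { 0 { l7dos disable } } ordinal 3 }
}"""
FIXED = BROKEN.replace("default {", """challenge {
          conditions { 0 { http-uri path starts-with values { /TSPD/ } } }
          actions { 0 { l7dos enable from-profile /Common/dos_example } } ordinal 2 }
    default {""")

if __name__ == "__main__":
    print("broken:", audit(BROKEN), "fixed:", audit(FIXED))
```

The check does not compare ordinals, so confirm separately that the enabling rule is evaluated before the default rule.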

Fix Information

None

Behavior Change