Bug ID 950917: Apply Policy fails due to internal signature overlap following ASU ASM-SignatureFile_20200917_175034

Last Modified: Oct 22, 2020

Affected Product:
BIG-IP ASM (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4

Opened: Oct 04, 2020
Severity: 3-Major

Symptoms

Following Signature Update (ASM-SignatureFile_20200921_124008 or later), newly added/activated policies may fail Apply Policy due to a duplicate key database error:

----------------------------------------------------------------------
Sep 25 18:54:24 bigip1 crit g_server_rpc_handler_async.pl[16921]: 01310027:2: ASM subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): Setting policy active failed: Failed to insert to DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES (DBD::mysql::db do failed: Duplicate entry '8112518117000363265' for key 'PRIMARY' at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )
----------------------------------------------------------------------
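To find which devices have hit this failure, collected ASM logs can be scanned for the error signature quoted above. The following Python sketch is an added example, not F5 code; the hosts bigip2 and bigip3, the second duplicate key and the table name DCC.EXAMPLE_TABLE are constructed sample values.

```python
import re
from collections import defaultdict

# Table named in the error quoted under Symptoms.
NEGSIG_TABLE = "DCC.ACCOUNT_NEGSIG_SIGNATURE_PROPERTIES"

# Syslog prefix, the 01310027:2 message code, then the duplicate-key detail.
PATTERN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s.*?01310027:2:.*?"
    r"Setting policy active failed: Failed to insert to (?P<table>[\w.]+) "
    r"\(DBD::mysql::db do failed: Duplicate entry '(?P<key>\d+)' for key 'PRIMARY'"
)

# Template built from the log line on this page, used to construct sample input.
HEAD = ("{ts} {host} crit g_server_rpc_handler_async.pl[16921]: 01310027:2: "
        "ASM subsystem error (asm_config_server.pl,F5::SetActive::Impl::set_active): "
        "Setting policy active failed: Failed to insert to {table} "
        "(DBD::mysql::db do failed: Duplicate entry '{key}' for key 'PRIMARY' "
        "at /usr/local/share/perl5/F5/BatchInsert.pm line 219. )")

SAMPLE_LOG = "\n".join([
    # Line quoted on this page.
    HEAD.format(ts="Sep 25 18:54:24", host="bigip1", table=NEGSIG_TABLE,
                key="8112518117000363265"),
    # Constructed: same failure on a second device.
    HEAD.format(ts="Sep 26 09:12:03", host="bigip2", table=NEGSIG_TABLE,
                key="1111111111111111111"),
    # Constructed: duplicate key in a different (made-up) table, not this bug.
    HEAD.format(ts="Sep 26 09:15:40", host="bigip3", table="DCC.EXAMPLE_TABLE", key="42"),
    # Constructed: unrelated log line.
    "Sep 26 09:16:00 bigip2 notice example[1]: unrelated line",
])

def find_apply_failures(log_text):
    """Return one dict per line that matches the Bug ID 950917 error signature."""
    hits = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m and m.group("table") == NEGSIG_TABLE:
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Group duplicate keys by host so affected devices can be listed."""
    by_host = defaultdict(set)
    for hit in hits:
        by_host[hit["host"]].add(hit["key"])
    return {host: sorted(keys) for host, keys in by_host.items()}

if __name__ == "__main__":
    for host, keys in summarize(find_apply_failures(SAMPLE_LOG)).items():
        print(f"{host}: Apply Policy failed, duplicate key(s) {', '.join(keys)}")
```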

Impact

Apply policy fails.

Conditions

Signature Update ASM-SignatureFile_20200921_124008 is installed, and a newly imported or inactive policy is applied.

Workaround

WORKAROUND 1:
- Install older signature update ASM-SignatureFile_20200917_175034

WORKAROUND 2:
- Disable staging for either signature 200101255 or signature 200101258 (or both) in the affected policies. The policy can then be successfully applied.

WORKAROUND 3:
- Run the following SQL to correct all affected policies on the device:

----------------------------------------------------------------------
UPDATE PL_POLICY_NEGSIG_SIGNATURES policy_sigs
INNER JOIN (
    select previous_enforced_rule_md5, policy_id, count(*) as mycount
    from PL_POLICY_NEGSIG_SIGNATURES
    where previous_enforced_rule_md5 != ''
    group by previous_enforced_rule_md5, policy_id
    having mycount > 1
) as multi_sigs
    on policy_sigs.policy_id = multi_sigs.policy_id
    and policy_sigs.previous_enforced_rule_md5 = multi_sigs.previous_enforced_rule_md5
SET policy_sigs.previous_enforced_rule_md5 = '',
    policy_sigs.previous_enforced_rule = '';
----------------------------------------------------------------------

Fix Information

None

Behavior Change