ASM not passing client cookies to the node servers

Question

Hello everyoneWe're having issues when enabling ASM on the virtual server serving the Cisco Meeting Server WebRTC application. Te problem is that the users are unable to join meetings as soon as we enable ASM on the VS. we have tried to attach the ASM policy with everything possible disabled and in transparent mode, but the issue still remains.&nbsp;What we have notice when comparing traffic with ASM enabled and disabled is in case when ASM is enabled, that the cookies sent from client are not passed to the server.Below is diff betwen the client side request (left) and the servers side (right) when ASM is enabled.Therefore, we suspect something must be related to the cookies.Does anyone have any idea what could cause this? the BIG-IP version is v15.1.8.1 (Build 0.0.3).Thanks for any help!

urosh · Accepted Answer

The problem was resolved by enabling the websocket profile on the VS.Thank you all for your help and suggestions.&nbsp;

mohamed_salah_ · Answer

Hello,
I think you can start checking bug tracker as Mohamed_Ahmed_Kansoh&nbsp; mentioned and you might find something related to your issue. From my side, I faced the below BUGID with one of my customers, and the WAF was blocking requests even if the policy in transparent mode.
Article:
https://my.f5.com/manage/s/article/K22520599
BUG:
https://cdn.f5.com/product/bugtracker/ID961509.html
Thanks,

mohamed_ahmed_kansoh · Answer

Hi&nbsp;Urosh&nbsp;,&nbsp;while your issue is strange to me , I started to check if there is " ASM system variable attribute " contols Domain cookies as you said you switched the policy to transparent but this is hasn't solve your issue.&nbsp;I have another explanation you may hit on it :&nbsp;&nbsp;I opened F5 Bug Tracker to see all bugs related to TMOS V 15.1.8.1 and explored all bugs related to Cookies with ASM module provisoned , and I found below Bug , it outlines Bigip AWAF may truncate your Cookies because it has spaces in cookie name.&nbsp;This is the Bug and has workaround , may solve your issue :&nbsp;https://cdn.f5.com/product/bugtracker/ID1095041.htmlTry it , your issue is interesting&nbsp;

ca_valli · Answer

Hello,I think you might be reading this information wrong. By design, the F5 WAF engine injects a new cookie in the client-side connection, and uses it to correlate client events within a session and to check data integrity.
So, the behavior you're seeing in the capture is correct. The full server-response that you're receiving is being forwarded as-is to the client (well, it does strip the nginx information), and the WAF uses the set-cookie attribute to create a hash for this session.
Consequent client requests to the WAF will include this hashed cookie, and since the server doesn't require to see it, it's not being forwarded.&nbsp;
I'm not seeing missing informations from the logs you attached. Let me know if this is clear enough!&nbsp;KB reference for ASM cookies:&nbsp;https://my.f5.com/manage/s/article/K6850

mohamed_ahmed_kansoh · Answer

Please&nbsp;Urosh&nbsp;.&nbsp;Mark your last reply of "The problem was resolved by enabling the websocket profile on the VS "&nbsp;as an accepter solution , to help others who hit in this issue to find the workaround quickly.&nbsp;Thanks again for sharing...

urosh · Answer

I noticed, that I didn't have websocket profile enabled on the virtual server. As soon as I enabled that, it started working, even with ASM policy.

Forum Discussion

ASM not passing client cookies to the node servers

6 Replies

Recent Discussions

Disk space full - what files, folders are safe to delete?

ASM instance creation

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

Related Content

Passing Client CAC / Smart Card Cert to Application Server

Cookie-based DDoS protection

Decoding the IPv4 address from the persistence cookie

2. SYN Cookie: Operation

1. SYN Cookie: Intro