I am load balancing 2 VMware Security Servers (gateway) for the VMware View client (VDI).
I have an ASM policy in transparent mode, and the requests are still getting rejected without logs.
I have no content profile, no xml profile.
There is nothing blocked in the logs, even though the requests are rejected.
When I disable the ASM VS configuration, everything works fine.
Any hint?
Do you have any bot detection or web scraping defenses configured? What are you disabling exactly to enable traffic flow?
No logs in web scraping or bot detection.
When I disable the security policy attached to the VS.
Local Traffic ›› Virtual Servers : Virtual Server List ›› VS-name >> Application Security Policy >> Disabled.
BTW, I am using the 12.1.3 version.
Is every request being blocked or only some of them? What does the response look like from ASM, is it the blocking response page or a TCP reset? Are there any violations on the Security ›› Application Security : Policy Building : Traffic Learning screen? Are there any stats on the Application or DoS Reporting screens?
I am using the VMware View client; the authentication goes well, then the server responds with PCoIP XML, then nothing happens. I believe that when the ASM policy is attached to the VS, some part of the request is truncated and the VMware View server responds with incomplete XML data...
From what you have said it seems the traffic is not triggering anything in the ASM security policy or DoS profile (if you're using one). My next thought is you are hitting some predefined limit, maybe one of the settings here:
Security ›› Options : Application Security : Advanced Configuration : System Variables.
Are there any error messages in the /var/log/asm log file?
Also ASM has log files in the /var/log/ts directory.
What template is the policy based on? Are the learn and alarm settings enabled on RFC-compliance violations?
Here is my last finding:
1- Disabled the ASM profile (unbound it from the VS configuration).
2- In the VS configuration, I selected the default XML profile.
Now I am getting the same behavior: the requests are blocked somehow.
Do you have "log all requests" enabled for the logging profile assigned to the virtual server?
So if you disable Application Security on the VS, traffic passes? And when you enable Application Security on the VS, traffic does not pass, but you get no indication that ASM is blocking requests. If the request to the application contains XML in the payload, you will need an XML profile associated with the security policy, not the virtual server. Additionally, you will need to check the learn, alarm, and block settings for XML-related violations, and probably RFC-compliance violations as well. Can you de-select the "Block" checkbox for each violation and then test traffic? Are you sure the application encoding language for your policy is correct?
I have created an XML profile and attached it to the URL. I also disabled all blocking checkboxes in the ASM policy settings. The encoding language is OK... still the same behavior.
The only profile used on the VS is the default HTTP profile, which is mandatory.
Other than that, yes, I am using SNAT.
The traffic to the backend servers is working, since I am able to authenticate. Actually, I get the first page with the RSA authentication, followed by the AD web page. If my password is incorrect, I get the error message; otherwise, the VMware View client shows the connection message on and on...
By the way, I have captured the SSL traffic, and the only difference I see between the ASM policy disabled and enabled is the ASM cookie, which is inserted by the ASM module.
Is ASM receiving encrypted traffic? It may sound obvious but ASM needs to be able to process unencrypted traffic.
Well, ASM is in the same vCMP as LTM; since the VS has a client SSL profile attached to it, the SSL traffic is offloaded.
ASM is seeing the traffic decrypted.
Since all policies are in transparent mode and the blocking mode is unchecked everywhere, I believe that the VMware View client is unable to handle the ASM cookie for some reason.
Do you have another way to test this by eliminating the VMware view client? If our cookies are breaking your app you should open a support case. There are several TS cookies that perform different functions, and it would be helpful for support to know which one it is.
Yes, I have already opened a ticket with F5 and provided them the ref of the cookie...
Anyway, thanks a lot for your support.
Hi OM,
Did you get it resolved? I would appreciate it if you can share the root cause. I am facing the same issue here...
I have fixed the issue by whitelisting the URI. The problem was related to the header: ASM was unable to interpret the last line of the header, so I had to whitelist the URI.
F5 support suggested creating an XML profile, but that didn't help.
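Two findings in this thread are the kind of thing worth checking offline before opening a case: the capture comparison earlier (the only difference being the inserted TS cookie) and the final root cause (ASM could not interpret the last line of the header). The checker below is an added example, not F5 code and not something posted in the thread: it parses two captured raw requests, reports exactly which headers differ, and flags header-block defects (bare LF line endings, a missing CRLFCRLF terminator, a line without a colon, a Content-Length mismatch) that a strict RFC-compliance check could object to. All three sample requests, the `/broker/xml` path, the host name and the `TSexample` cookie are constructed placeholders, not real VMware View or ASM values.

```python
"""Offline checker for captured HTTP requests (added example, not F5 code).

Parses two raw requests, reports which headers differ between them, and
flags header-block defects of the kind an RFC-compliance check on a WAF
could object to.  Every sample request below is constructed.
"""
import re

# Constructed sample: the request as the client sends it without ASM in the path.
REQ_WITHOUT_ASM = (
    b"POST /broker/xml HTTP/1.1\r\n"
    b"Host: view.example.test\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-Length: 22\r\n"
    b"\r\n"
    b"<broker version='14'/>"
)

# Constructed sample: the same request once the proxy has inserted a TS cookie
# (cookie name and value are placeholders, not a real ASM cookie).
REQ_WITH_ASM = (
    b"POST /broker/xml HTTP/1.1\r\n"
    b"Host: view.example.test\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-Length: 22\r\n"
    b"Cookie: TSexample=0123456789abcdef\r\n"
    b"\r\n"
    b"<broker version='14'/>"
)

# Constructed sample: the last header line ends in a bare LF, so a strict
# parser never finds the CRLFCRLF terminator and reads the body as headers.
REQ_BARE_LF = (
    b"POST /broker/xml HTTP/1.1\r\n"
    b"Host: view.example.test\r\n"
    b"Content-Length: 22\n"
    b"\r\n"
    b"<broker version='14'/>"
)


def split_request(raw):
    """Return (request_line, headers, body, issues) for one raw request.

    Header names are lower-cased; issues is a list of strings describing
    anything a strict RFC 7230 parser would complain about.
    """
    issues = []
    sep = raw.find(b"\r\n\r\n")
    if sep == -1:
        issues.append("header block is not terminated by CRLFCRLF")
        head, body = raw, b""
    else:
        head, body = raw[:sep], raw[sep + 4:]

    # A LF not preceded by CR is a bare line ending inside the header block.
    if re.search(rb"(?<!\r)\n", head):
        issues.append("bare LF line ending inside header block")

    lines = re.split(rb"\r?\n", head)
    request_line = lines[0].decode("latin-1")
    headers = {}
    for num, line in enumerate(lines[1:], start=2):
        if not line.strip():
            issues.append(f"line {num}: empty line inside header block")
            continue
        if b":" not in line:
            issues.append(f"line {num}: no ':' separator in {line!r}")
            continue
        name, _, value = line.partition(b":")
        key = name.strip().decode("latin-1").lower()
        if key in headers:
            issues.append(f"line {num}: duplicate header {key}")
        headers[key] = value.strip().decode("latin-1")

    if "content-length" in headers:
        declared = headers["content-length"]
        if not declared.isdigit():
            issues.append(f"Content-Length is not numeric: {declared!r}")
        elif int(declared) != len(body):
            issues.append(f"Content-Length {declared} != body length {len(body)}")
    return request_line, headers, body, issues


def diff_headers(headers_a, headers_b):
    """Map each header name whose value differs to (value_a, value_b)."""
    names = sorted(set(headers_a) | set(headers_b))
    return {n: (headers_a.get(n), headers_b.get(n))
            for n in names if headers_a.get(n) != headers_b.get(n)}


def compare(raw_a, raw_b):
    """Diff two captures and collect the header issues found in each."""
    line_a, hdr_a, _, issues_a = split_request(raw_a)
    line_b, hdr_b, _, issues_b = split_request(raw_b)
    return {
        "request_line_changed": line_a != line_b,
        "header_diff": diff_headers(hdr_a, hdr_b),
        "issues_a": issues_a,
        "issues_b": issues_b,
    }


if __name__ == "__main__":
    report = compare(REQ_WITHOUT_ASM, REQ_WITH_ASM)
    for name, (before, after) in report["header_diff"].items():
        print(f"{name}: {before!r} -> {after!r}")
    for issue in split_request(REQ_BARE_LF)[3]:
        print("REQ_BARE_LF:", issue)
```

Run it against two requests exported from the capture (one with the policy disabled, one with it enabled) in place of the constructed samples; an empty `header_diff` apart from the cookie, combined with a non-empty issue list for the client's own request, points at the header format rather than at the cookie.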
What URI do you whitelist?
If you whitelist the domain of your VMware View, the ASM policy is then useless..?
To this explicit URI, you have to attach an XML profile, though.
To this wildcard URI, no profile is required; body request handling is set to Do Nothing.