ASM rejects packets with policy in transparent mode

Hi, I am load balancing 2 VMware Security Servers (gateway) for the VMware View client (VDI). I have an ASM policy in transparent mode, and the requests are still getting rejected without logs. I have no content profile and no XML profile. There is nothing blocked in the logs, even though the requests are rejected. When I disable the ASM VS configuration, everything works fine.

Any hint?

om.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Do you have any bot detection or web scraping defenses configured? What are you disabling exactly to enable traffic flow?

Comments on this Answer
Comment made 01-Jun-2018 by OM 417

No logs in web scraping nor bot detection. I disable the security policy attached to the VS: Local Traffic ›› Virtual Servers : Virtual Server List ›› VS-name ›› Application Security Policy ›› Disabled.

BTW, I am using version 12.1.3.

Comment made 01-Jun-2018 by G. Scott Harris 1648

Is every request being blocked or only some of them? What does the response look like from ASM: is it the blocking response page or a TCP reset? Are there any violations on the Security ›› Application Security : Policy Building : Traffic Learning screen? Are there any stats on the Application or DoS Reporting screens?

Comment made 01-Jun-2018 by OM 417
  • Is every request being blocked or only some of them? When enabled, ASM seems to be truncating some requests, even though the policy is in transparent mode.
  • What does the response look like from ASM? No response from ASM.
  • Is it the blocking response page or a TCP reset? Neither a blocking response nor a TCP reset.
  • Are there any violations on the Security ›› Application Security : Policy Building : Traffic Learning screen? No, since there are no logs of the illegal requests.
  • Are there any stats on the Application or DoS Reporting screens? Nope.

I am using the VMware View client. The authentication goes well, then the server responds with PCoIP XML, then nothing happens. I believe that when the ASM policy is attached to the VS, some part of the request is truncated and the VMware View server responds with incomplete XML data...

Comment made 01-Jun-2018 by G. Scott Harris 1648

From what you have said it seems the traffic is not triggering anything in the ASM security policy or DoS profile (if you're using one). My next thought is that you are hitting some predefined limit, maybe one of the settings here: Security ›› Options : Application Security : Advanced Configuration : System Variables.
Are there any error messages in the /var/log/asm log file?
Also, ASM has log files in the /var/log/ts directory.

Comment made 01-Jun-2018 by Erik Novak

What template is the policy based on? Are the learn and alarm settings enabled on RFC-compliance violations?

Comment made 01-Jun-2018 by OM 417

Scott ## I don't see any variable that would impact the traffic flow.

Erik ## I've created a custom ASM policy. I also tried the Fundamental one, same result.

Here is my last finding:
  1. I disabled the ASM profile (unbound it from the VS configuration).
  2. In the VS configuration, I selected the default XML profile.
Now I am getting the same behavior: the requests are blocked somehow.


Do you have "log all requests" enabled for the logging profile assigned to the virtual server?

Comments on this Answer
Comment made 01-Jun-2018 by OM 417

Yes.


So if you disable Application Security on the VS, traffic passes? And when you enable Application Security on the VS, traffic does not pass, but you get no indication that ASM is blocking requests. If the request to the application contains XML in the payload, you will need an XML profile associated with the security policy--not the virtual server. Additionally, you will need to check the learn, alarm, and block settings for XML-related violations, and probably RFC-compliance violations as well. Can you de-select the "Block" checkbox for each violation and then test traffic? Are you sure the application encoding language for your policy is correct?

Comments on this Answer
Comment made 01-Jun-2018 by OM 417

I have created an XML profile and attached it to the URL. I also disabled all blocking checkboxes in the ASM policy settings. The encoding language is OK... still the same behavior.


If the policy is in transparent mode, and if blocking is disabled for all violations, then there must be some other existing condition that is causing the issue. Is there anything other than the ASM policy applied to the virtual server? Do you have any other profiles applied to the virtual server, or are you using a mitigation that injects JavaScript into responses--think web scraping and/or proactive bot defense. Can you verify that packets are traveling from the client to the BIG-IP? Do you have SNAT/Auto Map configured on the virtual server?

Comments on this Answer
Comment made 01-Jun-2018 by OM 417

The only profile used on the VS is the default HTTP profile, which is mandatory. Other than that, yes, I am using SNAT. The traffic to the backend servers is working, since I am able to authenticate. Actually, I get the first page with the RSA authentication, followed by the AD web page. If my password is incorrect, I get the error message; otherwise, the VMware View client shows the connection message on and on... By the way, I have captured the SSL traffic, and the only difference I see between the ASM policy disabled and enabled is the ASM cookie which is inserted by the ASM module.


Is ASM receiving encrypted traffic? It may sound obvious but ASM needs to be able to process unencrypted traffic.

Comments on this Answer
Comment made 01-Jun-2018 by OM 417

Well, ASM is in the same vCMP as LTM. Since the VS has a client SSL profile attached to it, the SSL traffic is offloaded; ASM is seeing the traffic decrypted.

Since all policies are in transparent mode and the blocking mode is unchecked everywhere, I believe that the VMware View client is unable to handle the ASM cookie for some reason.

Comment made 01-Jun-2018 by Erik Novak

Do you have another way to test this by eliminating the VMware view client? If our cookies are breaking your app you should open a support case. There are several TS cookies that perform different functions, and it would be helpful for support to know which one it is.

Comment made 01-Jun-2018 by OM 417

Yes, I have already opened a ticket with F5 and provided them the reference of the cookie... Anyway, thanks a lot for your support.

om

Comment made 4 months ago by sanalbabu 120

Hi OM ,

Did you get it resolved? I'd appreciate it if you can share the root cause. I am facing the same issue here...

Comment made 3 months ago by OM 417

Hi, I have fixed the issue by whitelisting the URI. The problem was related to the header: ASM was unable to interpret the last line of the header, so I had to whitelist the URI.

F5 support suggested creating an XML profile, but that didn't help.

OM.

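The thread closes on a header ASM could not parse, after a question about RFC-compliance violations and a capture in which the only visible difference was the inserted ASM (TS) cookie. The following checker is an added example, not code from the thread or from F5: it takes a raw HTTP/1.1 request head and reports framing problems of the kind an HTTP protocol-compliance filter typically rejects (a header line with no ':' separator, obsolete line folding, a missing final CRLF CRLF, a bare-LF line terminator, NUL bytes, a missing Host header, duplicate Content-Length), and lists which ASM-style `TS*` cookies the client sent back. The sample requests are constructed; the actual View client request and the offending header line are not on the page, so `X-View-Tunnel` is a hypothetical stand-in for "the last line of the header". The checks approximate what such a filter does and are not a reproduction of ASM's own rules.

```python
"""Flag HTTP/1.1 request-head framing problems a WAF's protocol-compliance
checks may reject silently, and list ASM-style TS* cookies the client sends.
Added example; sample requests below are constructed, not captured."""
import re

# RFC 7230 "tchar": the only characters allowed in a header field name.
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def check_request_head(raw: bytes) -> list[str]:
    """Return a list of problems found in the request head (empty == clean)."""
    problems = []
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        problems.append("header block not terminated by CRLF CRLF")
        head = raw
    else:
        head = raw[:end]
    if b"\x00" in head:
        problems.append("NUL byte in request head")

    lines = head.split(b"\r\n")
    for i, line in enumerate(lines):
        if b"\n" in line:  # a lone LF means mixed line endings
            problems.append(f"line {i}: bare LF line terminator")

    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        problems.append("malformed request line")
    version = parts[2] if len(parts) == 3 else b""

    hosts = content_lengths = 0
    for i, line in enumerate(lines[1:], start=1):
        if line[:1] in (b" ", b"\t"):  # obs-fold continuation line
            problems.append(f"line {i}: obsolete line folding")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append(f"line {i}: header without ':' separator ({line[:40]!r})")
            continue
        if not TOKEN.match(name):
            problems.append(f"line {i}: illegal header name {name!r}")
        if value.strip() == b"":
            problems.append(f"line {i}: header {name!r} has empty value")
        lname = name.lower()
        hosts += lname == b"host"
        content_lengths += lname == b"content-length"

    if version == b"HTTP/1.1" and hosts == 0:
        problems.append("HTTP/1.1 request without Host header")
    if content_lengths > 1:
        problems.append("multiple Content-Length headers")
    return problems


def asm_cookies(raw: bytes) -> list[str]:
    """Names of cookies with the 'TS' prefix (ASM-inserted style) in the Cookie header."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            for pair in value.split(b";"):
                cname = pair.strip().split(b"=", 1)[0]
                if cname.startswith(b"TS"):
                    names.append(cname.decode("ascii", "replace"))
    return names


# Constructed sample: a well-formed broker request carrying an ASM-style cookie.
GOOD = (
    b"POST /broker/xml HTTP/1.1\r\n"
    b"Host: view.example.test\r\n"
    b"Content-Type: text/xml\r\n"
    b"Cookie: JSESSIONID=abc123; TS01a2b3c4=0123456789\r\n"
    b"\r\n"
    b"<broker/>"
)

# Constructed sample: the last header line has no ':' separator (hypothetical
# stand-in for "the last line of the header" ASM could not interpret).
BAD_LAST_LINE = (
    b"POST /ice/tunnel HTTP/1.1\r\n"
    b"Host: view.example.test\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"X-View-Tunnel\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, req in (("GOOD", GOOD), ("BAD_LAST_LINE", BAD_LAST_LINE)):
        print(label, "problems:", check_request_head(req) or "none")
        print(label, "TS cookies:", asm_cookies(req))
```

Run it against the request head cut out of a decrypted capture taken on the BIG-IP (with and without the policy attached) to see whether the client itself sends a line the proxy cannot frame; if the only diff is the `TS*` cookie, the cookie handling on the client side is the thing to take to support, as the thread did.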

Hi OM,

What URI do you whitelist?

If you whitelist the domain of your VMware View, the ASM policy is then useless..?

Comments on this Answer
Comment made 1 month ago by OM 417

/broker/xml: for this explicit URI, you have to attach an XML profile though.

/ice/tunnel*: for this wildcard URI, no profile is required; request body handling is set to Do Nothing.

That's it.
