have a similar TMOS version, using 11.4.1 without hotfix, but see the same thing happening.
when i modify the iRule like this it does what I would expect to happen, is that enough for you?
when ASM_REQUEST_BLOCKING {
set x [ASM::violation_data]
for {set i 0} { $i < 7 } {incr i} {
switch $i {
0 { log local0. "violation=[lindex $x $i]" }
1 { log local0. "support_id=[lindex $x $i]" }
2 { log local0. "web_application=[lindex $x $i]" }
3 { log local0. "severity=[lindex $x $i]" }
4 { log local0. "source_ip=[lindex $x $i]" }
5 { log local0. "attack_type=[lindex $x $i]" }
6 { log local0. "request_status=[lindex $x $i]" }
}}
if {([lindex $x 0] contains "VIOLATION_ATTACK_SIGNATURE_DETECTED")}
{
log local0. "VIOLATION_ATTACK_SIGNATURE_DETECTED detected, let's customized reject page"
set response "We are sorry,\
but the site you are looking for is temporarily out of service\
If you feel you have reached this page in error, please try again."
remove the current ASM payload
ASM::payload replace 0 [ASM::payload length] ""
insert the new payload
ASM::payload replace 0 0 $response
set new payload length
set asm_payload_length [ASM::payload length]
}
}
when HTTP_RESPONSE_RELEASE {
if {$asm_payload_length > 0} {
HTTP::header remove Content-Length
HTTP::header insert Content-Length $asm_payload_length
}
}
the reason? perhaps it never worked or F5 stopped allowing this from 10 to 11 or when the added the HTTP_RESPONSE_RELEASE / HTTP_REQUEST_RELEASE. the iRule is a bit odd anyway, this line seems very redundant: HTTP::header insert header_1 value_1.
it seems that with 11.5 a new event is introduced ASM_REQUEST_DONE that can be used in all cases and might support HTTP::header again. will have a look once i got 11.5 installed.
if you can confirm the above works for you ill try to update the wiki.