ASM: "Illegal Request"

Question

I have come across a weird problem. A user access was blocked, with a support ID displayed. After searching the event log withe the support ID, I found that there was no learning suggestion for the access request, and I could not "accept" the request: the text shown when having the mouse over the grayed-out button of "Accept" was "there was no violation".&nbsp;
I had to configure "never block this IP address" to allow the request through. And the log entry showed that this was an "illegal" request.&nbsp;
Is there a way to allow an "illegal" request through in this situation? The IP address based solution is only temporary as the user was on a dynamic address.&nbsp;

wackitron_36350 · Answer

That’s weird. It should show the violation it caused. BTW, illegal request is like it’s Flagged and but not Blocked.
Best solution here would be to recreate the issue and look up the event logs for the violation it caused.
Like illegal uri, illegal param, cookie hijack, session hijack, etc. so we need to know to the violation to poke the hole in ASM policy.

samstep · Answer

ASM will not generate learning suggestions for some violations, probably that is why there was no learning suggestion to accept, see support article K14945:&nbsp;
https://support.f5.com/csp/article/K14945&nbsp;
Cookie not RFC-compliantIllegal HTTP formatNon-RFC requestEvasion Technique DetectedAccess ViolationsIllegal HTTP status in responseIllegal session ID in URLLogin object expiredLogin object bypassedRequest length exceeds defined buffer sizeInput ViolationsFailed to convert characterForbidden Null in requestIllegal number of mandatory parametersNull in multi-part parameter valueSOAP method not allowedCookie ViolationsExpired timestampModified ASM cookieWrong message key

jg · Answer

Thanks to all who have responded and offered help.
I opened a support case and the following fix was suggested to me:
The escalation engineer found that there were some issues with the databases involved in the tracking and reporting of requests and violations.

Unfortunately, there is no easy way to repair the existing DB entries to get historic reports fixed, but we could try to fix it for future requests by restarting the "asmlogd" service using the command below:

pgrep asmlogd | xargs kill -9

(this command will kill the process and it will be restarted automatically)

This should not cause interruptions to your production traffic, but please still consider doing it during a maintenance window.

I implemented this fix and after observing the system for a significant period of time, I am now satisfied that this has solved the problem.

Forum Discussion

ASM: "Illegal Request"

3 Replies

Recent Discussions

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

I-rule for adapt request "response page"

ASM logs

ASM LOGS

Seeing "echo (ping) request -- (no response found!)" from a ACI leaf to the F5 floating ip

Bug ID 878641: "TLS1.3 certificate request message does not contain CAs" not fixed?