ASM slows basic website

Question

We have a pretty basic ASM policy applied in transparent mode against a standard https website.  When we apply the ASM HTTP Class the website slows to a crawl to get to the home page.  If we remove the ASM HTTP Class the site opens as expected less than a second.  I know it doesn't make a difference whether the ASM policy is in transparent mode or blocking mode its still processing the request its just the final outcome that is different.&nbsp;
Does anyone have any suggestions on what to look for?&nbsp;
ASM Policy includes the following.&nbsp;
RFC – Evasion technique detected, HTTP protocol compliance failed&nbsp;
Access Violations - Access from malicious IP address, Illegal HTTP status in response, Illegal meta character in parameter name, Illegal method, Illegal URL, Request length exceeds defined buffer size&nbsp;
Length Violations - Illegal cookie length, Illegal header length&nbsp;
Input Violations - Disallowed file upload content detected, Illegal meta character in value&nbsp;
Cookie Violations - Modified ASM cookie&nbsp;
Negative Security Violations - Attack signature detected&nbsp;

mike_maher · Answer

So I run over 20 web applications behind ASM and I don't see what you are seeing here.  So let me ask you a couple more questions. 
&nbsp;  
&nbsp; What version are you running? 
&nbsp;  
&nbsp; What does your resource provisioning look like? 
&nbsp;  
&nbsp; What type of Virtual Server is this? 
&nbsp;  
&nbsp; When you remove the HTTP Class do you keep or remove the http protocol profile on the Virtual Server? 
&nbsp;  
&nbsp; Do you have a client SSL profile applied to the Virtual Server? 
&nbsp;  
&nbsp; Are there any iRules attached to the Virtual Server? 
&nbsp;  
&nbsp; From an ASM standpoint  
&nbsp; Do you have IP Intelligence licensed and turned on in the policy? 
&nbsp;  
&nbsp; Have you tried going in and disabling various protection you think may be the problem and retesting?  I would do it one a at time 
&nbsp;  
&nbsp; Mike

nathe · Answer

jokragly, 
&nbsp;  
&nbsp; Just some thoughts, suggestions: 
&nbsp;  
&nbsp; Anything in /var/log/asm or /var/log/ltm that might give some clues? Have you tried running httpfox/ httpwatch from a client? What about a tcpdump capturing both on the client and server side of the connection? 
&nbsp; Are you terminating the SSL connection on the f5 and/or re-encrypting to the backend server? 
&nbsp; Is this the only HTTP Class / ASM enabled VS? Do the others work ok? 
&nbsp; What about if you run the "top" command whilst the HTTP Class is enabled? I think the "bd" process is the one to bear in mind with ASM. 
&nbsp;  
&nbsp; Rgds 
&nbsp; N

jokragly · Answer

I feel bad posting this as I should have known better to try this before hand but Mike, thanks for the suggestion. 
&nbsp; The Illegal URL Violation was causing this issue.  I had to accept the homepage as a trusted URL.  The hit count was several hundred, I also cleared this. 
&nbsp;  
&nbsp; We are running ASM on several other VIPs without any issues, this was just unique. 
&nbsp;  
&nbsp; Thanks again!

Forum Discussion

ASM slows basic website

3 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Chrome V 124+ on MacOS - Virtual Server Access Issue

google-visualization-issues

The best load balance method on this scenario?

SMS server with BIGIP

Related Content

Troubeshooting website connection

Implementing basic OAuth with F5 BIG-IP APM

Basic OAuth concept and OAuth with F5 solutions

iRule - Authorization Bearer / Basic

Troubleshooting BIG-IP - The Basics