Cirrus
EmployeeYou should be able to refer a VIP as far as everything is in route domain 0 (you may make this work in other route domains if strict isolation is disabled). In your VIP configuration then set a pool of ICAP servers and look after persistence. This should work fine.
Regarding ASM triggering the violation, yes it does and it provides some details about the malware/thread detected. You need to go to advanced settings in ASM en set the specific ICAP header that your ICAP server uses to provide this information. Then you should see nice alarm violations in your event log (this is always subject to your block setting configuration)
When to use ASM and LTM, well I'd say LTM is more flexible and it works better overall but it lacks integration with ASM. ICAP on ASM got some limitations, for example the longest request length supported by the system by default is 10MB and you can go to 30MB without big issues. If you expect to deal with big files this may be a problem. Going beyond that requires to involve F5 support.