ASM, System Variables, causing issues on websites

Question

Hey guys/girls,&nbsp;
viprion 2400, 11.4.1, running ASM/LTM&nbsp;
Need some help.  Basically, I am trying to get various websites behind the F5 ASM in transparent/learning mode, as a first step, and letting them run a while.  But, even this is causing us issues.  We have one website that sometimes displays empty image boxes upon refresh, or a tcp connection rst error on refresh or first display.  When I remove the ASM policy we no longer have these issues.  &nbsp;
After a little research I am thinking this may be due to the global ASM system variables, which can be found under Security -&gt; options -&gt; application security -&gt; advanced configuration -&gt; system variables.  But, I am not sure which settings could be causing the issues.  Does the F5 log when a system variable like this causes a connection reset?  If so what logging policy does it use?  &nbsp;
Right now I am not sure which variables could possibly be the culprit.  &nbsp;
Thank you,
James&nbsp;

mva · Answer

Check the Security log (Security-&gt;Even Logs) for any blocks from that security policy.  That would be what I check first.  It should show the whats/whys of any blocks.  Interesting that you don't see the standard ASM "block" page, too.&nbsp;

erik_novak · Answer

Hello James, here is a solution doc for logging TCP reset packets: https://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html. &nbsp;
Do you have the blocking flag enabled for web scraping by any chance? That has caused similar behavior in a few cases, and can be corrected by turning off blocking for the web scraping feature. If you do not see anything on the Event Requests screen, it means that this activity is not related to a security event--i.e., an event that occurred because it violated a rule specified in your security policy. There is also this log: System ›› Logs : Application Security which can shed some light on more ASM activity.&nbsp;

james_dawkins_1 · Answer

Correction.  I am actually running 11.5.1.  &nbsp;
Anyway, in the under system/logs/application security I am actually seeing this:
ASM bad request: event code I3652 Request has an unknown HTTP selector:&nbsp;
Though the problem I am having started before these.  Anyway, I think there are two issues going on and I have a ticket opened with F5 right now.  I will follow up.  Thanks for the comments.&nbsp;

shaggy · Answer

if you are using webscraping protection, CSRF protection, or DDoS protection with client-integrity, the F5 will insert Javascript which can cause interoperability issues with some sites/pages/objects. Since these features function by inserting the client-side javascript, they will insert even in transparent mode - transparent mode prevents ASM from blocking, but not necessarily from interacting with traffic

Forum Discussion

ASM, System Variables, causing issues on websites

4 Replies

Recent Discussions

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

Related Content

Troubeshooting website connection

APM variable assign examples

iRule variable

Getting Started with iRules: Variables

Fake website, Gmail guideline, GPS spoofing, OWASP LLM, Jan 1st–5th F5SIRT This Week in Security