Not seeing all http 500 responses

Have you checked your ASM logs to see if it is blocking some of those 500 error responses? 503 responses are typically allowed to pass through the BIG-IP system but other 500 responses may be blocked depending on how you have ASM configured. Although the following article applies up through ASM v12.1, I'm checking to see if it applies to v13.0 also. (I have no reason to believe it does not apply.) K7922: Overview of BIG-IP ASM HTTP response code filtering

Hi, thanks but I have already allowed 500, I also check all the logs/alerts and there is nothing related.

Hello Paul,

Can you show us your iurle?

Regards,

The whole rule is quite long, but the relevant bit is:

when HTTP_RESPONSE {
 if { [HTTP::status] starts_with "5" } {
  table add -notouch -subtable "ERR5" [IP::client_addr]:[TCP::client_port] 0 950 950
  log local0. "500ERROR: [IP::client_addr] [HTTP::status]"
 }
 }

Whatever else is in the rule, I should always see the http response code.

Hello,

Who you can be sure that your backend server return an 5** error code. how did you detect this problem?

Customer receive erro 500 and irule are not trigged?...

Regards

Hello,

To follow up our exchange, as you know HTTP_RESPONSE occurs on every HTTP response. That's mean that is the first event that will be trigged after an response from the backend. https://devcentral.f5.com/questions/irule-event-order-http

that's why I'm pretty surprised that your irule don't trigged.

to get an answer, we need a request. So Just for testing, you can log all request response and generate this behaviour. Then check if you have an request without response (this would potentially be the 500 error that is not logged).

If we see that the problem starts again and all request have it response, it will be another problem (duplicate log entry at the application level)...

otherwise if we want to be more precise it will be necessary to make a capture on the application and or F5 (TCPDUMP/wireshark)