Any experience with ASM policy affecting response stream (with no vulnerability/attack signature noted)?
Env: LTM 11.5.2, physical appliance (4200), no resource issues
We are experiencing cases where the presence of an ASM security policy is affecting the response to clients, even though the event log shows the access involved as successful, with no attack signatures/violations noted, and even though the response log shows the response content body being sent back. It is demonstrably the security policy that's the cause, though - when the policy is removed from the virtual server, the issue goes away, and vice versa.
Casting a wide net - has anyone experienced anything similar, and what was the cause? Any tips on how to debug this (other than the obvious tcpdump capture, which we are pursuing)? Any hypotheses on a possible cause?
If it helps, it may be related to the size of the response - there's a loose association, with bigger responses triggering it more often, we think. (Problem with chunked encoding? Hmm, may try a re-encode strategy.)
Any thoughts appreciated, thx!