Modified ASM Domain Cookie block in v11.1

Heard there is such experience before but no clues surfaced yet. But clearing the cookie and the issue may no longer seen, tried?

 

Also wondering if there is internal cookie hash parameter that has differ btw the two version or the way cookie handling was done differs. Suggest open the case for investigation

I guess as a side question, I am trying to determine what the differences are between the following violations, and do you need to be using all of them or is there some overlap?

 

 

Modified ASM Cookie

 

ASM Cookie Hijacking

 

Modified Domain Cookie

Rather different though all revolving ASM cookie.

 

 

Modified ASM Cookie - This tampering of ASM Main or Frame Cookie or their structure. See http://support.f5.com/kb/en-us/solutions/public/7000/000/sol7011.html?sr=19803122

 

 

ASM Cookie Hijacking - Happened when ASM Frame cookie and an ASM Main cookie that were generated with different MD5 digest keys. Prior to 10.1.0, it is known as "Wrong message key". See http://support.f5.com/kb/en-us/solutions/public/9000/500/sol9584.html?sr=19803134

 

 

Modified Domain Cookie - Mainly happened when ASM detected tampering of Web Server's Domain cookie. But there would be many other possible reasons too. See http://support.f5.com/kb/en-us/solutions/public/5000/900/sol5907.html

 

 

Suspecting it would be anyone whom is the culprit

So update on this issue, in researching this with support it was thrown out there that the ASM cookie being flagged was from a different ASM. So I have 2 ASMs in my lab 1 v11 and 1 v10 and they sit behind an LTM this way I can easily switch between versions for testing.

 

 

With this setup I was able to start with v10 box enabled and the v11 forced offline and I start browsing the site and of course I see an ASM cookie set lets call TS1234, then I stop browsing and force offline the v10 box and enable the v11 box, the next click I make on the site I get blocked by ASM for Modified ASM Cookie and in my trace I see that the TS1234 is being sent and is the reason for the violation.

 

 

However if I clear my cookies and close and reopen the browser and start my browsing going through the v11 box, I see an ASM cookie set lets say TS5678, then I stop browsing and force offline the v11 box and enable the v10 box. This time able to browse just fine and I see the TS1234 cookie get set but the TS5678 cookie remains in the traffic flow, but the v10 does seem bothered by it at all.

 

 

I have taken some ssldumps and http watches and given them to support this afternoon to review to see why this is happening on v11 but not v10. In my prod environment I have the same setup 2 ASMs behind an LTM but they are both enabled and LBed all the time. Right now they are both 10.2.0 HF2.

 

 

I will report more once I know more on what will fix this and why the detection behavior seems to have changed

 

Bottom line, you can't LB an application to two ASMs when one is on v11 and one is on v10, you will get this block when passing through the v11 box with a v10 ASM cookie.