Manual Chapter : Connection Mirroring with ASM
Applies To:Show Versions
- 14.1.3, 14.1.2, 14.1.0
Connection Mirroring with ASM
Intro to connection mirroring with ASM
ASM security policies can be applied to LTM mirrored traffic. The best practice for using ASM with connection mirroring is an LTM and AWAF license and a floating Self IP configuration. For details on configuring LTM connection mirroring, see the Managing Connection Mirroring section in the BIG-IP Device Service Clustering: Administration Guide. For troubleshooting traffic mirroring with ASM, see this knowledge article
Connection mirroring limitations with ASM
Applying an ASM security policy to mirrored traffic has certain limitations.
- Only 2 devices supported: Traffic is mirrored only to one stand-by device in case of several devices.
- No multiple failover support: Only 2 devices are supported. The connection is reset on the third device in the case of failover from the first device to the second and then from the second to the third.
- No failback support: The connection is reset in case of failover from one device to another and back.
- No default SSL cert/key support.
- When sending a request to a remote service, such as remote logging, DNS, ICAP, and CPB, the remote service will get 2 requests from both devices in mirroring.
- CS features, such as Brute Force, Session Awareness and Device ID, can have a different state (different counters) on active and stand-by devices.
- Mirroring of CS challenges in case of failover can work incorrectly.
- PB on an Active device periodical syncs statistics to the Standby device. This can cause non deterministic behavior.
Connection mirroring works fully only with a licensed and provisioned LTM. In the case of a standalone ASM or standalone AWAF license, mirroring can be enabled for a virtual server but, in such cases, it works with the same limitation as we have for non-floating Self IP, even in case of floating Self IP.
Non-floating Self-IP ASM Feature Limitations
If a HA pair is configured with a non-floating Self IP, then only the first HTTP request in the TCP connection is mirrored, while the whole connection is not mirrored. In particular all HTTP requests and any response for any HTTP request are not mirrored. In addition, only the first response or request in the same TCP connection are mirrored to the stand-by device.
In the case of a floating Self IP, all ASM features are supported with the known ASM limitations. As a lot of ASM features do not work with a non-floating Self IP configuration, we strongly recommend that you use a floating Self IP configuration with mirroring. See the table below.
Parts Not Supported
Transparent & Blocking
Fully Supported (maintenance window assumed )
Device ID learning is not supported, but there is no relevant configuration option. This is under the hood
In Request only
Redirection Protection (see feature below)
Content-Based Routing (see feature below)
Dynamic Session ID in URL
Not present in 184.108.40.206
Anti-Virus protection (ICAP)
Single Page Application
Content-Based Routing (CBR)
Not supported because stats/counters collection can be unstable due to threads sync. After failover bf counters are reset, so prevention for attack can not continue.
CORS(HTML5 Cross-Origin Request Sharing)
"Modified domain cookie(s)"
Fully supported if iRule is doing deterministic operation.
Logging and Reporting
Not present in 220.127.116.11
Allowed Response Status Codes
"Illegal HTTP status in response" violation
Duplicate entries in remote logger, each with different device name (mgmt_ip).
Configuring SSL with mirroring
You need to create an SSL certificate and custom SSL profile for secure communications between the two mirrored devices.
- Enable sys db:
- tmsh modify sys db statemirror.secure value enable
- tmsh modify sys db statemirror.verify value enable
- On the Main tab, clickand create a new SSL certificate.Standard SSL certificates are not supported for this feature.
- On the Main tab, click. The SSL Server profile list screen opens. Create a new SSL profile with the created SSL certificate and with "Cache Size" = 0.See the BIG-IP System: SSL Administration Guide for more information on creating a custom SSL profile.