Applies To:Show Versions
- 14.1.3, 14.1.2, 14.1.0
Connection Mirroring with ASM
Intro to connection mirroring with ASM
Connection mirroring limitations with ASM
- Only 2 devices supported: Traffic is mirrored only to one stand-by device in case of several devices.
- No multiple failover support: Only 2 devices are supported. The connection is reset on the third device in the case of failover from the first device to the second and then from the second to the third.
- No failback support: The connection is reset in case of failover from one device to another and back.
- No default SSL cert/key support.
- When sending a request to a remote service, such as remote logging, DNS, ICAP, and CPB, the remote service will get 2 requests from both devices in mirroring.
- CS features, such as Brute Force, Session Awareness and Device ID, can have a different state (different counters) on active and stand-by devices.
- Mirroring of CS challenges in case of failover can work incorrectly.
- PB on an Active device periodical syncs statistics to the Standby device. This can cause non deterministic behavior.
Non-floating Self-IP ASM Feature Limitations
Parts Not Supported
Transparent & Blocking
Fully Supported (maintenance window assumed )
Device ID learning is not supported, but there is no relevant configuration option. This is under the hood
In Request only
Redirection Protection (see feature below)
Content-Based Routing (see feature below)
Dynamic Session ID in URL
Not present in 22.214.171.124
Anti-Virus protection (ICAP)
Single Page Application
Content-Based Routing (CBR)
Not supported because stats/counters collection can be unstable due to threads sync. After failover bf counters are reset, so prevention for attack can not continue.
CORS(HTML5 Cross-Origin Request Sharing)
"Modified domain cookie(s)"
Fully supported if iRule is doing deterministic operation.
Logging and Reporting
Not present in 126.96.36.199
Allowed Response Status Codes
"Illegal HTTP status in response" violation
Duplicate entries in remote logger, each with different device name (mgmt_ip).
Configuring SSL with mirroring
- Enable sys db:
- tmsh modify sys db statemirror.secure value enable
- tmsh modify sys db statemirror.verify value enable
- On the Main tab, clickand create a new SSL certificate.Standard SSL certificates are not supported for this feature.
- On the Main tab, click. The SSL Server profile list screen opens. Create a new SSL profile with the created SSL certificate and with "Cache Size" = 0.See the BIG-IP System: SSL Administration Guide for more information on creating a custom SSL profile.