Symptoms
The hidden dos profile /Common/asm-hidden/dos-hidden might be created in a non-Common partition, causing error messages and not bypassing of known search engines.
(This profile is created automatically when provisioning ASM.)
When this happens:
-- An error message appears in /var/log/ltm:
- err mcpd[6558]: 01070726:3: DoS Profile Compiled Signatures /Common/asm-hidden/dos-hidden dos-hidden /Common/asm-hidden/ASM-search-engine-Google in partition Common cannot reference DOS application /Common/asm-hidden/dos-hidden dos-hidden in partition partition1
-- The /Common/asm-hidden/dos-hidden profile is saved in the config file of the partition (/config/partitions/<partition>/bigip.conf) instead of /config/bigip.conf.
Impact
The impact is that the system does not bypass known Search Engines when sending the JavaScript challenges.
Also, on 12.1.x, this error message is written to /var/log/asm:
-- err tsconfd[31293]: dcc|ERR|Oct 11 07:14:04.065|31293| [tsconfd::ASMCONFIG_CALL, update dos bot signature] Failed due to ASMConfig exception: 01070726:3: DoS Profile Compiled Signatures /Common/asm-hidden/dos-hidden dos-hidden /Common/asm-hidden/ASM-search-engine-Yandex in partition Common cannot reference DOS application /Common/asm-hidden/dos-hidden dos-hidden in partition partition_1.
Conditions
This happens when provisioning ASM using the GUI, and the partition (on the top-right corner) is set to any partition other than the Common one.
Note: The GUI page 'System :: Resource Provisioning' does not allow changing the partition (it is grayed out). The partition must be changed on a different page, such as Virtual Servers.
Workaround
To prevent the problem from happening, make sure the Common partition is selected when provisioning ASM. (Change it on a different page to Common, and then come back to the provisioning page and provision ASM. This only works if ASM was not yet provisioned before.)
If the problem has already occurred, run the following commands to solve the problem:
tmsh delete security dos profile /Common/asm-hidden/dos-hidden
tmsh save sys config
tmsh load sys config
tmsh save sys config
Fix Information
The system now creates the hidden dos profile /Common/asm-hidden/dos-hidden in the Common partition correctly, and correctly bypasses known Search Engines when sending JavaScript challenges.
