Symptoms
When two or more devices are configured with the Configuration Management interface in a sync-failover device group, and one of the devices does not have ASM provisioned while another one does, performing a config sync of the sync-failover device group from the non-ASM device causes the /Common/asm-hidden folder to be deleted along with its contents.
The next time ASM is restarted (for any reason) on one of the ASM devices, ASM keeps restarting in a loop. Messages similar to the following appear in /var/log/ltm:
-- err mcpd[6550]: 01070734:3: Configuration error: Can't associate Bot Signature Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.
Similar messages appear in /var/log/ts/ts_debug.log:
asm|INFO|Jul 30 12:03:02.481|5282|,,01070734:3: Configuration error: Can't associate Bot Signature Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.
Impact
-- Search Engines are not applied on JavaScript challenges.
-- Upon an ASM restart, ASM restarts in a loop, and the device will remain offline.
Conditions
- Two or more devices are connected with a sync-failover device group.
- One device has ASM provisioned, while another device does not have ASM provisioned.
- A config sync is performed from the non-ASM device to the ASM device.
Workaround
Reload the configuration by running the following command:
tmsh save sys config && tmsh load sys config
As an alternative, re-provision ASM by running the following command:
tmsh modify sys provision asm level nominal
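
To confirm that a device is hitting this issue, the log signature from the Symptoms section can be matched in both log files. The script below is an added example, not F5 code; the function names, the repeat threshold and the sample lines with their timestamps are assumptions made for illustration.

```python
import re
import sys
from collections import Counter

# Error text as quoted in the article's Symptoms section.
SIGNATURE = re.compile(
    r"01070734:3: Configuration error: Can't associate (?P<kind>.+?) "
    r"\((?P<path>/Common/asm-hidden/[^)]+)\) folder does not exist"
)

def scan(lines):
    """Count signature hits per (object kind, missing object path)."""
    hits = Counter()
    for line in lines:
        m = SIGNATURE.search(line)
        if m:
            hits[(m.group("kind"), m.group("path"))] += 1
    return hits

def repeated(hits, threshold=2):
    """Paths reported at least `threshold` times in one log.

    Assumption: a repeat within a single log means ASM failed to start
    more than once, i.e. the restart loop described in the article.
    """
    return sorted({path for (_, path), n in hits.items() if n >= threshold})

# Constructed sample input: the article's message, with made-up
# timestamps on the repeat and on the unrelated line.
MSG = ("01070734:3: Configuration error: Can't associate Bot Signature "
       "Category (/Common/asm-hidden/ASM-search-engines) folder does not exist.")
SAMPLE_LTM = ["-- err mcpd[6550]: " + MSG]
SAMPLE_TS = [
    "asm|INFO|Jul 30 12:03:02.481|5282|,," + MSG,
    "asm|INFO|Jul 30 12:04:10.000|5282|,," + MSG,
    "asm|INFO|Jul 30 12:04:11.000|5282|,,constructed unrelated line",
]

if __name__ == "__main__":
    # With no arguments, run on the constructed samples.
    sources = {p: open(p, errors="replace") for p in sys.argv[1:]} or {
        "sample ltm": SAMPLE_LTM, "sample ts_debug": SAMPLE_TS}
    for name, lines in sources.items():
        hits = scan(lines)
        for (kind, path), n in hits.items():
            print(f"{name}: {kind} {path} missing, seen {n}x")
        if repeated(hits):
            print(f"{name}: repeated failures, restart loop suspected")
```

Pass /var/log/ltm and /var/log/ts/ts_debug.log as arguments to check a live device; a hit on an ASM device after a sync from the non-ASM peer matches the conditions listed above.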