Avi Service Engine crash with Segmentation fault at se_dp_merge_waf

Products

VMware Avi Load Balancer

Issue/Introduction

Service Engines may crash when using WAF Persistent Collections like SESSION or IP in the ruleset.

Example Modsec Rule:

The crash stack trace will include the function: se_dp_merge_waf_kvs. (It should be present in initial #0 method calls)

Sample StackTrace:

To investigate further, you can review the latest stack traces from the Controller or SE by accessing the following path:

CLI:

Login to Controller via ssh and run this command.Please note you have to replace the name of se_dp file here.

root@<Controller ip>:# cat /opt/avi/archive/stack_traces/<se_dp.timestamp>.stack_trace

UI:
Navigate to Administration > Support > Crash Reports > Expand the latest crash file.

Environment

Affects Version(s):

22.1.1 - 22.1.7-2p4

30.1.1

30.1.2 - 30.1.2-2p2

30.2.1 - 30.2.1-2p5

30.2.2 - 30.2.2-2p2

31.1.1

Cause

This is a new issue that was identified with WAF collection with the use of setvar:SESSION in the rule.

Resolution

Please upgrade or patch the system to the fix version.

AV-227943: Possible failure in SE when WAF persistent collections like SESSION or IP in are used in user defined rules

Fix Version(s): 22.1.7-2p5, 30.2.2-2p3, 30.2.3, 31.1.1-2p1

Workaround:

Please disable any Pre-CSR WAF rulesets that contain setvar:SESSION in the rule.