Last Modified: Dec 06, 2024
Affected Product(s):
BIG-IP APM
Fixed In:
17.1.2
Opened: Mar 14, 2024
Severity: 2-Critical
When you apply multiple access policies, and macros in the VPE expand to a large number of access policy agents, creating and initializing those agents through recursive macro expansion takes more time and causes 50% to 60% CPU usage by the APMD process. In this case, an LDAP server configuration, especially one with pool members, may lead to 100% CPU usage for more than 2 to 5 minutes. This is due to clearing of the LDAP cache. Because LDAP server pool members use the loopback interface, and session DB operations are performed on the same interface, session DB set/get operations may fail, which ultimately leads to failures in OAuth scope validation and other operations.
OAuth scope validation fails due to high CPU usage by APMD, the access policy is evaluated as a failure, and Basic auth headers are sent to the backend.
1. An access policy is applied for one or more policies with a large number of agents (around 3000, for example).
2. LDAP servers are configured, and users send new LDAP auth and query requests to APM at the same time.
3. Session DB operations must fail for unexpected failures, such as OAuth scope validation failure, to be seen.
None
APMD should not cause high CPU usage, and OAuth scope validation should not fail.