Last Modified: Jul 10, 2026
Affected Product(s):
BIG-IP APM
Known Affected Versions:
17.5.1.6
Opened: Jun 16, 2026 Severity: 3-Major
After multiple SecurID authentication failures, the apmd process runs out of file descriptors. The logs indicate that "epoll_create() failed [Too many open files]," leading to failures in subsequent authentication attempts or Active Directory (AD) queries, which generate "Too many open files" errors. Additionally, sockets connecting to the aced daemon accumulate in a CLOSE_WAIT state
APMD cannot process new access policy requests when file descriptors are exhausted. All APM functionality—including Active Directory queries, authentication, and session management—is affected for all users. A restart of APMD is necessary to recover
- SecurID authentication is configured with logon retry enabled (maxLogonAttempt > 1) - Multiple authentication failures occur (e.g., wrong credentials, brute-force attempts) - The user does not complete the retry flow (session is abandoned after initial failure)
Restart the apmd service to recover file descriptors. Reducing the maxLogonAttempt value to 0 limits exposure but does not eliminate the issue. Implementing rate-limiting for login attempts at the network layer can help slow FD exhaustion.
None