Bug ID 2338881: SecurID authentication failures cause apmd file descriptor leak leading to service disruption

Last Modified: Jul 10, 2026

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
17.5.1.6

Opened: Jun 16, 2026

Severity: 3-Major

Symptoms

After multiple SecurID authentication failures, the apmd process runs out of file descriptors. The logs indicate that "epoll_create() failed [Too many open files]," leading to failures in subsequent authentication attempts or Active Directory (AD) queries, which generate "Too many open files" errors. Additionally, sockets connecting to the aced daemon accumulate in a CLOSE_WAIT state

Impact

APMD cannot process new access policy requests when file descriptors are exhausted. All APM functionality—including Active Directory queries, authentication, and session management—is affected for all users. A restart of APMD is necessary to recover

Conditions

- SecurID authentication is configured with logon retry enabled (maxLogonAttempt > 1) - Multiple authentication failures occur (e.g., wrong credentials, brute-force attempts) - The user does not complete the retry flow (session is abandoned after initial failure)

Workaround

Restart the apmd service to recover file descriptors. Reducing the maxLogonAttempt value to 0 limits exposure but does not eliminate the issue. Implementing rate-limiting for login attempts at the network layer can help slow FD exhaustion.

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips