Bug ID 433839: Kerberos high CPU usage

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1

Fixed In:
11.5.0, 11.4.1 HF2, 11.4.0 HF6

Opened: Oct 14, 2013

Severity: 3-Major

Related Article: K15703

Symptoms

The access policy daemon (apd) shows high CPU usage and does not release it, in some rare conditions.

Impact

The impact is that the apd process might use 100% of the CPU and stop responding for incoming requests.

Conditions

In rare cases, if the apd connection to the Kerberos key distribution center (KDC) was shutdown immediately after it was established, the Kerberos library might wait for the length of the initial message indefinitely, which causes one of apd threads to loop infinitely.

Workaround

To work around this issue, restart the apd process.

Fix Information

Now, if the peer is shut down, Kerberos immediately terminates the connection.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips