Bug ID 698038: TACACS+ system auth file descriptor leaks when servers are unreachable

Last Modified: Oct 17, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6

Opened: Dec 07, 2017

Severity: 3-Major

Related Article: K05730807

Symptoms

Administrative access to the system with remotely authenticated accounts fails, and the following is seen in the security log (/var/log/secure):

-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files]
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.

This might eventually lead to loss of HTTP-based access to the BIG-IP system.

Impact

Depending on the number of connection failures, the open files limit of the web server process might be exceeded and new connections to the web server will fail. Administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.

Conditions

-- Remote system authentication is configured to use TACACS+.
-- Connections to one or more of the configured TACACS+ servers fail.
-- Administrative access to the BIG-IP system using any HTTP-based access method leaks file descriptors. Relevant access methods include the Web UI, iControl and iControl REST.
-- Repeated automated access using iControl is the fastest route to exhausting the limit.

Workaround

To prevent the issue, remove unreachable TACACS+ servers from the tacacs configuration, or restart the httpd process as necessary. To recover if logins via remotely authenticated accounts are no longer possible, restart the httpd process.
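As an added example (not F5's own tooling), a small POSIX shell check that looks for the PAM "Too many open files" signature quoted under Symptoms and compares each httpd process's open descriptors against its soft limit, so the httpd restart from the workaround can be scheduled before remote logins fail. It assumes the messages land in /var/log/secure as quoted, that the web server processes are named httpd, and that /proc is mounted; the sample log lines below are constructed.

```shell
#!/bin/sh
# Added example, not F5 code: early warning for the httpd descriptor leak
# described in Bug ID 698038 (TACACS+ servers unreachable).

# Count httpd/PAM lines carrying the "Too many open files" signature.
# Usage: count_fd_errors /var/log/secure
count_fd_errors() {
    grep -c 'httpd\[[0-9]*\]: .*Too many open files' "$1" 2>/dev/null || true
}

# Print "pid open_fds soft_limit" for every process named httpd, read from
# /proc (assumption: procps pgrep and a mounted /proc are available).
httpd_fd_usage() {
    for pid in $(pgrep -x httpd 2>/dev/null); do
        [ -d "/proc/$pid/fd" ] || continue
        open=$(ls "/proc/$pid/fd" 2>/dev/null | wc -l)
        limit=$(awk '/^Max open files/ {print $4}' "/proc/$pid/limits")
        printf '%s %s %s\n' "$pid" "$open" "$limit"
    done
}

# Succeed when OPEN/LIMIT has reached PERCENT of the soft limit.
fd_pressure() { # fd_pressure OPEN LIMIT PERCENT
    [ "$2" -gt 0 ] && [ $(( $1 * 100 / $2 )) -ge "$3" ]
}

# Constructed sample lines shaped like the ones quoted in the bug entry.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Oct 17 10:01:02 bigip1 httpd[4242]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files]
Oct 17 10:01:02 bigip1 httpd[4242]: PAM audit_open() failed: Too many open files
Oct 17 10:01:03 bigip1 sshd[5151]: Accepted publickey for admin from 192.0.2.10
EOF

echo "PAM fd-exhaustion messages in sample log: $(count_fd_errors "$SAMPLE_LOG")"
# On a live BIG-IP, point count_fd_errors at /var/log/secure instead.
httpd_fd_usage | while read -r pid open limit; do
    if fd_pressure "$open" "$limit" 80; then
        echo "httpd $pid at $open/$limit open files: restart httpd (workaround)"
    fi
done
```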

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips