Last Modified: Oct 17, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.0, 11.5.1, 11.5.2, 11.5.3, 11.5.4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6
Opened: Dec 07, 2017
Severity: 3-Major
Related Article:
K05730807
Administrative access to the system with remote authenticated accounts fails, and the following is seen in the security log (/var/log/secure):
-- httpd[###]: PAM [error: /lib/security/pam_bigip_authz.so: cannot open shared object file: Too many open files].
-- httpd[###]: PAM audit_open() failed: Too many open files
-- Other errors that refer to 'Too many open files'.
This might eventually lead to lack of HTTP-based access to the BIG-IP system.
Depending on the number of connection failures, the open files limit of the web server process might be exceeded and new connections to the web server will fail. Administrative access using remote authenticated accounts is no longer possible. This also includes access from SSH and console. The root account, which always uses local authentication, is not affected.
-- Remote system authentication is configured to use TACACS+.
-- Connections to one or more of the configured TACACS+ servers fail.
-- Administrative access to the BIG-IP system using any HTTP-based method results in leaked file descriptors. Relevant access methods include Web UI, iControl and iControl-REST.
-- Repeated automated access using iControl is the fastest route.
To prevent the issue, remove unreachable TACACS+ servers from the tacacs configuration, or restart the httpd process as necessary. To recover if logins via remotely authenticated accounts are no longer possible, restart the httpd process.
None
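An added example, not F5 code: a shell check for the condition described above that compares each httpd process's open file descriptors with its soft limit and counts the PAM 'Too many open files' lines in the secure log, so httpd can be restarted before remote logins fail. The function names, the 80% threshold, the `httpd` process name and the availability of `pgrep` and Linux `/proc` are assumptions.

```bash
#!/bin/bash
# Added example (not F5 code): spot httpd descriptor exhaustion early.
# Assumptions: Linux /proc, process name "httpd", pgrep present, 80% threshold.

# Count httpd PAM lines reporting "Too many open files" in a secure log.
count_fd_errors() (
    [ -r "$1" ] || { echo 0; exit 0; }
    grep -c -E 'httpd\[[0-9]+\]: PAM .*Too many open files' "$1" || true
)

# Integer percentage of the soft limit in use; 0 if the limit is not numeric.
fd_pct() (
    open=$1; limit=$2
    case "$limit" in ''|*[!0-9]*|0) echo 0; exit 0 ;; esac
    echo $(( open * 100 / limit ))
)

# Print "pid open limit pct" for one process, read from /proc.
fd_usage() (
    pid=$1
    [ -r "/proc/$pid/limits" ] || exit 1
    open=$(ls "/proc/$pid/fd" 2>/dev/null | wc -l | tr -d ' ')
    limit=$(awk '/^Max open files/ {print $4}' "/proc/$pid/limits")
    echo "$pid $open $limit $(fd_pct "$open" "$limit")"
)

# Warn on any httpd process at or above the threshold, and on log evidence.
check_httpd() (
    log=${1:-/var/log/secure}; warn=${2:-80}; rc=0
    for pid in $(pgrep -x httpd 2>/dev/null); do
        line=$(fd_usage "$pid") || continue
        pct=${line##* }
        if [ "$pct" -ge "$warn" ]; then
            echo "WARN httpd fds (pid open limit pct): $line"; rc=1
        fi
    done
    errs=$(count_fd_errors "$log")
    if [ "$errs" -gt 0 ]; then
        echo "WARN $errs PAM 'Too many open files' lines in $log"; rc=1
    fi
    exit "$rc"
)

# Run only when asked, e.g.: bash check_httpd_fds.sh --run /var/log/secure 80
if [ "${1:-}" = "--run" ]; then check_httpd "${2:-}" "${3:-}"; fi
```

A non-zero exit status means at least one warning was printed, which makes the script usable from cron or a monitoring agent running as root.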