SecurID Authentication Failing on APM 12.1.2

Question

I am having issues with SecurID authentication on a POC APM deployment.&nbsp;
My first authentication attempt succeeds but any attempt after that fail with the following error.&nbsp;
[root@AKOHDCPOCLTM01:Active:In Sync] config  /usr/local/bin/securidtest -p "/config/aaa/ace/Common/rsaama01pakr.bfusa.com" -s 10...* -u username -w *********
ERROR: authentication with 'username' failed in doAuth:SD_Check(): authentication failed, code: 1, state: SECURID_AUTH_STATE_ACCESS_DENIED
Test done: total tests: 1, success=0, failure=1&nbsp;
Some fields changed for privacy&nbsp;
I can get a single authentication test to work by deleting the 'sdstatus.12' file.  RSA is not able to tell me why that makes a difference.&nbsp;
Any thoughts on this?&nbsp;

mvdg · Answer

Jacob,&nbsp;
What is the RSA Authentication Report (logs) telling you?&nbsp;
Do you have a Primary and Replica RSA server? When you delete the sdstatus.12 file, the BIG-IP is performing the first authentication to the Primary RSA server. Once authentication is successfull, the node secret is exchanged and the sdstatus.12 file is updated telling the BIG-IP there is a Replica in the network.&nbsp;
This RSA setup is active/active meaning both RSA servers are accepting authentication request. The difference is, the Replica has a read-only database.&nbsp;
Could it be there is a firewall between BIG-IP and RSA and the firewall is not configured to allow SecurID traffic to the Replica RSA server?&nbsp;
Regards,
Martijn.&nbsp;

Forum Discussion

SecurID Authentication Failing on APM 12.1.2

1 Reply

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Query on source IP preservation for syslog traffic through F5 virtual server

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Related Content

Kerberos Authentication Failing for Exchange 2016 Behind F5 Cloud WAF

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

iControl REST Authentication Token Management

Doing mTLS Authentication per URL

API Pre-Authentication