keep receiving alert of failed authentication from cluster member in f5 audit logs
We keep receiving alert of failed authentication from cluster member
From active device version 13.x Mar 5 18:44:25 Big-IP-XXXX info httpd(pam_audit)[XXXXX]: 01070417:6: AUDIT - user admin - RAW: httpd(pam_audit): User=admin tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Mon Mar 5 18:44:23 2018" end="Mon Mar 5 18:44:25 2018").
where host=x.x.x.x is peer ip(standby)
both HA status looks fine, but getting these false login failure alarms in audit logs
5 03:51:56 Big-IP-xxxx notice unix_chkpwd[xxxx]: password check failed for user (admin) Mar 5 03:51:56 Big-IP-xxxx notice httpd[xxxx]: pam_unix(httpd:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost=x.x.x.x user=admin Mar 5 03:51:59 Big-IP-xxxx err httpd[xxxx]: [error] [client x.x.x.x] AUTHCACHE PAM: user 'admin' (fallback: false) - not authenticated: Authentication failure Mar 5 03:51:59 Big-IP-xxxx info httpd(pam_audit)[xxxx]: User=admin tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Mon Mar 5 03:51:56 2018" end="Mon Mar 5 03:51:59 2018"). Mar 5 03:51:59 Big-IP-xxxx info httpd(pam_audit)[xxxx]: 01070417:6: AUDIT - user admin - RAW: httpd(pam_audit): User=admin tty=(unknown) host=x.x.x.x failed to login after 1 attempts (start="Mon Mar 5 03:51:56 2018" end="Mon Mar 5 03:51:59 2018"). Mar 5 03:51:59 Big-IP-xxxx err httpd[xxxx]: [error] [client x.x.x.x] no acceptable variant: /usr/local/www/error/HTTP_UNAUTHORIZED.html.var
where x.x.x.x is the peer ip