Bug ID 1787517: After upgrade to 17.1.2, expired auth tokens are not deleted from /var/run/pamcache

Last Modified: Jul 18, 2025

Affected Product(s):
BIG-IP Install/Upgrade, TMOS(all modules)

Known Affected Versions:
16.1.6, 17.1.2, 17.1.2.1, 17.1.2.2

Fixed In:
17.5.0

Opened: Jan 20, 2025

Severity: 2-Critical

Symptoms

REST tokens that are present in /var/run/pamcache on BIG-IP are not deleted after token expiration after the upgrade to version 17.1.2 Potentially noticeable higher memory and CPU use

Impact

More memory will be used as /run/pamcache is an in-memory filesystem Users who have requested 100+ REST tokens may start to receive 400 responses with the message: "user <username> has reached maximum active login tokens". CPU use may be raised by higher activity of the csyncd process.

Conditions

The system is upgraded to version 17.1.2

Workaround

Manually remove expired tokens from /var/run/pamcache or delete them using the /mgmt/shared/authz/tokens API endpoint. restcurl -X DELETE /shared/authz/tokens

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips