
Release Notes for Citrix ADC 13.0-58.32 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the Citrix ADC release Build 13.0-58.32.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 58.32 replaces Build 58.30.
  • Additional fixes in this build: NSAUTH-8617, NSAUTH-8712

What’s New

The enhancements and changes that are available in Build 13.0-58.32.

Citrix Gateway

  • DTLS Listener Enhancements

    Users can now configure a separate DTLS VPN virtual server using the same IP address and port number as a configured SSL VPN virtual server. Configuring DTLS VPN virtual servers enables users to bind the advanced DTLS ciphers and certificates. Also, the DTLS 1.2 protocol is now supported in addition to the earlier supported DTLS 1.0 protocol.

    [ CGOP-11142 ]

Citrix Web App Firewall

  • Bot Management Statistics

    The Citrix ADC bot management GUI now displays bot traffic and bot violation statistics in both tabular and graphical format.

    [ NSWAF-5270 ]

  • Bot Support for Cluster Configuration

    The Citrix ADC bot management is now supported on a clustered configuration.

    [ NSWAF-4227 ]

  • CAPTCHA validation for IP reputation and device fingerprint detection techniques

    The Citrix ADC bot management now supports CAPTCHA for mitigating bot attacks. A CAPTCHA is a challenge-response validation performed to determine if the incoming traffic is from a human user or an automated bot. The validation helps block automated bots that cause security violations to web applications. You can configure CAPTCHA as a bot action in both IP reputation and device fingerprint detection techniques.

    [ NSWAF-3982 ]

  • Support for auto-updating bot signatures

    The Citrix ADC bot management now supports the auto-update functionality that communicates with the AWS database to fetch the latest signature updates. The update is scheduled every hour.

    You can also configure a proxy server to fetch the updates from AWS and periodically update signatures to the ADC appliance. For proxy configuration, you must configure the proxy IP address and port in the bot settings.

    [ NSWAF-3954 ]

  • Export and import of relaxation rules

    A Citrix ADC appliance now enables you to export and import the dynamic profile-based relaxation rules and the regular relaxation rules. You can export the rules from a staging environment and import them into your production environment.
    The “Augment” action ensures that the import of the relaxation rules is additive and does not override the existing configuration.

    [ NSWAF-3813 ]

  • Bot Trap Detection

    The Citrix ADC bot management now supports the bot trap detection technique. The technique advertises a trap URL in the client response. The URL is invisible to, and not accessible by, a human user. However, if the client is an automated bot, the URL is accessible, and when it is accessed, the client is categorized as a bot and any subsequent requests from the bot are blocked. The detection technique is effective in blocking attacks from automated bots.

    [ NSWAF-3231 ]

  • Snort Rule Integration

    You can now integrate Snort rules with a Citrix ADC appliance to prevent malicious attacks at the application layer. The rules are downloaded from the Snort website and converted into WAF signatures. The Snort-based WAF signatures can detect malicious activities such as DoS attacks, buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. By integrating Snort rules, you can strengthen your security solution at the interface and application layer.

    [ NSWAF-3055 ]

Load Balancing

  • Enhancing the GEO rules to validate wildcard matches for location-based policy expression

    Support is now added in the GEO rules for the location-based policy expression to check wildcard matches. This feature controls whether wildcard qualifiers match other qualifiers, including non-wildcard qualifiers. The wildcard match is controlled by the matchWildcardtoany attribute that is added to the “set locationParameter” command.

    The matchWildcardtoany attribute can be set to the following values:

    • Yes: Wildcard qualifiers match any other qualifiers.
    • No: Wildcard qualifiers do not match non-wildcard qualifiers but match other wildcard qualifiers. The default option is No.
    • Expression: Wildcard qualifiers in an expression match any qualifier in an LDNS location but wildcard qualifiers in the LDNS location do not match non-wildcard qualifiers in an expression.

    [ NSHELP-11782 ]
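    The three matchWildcardtoany settings above, modelled as an added example that is not Citrix code: locations are dot-separated qualifiers with “*” as the wildcard, and a location with fewer qualifiers than the other is padded with wildcards (an assumption of this example, not something the release note states).

```python
"""Model of the matchWildcardtoany semantics for GEO location matching.

Added illustration, not Citrix code. A location is modelled as dot-separated
qualifiers (for example continent.country.region.city); "*" is the wildcard.
Assumption: a location with fewer qualifiers than the other is padded with
wildcards for the comparison.
"""
from typing import Tuple

WILDCARD = "*"
MODES = ("yes", "no", "expression")


def qualifier_matches(expr_q: str, ldns_q: str, mode: str) -> bool:
    """Compare one qualifier of a policy expression with one of the LDNS location.

    mode is the matchWildcardtoany value: "yes", "no" or "expression".
    """
    mode = mode.lower()
    if mode not in MODES:
        raise ValueError(f"matchWildcardtoany must be one of {MODES}, got {mode!r}")
    expr_wild = expr_q == WILDCARD
    ldns_wild = ldns_q == WILDCARD
    if not expr_wild and not ldns_wild:
        # Two concrete qualifiers: plain case-insensitive comparison.
        return expr_q.lower() == ldns_q.lower()
    if mode == "yes":
        # Wildcard qualifiers match any other qualifier.
        return True
    if mode == "no":
        # Wildcards match only other wildcards, never a concrete qualifier.
        return expr_wild and ldns_wild
    # "expression": a wildcard in the expression matches anything in the LDNS
    # location, but a wildcard in the LDNS location does not match a concrete
    # qualifier in the expression.
    return expr_wild


def parse_location(location: str) -> Tuple[str, ...]:
    """Split 'Asia.India.*.*' into its qualifiers."""
    return tuple(q.strip() for q in location.split("."))


def location_matches(expression: str, ldns_location: str, mode: str) -> bool:
    """True if the LDNS location satisfies the policy expression under the given mode."""
    expr = parse_location(expression)
    ldns = parse_location(ldns_location)
    width = max(len(expr), len(ldns))
    expr = expr + (WILDCARD,) * (width - len(expr))  # assumption: pad with wildcards
    ldns = ldns + (WILDCARD,) * (width - len(ldns))
    return all(qualifier_matches(e, l, mode) for e, l in zip(expr, ldns))


def matrix(expression: str, ldns_location: str) -> dict:
    """Evaluate one pair under all three modes, for comparing the settings."""
    return {m: location_matches(expression, ldns_location, m) for m in MODES}


if __name__ == "__main__":
    # Constructed sample: wildcard in the expression vs wildcard in the LDNS location.
    print(matrix("Asia.India.*.*", "Asia.India.Karnataka.Bangalore"))
    print(matrix("Asia.India.Karnataka.Bangalore", "Asia.India.*.*"))
```

    The two printed rows differ only in the Expression setting, which is the asymmetry the third bullet describes.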

Networking

  • Neighbor discovery owner support for striped IPv6 address

    In a cluster setup, you can now configure a specific node as neighbor discovery (ND) owner for striped IPv6 address to determine the link-layer address. A client sends a Neighbor Solicitation (NS) message to all the nodes in the cluster setup. The ND owner responds with a Neighbor Advertisement (NA) message with the link-layer address for the striped IPv6 address, and serves traffic.

    You can configure the ND owner using CLI by specifying the node ID:

    • add ns ip6 -ndOwner
    • set ns ip6 -ndOwner

    In GUI, navigate to System > Network > IPs > IPv6s. Select one of the node IDs listed in ”NdOwner in Cluster” while adding or modifying an IPv6 address.

    [ NSNET-10767 ]

  • Global server load balancing support on a Citrix ADC BLX appliance

    Citrix ADC BLX appliances now support the Citrix ADC Global server load balancing (GSLB) feature.

    Note: Citrix ADC BLX appliances do not support the GSLB auto synchronization sub-feature.

    [ NSNET-9263 ]

Platform

  • Support for Intel X722 10G NIC on the Linux-KVM platform

    A Citrix ADC VPX instance on the Linux-KVM platform now supports Intel X722 10G SR-IOV network interfaces.

    [ NSPLAT-13197 ]

  • Setting up a Citrix ADC VPX high-availability pair with private IP addresses on Google Cloud Platform

    You can now deploy a VPX high-availability pair on GCP using private IP addresses. You must disable the INC mode to configure this feature. The client IP (VIP) and Server IP (SNIP) must be configured as alias IP addresses on the primary node. Upon failover, both Client IP address and Server IP address are moved to the secondary node.

    [ NSPLAT-12516 ]

  • Back-end autoscaling support for GCP

    The Citrix ADC VPX appliance now supports the back-end autoscaling feature for Google Cloud Platform (GCP). This feature detects the back-end servers in a GCP Managed Instance Group (MIG). GCP automatically adds or removes servers from the MIG pool, based on user-defined metrics. The VPX appliance captures the details of the back-end server pool and load balances the traffic accordingly.

    [ NSPLAT-7715 ]

Policies

  • Policy Dataset Configuration

    The policy dataset now allows you to specify a range for different data types. For example:

     add dataset ds1 ipv4
     bind dataset ds1 1.1.1.1 -endRange 1.1.1.10

    A value is considered to be in the dataset if it is either equal to a single value bound to the dataset, or lies between the lower value and upper value (lower-value <= value && value <= upper-value) of a range bound to the dataset.

    [ NSPOLICY-3282 ]
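    The range membership rule above, as an added example that is not Citrix code: a small parser for the two commands shown (add dataset, bind dataset with an optional -endRange) and an inclusive range check for the ipv4 data type; the sample configuration and the extra single value are constructed here.

```python
"""Range semantics of a policy dataset of type ipv4.

Added illustration, not Citrix code: a model of the membership rule described
above for 'bind dataset <name> <value> [-endRange <value>]'. The parser covers
only the two commands shown; everything else is an assumption of this example.
"""
import ipaddress
import shlex
from typing import Dict, Iterable, List, Optional, Set, Tuple


class IPv4Dataset:
    """Single values and inclusive ranges bound to one dataset."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.singles: Set[ipaddress.IPv4Address] = set()
        self.ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = []

    def bind(self, value: str, end_range: Optional[str] = None) -> None:
        low = ipaddress.IPv4Address(value)
        if end_range is None:
            self.singles.add(low)
            return
        high = ipaddress.IPv4Address(end_range)
        if high < low:
            raise ValueError(f"endRange {end_range} is below start value {value}")
        self.ranges.append((low, high))

    def contains(self, value: str) -> bool:
        """lower-value <= value && value <= upper-value, or an exact single match."""
        ip = ipaddress.IPv4Address(value)
        if ip in self.singles:
            return True
        return any(low <= ip <= high for low, high in self.ranges)


def load_config(lines: Iterable[str]) -> Dict[str, IPv4Dataset]:
    """Parse 'add dataset' and 'bind dataset' commands into IPv4Dataset objects."""
    datasets: Dict[str, IPv4Dataset] = {}
    for raw in lines:
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[:2] == ["add", "dataset"]:
            name, dtype = tokens[2], tokens[3]
            if dtype.lower() != "ipv4":
                raise ValueError("only the ipv4 data type is modelled here")
            datasets[name] = IPv4Dataset(name)
        elif tokens[:2] == ["bind", "dataset"]:
            name, value = tokens[2], tokens[3]
            end_range = None
            opts = tokens[4:]
            if "-endRange" in opts:
                end_range = opts[opts.index("-endRange") + 1]
            datasets[name].bind(value, end_range)
        else:
            raise ValueError(f"unsupported command: {raw}")
    return datasets


# Constructed sample configuration: the range from the release note plus one single value.
SAMPLE_CONFIG = [
    "add dataset ds1 ipv4",
    "bind dataset ds1 1.1.1.1 -endRange 1.1.1.10",
    "bind dataset ds1 10.0.0.7",
]


def in_dataset(value: str, config: Iterable[str] = SAMPLE_CONFIG, name: str = "ds1") -> bool:
    """Evaluate membership of one address against a parsed configuration."""
    return load_config(list(config))[name].contains(value)


if __name__ == "__main__":
    for addr in ("1.1.1.1", "1.1.1.5", "1.1.1.10", "1.1.1.11", "10.0.0.7"):
        print(addr, in_dataset(addr))
```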

SSL

  • Adaptive SSL traffic control

    When very high traffic is received on the appliance and the crypto acceleration capacity is full, the appliance starts queuing connections to process later. Currently, the size of this queue is fixed at 64K and the appliance starts dropping connections if this value is exceeded. With this enhancement, the appliance drops new connections if the number of elements in the queue is greater than the adaptively and dynamically calculated limit.

    This limit is calculated based on:

    • The actual capacity of the appliance.
    • Value configured by the user as a percentage of the actual capacity. Default value is 150%.

    For example, if the actual capacity of an appliance is 1000 operations/second at a given time and the default percentage is configured, the limit after which the appliance drops connections is 1500 (150% of 1000).

    [ NSSSL-7476 ]

  • Support for DTLSv1.2 protocol on the front end of a Citrix ADC Cavium MPX platform

    The DTLS 1.2 protocol is now supported on the front end of a Citrix ADC Cavium MPX platform. While configuring a DTLS virtual server, you must now specify DTLS1 or DTLS12. By default, DTLSv12 is disabled.

    [ NSSSL-6097 ]

  • Support for secure renegotiation on the backend of a Citrix ADC appliance

    Secure renegotiation is now supported on the backend of a Citrix ADC appliance. You can enable secure renegotiation in the SSL profile, and in global SSL parameters. To enable secure renegotiation, set the “denySSLReneg” parameter to one of the following options:

    • NONSECURE
    • NO
    • FRONTEND_CLIENT
    • FRONTEND_CLIENTSERVER

    Example

     set ssl profile ns_default_ssl_profile_backend -denySSLReneg NONSECURE  
     set ssl parameter -denySSLReneg NONSECURE  

    [ NSHELP-14944 ]

System

  • Built-in HTTP profile for management access

    The Citrix ADC appliance now has a built-in HTTP profile, “nshttp_default_internal_apps”, for management access. The profile is configured to block HTTP/0.9 requests and to drop invalid requests for management access. The profile settings are the same as those of the existing “nshttp_default_strict_validation” profile. However, unlike the “nshttp_default_strict_validation” profile, it is advisable that you do not change the settings of this profile.

    [ NSBASE-9953 ]

User Interface

  • Configure a MatchedId to specify the last evaluated URL set

    A new parameter, “MatchedId” is now added to the “import policy urlset” command. The ID can specify the URL set that was last evaluated after it matched the requested URL. The ID is also sent to the AppFlow collector that collects user-session level information.

    [ NSUI-14674 ]

  • Strict mode support for sync status of the cluster

    You can now configure a cluster node to view errors when applying the configuration. A new parameter, “syncStatusStrictMode” is introduced in both add and set cluster instance command to track the status of each node in a cluster. By default, the “syncStatusStrictMode” parameter is disabled.

    [ NSCONFIG-2796 ]

Fixed Issues

The issues that are addressed in Build 13.0-58.32.

AppFlow

  • A Citrix ADC appliance might crash if there is active traffic while enabling the AppFlow feature.

    [ NSHELP-22361 ]

Authentication, authorization, and auditing

  • User name extraction in OnlyPassword.xml does not work in Citrix ADC. The expression is shown as ${http.req.user.name} instead of being replaced by the user name.

    [ NSHELP-22172 ]

  • Citrix ADC deployed as SAML SP might show a local logout page after user initiates the logout process.

    [ NSHELP-22067 ]

  • In some cases, a Citrix ADC appliance dumps core because SYN packets going towards TACACS server are filled with wrong partition values.

    [ NSHELP-22030 ]

  • A Citrix ADC appliance might dump core upon receiving a RESET command from the client while the appliance is handling VPN traffic requests.

    [ NSHELP-21817 ]

  • Form based SSO fails if the FORMSSO policies contain empty name-value pair for DYNAMIC FORMSSO.

    [ NSHELP-21753 ]

  • A Citrix ADC appliance might crash with StoreFront AuthAction if the following conditions are met:
    • Password is changed post the expiry date.
    • Authentication is attempted from non-nFactor old VPN clients.

    [ NSHELP-21555 ]

  • The “saml:AttributeValue” tag is missing from the SAML assertion whenever “ns_saml_disable_comma_sep_attr_res nsapimgr” knob is enabled.

    [ NSHELP-21552 ]

  • SSO to StoreFront using Citrix ADC fails if the following conditions are met:
    • The Citrix ADC appliance is configured for multi-factor authentication.
    • Citrix ADC session times out before examining the configured authentication factors.

    [ NSHELP-21466 ]

  • Full VPN does not work if the following conditions are met:

    • A Citrix ADC appliance is configured for nFactor authentication with SAML authentication being the last factor of authentication.
    • The appliance is bound to the RfWebUI portal theme.

    [ NSHELP-21157 ]

  • During IdP session creation on an authentication virtual server, any configuration made to the login schema profile associated with the first factor of authentication is not honored. If the login schema profile is configured to use the first factor credentials for the SSO functionality, the configuration is not honored.

    [ NSAUTH-8712 ]

  • A Citrix Gateway appliance dumps core if the following conditions are met:
    • The Citrix Gateway appliance is accessed using the Citrix Workspace app.
    • The Citrix Gateway appliance is configured for nFactor deployment with advanced authentication.

    [ NSAUTH-8617 ]

Caching

  • In a cluster setup, a Citrix ADC appliance might crash when:
    • Upgrading the setup from Citrix ADC 13.0 47.x or 13.0 52.x build to a later build
    • Upgrading the setup to Citrix ADC 13.0 47.x or 13.0 52.x build

    During the upgrade process, perform the following steps:

    • Disable all cluster nodes and then upgrade each cluster node
    • Enable all cluster nodes after all the nodes are upgraded

    [ NSHELP-21754 ]

Citrix ADC SDX Appliance

  • In some cases, upgrading a Citrix ADC SDX appliance to release 13.0 might fail because of an internal error.

    [ NSSVM-3377 ]

  • On a Citrix ADC SDX appliance, upgrade from release 12.1 build 56.22 to release 13.0 build 52.24 might fail.

    [ NSSVM-3159 ]

  • The instance is not launched when you navigate to Citrix ADC > Instances and click the instance IP address in the SDX GUI. The issue is observed only after you upgrade to release 13.0 build 47.x.

    [ NSHELP-22152 ]

  • Upgrade on a Citrix ADC SDX appliance might fail if pooled licensing server is configured.

    [ NSHELP-22064 ]

  • You cannot modify the VPX instance name on the following platforms when the number of cores assigned to that VPX is greater than the number of free cores available on the appliance.
    • SDX 8900
    • SDX 14xxx-40G
    • SDX 14xxx-40S
    • SDX 14xxx FIPS
    • SDX 15xxx-25G
    • SDX 15xxx-50G
    • SDX 25xxx
    • SDX 26xxx
    • SDX 26xxx-50S
    • SDX 26xxx-100G

    [ NSHELP-22048 ]

  • On Citrix ADC SDX 15xxx and SDX 26xxx platforms, you cannot provision multiple VPX instances in L2 mode.

    [ NSHELP-21367 ]

  • After upgrading to software version 11.1 and 12.1, the appliance might send nsNotifyRestart traps.

    [ NSHELP-18308 ]

Citrix Gateway

  • The Citrix Gateway appliance might crash while copying the session information between CPUs in a VPN setup.

    [ NSHELP-22665 ]

  • The Citrix Gateway appliance crashes when handling a server-initiated connection because of an error in connection linking.

    [ NSHELP-22598 ]

  • The Citrix Gateway appliance might intermittently crash if the following conditions are met:
    • A server-initiated UDP connection to an intranet IP address is assigned to a user.
    • The server does not send UDP packets for a long time after the first packet is sent.

    [ NSHELP-22583 ]

  • During a transfer logon, the Citrix Gateway appliance might crash when trying to store an invalid connection and then dereferencing the invalid connection.

    [ NSHELP-22568 ]

  • The Citrix ADC appliance might crash when configured for classic clientless VPN.

    [ NSHELP-22559 ]

  • In rare cases, the counter for “vpnusers” parameter with value 0 is incorrectly decremented. This decrement resets the counter to a very high value, resulting in the license check failure.

    [ NSHELP-22558 ]

  • Sometimes, Citrix Gateway allows macOS clients to access internal resources even if the EPA scan fails on the client machine.
    This issue occurs only in n-core machines containing the following configuration:
    • A session policy is created with the “clientSecurityGroup” parameter.
    • A responder policy is created to perform some action on the users who are part of this client security group.

    [ NSHELP-22262 ]

  • The Citrix Gateway appliance might crash if you attempt to print over full VPN tunnel when Intranet IP address is assigned.
    This issue is observed in HP printers that use hp-status and WSDAPI protocols.

    [ NSHELP-22191 ]

  • If SAML authentication is configured on the Citrix Gateway and a user tries to log on via the VPN plug-in, the browser displays a blank screen.

    [ NSHELP-22185 ]

  • In the Citrix ADC appliance GUI, you cannot unbind an authorization policy binding from an Authentication, authorization, and auditing group.

    [ NSHELP-22167 ]

  • When you deploy a new Citrix ADC VPX appliance using XVA image on a Citrix Hypervisor or any other server, the Citrix Gateway plug-in packages for Windows are not found in the respective location.

    [ NSHELP-22157 ]

  • In a full tunnel setup and classic client certificate authentication with RfWebUI, the appliance responds with a blank page or “Client not capable” error after login.

    [ NSHELP-22084 ]

  • Sometimes, the PCoIP app or desktop might fail to launch.

    [ NSHELP-22041 ]

  • In a Citrix Gateway high availability setup, the secondary node might crash during core-to-core communication.

    [ NSHELP-21991 ]

  • If the Citrix Gateway server resolves to a different IP address inside the company network as compared to an external network, roaming from external to internal network or vice versa fails intermittently. As a result, Always on with Windows feature does not work.

    [ NSHELP-21956 ]

  • The Linux VPN client crashes if proxy settings are configured in the session policy.

    [ NSHELP-21955 ]

  • When EPA is configured in nFactor mode, messages related to EPA plug-in installation are not displayed in the VPN plug-in window.

    [ NSHELP-21939 ]

  • If you are using McAfee LiveSafe, the EPA check does not succeed. As a result, the detection of Chinese product names does not work for OPSWAT. However, for other languages, it works as intended.

    [ NSHELP-21938 ]

  • The Web Interface feature might not work as intended after upgrading the Citrix ADC appliance.

    [ NSHELP-21899 ]

  • The Citrix Gateway appliance might crash if there are multiple cores and Intranet IP address is enabled with RfWebUI theme.

    [ NSHELP-21722 ]

  • A Citrix ADC appliance might crash when it tries to access the corrupt collector information.

    [ NSHELP-21653 ]

  • Always On service fails to establish a VPN tunnel if the Force Cache Cleanup parameter is enabled for Cache.

    [ NSHELP-21645 ]

  • You might intermittently see a 403 access forbidden error for portal files.

    [ NSHELP-21620 ]

  • UDP applications performance might be affected sometimes because of traffic congestion.

    [ NSHELP-21599 ]

  • In a Citrix Gateway with nFactor authentication, EPA as a factor might sometimes fail.

    [ NSHELP-21557 ]

  • Sometimes, the Citrix ADC appliance might crash while handling server initiated connection.

    [ NSHELP-21532 ]

  • The VPN plug-in retains DNS suffixes that are added on Wi-Fi or Ethernet adapter while over the VPN connection.

    [ NSHELP-21492 ]

  • The Citrix Gateway appliance configured for global server load balancing does not work as intended in a parent-child topology.

    [ NSHELP-21381 ]

  • App enumeration does not occur if the number of desktops is less than the number of apps.

    [ NSHELP-21377 ]

  • In a multicore processor setup, the Citrix Gateway appliance crashes if the Gateway Insight feature is enabled and a request is received on a non-owner core.

    [ NSHELP-21089 ]

  • The Citrix Gateway appliance might crash if the following conditions are met:
    • The client or server connection has a dangling pointer instead of a link.
    • The linked connection is already freed.
    • The appliance tries to flush the connection to free the link.

    [ NSHELP-20901 ]

  • The Citrix ADC appliance might crash if you use classic policies in your gateway configuration.

    [ NSHELP-20070 ]

  • The Citrix ADC appliance might crash when a net profile is added to a service.

    [ NSHELP-19569 ]

  • The DTLS parameter is set to ON by default for a content switching virtual server created through a Unified Gateway wizard.

    [ CGOP-13213 ]

  • RFWebUI custom themes do not work after you upgrade your Citrix Gateway appliance to release 13.0.

    [ CGOP-12740 ]

Citrix Web App Firewall

  • Connection reset occurs if you enable the SSL session reuse option on your front-end gateway virtual servers with TLS 1.3 enabled on the appliance.

    [ NSWAF-5268 ]

  • NITRO does not allow SDK customers to configure WAF if the XML security check “xmlmaxnodescheck” option is enabled.

    [ NSHELP-22111 ]

  • A memory leak is observed on a Citrix ADC appliance if you enable StartURL Closure protection check.

    [ NSHELP-21472 ]

  • After an upgrade, a Citrix ADC appliance might crash because of high memory usage.

    [ NSHELP-21410 ]

  • In Citrix ADC bot management, the trap URL and JavaScript are not inserted properly for chunked and FIN-terminated data.

    [ NSHELP-21289 ]

  • XML validation fails if the XML content has nested reference to “APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT” parameter.

    [ NSHELP-21128 ]

  • A Citrix ADC appliance might crash if an error case was handled incorrectly for the credit card verification process.

    [ NSHELP-20562 ]

  • A Citrix ADC appliance might crash if you enable the XML Wellformedness protection check in log mode.

    [ NSHELP-18737 ]

Load Balancing

  • In a high availability setup, the primary node crashes while fetching the server PCB from a server reuse pool. The crash occurs because the loop already exists and that results in a tight loop.

    [ NSHELP-22149 ]

  • The packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK before receiving the complete header.

    [ NSHELP-22099 ]

  • In an admin partition setup, when you execute the “stat gslb site” command, the Metric Exchange or Network Metric Exchange state between two GSLB sites is shown as DOWN. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-21895 ]

  • During high availability synchronization, the connectivity to a secondary device might be lost when pooled license is configured.

    [ NSHELP-21556 ]

  • In a cluster setup, the configuration for diameter identity is lost when a node is upgraded to a newer version.

    [ NSHELP-21444 ]

  • For the requests from NAT-aware clients, the Citrix ADC appliance might crash when the media section in Session Description Protocol (SDP) payload contains the NAT IP address.

    [ NSHELP-21438 ]

  • In a NITRO API, the “tickssincelaststatechange” field for a service group does not get updated properly after the state of the service group changes.

    [ NSHELP-21425 ]

  • In a high availability setup, the primary node cannot find a relevant PORT after maximum attempts to establish connection to a specific core on a secondary node. Therefore, the secondary connection table is not fully synchronised with the primary connection table.

    [ NSHELP-21420 ]

  • In a GSLB setup with gateway deployment, the Citrix ADC appliance might fail to resolve the domain name for a GSLB service in the following condition:
    When the primary load balancing virtual server is DOWN, even if the backup load balancing virtual server is UP.

    [ NSHELP-21061 ]

  • After you upgrade the Citrix ADC appliance from release 11.1 build 56.19 to release 12.1 build 53.12, the effective state of the GSLB service is set to DOWN even though the load balancing virtual server is UP.

    [ NSHELP-21025 ]

  • A Citrix ADC appliance might show spikes in memory usage if a secure HTTP monitor is configured and the response size is large.

    [ NSHELP-20712 ]

Networking

  • After you restart the Citrix ADC appliance, the internal transport layer service might get unregistered. As a result, any transport protocol service request on the appliance fails.

    [ NSNET-15252 ]

  • In a cluster topology, on node upgrade or downgrade, the “set snmp mib” command fails for non-CCO nodes. This results in a configuration loss.

    [ NSNET-14562 ]

  • An issue is observed if you set the GUI option to secureonly on the CLIP address, while the issue is not observed on the NSIP address.
    The issue is observed only when you trigger the “set ns ip gui” configuration.

    [ NSNET-14364 ]

  • The Citrix ADC appliance processes any received packet with the following properties as belonging to an active FTP data connection:
    • Protocol = TCP
    • Destination IP address = Citrix ADC IP (NSIP)
    • Source port = 20

    As a result, the Citrix ADC appliance sends the packet to the internal management module instead of the packet engine module for processing, which in turn results in some unexpected processing on the packet.

    [ NSHELP-22637 ]

  • In a high availability setup with Layer-2 mode enabled in a non-default partition, the secondary node might forward the DHCP packets it receives causing a loop in the network.

    [ NSHELP-22140 ]

  • In a Citrix ADC cluster setup with IPv4 and IPv6 policy-based backplane steering (PBS) configurations, ICMPv6 error packets might loop between the cluster nodes when all of the following conditions are true:

    • The inner IP packets of the ICMPv6 error packets have the same IP tuple as in one of the active TCP sessions.
    • A different IPv4 mapped address is present on each cluster node for the same IPv6 address.

    [ NSHELP-21815 ]

  • For no-limit admin partitions, the memory check during allocation is disabled.

    [ NSHELP-21775 ]

  • In a high availability setup in INC mode, after a failover, the new secondary node might not withdraw the default route (learned from other BGP peers) that it advertised when it was functioning as primary. Because of this issue, the data traffic can arrive on the new secondary node as well.

    [ NSHELP-21720 ]

  • In an OpenStack deployment, command propagation might fail under the following condition:

    When you remove a node from a 3-node cluster and an older heartbeat is received from the removed node.

    [ NSHELP-21432 ]

  • If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.

    [ NSHELP-21288 ]

  • On restarting the Citrix ADC appliance, default route is originated before the IP address of the interface is populated. Because of this issue, the next hop of a route is set to NULL leading to a martian error.

    [ NSHELP-16407 ]

NSSWG

  • A memory management error is observed on clustered and high availability configurations, which stops Citrix ADC GUI HTTPS access and produces null AppFlow URL filtering records.

    [ NSSWG-1220 ]

  • The URL category files do not include the latest updates from the NetSTAR database.

    [ NSSWG-1205 ]

Platform

  • On a Citrix ADC SDX appliance, you might observe Tx stalls on a VPX instance running a software version earlier than 13.0 build 58.x, when the following conditions are met:

    • The SDX appliance contains 10G, 25G, or 40G NICs.
    • The SDX appliance is running version 13.0 build 58.x or later.

    Citrix recommends that you upgrade the software version on the VPX instance to 13.0-58.x before upgrading the SDX software to 13.0-58.x version.

    [ NSPLAT-14422 ]

  • Config wipe scripts fail on some Citrix ADC platforms. With this fix, the date code of the scripts is updated to 01/14/20 and all platforms are supported.

    [ NSPLAT-13498 ]

  • On SDX 8200/8400/8600 platforms, the SDX appliance hangs on the Citrix Hypervisor console if the SDX appliance or the VPX instances running on it are restarted multiple times. When the appliance hangs, the message “INFO: rcu_sched detected stalls on CPUs/tasks,” appears.

    To recover, restart the appliance in one of the following ways:

    • Restart the SDX appliance by pressing the NMI button at the back.
    • From the LOM GUI, use NMI to restart the appliance.
    • Use LOM to restart the SDX appliance.

    [ NSPLAT-9155 ]

  • The SDX appliance might not be able to rebuild the RAID pair if you replace one of the SSD drives in boot RAID pair slot 1 and slot 2.

    [ NSHELP-22470 ]

  • During heavy traffic, Tx might stop working on Citrix ADC platforms containing 50G interfaces.

    [ NSHELP-22221 ]

  • In some cases, provisioning a VPX instance on a Citrix ADC SDX appliance containing Intel Coleto chips might fail because the SSL Coleto chip initialization failed.

    [ NSHELP-22033 ]

  • When multiple LA channels are configured on an SDX appliance without any management interfaces (0/1, 0/2) and if the first LA channel is disabled through the VPX CLI, the VPX appliance might be unreachable.

    [ NSHELP-21889 ]

  • On the ADC SDX 14000 and 15000 appliances, traffic loss of up to 9 seconds is observed if the following conditions are met:
    • 10G ports are connected using the LA channel to two Cisco switches that are configured in VPC setup as active or passive
    • The link to active or primary Cisco switch bounces.

    [ NSHELP-21875 ]

  • On SDX appliances running a 13.0 single bundle upgrade version, CPUs might overlap for different VPX instances even though the instances are assigned dedicated cores.

    [ NSHELP-21729 ]

  • On the Citrix ADC MPX platform, a 50G port that is a member of a link aggregation group continues to be DOWN if the following actions are performed:

    1. The 50G port is disabled.
    2. The port on the peer switch is disabled.
    3. The port on the peer switch is enabled.
    4. The 50G port is enabled.

    The 50G port does not come up even after it is enabled. As a result, traffic cannot pass through the 50G port.

    [ NSHELP-20529 ]

  • A Citrix ADC appliance might crash when it runs out of memory.

    [ NSHELP-20130 ]

Policies

  • The “Current Client Est connections” and “Current client connections” counters for a load balancing virtual server display incorrect values if HTTP callout is configured on that virtual server.

    [ NSHELP-22491 ]

SSL

  • On the Citrix ADC MPX 14000 FIPS platforms, all SSL virtual servers appear as DOWN on the non-management CPUs.

    [ NSSSL-8015 ]

  • In some cases, a Citrix ADC appliance might crash while processing DTLS traffic in low memory conditions.

    [ NSHELP-22611 ]

  • The Citrix ADC appliance might crash under heavy traffic if both syslogging and DTLS are enabled on a VPN virtual server.

    [ NSHELP-22195 ]

  • The Citrix ADC appliance might crash if dynamic SNI is configured on the back end and the correct license is not available on the appliance.

    [ NSHELP-22081 ]

  • The SSL action points to the old virtual server even after the virtual server is renamed.

    [ NSHELP-21584 ]

  • Information about the SSL profile bound to a load balancing monitor is lost if default SSL profile is enabled and the appliance reboots.

    [ NSHELP-21321 ]

  • The Citrix ADC appliance might crash if the following conditions are met:
    1. Two OCSP responders are configured with the same host name.
    2. Both responders are bound to same root certificate-key pair.
    3. The request fails with the first responder.
    4. The appliance attempts to send the request to the second responder and the host name is unresolved.

    [ NSHELP-21278 ]

  • The incorrect ciphers exported from the Citrix ADC appliance cause the Citrix ADM to display the same incorrect cipher information.

    [ NSHELP-21177 ]

  • There is a discrepancy in memory allocation on partitioned Citrix ADC MPX appliances containing Intel Coleto chips.

    [ NSHELP-20853 ]

System

  • A Citrix ADC appliance might crash when it detects duplicate TCP retransmissions, because of a divide-by-zero operation in the TCP congestion control algorithm.

    [ NSHELP-22693 ]

  • A Citrix ADC appliance might crash if the AppFlow configuration is deleted in the middle of a client connection.

    [ NSHELP-22389 ]

  • In a clustered setup, a Citrix ADC appliance might crash if the following conditions are observed:
    • The connection is steered from the Flow Processor to the Flow Receiver.
    • TCP out-of-order packets are processed in the Time-Wait state.

    [ NSHELP-21792 ]

  • A Citrix ADC appliance might crash if:
    • An HTTP/2 client sends a connection reset in the middle of a download with cache enabled.
    • The back-end server closes the connection with FIN termination.

    [ NSHELP-21605 ]

  • An AppFlow policy bound to a VPN virtual server that is behind a content switching virtual server is not applied.

    [ NSHELP-20816 ]

  • In MPTCP cluster deployment, the packet loop between the cluster nodes causes high bandwidth usage.

    [ NSHELP-20675 ]

  • In a cluster setup, if timestamp is enabled, some of the requests sent to the server might be dropped.

    [ NSHELP-20394 ]

  • In a cluster setup, a Citrix ADC appliance might restart if logstream is enabled.

    [ NSHELP-20008 ]

  • A Citrix ADC appliance with connection chaining and SSL enabled might send more data than the MTU allows.

    [ NSHELP-9411 ]

  • A Citrix ADC appliance sends an incorrect HTTP/2 response on an HTTP/1.1 client connection if the appliance receives:
    • a “100 Continue” HTTP/2 response from the backend server.
    • another HTTP/2 response on the same HTTP/2 stream.

    [ NSBASE-10419 ]

  • A Citrix ADC appliance might crash if you use pitboss for monitoring the metrics-collector.

    [ NSBASE-9743 ]

  • The Citrix ADC appliance serves the connect request only on the first stream and does not process subsequent requests on other streams if the following conditions are observed on the appliance:
    • Multiple HTTP requests are received in a single HTTP/2 connection on different streams.
    • HTTP/2 is disabled on the back-end server.

    [ NSBASE-9510 ]

  • A Citrix ADC appliance might crash because of memory allocation failure in a TCP timestamp scenario. As a result, the appliance resets the client connection.

    [ NSBASE-9297 ]

  • The “observationPointId” parameter in the “set appflow param” command does not change even when you change the NSIP address using the “set ns config” command. As a result, the data is not transmitted to Citrix ADM server.

    [ NSBASE-8622 ]

User Interface

  • When a system user tries to lock or unlock an appliance, the Citrix ADC GUI displays an error message, “User does not exist”.

    [ NSUI-14999 ]

  • The LB Visualizer does not display the services bound to the virtual server if the services are part of the service group. However, if the service is bound individually, the service is displayed in the LB Visualizer.

    [ NSHELP-22436 ]

  • When you modify a parameter other than ring size (for example duplex, speed, or HAmon) from the GUI, the following error message appears:
    Ringsize change not allowed on this NIC type

    [ NSHELP-21934 ]

  • In a cluster setup, you see the following issues because VXLAN is not supported:
    • The “Create IPv6 Neighbor” GUI page displays the following error message when you try to create an IPv6 neighbor:
      “Operation not supported in Cluster”
    • On the “Create IPv6 Route” GUI page, the Create button does not respond.

    [ NSHELP-19451 ]

  • Data with multiple argument values are not properly stored in the Citrix ADC configuration database.

    [ NSHELP-18633 ]

Known Issues

The issues that exist in release 13.0-58.32.

Authentication, authorization, and auditing

  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]

  • During IdP session creation on an authentication virtual server, any configuration made to the login schema profile associated with the first factor of authentication is not honored. If the login schema profile is configured to use the first factor credentials for the SSO functionality, the configuration is not honored.

    [ NSAUTH-8712 ]

  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [ NSAUTH-6106 ]

  • An ADFS proxy profile can be configured in a cluster deployment, but the status of the proxy profile is incorrectly displayed as blank when you issue the following command:
    “show adfsproxyprofile”

    Workaround: Connect to the primary active Citrix ADC in the cluster and issue the “show adfsproxyprofile” command there. It displays the proxy profile status.

    [ NSAUTH-5916 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

    [ NSHELP-22942 ]

Citrix ADC SDX Appliance

  • If the IP address of a Citrix ADC SDX appliance that is configured using pooled licensing is changed in SDX, the Citrix ADM managing the SDX appliance continues to show the old SDX IP address.

    [ NSHELP-23490 ]

  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 56.x might time out because of latency in interprocess communication.

    [ NSHELP-22644 ]

  • On the Citrix ADC SDX appliance, a user with read-only permissions can transfer files to Management Service using a file transfer utility, such as SCP or SFTP.

    [ NSHELP-22638 ]

  • The Citrix ADC SDX UI might be inaccessible after you try to upgrade to release 13.0-58.30.
    Workaround:

    1. SSH to the SVM IP address using the “nsrecover” credentials.
    2. At the shell prompt, type “svmd stop” to stop all SVM processes.
    3. To verify that all SVM processes have stopped, type “ps -ax | grep svm”. If any SVM process is still listed, stop it with “kill -9 <PID>”, using the process ID shown in the listing.
    4. Edit the file /var/mps/mps_featurelist.conf.bak using the vi editor. Add “DisableMetricCollection” at the end of the file and save the file.
    5. Type “svmd start” to restart the SVM processes. The upgrade continues and the SDX UI is launched after approximately 30 minutes.

    [ NSHELP-23904 ]

Citrix Gateway

  • You might face issues when editing documents using the web based office apps linked in SharePoint when these apps are accessed through the advanced clientless VPN.

    [ NSHELP-23364 ]

  • When the Citrix Workspace app is used to connect to Citrix Gateway, session establishment might fail if session policy is bound to the VPN virtual server.

    Workaround: Bind the session policy to the user or user group.

    [ NSHELP-23148 ]

  • In rare cases, the Citrix ADC appliance might become unresponsive if the appliance is configured for EDT, and HDX Insight is enabled for EDT sessions.

    [ NSHELP-22640 ]

  • In a Citrix Gateway double hop high availability setup, the ICA connection might be lost after an HA failover.
    Workaround: Change the FQDN to the IP address of the next hop server.

    [ NSHELP-22444 ]

  • In a Citrix Gateway high availability setup, the secondary node might crash during a failover if syslog is configured.

    [ NSHELP-22438 ]

  • The Citrix Gateway appliance might crash because some commands are not run.

    [ NSHELP-22371 ]

  • The Citrix Gateway appliance might crash intermittently if a syslog policy is configured.

    [ NSHELP-22304 ]

  • Sometimes while browsing through schemas, the error message “Cannot read property ‘type’ of undefined” appears.

    [ NSHELP-21897 ]

  • When the syslog server is configured through TCP, intermittently some logs are not sent to the syslog server.

    [ NSHELP-21624 ]

  • In case a Citrix ADC appliance is configured for nFactor authentication, upon RADIUS authentication failure, the Citrix ADM appliance incorrectly displays the failed authentication type as “LDAP”.

    [ NSHELP-20440 ]

  • When you upgrade your Unified Gateway environment to release 13.0 build 58.x or later, the DTLS knob is disabled in the content switching virtual server that is configured before the gateway or the VPN virtual server. You must manually enable the DTLS knob in the content switching virtual server after the upgrade. Do not enable the DTLS knob if you are using the wizard for configuration.

    [ CGOP-13972 ]

  • The Gateway Insight report incorrectly displays the value “Local” instead of “SAML” in the Authentication Type field for SAML error failures.

    [ CGOP-13584 ]

  • The ICA connection results in a skip parse during ICA parsing if users use Citrix Receiver for Mac with version 6.5 of Citrix Virtual Apps and Desktops (formerly Citrix XenApp and XenDesktop).
    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.

    [ CGOP-13532 ]

  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]

  • In Outlook Web App (OWA) 2013, clicking “Options” under the Setting menu displays a “Critical error” dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Load Balancing

  • In a cluster setup, ACL rules with VLAN settings do not take effect resulting in packets hitting other ACL rules.

    This issue occurs when you delete a virtual server on the cluster setup resulting in the cluster nodes not adding VLAN information on the steered packets.

    [ NSHELP-22103 ]

  • In a high availability (HA) setup, when the secondary node restarts, the primary node might crash during connection mirroring of sessions to the secondary node.

    [ NSHELP-21715 ]

  • The Citrix ADC appliance might run out of memory when a client sends packets at regular intervals but the first packet is blocked in the appliance. As a result, packets are queued up and the appliance runs out of memory to store the packets.

    [ NSHELP-20871 ]

Networking

  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine

    [ NSNET-4312 ]

  • The Citrix ADC appliance might fail during NAT64 translation of a received IPv6 request packet if the following condition is true:

    The last 32 bits of the destination IPv6 address, which become the translated IPv4 destination address, are 240.0.0.0 or higher, that is, they fall in the reserved IPv4 range.

    Workaround: Add an ACL to deny such packets before they reach the translator.

    [ NSHELP-22742 ]
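    To decide which packets the workaround ACL must deny, extract the IPv4 address embedded in the low 32 bits of the NAT64-prefixed destination and test it against 240.0.0.0/4. The following Python is an added example, not code from the release notes or from Citrix; it assumes the RFC 6052 well-known prefix 64:ff9b::/96 by default (a deployment-specific /96 can be passed in), and the sample destination addresses are constructed, not captured traffic. It also computes the single IPv6 /100 block that covers every destination in the reserved range, which is what you would put in the deny ACL.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; deployments often use their own /96, so it is a parameter.
WELL_KNOWN_NAT64 = ipaddress.IPv6Network("64:ff9b::/96")
# Translated IPv4 destinations this build cannot handle: 240.0.0.0 and above (reserved space).
RESERVED_V4 = ipaddress.IPv4Network("240.0.0.0/4")


def embedded_ipv4(addr, nat64_prefix=WELL_KNOWN_NAT64):
    """IPv4 address carried in the low 32 bits of a NAT64-prefixed IPv6 address, or None
    if the address is outside the NAT64 prefix (the translator never sees it)."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in nat64_prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def hits_reserved_range(addr, nat64_prefix=WELL_KNOWN_NAT64):
    """True if NAT64 would translate this destination into 240.0.0.0/4."""
    v4 = embedded_ipv4(addr, nat64_prefix)
    return v4 is not None and v4 in RESERVED_V4


def deny_candidates(dest_addrs, nat64_prefix=WELL_KNOWN_NAT64):
    """Reduce observed IPv6 destinations to the ones an ACL should deny, paired with
    the IPv4 address each would have been translated to."""
    return [
        (a, str(embedded_ipv4(a, nat64_prefix)))
        for a in dest_addrs
        if hits_reserved_range(a, nat64_prefix)
    ]


def reserved_v6_block(nat64_prefix=WELL_KNOWN_NAT64):
    """The IPv6 /100 inside the NAT64 prefix whose low 32 bits span 240.0.0.0/4.
    Denying this one block covers every destination that triggers the issue."""
    base = int(nat64_prefix.network_address) | (int(RESERVED_V4.network_address))
    return ipaddress.IPv6Network((base, 96 + RESERVED_V4.prefixlen))


# Constructed sample destinations (not captured traffic).
SAMPLE_DESTS = [
    "64:ff9b::c000:201",   # 192.0.2.1: ordinary destination, allowed
    "64:ff9b::f000:1",     # 240.0.0.1: reserved, deny
    "64:ff9b::ffff:ffff",  # 255.255.255.255: reserved, deny
    "2001:db8::1",         # not inside the NAT64 prefix, not translated at all
]

if __name__ == "__main__":
    print("deny block:", reserved_v6_block())
    for v6, v4 in deny_candidates(SAMPLE_DESTS):
        print(f"deny {v6} (would become {v4})")
```

    The /100 returned by reserved_v6_block is the practical form of the workaround: one ACL entry denying that block covers the whole reserved range for the configured prefix, whereas matching individual addresses would miss the next one.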

  • A Citrix ADC appliance might crash during deployment if the following conditions are observed:
    • Multipath TCP (MPTCP) is enabled with MBF and PMTUD
    • MPTCP traffic is received and the response causes ICMP Fragmentation Needed error.

    [ NSHELP-22418 ]

  • In a high availability setup, one of the Citrix ADC appliances might crash if you perform an In Service Software Upgrade (ISSU) from Citrix ADC software version 13.0 build 47.24 or earlier to a later version.

    [ NSHELP-21701 ]

  • In a cluster setup with retainConnectionsOnCluster option enabled, a cluster node might crash when it receives fragmented packets followed by non-fragmented packets.

    [ NSHELP-21674 ]

  • When the Citrix ADC appliance is cleaning up a large number of server connections as part of a remove command, the Pitboss process might restart. This Pitboss restart might cause the ADC appliance to crash.

    [ NSHELP-136 ]

Policies

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]

  • The rewrite action of insert_after type might not work with HTTP chunked or FIN terminated response.

    [ NSHELP-22743 ]

SSL

  • Update command is not available for the following add commands:
    • add azure application
    • add azure keyvault
    • add ssl certkey with hsmkey option

    [ NSSSL-6484 ]

  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]

  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]

  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]

  • An incorrect warning message, “Warning: No usable ciphers configured on the SSL vserver/service,” appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]

  • A Citrix ADC appliance might crash if the following conditions are met:
    • A certificate-key pair is added with the expiry monitor option enabled.
    • The certificate date is earlier than 01/01/1970.

    [ NSHELP-22934 ]

  • The Citrix ADC appliance might crash during an abbreviated (resumed) TLS 1.3 handshake if all of the following settings are applied to an SSL profile:

    • SNIHTTPHostMatch is set to CERT
    • TLSv1.3 is enabled
    • Session ticket is enabled.

    Workaround: Set SNIHTTPHostMatch to either STRICT or NO.

    [ NSHELP-22126 ]
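    Both of the crash conditions above are visible in the saved configuration before they are hit: two OCSP responders bound to the same certificate-key pair whose URLs point at the same host name (the fixed issue NSHELP-21278, worth checking if you still run an earlier build), and an SSL profile combining TLS 1.3, session tickets and SNIHTTPHostMatch CERT (the open issue NSHELP-22126). The following Python is an added example, not code from the release notes or from Citrix: it parses a constructed ns.conf excerpt and reports both patterns. The command syntax it expects (“add ssl ocspResponder <name> -url <URL>”, “bind ssl certKey <certkey> -ocspResponder <name>”, “add/set ssl profile <name> -tls13 ... -sessionTicket ... -SNIHTTPHostMatch ...”) and the factory default of CERT for SNIHTTPHostMatch are assumptions; confirm them against your own ns.conf before relying on the result.

```python
import shlex
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed ns.conf excerpt, not taken from a real appliance.
SAMPLE_CONF = """\
add ssl ocspResponder ocsp_primary -url "http://ocsp.example.com/" -insertClientCert NO
add ssl ocspResponder ocsp_backup -url "http://ocsp.example.com/backup" -insertClientCert NO
add ssl ocspResponder ocsp_other -url "http://ocsp2.example.com/" -insertClientCert NO
bind ssl certKey rootCA -ocspResponder ocsp_primary -priority 1
bind ssl certKey rootCA -ocspResponder ocsp_backup -priority 2
bind ssl certKey rootCA -ocspResponder ocsp_other -priority 3
bind ssl certKey otherCA -ocspResponder ocsp_primary -priority 1
add ssl profile fe_tls13 -sessionTicket ENABLED -tls13 ENABLED
set ssl profile fe_tls13 -SNIHTTPHostMatch CERT
add ssl profile fe_default -sessionTicket ENABLED -tls13 ENABLED
add ssl profile fe_safe -sessionTicket ENABLED -tls13 ENABLED -SNIHTTPHostMatch STRICT
add ssl profile fe_tls12 -sessionTicket ENABLED -SNIHTTPHostMatch CERT
"""

# Assumed factory default: a profile that never sets SNIHTTPHostMatch behaves as CERT.
SNI_HOST_MATCH_DEFAULT = "CERT"


def parse_conf(conf):
    """Yield (verb, feature, entity, name, params) for every add/set/bind line.
    Parameters are '-flag value' pairs; a flag with no value is recorded as True."""
    for raw in conf.splitlines():
        tokens = shlex.split(raw.strip())
        if len(tokens) < 4 or tokens[0] not in ("add", "set", "bind"):
            continue
        verb, feature, entity, name, rest = tokens[0], tokens[1], tokens[2], tokens[3], tokens[4:]
        params, i = {}, 0
        while i < len(rest):
            key = rest[i].lstrip("-")
            if i + 1 < len(rest) and not rest[i + 1].startswith("-"):
                params[key] = rest[i + 1]
                i += 2
            else:
                params[key] = True
                i += 1
        yield verb, feature, entity, name, params


def shared_ocsp_hosts(conf):
    """certkeys that have two or more bound OCSP responders whose URLs resolve to the
    same host name, the NSHELP-21278 trigger. Returns {certkey: {host: [responders]}}."""
    host_of, bound = {}, defaultdict(list)
    for verb, feature, entity, name, params in parse_conf(conf):
        if (verb, feature, entity) == ("add", "ssl", "ocspResponder") and "url" in params:
            host_of[name] = urlsplit(params["url"]).hostname
        elif (verb, feature, entity) == ("bind", "ssl", "certKey") and "ocspResponder" in params:
            bound[name].append(params["ocspResponder"])
    findings = {}
    for certkey, responders in bound.items():
        by_host = defaultdict(list)
        for r in responders:
            by_host[host_of.get(r)].append(r)
        dups = {h: rs for h, rs in by_host.items() if len(rs) > 1}
        if dups:
            findings[certkey] = dups
    return findings


def tls13_resumption_crash_profiles(conf):
    """SSL profiles with TLS 1.3 and session tickets enabled while SNIHTTPHostMatch is
    CERT (explicitly or by default), the NSHELP-22126 trigger."""
    profiles = defaultdict(dict)
    for verb, feature, entity, name, params in parse_conf(conf):
        if (feature, entity) == ("ssl", "profile") and verb in ("add", "set"):
            profiles[name].update(params)  # later 'set' lines override earlier values
    return sorted(
        name for name, p in profiles.items()
        if p.get("tls13") == "ENABLED"
        and p.get("sessionTicket") == "ENABLED"
        and p.get("SNIHTTPHostMatch", SNI_HOST_MATCH_DEFAULT) == "CERT"
    )


if __name__ == "__main__":
    print("OCSP responders sharing a host per certkey:", shared_ocsp_hosts(SAMPLE_CONF))
    print("profiles to set SNIHTTPHostMatch STRICT or NO on:", tls13_resumption_crash_profiles(SAMPLE_CONF))
```

    Run it against a copy of /nsconfig/ns.conf; every profile it lists is one where the workaround (set SNIHTTPHostMatch to STRICT or NO) applies, and fe_default in the sample shows why a check that only greps for an explicit CERT would miss profiles relying on the default.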

  • A partitioned Citrix ADC appliance might not respond as expected if you perform the following actions:
    1. Create two OCSP responders in different partitions.
    2. Clear the config in one partition.
    3. Remove the OCSP responder in the other partition.

    [ NSHELP-20861 ]

  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.

    [ NSHELP-13466 ]

System

  • A Citrix ADC appliance might crash if the following conditions are observed:
    • HTTP/2 is enabled in the HTTP profile bound to a load balancing virtual server of type HTTP or SSL, or to a service.
    • The connection multiplexing option is disabled in the HTTP profile bound to that load balancing virtual server or service.

    [ NSHELP-21202 ]

  • For synflood trap generation, if you do not reset the varbinding values, the appliance uses the old trap varbinding values instead of the current and threshold values.

    [ NSHELP-20653 ]

  • In Multi-path TCP (MPTCP) the si_cur_Clients and si_cur_clnt_ConnOpenEst counters are incremented twice.

    [ NSHELP-19896 ]

User Interface

  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge Connector.

    Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]

  • Only the last three digits of the year are displayed in “Up since (Local)” line of the “stat system” command.

    [ NSHELP-22960 ]

  • When you use the scroll bar in the Syslog dashboard in Citrix ADC GUI, the page either scrolls fast or displays whitespace.

    [ NSHELP-21267 ]

  • If a system administrator performs all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance:

    1. Upgrade the Citrix ADC appliance to one of the following builds:

      • 13.0 build 52.24
      • 12.1 build 57.18
    2. Add a system user, or change the password of an existing system user, and save the configuration.
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    query ns config -changedpassword [-config ]

    Workaround:

    To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.

    • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.

    • If none of the above options work, a system administrator can reset the system user passwords. For more information, see: https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]
