Release Notes for NetScaler 13.1–12.51 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the NetScaler release Build 13.1–12.51.

Build 13.1–12.51 replaces Build 13.1–12.50.

This build also includes a fix for the following issue: NSWAF-8668.


This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the security bulletin.

What’s New

The enhancements and changes that are available in Build 13.1–12.51.

Authentication, authorization, and auditing

Support for latest versions of Intune NAC APIs

NetScaler Gateway support for Intune Network Access Control (NAC) is now enhanced for the latest versions of Intune NAC APIs.

[ NSAUTH-9722 ]

Support for GSLB active-active deployment for nFactor authentication using connection proxy

Support is now added for GSLB active-active deployment for nFactor authentication using connection proxy. This support is applicable for both NetScaler Gateway and Authentication, authorization, and auditing scenarios. Currently, if various factors are configured in nFactor authentication and if gateway is configured for GSLB, then the authentication might break if the client request lands on different GSLB sites.

For example, if LDAP is configured as first factor and RADIUS is configured as second factor, then the authentication might break in the following scenario.

  • Client request for LDAP lands on GSLB site 1.
  • Radius request lands on GSLB site 2. Connection proxy is now used to route request to the correct GSLB sites for completing authentication and serving traffic.

[ NSAUTH-7141 ]

NetScaler SDX Appliance

On a NetScaler SDX appliance, the Management Service polls the NetScaler instances in the background for operations, such as SSL certificates, network functions, and config audit. You can now enable and disable this polling depending on your requirement. Disabling this polling improves the performance of the Management Service and the ADC instances.

[ NSSVM-4991 ]

NetScaler Web App Firewall

Verbose logging for JSON security checks (SQL, CMD, and XSS)

The NetScaler appliance now enables you to configure verbose log level parameter for logging violation details such as pattern, pattern payload, and HTTP header details for JSON security checks. The log details are then sent to the NetScaler ADM server for monitoring and troubleshooting purpose. The verbose log message is not stored in the ns.log file.

[ NSWAF-8269 ]

Deprecate Web App Firewall Classic auditlog policies

To globally bind Web App Firewall policies, a new global binding type APPFW_GLOBAL is now configurable in the bind audit syslogGlobal and bind audit nslogGlobal commands. The global bound auditlog policies evaluate in the Web App Firewall logging context.

[ NSWAF-406 ]

Load Balancing

Rewrite policy support for the MQTT protocol

The rewrite feature now supports the MQTT protocol. You can configure the rewrite policy to take actions based on the parameters in the MQTT client requests and server responses.

[ NSLB-8661 ]

Priority order for services

The priority order for services feature enables you to prioritize the order for services or service groups based on the load balancing selection preferences. You can now configure the service selection order when you bind the services or service groups to the LB or GSLB virtual servers. A new parameter, -order <number> is added to the bind commands to configure the service selection preference.

By default, the lowest order number has the highest priority. However, you can defer this default selection behavior. Using the new LB action and policy commands, you can now configure the service selection order based on the incoming client traffic.

The priority order for services feature imitates the behavior of the primary and backup virtual server chain functionality with a fewer configuration commands.

[ NSLB-8039 ]


Insert the client IP address in the IP Tunnel outer header for session-less load balancing configuration

In a session-less load balancing configuration with the following settings, the encapsulator NetScaler appliance uses a SNIP address instead of the client IP address as the source IP in IP tunnel’s outer header.

  • Load balancing virtual server:

  • redirection mode (m): IP tunnel
  • sessionless: enabled

  • IP tunnel global parameter:

  • use client source IP address (useClientSourceIP): enabled

However, in some scenarios, the tunnel decapsulator (a back-end NetScaler or a back-end server) needs to be aware of the client’s IP address.

To meet this requirement, the encapsulator NetScaler appliance now uses the client IP address as the source IP in the IP tunnel’s outer header.

For more information, see Configure load balancing in DSR mode by using IP Over IP.

[ NSNET-21804 ]


VMware ESXi image boots up to virtual hardware version 13

When you deploy a NetScaler VPX instance from the VMware ESXi image (12.1 onwards), by default, the virtual machine comes up with the hardware version 13.

[ NSPLAT-21416 ]

Support for Intel Ethernet Controller X710 and XL710 series on Citrix Hypervisor

You can now configure a NetScaler VPX instance running on Citrix Hypervisor using single root I/O virtualization (SR-IOV) with the following NICs:

  • Intel X710 10G
  • Intel XL710 40G

[ NSPLAT-21410 ]

Deploy a VPX high-availability pair using private IP addresses with AWS shared VPC

You can now deploy a VPX high-availability pair using private IP addresses across different AWS zones with AWS shared virtual private clouds (VPCs). VPC sharing allows multiple AWS accounts to create their application resources into shared, centrally-managed VPCs. You can create NetScaler VPX instances in AWS shared VPC. The shared VPC reduces the number of VPCs that you create and manage, while using separate accounts for billing and access control.

[ NSPLAT-21401 ]


New expression to detect malware based on JA3 SSL fingerprint

A new SSL expression, CLIENT.SSL.JA3_FINGERPRINT, is added that helps identify any malicious requests by comparing the request against the configured JA3 fingerprint.

Example: add ssl policy ja3_pol -rule "CLIENT.SSL.JA3_FINGERPRINT.EQ(bb4c15a90e93a25ddc16274395bce4c6)" -action reset

[ NSSSL-10156 ]

Support for certificate bundle in cluster

Certificate bundles are now supported in a cluster setup.

[ NSSSL-9854 ]

Support for SSL certificate bundle

The certificate bundle feature has been enhanced to treat the bundle as an entity. Therefore, there is no need to create files for each intermediate certificate. Two certificate bundles can now share part of the intermediate certificate chain. You can also add a certificate-key pair using the same server certificate and key that is also part of a certificate bundle. Removal of certificate bundle is also simplified.

Earlier, adding a certificate bundle added multiple commands in the configuration. You can not add another certificate bundle if two bundles shared a common intermediate certificate. Removing was also a manual process.

[ NSSSL-9425 ]


The html injection related commands were removed in 13.1 release. This change removes all the backend code.

[ NSBASE-14742 ]

Fixed Issues

The issues that are addressed in Build 13.1–12.51.

Authentication, authorization, and auditing

The NetScaler appliance crashes if email OTP is configured.

[ NSHELP-29312 ]

Native OTP encryption tool does not allow special characters in device name.

[ NSHELP-28795 ]

When you log in to the NetScaler appliance, a blank password field appears when both the following conditions are met.

  • Duo two-factor authentication is configured
  • RfWebuI portal theme is used

[ NSHELP-27868 ]

Access to a service is denied if the following conditions are met:

  • The service is bound to an authentication virtual server.
  • 401 authentication is configured on the service and the virtual server that the service is bound to.

[ NSHELP-26903 ]

In a rare scenario, the secondary node in a high availability setup might crash if the following condition is met.

  • The aaa groups and/or aaa users are configured on the NetScaler appliance.

[ NSHELP-26732 ]

If the admin password for LDAP, RADIUS or TACACS services contains the double quotes (“) character, the NetScaler appliance strips it during the Test Connectivity check, resulting in connection failure.

[ NSHELP-23630 ]

NetScaler SDX Appliance

On the NetScaler SDX 14000-40G, 15000, and 15000-50G platforms, setting the interface speed using the CLI fails.

[ NSHELP-29388 ]

When you change the profile on an ADC instance hosted on the NetScaler SDX platform, you might notice some extra entries for the save config command in the log file.

[ NSHELP-29343 ]

On a NetScaler SDX appliance, an SNMP agent running in the Management Service returns an incorrect error code for non-existing OIDs.

[ NSHELP-29209 ]

The data in ADC events table can now be sorted across pages if the total number of data records is less than 5000.

[ NSHELP-29170 ]

NetScaler Gateway

The NetScaler appliance might crash if EPA is configured and sufficient memory is not available.

[ NSHELP-28329 ]

The directory /var/netscaler/logon/LogonPoint/custom/ is not created after an upgrade if the directory was not present initially.

[ NSHELP-28223 ]

You might see an extra line for NS_AUDITLOG_STR* logs in the ns_aaa_json.c file.

[ NSHELP-28160 ]

DNS registration does not work after the VPN connection is established.

To fix this issue, you must enable the nsapimgr knob, -ys call=toggle_vpn_configured_dns_disable_override.

[ NSHELP-27760 ]

Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.

[ NSHELP-26904 ]

The ICA latency of a session is recorded incorrectly as 64,000 ms in the Citrix Director when L7 latency is enabled. L7 latency is enabled when the nsapimgr knob enable_ica_l7_latency is set to 1.

[ NSHELP-23459 ]

The Gateway Insight log file is flooded with the following message when users log in to the NetScaler Gateway appliance and access the ICA apps.

GwInsight: Func=ns_aaa_copy_email_id_to_vpn_record input hash_attrs_len is zero Oct 25 23:01:31 <local0.err> 25 23:01:31 <local0.err> 10/26/2021:06:01:31 GMT NSGWTHDR 0-PPE-0 : default SSLVPN Message 10491736 0 : GwInsight: Func=ns_aaa_copy_email_id_to_vpn_record input hash_attrs_len is zero

[ CGOP-19685 ]

The NetScaler Gateway portal enterprise bookmark feature supports only the following protocols. All other bookmarks are blocked. http://, https://, rdp://, and ftp://.

[ CGOP-19543 ]

NetScaler Web App Firewall

If you are using WAF signatures, after upgrading the build, you must update all the WAF signatures including the default signatures to the latest version. Then, re-enable the required signature rules.

[ NSWAF-8668 ]

In some cases, a NetScaler appliance might crash when trap URLs are auto-generated in the bot management system.

[ NSHELP-29339 ]

Load Balancing

The GSLB service group is unable to handle monitor updates due to a missing ENUM value in failed commands.

[ NSHELP-29050 ]

The NetScaler appliance crashes while trying to free up memory allocated in a different partition from the one it is being freed from.

[ NSHELP-29038 ]

If a ZONE type DNS record is available for the parent domain, query for the child domain with an existing NS record results in parent domain SOA record instead of child domain NS record.

[ NSHELP-28793 ]

The NetScaler appliance might fail to respond to a GSLB domain query with an expected GSLB service IP address, if the GSLB virtual server is configured as follows: Persistence type: Source IP address Load balancing algorithm: Static proximity Backup load balancing method: Round trip time (RTT)

[ NSHELP-28668 ]

The load balancing or GSLB domain-based Autoscale service group state remains DOWN if you use a wildcard port.

[ NSHELP-28548 ]

The last response message is displayed incorrectly for monitors bound to GSLB service groups.

[ NSHELP-28393 ]

The cookieTimeout value is incorrectly set during the GET operation, resulting in failure of CS virtual server update operation.

[ NSHELP-27979 ]

A NetScaler appliance might fail when handling monitor probe for mysql type of monitor, which eventually leads to a system reboot.

[ NSHELP-27953 ]


NetScaler CPX instance, running on a Linux system with 64-bit architecture and 1 TB of file storage, can load certificate and key files now.

[ NSHELP-28986 ]

The URL set pattern matching fails for IDNA2008 standard domains.

[ NSHELP-28902 ]

When MAC-based forwarding (MBF) is enabled for VXLAN, the stateful TCP session was not getting established.

[ NSHELP-27125 ]


Upgrading a NetScaler appliance that has admin partitions might cause some configuration loss if the following condition is met:

  • If the entire available system memory is allocated to admin partitions.

[ NSNET-23031 ]


VLAN ID 2 is reserved for internal usage

VLAN ID 2 is reserved for internal usage for deployments in the bridge and none mode. NetScaler CPX binds all the interfaces, other than the 0/1, to VLAN ID 2 and the MTU (Maximum Transmission Units) of the VLAN ID 2 is set equal to the MTU of the eth0 interface. If you want to configure VLAN and bind interface with it, set MTU on VLAN to interface’s MTU as configured on Linux, if interface MTU is less than 1500 bytes.

[ NSNET-22807 ]

A NetScaler BLX appliance in DPDK mode might crash if a Web Application Firewall profile is configured with advanced security protection checks.

[ NSNET-22654 ]

The NetScaler appliance might crash while creating a monitor probe for the related service if the following conditions are met:

  • A net profile with an IP set that has at least one IPv4 address and no IPv6 address. The net profile is bound to a monitor, which is set to an IPv6 service.
  • A net profile with an IP set that has at least one IPv6 address and no IPv4 address. The net profile is bound to a monitor, which is set to an IPv4 service.

[ NSHELP-29382 ]

In a NetScaler appliance, passive FTP data connections might be lost after a memory allocation failure.

[ NSHELP-26522 ]


The NetScaler VPX instances that use VMXNET3 driver might randomly crash if the instance is running on one of the following NetScaler builds:

  • NetScaler 13.1 build 4.x
  • NetScaler 13.1 build 9.x

[ NSHELP-29120 ]


A NetScaler appliance might crash with the following conditions:

  • An audit message action is configured with the string builder expression with one or more REGEX functions applied to the body of a request.
  • An Application Firewall profile configured with the Streaming option enabled.

For example, HTTP.REQ.BODY(10000000).REGEX_SELECT(re/name=[^\r\n]*[\r\n]+/).

[ NSHELP-27895 ]


A NetScaler appliance crashes while processing an HTTP request if the policy action is set to Forward for a policy that is already bound at the request bind point.

[ NSHELP-29115 ]

A NetScaler appliance crashes if the following steps are followed:

  1. A monitor of type SSL is added.
  2. A certificate-key pair is bound to the monitor.
  3. The monitor is removed.
  4. Another monitor with the same name is added.
  5. The certificate-key pair is updated.

[ NSHELP-28666 ]

All the IP addresses in a SAN certificate are now displayed. Earlier only the last SAN IP address of all the IP addresses in the SAN certificate were displayed.

[ NSHELP-27336 ]

SSL handshake fails if you use DH ciphers with an external HSM.

[ NSHELP-25307 ]


When a NetScaler appliance receives an HTTP/2 GOWAY frame from a client, it incorrectly resets all streams with stream ID greater than promised ID (last peer initiated stream identifier).

[ NSHELP-29328 ]

On a NetScaler ADM, the ADM-Agent might report a high memory usage due to an issue in the ADM-Agent.

[ NSHELP-29285 ]

The NetScaler appliance crashes when all of the following conditions are met:

  • A content inspection action, with a server IP address, uses the internal data of a service if already configured.
  • As a result, the internal data of the service is also removed when the CI action is removed.
  • When the actual service is removed, the NetScaler appliance makes an attempt access and delete the already removed internal data.

[ NSHELP-28293 ]

In a NetScaler appliance with admin partitions, nstrace utility might not run properly in a non-default partition

[ NSBASE-15738 ]

In a cluster configuration, a node with CCO priority gets disconnected from Open vSwitch (OVS) because of network issues. After the node rejoins to the cluster configuration, it does not receive the latest SYN cookie.

[ NSBASE-14419 ]

User Interface

ADC instances in a cluster mode configured with pooled capacity go down. This issue happens when a hostname is configured in the cluster nodes and if the nodes take more time in connecting to the ADM license server on bootup.

[ NSHELP-28613 ]

NetScaler GUI might incorrectly generate a cluster technical support bundle of only one node instead of all the cluster nodes.

[ NSHELP-28606 ]

Generating a cluster technical support bundle by using NetScaler GUI might fail with an error.

[ NSHELP-28586 ]

In a NetScaler CLI interface, the options to bind commands are not auto-populated if you press the <Tab> key while typing the command in the command prompt.

For example, type the following command and when using the <Tab> key the objects are not auto-populated.

bind authentication vserver <authvservername> -policy <Tab>.

Here, the authentication virtual server can be bound to multiple object types such as radius policy, Idappolicy, cert policy, TACAS policy, advanced authentication policy, and so on.

[ NSCONFIG-6340 ]

Known Issues

The issues that exist in release 13.1–12.51.


HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.


Authentication, authorization, and auditing

In some cases, memory leak is observed in a NetScaler appliance if the SSO functionality is used with a proxy server.

[ NSHELP-27744 ]

A NetScaler appliance does not authenticate duplicate password login attempts and prevents account lockouts.

[ NSHELP-563 ]

The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of NetScaler GUI.

[ NSAUTH-6106 ]

ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command. show adfsproxyprofile <profile name>


Connect to the primary active NetScaler in the cluster and run the show adfsproxyprofile <profile name> command. It would display the proxy profile status.

[ NSAUTH-5916 ]

The Configure Authentication LDAP Server page on the NetScaler GUI becomes unresponsive if you pursue the following steps:

  • The Test LDAP Reachability option is opened.
  • Invalid login credentials are populated and submitted.
  • Valid login credentials are populated and submitted.


Close and open the Test LDAP Reachability option.

[ NSAUTH-2147 ]


A NetScaler appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

[ NSHELP-22942 ]

NetScaler SDX Appliance

On a NetScaler SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

[ NSSVM-4333 ]

NetScaler Gateway

In some cases, the server validation code fails when the server certificate is trusted. As a result, end users cannot access the gateway.

[ NSHELP-28942 ]

Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection.

[ NSHELP-28848 ]

Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

[ NSHELP-28551 ]

Sometimes, a user is logged out of NetScaler Gateway within a few seconds when the client idle timeout is set.

[ NSHELP-28404 ]

The Windows plug-in might crash during authentication.

[ NSHELP-28394 ]

The Gateway Insight does not display accurate information on the VPN users.

[ NSHELP-23937 ]

VPN plug-in doesn’t establish tunnel after Windows logon, if the following conditions are met:

  • NetScaler Gateway appliance is configured for Always On feature
  • The appliance is configured for certificate based authentication with two factor authentication off

[ NSHELP-23584 ]

Sometimes while browsing through schemas, the error message Cannot read property 'type' of undefined appears.

[ NSHELP-21897 ]

If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to NetScaler Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

[ CGOP-19355 ]

Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

[ CGOP-13621 ]

The Gateway Insight report incorrectly displays the value Local instead of SAML in the Authentication Type field for SAML error failures.

[ CGOP-13584 ]

In a high availability setup, during NetScaler failover, SR count increments instead of the failover count in NetScaler ADM.

[ CGOP-13511 ]

While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

[ CGOP-13050 ]

The text Home Page in the Citrix SSO app > Home page is truncated for some languages.

[ CGOP-13049 ]

An error message appears when you add or edit a session policy from the NetScaler GUI.

[ CGOP-11830 ]

In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

[ CGOP-7269 ]

In a cluster deployment, if you run force cluster sync command on a non-CCO node, the ns.log file contains duplicate log entries.

[ CGOP-6794 ]

Load Balancing

In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

[ NSLB-7679 ]

The serviceGroupName format in the entityofs trap for the service group is as follows: <service(group)name>?<ip/DBS>?<port>

In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (?) is used as a separator. The NetScaler sends the trap with the question mark (?). The format appears the same in the NetScaler ADM GUI. This is the expected behavior.

[ NSHELP-28080 ]


When a forced synchronization takes place in a high availability setup, the appliance executes the set urlfiltering parameter command in the secondary node. As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the TimeOfDayToUpdateDB parameter.

[ NSSWG-849 ]

A NetScaler appliance might restart due to management CPU stagnation if connectivity issue occurs with the URL Filtering third party vendor.

[ NSHELP-22409 ]


After an upgrade from NetScaler BLX appliance 13.0 61.x build to 13.0 64.x build, settings on the BLX configuration file are lost. The BLX configuration file is then reset to default.

[ NSNET-17625 ]

The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a NetScaler BLX appliance with DPDK:

  • Disable
  • Enable
  • Reset

[ NSNET-16559 ]

On a Debian based Linux host (Ubuntu version 18 and later), a NetScaler BLX appliance is always deployed in shared mode irrespective of the BLX configuration file (/etc/blx/blx.conf) settings. This issue occurs because mawk, which is present by default on Debian based Linux systems, does not run some of the awk commands present in the blx.conf file.


Install gawk before installing a NetScaler BLX appliance. You can run the following command in the Linux host CLI to install gawk:

  • apt-get install gawk

[ NSNET-14603 ]

Installation of a NetScaler BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable


Run the following commands in the Linux host CLI before installing a NetScaler BLX appliance:

  • dpkg –add-architecture i386
  • apt-get update
  • apt-get dist-upgrade
  • apt-get install libc6:i386

[ NSNET-14602 ]

In some cases of FTP data connections, the NetScaler appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

[ NSNET-5233 ]

In a high availability setup, in the case of HA version mismatch between both the nodes, dynamic routes are not synched to the secondary node. The secondary node is not reachable if its accessibility is dependent on the dynamic routes.

As a fix, dynamic routes are synchronized to the secondary node even in case of HA version mismatch.

[ NSHELP-28326 ]

When an admin partition memory limit is changed in NetScaler appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.

[ NSHELP-21082 ]


The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and NetScaler VPX on-premises. Both of these issues are caused when the following conditions are met:

  1. During the first boot of the NetScaler appliance, you do not save the prompted password.
  2. Subsequently, you reboot the NetScaler appliance.

[ NSPLAT-22013 ]

When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the NetScaler appliances. This issue is fixed for the following NetScaler versions:

  • 13.1-4.x
  • 13.0-82.31 and later
  • 12.1-62.21 and later

The python packages are not installed, when you downgrade the NetScaler versions from 13.1-4.x to any of the following versions:

  • Any 11.1 build
  • 12.1-62.21 and earlier
  • 13.0-81.x and earlier

[ NSPLAT-21691 ]

Provisioning a VPX instance with version 12.0 XVA fails on a NetScaler SDX appliance running version 13.1.

Only VPX versions 12.1 and later are supported. Upgrade the VPX version before upgrading the SBI to version 13.1.

[ NSPLAT-21442 ]

In a cluster setup on a NetScaler SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You add another VPX instance to the cluster and CLAG setup.

As a result, traffic to the VPX instance stops.

[ NSPLAT-21049 ]

In a cluster setup on a NetScaler SDX appliance, the first node goes DOWN because of a MAC address mismatch on CLIP and MAC table, if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You remove the second node from the cluster.

[ NSPLAT-21042 ]

When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the rm cloudprofile command to delete the profile.

[ NSPLAT-4520 ]

In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears. Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.

[ NSPLAT-4451 ]


Connections might hang if the size of processing data is more than the configured default TCP buffer size.Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

[ NSPOLICY-1267 ]


On a heterogeneous cluster of NetScaler SDX 22000 and NetScaler SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.


  1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
  2. Save the configuration.

[ NSSSL-9572 ]

Update command is not available for the following add commands:

  • add azure application
  • add azure keyvault
  • add ssl certkey with hsmkey option

[ NSSSL-6484 ]

You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

[ NSSSL-6478 ]

You can create multiple Azure Application entities with the same client ID and client secret. The NetScaler appliance does not return an error.

[ NSSSL-6213 ]

The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type. ERROR: crl refresh disabled

[ NSSSL-6106 ]

Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

[ NSSSL-4427 ]

An incorrect warning message, Warning: No usable ciphers configured on the SSL vserver/service, appears if you try to change the SSL protocol or cipher in the SSL profile.

[ NSSSL-4001 ]

An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

[ NSSSL-3184 ]


The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

[ NSHELP-21240 ]

The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

[ NSHELP-10972 ]

When processing large streams of gRPC traffic, the TCP advertised window increases exponentially leading to high memory usage.

[ NSBASE-15447 ]

Client IP and Server IP is inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

[ NSBASE-8506 ]

User Interface

For the MQTT Rewrite feature, you cannot delete an expression using the Expression Editor in the GUI.


Use the add or edit action command of type MQTT through the CLI.

[ NSUI-18049 ]

In NetScaler GUI, the Help link present under the Dashboard tab is broken.

[ NSUI-14752 ]

Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.


Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the NetScaler GUI or CLI.

[ NSUI-13024 ]

If you create an ECDSA key by using the GUI, the type of curve is not displayed.

[ NSUI-6838 ]

In a high availability setup, VPN user sessions get disconnected if the following condition is met:

  • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.


Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

[ NSHELP-25598 ]

When you downgrade a NetScaler appliance version 13.0-71.x to an earlier build, some Nitro APIs might not work because of the file permission changes.


Change permission for /nsconfig/ns.conf to 644.

[ NSCONFIG-4628 ]

If you (system administrator) perform all the following steps on a NetScaler appliance, the system users might fail to log in to the downgraded NetScaler appliance.

  1. Upgrade the NetScaler appliance to one of the builds:
  • 13.0 52.24 build
  • 12.1 57.18 build
  • 11.1 65.10 build
  1. Add a system user, or change the password of an existing system user, and save the configuration, and
  2. Downgrade the NetScaler appliance to any older build.

To display the list of these system users by using the CLI: At the command prompt, type:

query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]


To fix this issue, use one of the following independent options:

  • If the NetScaler appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the NetScaler appliance using a previously backed up configuration file (ns.conf) of the same release build.
  • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  • If none of the above options work, a system administrator can reset the system user passwords.

For more information, see

[ NSCONFIG-3188 ]

Release Notes for NetScaler 13.1–12.51 Release