Release Notes for NetScaler 13.1–17.42 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the NetScaler release Build 13.1–17.42.


This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the security bulletin.

What’s New

The enhancements and changes that are available in Build 13.1–17.42.

Bot Management

Support for IPv6 addressing

NetScaler bot management now supports Internet Protocol Version 6 (IPv6) addressing for bot detection techniques.

[ NSBOT-690 ]

NetScaler Gateway

DF bit propagation for EDT over NetScaler Gateway

The NetScaler Gateway appliance now supports DF bit enforcement for the EDT Path Maximum Transmission Unit Discovery (PMTUD) feature. Path MTU discovery feature helps in dynamically determining the maximum transmission unit (MTU) when establishing an EDT session. The DF bit enforcement prevents EDT fragmentation that might result in performance degradation or failure to establish a session.

In earlier releases, NetScaler Gateway supported EDT path MTUD but did not support DF bit enforcement.

[ CGOP-18438 ]

NetScaler Web App Firewall

Enhanced support for learning multiple Cross-Site Scripting (XSS) violations

The NetScaler Web App Firewall learning process is now enhanced to reduce false positives in cross-site scripting attacks.

With learning enabled, you can learn all violations in a request and potentially apply relaxation to all tags/attributes/patterns at one time. Previously, you can report only one violation at one time and must repeat the process for multiple violations.

For example, if there are 15 custom tags in a payload each resulting in a violation, you can apply relaxation for the first violation and run the request to flag another custom tag as a violation. The process must be repeated to apply relaxation for all custom tags one by one.

[ NSWAF-7545 ]

Load Balancing

Option to enable or disable members of LB and GSLB Autoscale service group

You can now directly enable or disable specific members of an LB or GSLB (DNS-based) Autoscale service group. Therefore, managing an LB or GSLB (DNS-based) Autoscale service group is now made easier.

Previously, you had to enable or disable an entire LB or GSLB Autoscale service group to enable or disable an individual member. Only non-autoscale service groups had an option to enable or disable an individual member.

[ NSLB-8109 ]


ISSU statistics enhancements

The following two enhancements are added to ISSU statistics:

  • An option dumpsession (Dump Session) has been added to the show migration operation to display the list of existing connections that the old primary node is currently serving. The show migration operation with the dumpsession option must be run only on the new primary node.
  • The show migration operation (without any option) now displays the following additional information related to the ISSU migration operation:
  • Total number of connections that are processed as part of ISSU migration operation
  • Number of remaining connections that are being processed as part of ISSU migration operation

For more information, see .

[ NSNET-23577 ]

Monitor the ports usage on a NetScaler appliance for back-end connections using SNMP

You can use the PORT-ALLOC-EXCEED SNMP alarm to monitor the ports usage on a NetScaler appliance for back-end connections.

PORT-ALLOC-EXCEED SNMP alarm includes the high-threshold and normal-threshold parameters, which specify the total allocated ports of the NetScaler owned IP addresses as percentages. For example, if the high-threshold parameter is set to 90, the NetScaler appliance generates and sends trap messages when the following event happens:

  • when the port allocation percentage exceeds 90 percent on any of the NetScaler owned IP address for the back-end connections

The SNMP alerts help you in deciding the need for more NetScaler owned IP addresses if the free ports available are nearing exhaustion.

[ NSNET-21719 ]

GENEVE protocol support

A NetScaler appliance now supports the Generic Network Virtualization Encapsulation (GENEVE) protocol as defined in RFC 8926.

Server virtualization and cloud computing architecture have increased the demand for isolated Layer-2 networks in a data center. The VLAN limit of 4094 has proven to be inadequate and encapsulation protocols like VXLAN and NVGRE were introduced to overcome this limitation.

These protocols differ mainly in the control plane implementation. GENEVE protocol does not define specifications for the control plane. The protocol leaves to the implementation to define the control plane specifications.

GENEVE protocol is an encapsulation technology that aims to create Layer-2 overlay networks over Layer-3 infrastructure by encapsulating Layer-2 frames in UDP packets. Each VLAN is identified by a unique 24-bit identifier called the VNID. Only within the same segment ID (VNID) can communicate with each other.

A NetScaler appliance supports the GENEVE encapsulation on UDP port 6081.

[ NSNET-21717 ]

Configure SSH access to the Linux host running a NetScaler BLX appliance in dedicated mode

By default, SSH access to a Linux host running NetScaler BLX appliance in a dedicated mode cannot be done through the dedicated interfaces of the appliance.

You can configure SSH access to the Linux host through the dedicated interfaces of the NetScaler BLX appliance. This feature is useful in a single interface Linux host running a NetScaler BLX appliance in dedicated mode.

You can configure direct SSH access to the Linux host in either of the following types:

  • Provide SSH access on port 9022 of NetScaler IP (NSIP) of the NetScaler BLX appliance. - <NetScaler IP address (NSIP)>:9022
  • Define a new IP address in the subnet of NetScaler IP (NSIP) and provide SSH access on port 22. - <new IP address on the NetScaler IP address (NSIP) subnet>:22 Also, all other ports on the Linux host are reachable using the new IP address. For example, a rsyslog server running on the Linux host on port 514/UDP is now reachable on port 514 of the new IP address.

[ NSNET-21586 ]

Simplified deployment of a NetScaler BLX appliance with DPDK ports

The procedure to deploy a NetScaler BLX appliance with DPDK ports have been simplified with the following enhancements:

  • The NetScaler BLX appliance now uses libraries compiled with DPDK version 20.11.1. The appliance automatically loads the DPDK VFIO kernel module on the Linux host.
  • The dpdk-config parameter has been removed from the NetScaler BLX configuration (blx.conf) file. The existing worker-processes parameter now applies to the NetScaler BLX appliance with DPDK ports as well. The worker-processes specifies the number of packet engines for a NetScaler BLX appliance. In other words, the worker-processes is now a common parameter for the NetScaler BLX appliance irrespective of its mode (shared, or dedicated, or DPDK). If worker-process is not set, the NetScaler BLX appliance is configured with 1 packet engine by default.
  • The interfaces parameter now specifies the DPDK compatible NIC ports in addition to the non-DPDK NIC ports. The NetScaler BLX appliance automatically detects the DPDK compatible NIC ports (if any) from the list of ports specified to the interfaces parameter. The appliance then binds the detected DPDK compatible NIC ports to the DPDK VFIO module on the Linux host. After starting the NetScaler BLX appliance, the DPDK and non-DPDK NIC ports are automatically added as part of the appliance.
  • The dpdk-non-uio-intf parameter, which specifies the DPDK bound Mellanox NIC ports, has been removed from the NetScaler BLX configuration (blx.conf) file. The interfaces parameter now specifies the Mellanox NIC ports to be used as DPDK ports in the NetScaler BLX appliance. Before specifying the Mellanox NIC ports for the NetScaler BLX appliance, the Mellanox OFED DPDK libraries and kernel modules must be installed on the Linux host. The NetScaler BLX appliance automatically detects the specified Mellanox NIC ports and initializes them in DPDK mode. After starting the NetScaler BLX appliance, the DPDK bound Mellanox NIC ports are added as part of the appliance.
  • A new parameter total-hugepage-mem have been introduced in the NetScaler BLX configuration (blx.conf) file for setting up the hugepages for DPDK on the Linux host. The total-hugepage-mem parameter specifies the hugepages size in MB or GB (for example, 1024 MB and 2 GB).
  • On upgrading a NetScaler BLX appliance with DPDK ports, the upgrade module automatically converts the existing configurations to the new format in the NetScaler BLX configuration (blx.conf) file.

[ NSNET-20524 ]

Monitor the free ports available on a NetScaler appliance for a new back-end connection

For communication with the physical servers or other peer devices, the NetScaler appliance uses a Citrix owned IP address as the source IP address. The NetScaler appliance maintains a pool of its IP addresses, and dynamically selects an IP address while connecting with a server. Depending on the subnet in which the physical server is placed, the appliance decides which IP address to use. This address pool is used for sending traffic and monitor probes.

You can display the total number of free ports available on the NetScaler owned IP addresses for a new back-end connection. This information helps you in deciding the need for more NetScaler owned IP addresses if the free ports available are nearing exhaustion.

You can provide the following information for the NetScaler appliance to calculate the total number of free ports available for a new back-end connection:

  • Citrix owned IP address (optional)
  • Destination IP address
  • Destination port
  • TCP or non-TCP protocol

[ NSNET-20410 ]


Support for NetScaler VPX configurations at the first boot of the NetScaler appliance on KVM hypervisor

You can now apply the NetScaler VPX configurations during the first boot of the NetScaler appliance on KVM hypervisor. Therefore, a customer setup on a VPX instance can be configured in much lesser time.

[ NSPLAT-21571 ]

Exclude nstrace folder from NetScaler admin partitions during backup operation

In a NetScaler appliance with admin partitions, backup operation of nstrace folder is excluded. This reduces the overall backup size of NetScaler without losing important data.

[ NSPLAT-21433 ]


Support for CIDR subnet notation in IPv4 and IPv6 addresses for policy dataset

The Policy datasets for IPv4 and IPv6 addresses now allow the bound value to be subnets using the CIDR notation (for example, a.b.c.d/n). The CIDR notation specifies the address and the range of the subnet. Previously, there was no option to add subnets in the policy datasets.

For more information, see

[ NSPOLICY-3828 ]


Disable non-secure protocols on front-end SSL services on a NetScaler appliance

Standard security scans might trigger an alert for non-secure protocols on the front-end SSL services created by default when a NetScaler appliance boots. To avoid such alerts, these protocols are now disabled by default on the front-end SSL services when the appliances boot up. Examples of non-secure protocols are SSLv3, TLv1, and TLSv1.1.

When the default SSL profile is enabled, a new SSL profile is created in which these protocols are disabled. This new profile is bound to the front-end SSL services (ns_default_ssl_profile_internal_frontend_service). This profile is editable.

[ NSSSL-9985 ]

Support for certificates signed using the RSASSA-PSS algorithms

All NetScaler platforms now support certificates that are signed with the RSASSA-PSS algorithms. These algorithms are supported in the X.509 certificate path validation.

[ NSSSL-9289 ]

Fixed Issues

The issues that are addressed in Build 13.1–17.42.

Authentication, authorization, and auditing

The NetScaler appliance crashes if the ADFSPIP URL is set to type http://. ADFSPIP only supports https:// URL types.

[ NSHELP-29838 ]

The NetScaler appliance might crash during a SAML IdP flow, if there is a significant delay in request processing.

[ NSHELP-29789 ]

Rewrite policies for endpoints such as /logon/LogonPoint/Resources/List and /cgi/Resources/List are not supported.

[ NSHELP-29488 ]

In rare cases, the NetScaler appliance might crash due to an incorrect log position.

[ NSHELP-29267 ]

A NetScaler appliance configured to authenticate using OAuth Service Provider, cannot be configured with ‘client-secrete_post` to authenticate with IDP tokenEndPoint.

With this fix, the authentication method client_secret_basic is added to the OAuth service provider feature of ADC when it communicates with the token endpoint of the IDP.

[ NSHELP-28945 ]

A NetScaler appliance might fail to respond when SAML authentication is in progress and X.509 certificates of size 1800 bytes or more are used in the SAML authentication.

[ NSHELP-28608 ]

The Authentication, authorization, and auditing.USER.ATTRIBUTE expression might give an empty value in multi-core NetScaler appliance when user password is changed on expiry.

[ NSHELP-28419 ]

The NetScaler appliance, when configured as an OAuth Relying Party, does not add the extracted ‘email’ and ‘username’ field information from the ID token to the hash attribute of the authentication, authorization, and auditing session.

[ NSHELP-28262 ]

When SAML metadata is configured, memory leak is observed with SSL certificates.

[ NSHELP-27846 ]

When a user performs a SAML logout, the log out does not happen immediately and the following error message is displayed:

Unsupported mechanisms found in Assertion; Please contact your administrator.

This error is seen because the IDP that the customer configured uses a different URL encoding technique to encode the signature algorithm parameter in the response. This fix now supports encoding the signature algorithm parameter in a SAML response using multiple URL encoding techniques.

[ NSHELP-27621 ]

Sometimes, if nFactor is configured, incorrect IP address is logged in the logout message.

[ NSHELP-26692 ]

The NetScaler appliance crashes if both of the following conditions are met.

  • Email OTP is configured
  • Email server does not respond or there is a network issue with the email server

[ NSHELP-26137 ]

In a high availability setup, the NetScaler appliance crashes when a forced synchronization is initiated.

[ NSAUTH-11876 ]

Intune NAC v2 is not supported for Android 11 and later.

[ NSAUTH-11872 ]

Admins cannot use the LDAP or RADIUS connectivity tool if the password contains a certain special character or if the arguments have a space in it.

[ NSAUTH-11322 ]

Bot Management

When the CAPTCHA challenge is in progress, the NetScaler bot management does not honor the configured value set by the user for the CAPTCHA retry attempts.

[ NSBOT-801 ]


CallHome registration might fail for NetScaler MPX appliances using pooled licensing. The registration fails because CallHome uses an incorrect serial number for registering the appliances with the NetScaler support Server.

[ NSHELP-28667 ]

NetScaler SDX Appliance

When you restore a NetScaler SDX appliance from the backup, the CLI prompt string is not restored.

[ NSHELP-30238 ]

On a NetScaler SDX 115xx appliance, restoring a VPX allotted with a high number of CPU cores (3–5 cores) might fail if the appliance backup contains three or more instances.

[ NSHELP-30135 ]

On a NetScaler SDX appliance, the default value for raising the alarm on the Hypervisor Disk Usage High alert is increased to 98 percentage.

[ NSHELP-29688 ]

When the interface speed value is more than 4 Gbps, a wrong value is returned due to integer overflow.

[ NSHELP-29658 ]

In rare cases, ADC inventory does not occur on a NetScaler SDX appliance.

[ NSHELP-29607 ]

On a NetScaler SDX appliance, the Management Service does not send syslog or email notifications if the power supply, voltage, or disk failures occur more than once.

[ NSHELP-29443 ]

NetScaler Gateway

Users cannot launch the EPA plug-in or the VPN plug-in after an upgrade to Chrome 98 or Edge 98 browser versions. To fix this issue, perform the following:

  1. For the VPN plug-in upgrade, end users must connect using VPN client for the first time to get the fix on their machines. In the subsequent login attempts, users can choose the browser or the plug-in to connect.
  2. For EPA only use case, the end users will not have the VPN client to connect to gateway. In this case, perform the following:

    1. Connect to the gateway using a browser.
    2. Wait for the download page to appear and download the nsepa_setup.exe.
    3. After downloading, close the browser and install the nsepa_setup.exe file.
    4. Restart the client.

[ NSHELP-30641 ]

In a high availability setup with TCP SYSLOG configuration, a node might crash during HA failover or during clear config operation.

[ NSHELP-29251 ]

In the NetScaler Gateway portal page, RDP proxy link icon does not change with RfWebUI portal theme.

[ NSHELP-28974 ]

After you upgrade the NetScaler Gateway appliance to version 13.0, the proxy configuration in session profile does not work as intended. The Proxy connection is bypassed for non-HTTP NS proxy configured.

Example: add vpn sessionAction-proxy NS -httpProxy -sslProxy

In this example, -httpProxy works as intended but -sslProxy does not work.

[ NSHELP-28640 ]

The NetScaler Gateway appliance crashes while processing STA in DTLS Audio because the allocated memory is not reset.

[ NSHELP-28432 ]

The NetScaler appliance logs stale messages related to the VPND process that is deprecated.

[ NSHELP-28163 ]

Access to StoreFront through a VPN virtual server fails if StoreFront is accessed through a backup load balancing virtual server.

[ NSHELP-27852 ]

The NetScaler Gateway appliance might crash when reconnecting to an existing ICA session.

[ NSHELP-27441 ]

You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

With this fix, you can now unbind the authorization policy by using the GUI.

[ NSHELP-27064 ]

NetScaler Web App Firewall

An upgrade to XML library version 2.9.12 causes the WAF signature-related XML files to break during parsing.

[ NSWAF-8662 ]

The JSON command injection protection appears Not blocked in the ns.log message, even if the HTTP request was blocked by the Web App Firewall module.

[ NSHELP-29709 ]

The Web App Firewall log message displays, BAD URL for Cross-Site Scripting (XSS) URL attribute violations, and the term Bad URL is not clear as to which category it belongs (such as tag, pattern, or attribute).

[ NSHELP-29358 ]

The bot device fingerprint post URL might fail if the bot management policy is enabled on a load balancing virtual server of type SSL.

[ NSHELP-29198 ]

The Web App Firewall signature ID 1048 blocks the NetScaler Gateway page from loading.

[ NSHELP-29113 ]

A NetScaler appliance might crash if the following modules are enabled:

  • Web App Firewall with advanced security checks.
  • Appqoe.

[ NSHELP-28251 ]

Load Balancing

When a member of the DNS service group of type Autoscale is in TROFS state and if the same member is added to the group again, the status of this member is not propagated.

[ NSHELP-29493 ]

Incremental synchronization fails for the add dns action and add location commands with policy expressions that contain wildcards.

[ NSHELP-29301 ]

Some service group members are not removed from the Autoscale service group list when there is a conflict between statically bound member and dynamically resolved DNS records. This issue leads to memory corruption.

[ NSHELP-28949 ]

The state of the service group displayed in the show and stat commands is inconsistent.

[ NSHELP-28931 ]

In rare cases, the location database configuration might be missing from the configuration (ns.conf) file.

[ NSHELP-28570 ]

SQL or Oracle type monitors crash when the peer sends a request to reset the existing connection.

[ NSHELP-28478 ]

In a persistence-enabled deployment, an incorrect virtual server is stored during context save.

[ NSHELP-28342 ]

Persistence configuration for an LB group is lost after an HA failover or when the NetScaler appliance is rebooted.

[ NSHELP-28071 ]

The configured state of the default monitor shows as disabled even when the default monitor is bound to a service.

[ NSHELP-27669 ]


The following issue occurs after upgrading the appliance to NetScaler version 12.1 build 63.22:

  • The Extension Find API might not work after the upgrade.

[ NSHELP-29860 ]


A NetScaler appliance might crash if all of the following conditions are met:

  • A load balancing route is configured in a traffic domain on the appliance.
  • A clear config operation is performed on the appliance.

[ NSNET-23847 ]

In a large scale NAT44 setup, the NetScaler appliance might crash while receiving SIP traffic because of the following reason:

  • The LSN module does not find the service while decrementing the reference count or deleting the service.

[ NSHELP-29134 ]

In a Large scale NAT44 deployment, the NetScaler appliance might crash while receiving SIP traffic because of the following reason:

  • The LSN module accessed the memory location of an already deleted service.

[ NSHELP-28815 ]

In a NetScaler appliance with even number of packet engines (PE), the appliance incorrectly displays the status of active interfaces as inactive of a redundant interface set (LR channels). This issue does not impact any functionality of the NetScaler appliance.

[ NSHELP-28099 ]

The NetScaler appliance might not generate coldStart SNMP trap messages after a cold restart.

[ NSHELP-27917 ]


The ntpdate command crashes leading to a core dump.

[ NSHELP-29649 ]


A NetScaler MPX 7500 appliance crashes if an EXPORT cipher suite is used.

[ NSSSL-11294 ]

In rare cases, you might see a crash during DTLS processing on the following platforms:

  • MPX 5900
  • MPX/SDX 8900
  • MPX/SDX 15000
  • MPX/SDX 15000-50G
  • MPX/SDX 26000
  • MPX/SDX 26000-50S
  • MPX/SDX 26000-100G

[ NSHELP-29538 ]

In a high availability setup, the certificate type is not synchronized correctly between the primary and secondary nodes.

[ NSHELP-27589 ]

In a VPN deployment, the NetScaler appliance picks up an SSL session for session reuse from cache to communicate to the proxy or back-end server. It does this without matching the SNI received from the client to the SNI present in the cached session.

As a result, either the SNI is not sent or a different SNI is sent depending on the cached data.

[ NSHELP-27439 ]


Memory leak is observed in a NetScaler appliance when clearing the allocated memory for Intrusion Prevention System (IPS) resources.

[ NSHELP-29992 ]

Configuration operations that associate SSL profiles and SSL certificate keys with an HTTP QUIC virtual server, might fail on a NetScaler cluster deployment.

[ NSHELP-29655 ]

A second request on the same client connection fails if the following conditions are met:

  • clientSideMeasurements is enabled.
  • HEAD request is received.

[ NSHELP-29353 ]

In some scenarios, a NetScaler appliance might crash under the following conditions:

  • TCP jumbo frames are used.
  • Persistence is configured on a TCP load balancing virtual server.

[ NSHELP-29162 ]

A NetScaler appliance crashes if the following conditions are met:

  • The client-side measurements option is enabled on the AppFlow action.
  • The chunk headers fall on the packet boundary.

[ NSHELP-29049 ]

A NetScaler appliance resets a connection if the HTTP pipeline (one or multiple requests) size exceeds 128 KB. The issue occurs because the pipeline size is hard limited to 128 KB.

[ NSHELP-28846 ]

A NetScaler Intrusion Prevention System (IPS) observes an issue with the rewrite policy when inserting or modifying data if the following condition is met:

  • The NetScaler appliance sends data packets to the IPS server before the back-end server connection opens.

[ NSHELP-28496 ]

In a high availability setup, HA synchronization of admin partition configurations fails on the secondary node because of the following reason:

  • Low memory issues caused because of huge config loads on the secondary node

[ NSHELP-28409 ]

When a client resets a connection with multiple TCP streams, the server-side transaction record is not sent which results in L4 records missing for those data streams.

[ NSHELP-28281 ]

In a TCP connection, the NetScaler appliance might drop a FIN packet, received from a server, instead of forwarding it to the client if all of the following conditions are met:

  • TCP buffering is enabled.
  • The server sends the FIN packet and the data packet separately.

[ NSHELP-27274 ]

In a cluster setup, the set ratecontrol command works only after restarting the NetScaler appliance.

[ NSHELP-21811 ]

When a NetScaler appliance receives an out-of-order TCP packet with the FIN flag set, the following issues might be observed:

  • The NetScaler appliance sends an incorrect SACK, which says the appliance received a 2 bytes instead of a 1 byte out-of-order TCP packet.
  • The NetScaler appliance does not acknowledge the TCP FIN packet by receiving in-order TCP packets.

[ NSBASE-15735 ]

User Interface

You can accidentally unlink an SSL certificate because there is no prompt for confirmation. With this fix, when the user clicks a linked certificate, it prompts for a confirmation before unlinking a certificate.

[ NSUI-17897 ]

Modifying an ACL based RNAT rule, which already has connection failover enabled, by using the NetScaler GUI might fail with the following error:

  • Invalid argument value [connfailover]

[ NSHELP-29243 ]

While configuring or checking SSL certificates using the NetScaler GUI, the error Directory doesn't exist might appear. This issue occurs when a file name with two consecutive dots (..) exists in the SSL folder /nsconfig/ssl.

[ NSHELP-28589 ]

In a high availability setup, HA synchronization might fail for a built-in policy pattern set binding, if the built-in policy pattern set was modified on the primary node.

[ NSHELP-28460 ]

When you deselect the secure option for RPC node in the ADC GUI, the following error message appears:

Argument pre-requisite missing [validateCert, secure==YES]

[ NSHELP-28239 ]

When the user tries to change the page size of a list in the side panel views, the page gets distorted.

[ NSHELP-28220 ]

An extra backslash character is incorrectly introduced if special characters are used within arguments in some SSL commands, such as create ssl rsakey and create ssl cert.

[ NSHELP-27378 ]

ping or ping6 command with interface (-I) option might fail with the following error:

  • interface option not supported

[ NSHELP-26962 ]

Known Issues

The issues that exist in release 13.1–17.42.


HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.


Authentication, authorization, and auditing

A NetScaler appliance does not authenticate duplicate password login attempts and prevents account lockouts.

[ NSHELP-563 ]

The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of NetScaler GUI.

[ NSAUTH-6106 ]

ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command. show adfsproxyprofile <profile name>


Connect to the primary active NetScaler in the cluster and run the show adfsproxyprofile <profile name> command. It would display the proxy profile status.

[ NSAUTH-5916 ]

The Configure Authentication LDAP Server page on the NetScaler GUI becomes unresponsive if you pursue the following steps:

  • The Test LDAP Reachability option is opened.
  • Invalid login credentials are populated and submitted.
  • Valid login credentials are populated and submitted.


Close and open the Test LDAP Reachability option.

[ NSAUTH-2147 ]


A NetScaler appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

[ NSHELP-22942 ]

NetScaler SDX Appliance

On a NetScaler SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

[ NSSVM-4333 ]

NetScaler Gateway

In some cases, the server validation code fails when the server certificate is trusted. As a result, end users cannot access the gateway.

[ NSHELP-28942 ]

In a NetScaler Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.

[ NSHELP-28856 ]

Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

[ NSHELP-28551 ]

Sometimes, a user is logged out of NetScaler Gateway within a few seconds when the client idle timeout is set.

[ NSHELP-28404 ]

In a high availability setup, VPN user sessions get disconnected if the following condition is met:

  • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.


Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

[ NSHELP-25598 ]

The Gateway Insight does not display accurate information on the VPN users.

[ NSHELP-23937 ]

VPN plug-in doesn’t establish tunnel after Windows logon, if the following conditions are met:

  • NetScaler Gateway appliance is configured for Always On feature
  • The appliance is configured for certificate based authentication with two factor authentication off

[ NSHELP-23584 ]

Sometimes while browsing through schemas, the error message Cannot read property 'type' of undefined appears.

[ NSHELP-21897 ]

If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to NetScaler Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

[ CGOP-19355 ]

Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

[ CGOP-13621 ]

The Gateway Insight report incorrectly displays the value Local instead of SAML in the Authentication Type field for SAML error failures.

[ CGOP-13584 ]

In a high availability setup, during NetScaler failover, SR count increments instead of the failover count in NetScaler ADM.

[ CGOP-13511 ]

While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

[ CGOP-13050 ]

The text Home Page in the Citrix SSO app > Home page is truncated for some languages.

[ CGOP-13049 ]

An error message appears when you add or edit a session policy from the NetScaler GUI.

[ CGOP-11830 ]

In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

[ CGOP-7269 ]

In a cluster deployment, if you run force cluster sync command on a non-CCO node, the ns.log file contains duplicate log entries.

[ CGOP-6794 ]

Load Balancing

In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

[ NSLB-7679 ]

The serviceGroupName format in the entityofs trap for the service group is as follows: <service(group)name>?<ip/DBS>?<port>

In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (?) is used as a separator. The NetScaler sends the trap with the question mark (?). The format appears the same in the NetScaler ADM GUI. This is the expected behavior.

[ NSHELP-28080 ]


When a forced synchronization takes place in a high availability setup, the appliance runs the set urlfiltering parameter command in the secondary node. As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the TimeOfDayToUpdateDB parameter.

[ NSSWG-849 ]

A NetScaler appliance might restart due to management CPU stagnation if connectivity issue occurs with the URL Filtering third party vendor.

[ NSHELP-22409 ]


A NetScaler BLX appliance with DPDK might fail to restart if all of the following conditions are met:

  • The NetScaler BLX appliance is allocated with a low number of hugepages. For example, 1G.
  • The NetScaler BLX appliance is allocated with a high number of worker-process. For example, 28.

The issue is logged as an error message in /var/log/ns.log:

  • BLX-DPDK:DPDK Mempool could Not be Initialized for PE-x

Note: x is a number <= number of worker-processes.


Allocate a high number of hugepages and then restart the appliance.

[ NSNET-25173 ]

A NetScaler BLX appliance with DPDK might fail to restart if the following condition is met:

  • The NetScaler BLX appliance is allocated with a high number of hugepages. For example, 16 GB.

The issue is logged as an error message in /var/log/ns.log:

  • EAL: rte_mem_virt2phy(): cannot open /proc/self/pagemap: Too many open files


Use one of the following workarounds for this issue:

  • Increase the open file limit on the Linux host by using either the ulimit command or editing the limits.conf file.
  • Reduce the number of allocated hugepages.

[ NSNET-24727 ]

A NetScaler BLX appliance in DPDK mode might take a little longer to restart because of the DPDK easiness functionality.

[ NSNET-24449 ]

After an upgrade from NetScaler BLX appliance 13.0 61.x build to 13.0 64.x build, settings on the BLX configuration file are lost. The BLX configuration file is then reset to default.

[ NSNET-17625 ]

The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a NetScaler BLX appliance with DPDK:

  • Disable
  • Enable
  • Reset

[ NSNET-16559 ]

On a Debian based Linux host (Ubuntu version 18 and later), a NetScaler BLX appliance is always deployed in shared mode irrespective of the BLX configuration file (/etc/blx/blx.conf) settings. This issue occurs because mawk, which is present by default on Debian based Linux systems, does not run some of the awk commands present in the blx.conf file.


Install gawk before installing a NetScaler BLX appliance. You can run the following command in the Linux host CLI to install gawk:

  • apt-get install gawk

[ NSNET-14603 ]

Installation of a NetScaler BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable


Run the following commands in the Linux host CLI before installing a NetScaler BLX appliance:

  • dpkg –add-architecture i386
  • apt-get update
  • apt-get dist-upgrade
  • apt-get install libc6:i386

[ NSNET-14602 ]

In some cases of FTP data connections, the NetScaler appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

[ NSNET-5233 ]

When an admin partition memory limit is changed in NetScaler appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.

[ NSHELP-21082 ]


The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and NetScaler VPX on-premises. Both of these issues are caused when the following conditions are met:

  1. During the first boot of the NetScaler appliance, you do not save the prompted password.
  2. Subsequently, you reboot the NetScaler appliance.

[ NSPLAT-22013 ]

When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the NetScaler appliances. This issue is fixed for the following NetScaler versions:

  • 13.1-4.x
  • 13.0–82.31 and later
  • 12.1–62.21 and later

The python packages are not installed, when you downgrade the NetScaler versions from 13.1-4.x to any of the following versions:

  • Any 11.1 build
  • 12.1–62.21 and earlier
  • 13.0-81.x and earlier

[ NSPLAT-21691 ]

In a cluster setup on a NetScaler SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You add another VPX instance to the cluster and CLAG setup.

As a result, traffic to the VPX instance stops.

[ NSPLAT-21049 ]

In a cluster setup on a NetScaler SDX appliance, the first node goes DOWN because of a MAC address mismatch on CLIP and MAC table, if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You remove the second node from the cluster.

[ NSPLAT-21042 ]

When you delete an Autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the rm cloudprofile command to delete the profile.

[ NSPLAT-4520 ]

In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for Autoscale cloud profile configuration appears. Workaround: Skip the screen, and log on to the primary node to create the cloud profile. Always configure the cloud profile on the primary node.

[ NSPLAT-4451 ]

The HA failover for NetScaler VPX instance on the GCP and AWS cloud fails when the password of an RPC node contains a special character.

[ NSHELP-28600 ]


Connections might hang if the size of processing data is more than the configured default TCP buffer size.Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

[ NSPOLICY-1267 ]


On a heterogeneous cluster of NetScaler SDX 22000 and NetScaler SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.


  1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
  2. Save the configuration.

[ NSSSL-9572 ]

You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

[ NSSSL-6478 ]

You can create multiple Azure Application entities with the same client ID and client secret. The NetScaler appliance does not return an error.

[ NSSSL-6213 ]

The following incorrect error message appears when you remove an HSM key without specifying Key Vault as the HSM type. ERROR: crl refresh disabled

[ NSSSL-6106 ]

Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

[ NSSSL-4427 ]

An incorrect warning message, Warning: No usable ciphers configured on the SSL vserver/service, appears if you try to change the SSL protocol or cipher in the SSL profile.

[ NSSSL-4001 ]

An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

[ NSSSL-3184 ]


The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

[ NSHELP-21240 ]

The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

[ NSHELP-10972 ]

An issue is observed in generating the PCI DSS reports on the NetScaler GUI (Navigation: System > Reports > Generate PCI DSS Report).

[ NSBASE-16225 ]

Client IP and Server IP are inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

[ NSBASE-8506 ]

The NetScaler appliance drops packets that contain custom HTTP headers with a dot (“.”) character in the header name field. This action occurs because the allowOnlyWordCharactersAndHyphen parameter is enabled by default in the default HTTP profile.

Workaround: Disable allowOnlyWordCharactersAndHyphen in the default HTTP profile. However, Citrix recommends that you keep it enabled.

[ NSBASE-16722 ]

User Interface

For the MQTT Rewrite feature, you cannot delete an expression using the Expression Editor in the GUI.


Use the add or edit action command of type MQTT through the CLI.

[ NSUI-18049 ]

In NetScaler GUI, the Help link present under the Dashboard tab is broken.

[ NSUI-14752 ]

Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.


Configure cloudbridge connectors by adding IPsec profiles, IP tunnels, and PBR rules by using the NetScaler GUI or CLI.

[ NSUI-13024 ]

If you create an ECDSA key by using the GUI, the type of curve is not displayed.

[ NSUI-6838 ]

Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

[ NSHELP-20988 ]

When you downgrade a NetScaler appliance version 13.0-71.x to an earlier build, some NITRO APIs might not work because of the file permission changes.


Change permission for /nsconfig/ns.conf to 644.

[ NSCONFIG-4628 ]

If you (system administrator) perform all the following steps on a NetScaler appliance, the system users might fail to log in to the downgraded NetScaler appliance.

  1. Upgrade the NetScaler appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build
  2. Add a system user, or change the password of an existing system user, and save the configuration, and
  3. Downgrade the NetScaler appliance to any older build.

To display the list of these system users by using the CLI: At the command prompt, type:

query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]


To fix this issue, use one of the following independent options:

  1. If the NetScaler appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the NetScaler appliance using a previously backed up configuration file (ns.conf) of the same release build.
  2. Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  3. If none of the above options work, a system administrator can reset the system user passwords.

For more information, see

[ NSCONFIG-3188 ]

Release Notes for NetScaler 13.1–17.42 Release