Release Notes for NetScaler 13.1-42.47 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the NetScaler release Build 13.1-42.47.


  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the security bulletin.

What’s New

The enhancements and changes that are available in Build 13.1-42.47.

Bot Management

  • Support to stop the IP reputation downloads in bot settings

    After you disable the IP reputation feature, set the Default Nonintrusive Profile to BOT_BYPASS in the NetScaler bot management settings. This configuration stops the IP reputation downloads.

    To change the bot management settings, navigate to Security > NetScaler bot Management > Change NetScaler bot Management Settings.

    [NSBOT-1050, NSHELP-34310, NSHELP-33835, NSHELP-34410]

  • New bot violations appear in the NetScaler ADM GUI

    The following bot violations are newly introduced in the NetScaler ADM GUI:

    • No user-agent header
    • Multiple user-agent headers

    An application server uses the user-agent header information to know more about an incoming request. Some bot requests can have multiple user-agent headers or no user-agent header. You can detect such bot violations using a NetScaler bot management profile. Then, use the NetScaler ADM GUI to monitor bot violations. For more information, see Violation categories.


NetScaler SDX Appliance

  • SD-WAN support is deprecated from the Management Service

    From release 13.1 build 42.x and later, SD-WAN support is deprecated from the NetScaler SDX appliance.


  • “Gateway” and “Nexthop” fields are optional while provisioning or editing the VPX

    In a NetScaler SDX appliance Management Service, the Gateway and Nexthop fields are no longer mandatory for provisioning, editing, taking backup, or restoring VPX when the following conditions are met:

    • Either of the following options is true:
      • “Manage through the internal network” is enabled for VPX.
      • VPX IP address is in the same subnet as the Management Service IP address.
    • VPX is provisioned with version 13.0-88.9 or 13.1-37.8, and their higher versions.

    For more information, see Provision NetScaler instances.


NetScaler Gateway

  • Support to enable DF bit propagation for EDT by default

    On the NetScaler Gateway appliance, the DF bit enforcement for the EDT path maximum transmission unit discovery (PMTUD) option is now enabled, by default. This option prevents EDT fragmentation that might result in performance degradation or failure to establish a session. Previously, this option was disabled, by default. Administrators had to enable the option using the ICA parameter settings.


NetScaler Web App Firewall

  • Use CLI or API to enable signatures in your NetScaler Web App Firewall

    You can now enable individual signatures in your NetScaler Web App Firewall through CLI commands or API calls. To do so, select signatures by their IDs or categories and then set actions. Earlier, you were able to enable signatures only by uploading a signature file.


    import appfw signature DEFAULT object_name -sigRuleId 1001 9882 2000 1250 810 -Enabled ON -Action LOG BLOCK

    import appfw signature DEFAULT object_name -sigCategory web-misc -Enabled ON -Action LOG BLOCK

    See, To add individual signatures by using CLI.


  • New match patterns for the NetScaler Web App Firewall signatures

    For the NetScaler Web App Firewall signatures, you can now select the following new match patterns:

    • Command Injection
    • SQL Injection Grammar
    • Command Injection Grammar

    The NetScaler Web App Firewall looks for the selected pattern and categorizes the attack.

    Note: You can modify the signature rule patterns only for the custom signatures.

    For more information, see Add signature rule patterns.


  • Configure global lists to bypass WAF or deny requests

    You can now configure global lists in a NetScaler Web App Firewall profile to bypass Web App Firewall or deny requests. If the incoming requests match the global bypass list, they skip the Web App Firewall in NetScaler. If the incoming requests match the global deny list, NetScaler Web App Firewall blocks those requests and applies the defined action.

    The bypass and deny lists support URL, IPv4, and IPv6 addresses. You can specify them using literals, PCRE, and expressions. For more information, see Manage global lists to bypass WAF or deny requests.


  • Simplified the NetScaler Web App Firewall profile creation to protect from CVEs

    Protect your NetScaler appliance by applying an appropriate signature in the NetScaler Web App Firewall. You might want to secure the appliance from CVEs without performing any other security checks. In this case, you can now create a profile that disables the remaining checks from the NetScaler Web App Firewall.

    In a NetScaler Web App Firewall profile, select the CVE option as defaults. With this option, you need to simply add and bind a signature. It automatically disables the remaining checks. Earlier, you had to manually disable the security checks from the profile one by one.

    For more information, see Creating Web App Firewall profiles.



  • Support for VMware vSphere 8.0.0b

    The NetScaler VPX instance now supports the VMware vSphere 8.0.0b (build 20513097).

    [ NSPLAT-25844 ]

  • Support for multiple services with the same Autoscaling group in public cloud

    For the back-end Autoscaling feature in public cloud, the NetScaler VPX instance now supports multiple services with the same autoscaling group. This feature is supported on Azure, AWS, and GCP clouds. In the NetScaler GUI, you can create different cloud profiles for different services (using different ports) with the same autoscaling group in cloud.

    Earlier, the NetScaler VPX instance support was limited to a single service per autoscaling group. You had to add different autoscaling groups for different services.


  • Support for Mellanox ConnectX-4 NIC with SR-IOV on VMware ESXi hypervisor

    The NetScaler VPX instance now supports Mellanox ConnectX-4 NIC with SR-IOV on VMware ESXi hypervisor.



  • Increase in the limit of patterns that can be bound to a pattern set

    In a NetScaler appliance, you can now bind 50000 patterns to a pattern set. With the pattern set file, only 10000 patterns can be bound to a pattern set. Also, If the pattern set is used in streaming, then only 5000 patterns can be bound to that pattern set. A pattern set for streaming is used in the rewrite action search parameter, HTTP body, or TCP payload based expression. Previously, you could only bind 5000 patterns to a pattern set.


  • Support for all the expressions associated with the UDP headers and payloads on the client side and the server side

    The following enhancements are done for UDP headers and payloads on the client side and server side:

    • Expressions associated with the UDP protocol are split into client side and server side expressions.
    • Earlier support was available only for client side expressions and the same expressions were used for the server side.
    • The UDP protocol now has support for server side expressions. This expression can be used to extract the UDP Source port, Destination port, Length, Checksum, and Payload.
    • The client side expressions are also enhanced to extract Length, Checksum, and Payload from a given UDP packet.
    • For backward compatibility, if a client side expression is used on the server side it continues to be supported. Citrix recommends you to use the server side expressions for the server side.

    For more information, see Expressions for TCP, UDP, and VLAN data.



  • Support for cross-signed certificate validation

    The NetScaler appliance now supports cross-signed certificate validation. If a certificate is signed by multiple issuers, the validation passes if there is at least one valid path to the root certificate.

    Earlier, if one of the certificates in the certificate chain was cross-signed and had multiple paths to the root certificate, the ADC appliance only checked for one path. And if that path was not valid, the validation failed.



  • Support for exporting metrics directly to Prometheus from the NetScaler appliance

    NetScaler now supports the direct export of metrics to Prometheus. With this feature, Prometheus pulls metrics directly from the NetScaler instances without the need for any external exporter. Previously, an exporter resource was required outside the appliance to export metrics from NetScaler to the Prometheus server.

    For more information, see Monitoring NetScaler and applications using Prometheus.


User Interface

  • 8 MB upload limit support for systemfile NITRO API

    The maximum upload limit for the systemfile NITRO API has been increased from 2 MB to 8 MB.


  • Support for 64-bit numerical value in NITRO API responses

    Earlier, the NetScaler appliance returned an unsigned integer or a long property-type value as a string in the NITRO API response because integer response was not supported for these types. Also, the appliance returned a double-data type stats-counter-rate value as an integer.

    The NITRO APIs now support 64-bit integers. This support enables the appliance to return the following in the NITRO API responses:

    • the exact integer value instead of a string for an unsigned integer or long integer data type.
    • the exact serialized counter rate value instead of an integer.

    A new query parameter largeintsupport has been introduced for enabling the 64-bit integers support in the NITRO APIs.

    When largeintsupport is set to yes in a NITRO API request, the NetScaler appliance returns the exact integer value, in the NITRO API response. The earlier functionality is retained when largeintsupport is set to no, which is also the default setting.


Fixed Issues

The issues that are addressed in Build 13.1-42.47.

Authentication, authorization, and auditing

  • When a NetScaler appliance is upgraded, users cannot access the NetScaler appliance using RADIUS authentication.


  • On the NetScaler GUI, the Response Policies section on the Authentication Virtual Server page does not display the responder type cache policies.


  • Gateway authentication via CWA client or native VPN clients might fail because of missing strings in the ns_aaa_relaystate_param_whitelist patset.


  • Kerberos SSO impersonation with advanced encryption types might fail when an incorrect user principal name is used in the SSO credentials.

    [NSHELP-32890, NSHELP-34087]

Bot Management

  • NetScaler appliance crashes while processing a bot signature if the format of the signature file is invalid.


  • In the NetScaler GUI, the user-defined bot signature displays an incorrect base version.


NetScaler SDX Appliance

  • When you upgrade a NetScaler SDX appliance, in rare cases the following incorrect event appears in the Management Service GUI:

    “SVM version and Hypervisor version are not compatible”


NetScaler Gateway

  • A NetScaler Gateway appliance crashes when evaluating a policy for a VPN URL.

    [NSHELP-33683, CGOP-20369, NSHELP-34002, NSHELP-34030, NSHELP-34052, NSHELP-34076, NSHELP-34077, NSHELP-34100, NSHELP-34151, NSHELP-34180, NSHELP-34243, NSHELP-34276, NSHELP-34327, NSHELP-34402]

  • After upgrading a NetScaler appliance, the RDP proxy URLs do not work with the X1 portal theme and the message
    “Http/1.1 Object Not Found” appears.

    [NSHELP-33676, NSHELP-33845, NSHELP-33921, NSHELP-34032]

  • When a NetScaler appliance is upgraded, the appliance might crash while processing the UDP traffic.

    [NSHELP-33417, NSHELP-34031]

  • After upgrading a NetScaler appliance, the RDP proxy URLs become inaccessible and the error message “Http/1.1 Object Not Found” appears. This issue occurs when the custom parameters of the RDP URLs contain spaces.


  • In a NetScaler Gateway high availability setup, the primary and the secondary appliances might crash during a failover.

    [NSHELP-33198, NSHELP-33483]

  • Some of the VPN sessions might get cleared or removed from the secondary ADC appliance after a failover.


  • The NetScaler Gateway appliance might crash if HDX Insight is enabled and a user logs in to StoreFront immediately after logging out.

    [NSHELP-32907, NSHELP-33079, NSHELP-33289]

  • In a rare case, the NetScaler appliance might crash while fetching a STA monitor in a VPN deployment.


  • After upgrading a NetScaler Gateway appliance, the Configuration > Integrate with NetScaler products section is not displayed in the NetScaler GUI.


  • The EPA scan to check the CA certificate of a client device fails on the NetScaler appliance when the CA certificates are of different domains.


  • Citrix EPA plug-in for macOS crashes when GSLB is enabled on a NetScaler appliance.


NetScaler Web App Firewall

  • In the NetScaler Web App Firewall, when you enable the streaming and field consistency checks, it delays the transfer of the payload to the origin server. As a result, the POST method for the payload fails.


  • The cookie hijacking redirect drops the query parameters from the request URL. As a result, the redirected request might fail.

    [NSHELP-33633, NSHELP-33812]

Load Balancing

  • The secondary node might crash if you use the same GSLB virtual server as the backup for multiple GSLB virtual servers.

    [NSHELP-33400, NSHELP-34247]

  • The NetScaler appliance does not respond with the correct service IP address for GSLB domain query if the following settings are configured on the GSLB virtual server:

    1. ECS option is enabled.
    2. Static proximity is configured as the load balancing method.



  • In a high availability setup in INC mode, when there is an HA version mismatch, the secondary node might learn invalid routes from the primary node.


  • In a NetScaler appliance with OSPF routing configured, the default route is not installed even when the OSPF default route LSA is present.


  • The nstrace of a few incoming packets of an SSH session might incorrectly display a different receiving interface number and VLAN ID when all of the following conditions are met:

    • ECMP routes for the client of the SSH session are present on the NetScaler appliance.
    • SSH session is idle for a few seconds.


  • The loading of SNMP MIB file to a network morning tool might fail because the SNMP trap name dataStreamRateLimitHit in the file is not in camel case.


  • In a large scale NAT 64 setup, the NetScaler appliance might crash because of an internal packet engine mismatch issue.


  • In a GSLB setup with one of the GSLB site IP address is configured in an admin partition, ARP requests for this GSLB site IP address from upstream routers fails to reach the admin partition. This issue occurs when all of the following conditions are met:

    • A shared VLAN is bound to the admin partition.
    • A SNIP IP address, say SNIP-1, in the same subnet as the GSLB site IP address is present on the shared VLAN.
    • Another SNIP IP address, say SNIP-2, in the same subnet as the GSLB site IP address is added and SNIP-1 is removed.



  • For a NetScaler VPX release 13.1 build 37.38 on VMware ESX hypervisor with VMXNET3 interfaces, you see the following behavior in the HA setup:

    The NetScaler VPX HA pair is not configured because the communication between the HA nodes is not established. As a result, the peer node status is displayed as UNKNOWN.


  • When you provide preboot user data in an OVF template from the ESX vSphere client, the ESXi host does not apply the preboot configuration.

    [NSPLAT-24233, NSPLAT-25551]

  • DNS resolution fails if you configure more than three DNS server names in the DHCP option set in AWS VPC. This issue is seen in NetScaler VPX instances with releases earlier than 13.1 build 42.x.


  • On the NetScaler SDX 8015/8400/8600 platform, you might see increased memory consumption on Xen Server.


  • You might experience transmit stalls on a NetScaler SDX appliance with a 10G interface when heavy traffic is sent on this interface.



  • A virtual server crashes due to a failed TLS1.3 connection, because the NetScaler appliance runs out of memory and a memory allocation request fails during the start of a TLS 1.3 handshake.

    With this fix, the TLS 1.3 connection fails but the appliance does not crash.


  • A virtual server may incorrectly terminate a TLS 1.3 handshake with a decrypt_error alert if the following conditions are met:

    • The client is authenticating with a certificate.
    • The virtual server is configured to perform a certificate status check using OCSP or a CRL.
    • The client sends both Certificate and CertificateVerify messages in the same TLS record.


  • After unbinding the DEFAULT cipher, when you disable a protocol version on a virtual server and later try to bind a cipher with this protocol listed in the description, the following error message appears.

    No usable ciphers configured on the SSL vserver/service

    This message is incorrect because the cipher is supported with other protocols that are enabled on the virtual server. For example,

    Cipher Name: TLS1-ECDHE-RSA-AES256-SHA
    Description: SSLv3 Kx=ECC-DHE Au=RSA Enc=AES(256) Mac=SHA1 HexCode=0xc014

    This cipher is supported for all the protocols starting from SSLv3 (SSLv3, TLS1, TLS11, TLS12). When you disable SSLv3 on a virtual server and then try to bind this cipher to that virtual server, the warning appears even though TLS1, TLS11, TLS12 protocols are still enabled on the virtual server.

    With this fix, the warning appears only when a cipher is not supported for the configuration.


  • The NetScaler appliance does not allow configuring certificates with a notBefore date older than 1970.


  • The NetScaler appliance might crash if the following conditions are met:

    • A client sends TLS1.3 early data in the Client Hello message to an SSL Insight virtual server.
    • ECDHE ciphers are enabled on this virtual server.



  • Customer applications that are not RFC compliant (RFC 7230) might fail after an upgrade to NetScaler 13.1. This failure occurs because of a mandatory compliance check that is enforced on the NetScaler appliance to comply with RFC 7230.

    As part of the fix, this specific compliance check is moved under the HTTP profile parameter “-markRfc7230NonCompliantInval. Customers can disable this compliance check that was previously enforced.


  • A NetScaler appliance might crash when both of the following conditions are met:

    • The content inspection device sends a reset (RST) response to the ADC appliance and one of the Intrusion Prevention System (IPS) resources is not cleared properly.
    • The same IPS resource is accessed in further transactions.


  • In some cases, a NetScaler appliance might crash while processing a corrective acknowledgment sent by a server connection that is in the TIME_WAIT state.


  • A NetScaler appliance might crash when it tries to access resources on the freed ICAP. This condition happens when the ICAP is in response modification (RESPMOD) mode.


  • The NetScaler appliance is unable to send Logstream data from partitions consistently.


  • The NetScaler appliance aborts the connection when it fails to parse the chunked value. This issue occurs when the Transfer-Encoding header has multiple values and Chunked is not the first value.


  • The NetScaler appliance might crash if it processes a corrective ACK packet related to a server-side TCP connection.


  • The NetScaler appliance configured with an SSL service crashes when the appliance receives a TCP FIN control packet followed by a TCP RESET control packet.


User Interface

  • When you create a NetScaler Web App Firewall profile of the JSON type and try to update the Profile Settings, the JSON Error Object displays an empty list.


  • A system user account bound to a set of admin partitions might not be able to access the default partition through the NITRO APIs even if the Allow Default Partition option is enabled as part of the system global settings.


  • The link for NetScaler bot management profiles incorrectly appears in the Traffic Management > Content Switching page. When you click on that link, it renders a blank page. This issue occurs if you bind a bot policy to the content-switching virtual server.


  • Logging on to the NetScaler GUI fails if your user name or domain name has a special character.


  • When you clear the running NetScaler configurations, the NetScaler management session created by a classic TACACS configuration is disconnected even when the RBAconfig parameter is set to NO.


  • When a user views the binding on a content switching policy, the content switching virtual server details are not displayed in the same row under Show Bindings.


  • Support for power off option in the shutdown NITRO API

    The shutdown NITRO API now supports the “-p now” option to shut down and power off a NetScaler appliance.


    In the following example of a curl request, the shutdown NITRO API is used with the “-p now” option to shut down and power off a NetScaler appliance having the IP address

    curl -v -X POST -H Content-Type: application/json -u nsroot:examplepassword []( -d '{"shutdown": {"args":"-p now"}}'


  • After you create a profile for NetScaler Web App Firewall and try to generate the configuration report of the application firewall in System > Reports, the following error appears:

    “Failed to load PDF document.”


  • In the cluster setup, the TFTP option is not displayed in the Protocol list, when creating a virtual server using the NetScaler GUI.


  • On the NetScaler GUI, the System Log Files page (Configuration > System > Auditing > Syslog messages) and the Logs page (Configuration > Authentication > Logs) fail to load the log files.


  • On the NetScaler GUI, the Saved vs Running configuration screen (System > Diagnostics) incorrectly displays HTML tags instead of displaying plain text.


  • While viewing the policies bound to a content switching policy label in the NetScaler GUI, only 25 policies are displayed even though there are more policies bound to that policy label.


Known Issues

The issues that exist in release 13.1-42.47.


  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.


Authentication, authorization, and auditing

  • Administrators cannot perform custom logging for authentication failures that happen due to invalid credentials. This issue occurs because the NetScaler responder policies fail to detect errors for login failures.


  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    show adfsproxyprofile <profile name>

    Workaround: Connect to the primary active NetScaler in the cluster and run the show adfsproxyprofile <profile name> command. It would display the proxy profile status.


  • The Configure Authentication LDAP Server page on the NetScaler GUI becomes unresponsive if you pursue the following steps:

    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.


NetScaler SDX Appliance

  • Packet drops are seen on a VPX instance hosted on a NetScaler SDX appliance if the following conditions are met:

    • Throughput allocation mode is burst.
    • There is a large difference between the throughput and the maximum burst capacity.


NetScaler Gateway

  • If the Citrix Secure Access related registry values are greater than 1500 characters, then the log collector fails to gather the error logs.


  • When using Windows Filtering Platform (WFP) driver, sometimes intranet access does not work after the VPN is reconnected.


  • The Citrix Secure Access client, version and later, fails to upgrade to later versions for users with no administrative privileges. This issue is applicable only if the Citrix Secure Access client upgrade is done from a NetScaler appliance.


  • When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error.


  • On a Mac device using Chrome, the VPN extension crashes while accessing two FQDNs.


  • In some cases, empty proxy settings in NetScaler Gateway release 13.0 or 13.1 causes Citrix SSO to create improper proxy settings.


  • Debug logging control for Citrix Secure Access client is now independent of NetScaler Gateway and it can be enabled or disabled from the plug-in UI for both machine and user tunnel.


  • Direct connections to the resources outside of the tunnel established by Citrix Secure Access might fail if there is a significant delay or congestion.


  • Customized EPA failure log message is not displayed on the NetScaler Gateway portal. Instead, the message “internal error” is displayed.


  • Sometimes, the Windows auto logon does not work when a user logs into the windows machine in an Always-On service mode. The machine tunnel does not transition to the user tunnel and the message “Connecting…” is displayed in the VPN plug-in UI.

    [NSHELP-31357, CGOP-21192, NSHELP-34211]

  • When Always on is configured, the user tunnel fails because of the incorrect version number ( in the aoservice.exe file.


  • Users cannot connect to the NetScaler Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway`.


  • The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced.

    HKLMSoftwareCitrixSecure Access ClientSecureChannelResetTimeoutSeconds
    Type: DWORD

    By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0 or not added, the fix to handle the delay does not work, which is the default behavior. Admin has to set this registry on the client to enable the fix (that is to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).


  • The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.


  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.


  • Sometimes, a user is logged out of NetScaler Gateway within a few seconds when the client idle timeout is set.


  • VPN plug-in doesn’t establish tunnel after Windows logon, if the following conditions are met:

    • NetScaler Gateway appliance is configured for Always On feature
    • The appliance is configured for certificate-based authentication with two factor authentication “off”


  • Sometimes while browsing through schemas, the error message “Cannot read property ‘type’ of undefined” appears.


  • In a NetScaler cluster setup, HDX Insight and Gateway Insight cannot be enabled simultaneously.


  • The Windows OS option is not listed in the Expression Editor drop-down list for pre-authentication policies and authentication actions on the NetScaler GUI. However, if you have already configured the Widows OS scan on a previous NetScaler build using the GUI or the CLI, the upgrade does not impact the functionality. You can use the CLI to make changes, if required.


    Use the CLI commands for the configuration.

    • To configure advanced EPA action in nFactor authentication, use the following command.
      add authentication epaAction adv_win_scan -csecexpr “sys.client_expr(“sys_0_WIN-OS_NAME_anyof_WIN-10[COMMENT: Windows OS]”)”
    • To configure a classic pre-authentication action, use the following commands.
      add aaa preauthenticationaction win_scan_action ALLOW
      add aaa preauthenticationpolicy win_scan_policy "CLIENT.SYSTEM('WIN-OS_NAME_anyof_WIN-10[COMMENT: Windows OS]') EXISTS" win_scan_action


  • If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to NetScaler Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that is not available in the 12.1 release.


  • The Gateway Insight report incorrectly displays the value “Local” instead of “SAML” in the Authentication Type field for SAML error failures.


  • In a high availability setup, during NetScaler failover, SR count increments instead of the failover count in NetScaler ADM.


  • When an ICA connection is launched from a MAC receiver version or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.


  • When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.


  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.


  • The text “Home Page” in the Citrix SSO app > Home page is truncated for some languages.


  • An error message appears when you add or edit a session policy from the NetScaler GUI.


  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.


Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.


  • The serviceGroupName format in the entityofs trap for the service group is as follows:

    In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (“?”) is used as a separator. The NetScaler sends the trap with the question mark (“?”). The format appears the same in the NetScaler ADM GUI. This is the expected behavior.



  • When a forced synchronization takes place in a high availability setup, the appliance executes the set urlfiltering parameter command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the “TimeOfDayToUpdateDB” parameter.


  • AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.


  • A NetScaler appliance might restart due to management CPU stagnation if connectivity issue occurs with the URL Filtering third party vendor.



  • In a NetScaler BLX appliance with DPDK support, tagged VLANs are not supported for DPDK Intel i350 NIC ports. This is observed as it is a known issue present on the DPDK driver.


  • A NetScaler BLX appliance with DPDK might fail to restart if all of the following conditions are met:

    • The NetScaler BLX appliance is allocated with a low number of hugepages. For example, 1G.
    • The NetScaler BLX appliance is allocated with a high number of worker-process. For example, 28.

    The issue is logged as an error message in “/var/log/ns.log”:

    • BLX-DPDK:DPDK Mempool could Not be Initialized for PE-x

    Note: x is a number <= number of worker-processes.

    Workaround: Allocate a high number of hugepages and then restart the appliance.


  • A NetScaler BLX appliance in DPDK mode might take a little longer to restart because of the DPDK easiness functionality.


  • The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a NetScaler BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset


  • Installation of a NetScaler BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

    The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable

    Workaround: Run the following commands in the Linux host CLI before installing a NetScaler BLX appliance:

    • dpkg --add-architecture i386
    • apt-get update
    • apt-get install libc6:i386


  • In some cases of FTP data connections, the NetScaler appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.


  • The NetScaler appliance might not generate “coldStart” SNMP trap messages after a cold restart.


  • When an admin partition memory limit is changed in NetScaler appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.



  • Some python packages are not installed, when you downgrade the NetScaler appliance from 13.1-4.x version and higher versions to any of the following versions:

    • Any 11.1 build
    • 12.1-62.21 and earlier
    • 13.0-81.x and earlier


  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the rm cloudprofile command to delete the profile.


  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.



  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.



  • On a heterogeneous cluster of NetScaler SDX 22000 and NetScaler SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.


    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
    2. Save the configuration.


  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.


  • You can create multiple Azure Application entities with the same client ID and client secret. The NetScaler appliance does not return an error.


  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled


  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)


  • An incorrect warning message, “Warning: No usable ciphers configured on the SSL vserver/service,” appears if you try to change the SSL protocol or cipher in the SSL profile.


  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

    [NSSSL-3184, NSSSL-1379, NSSSL-1394]


  • High RTT is observed for a TCP connection if the following condition is met:

    • a high maximum congestion window (>4 MB) is set
    • TCP NILE algorithm is enabled

    For a NetScaler appliance to use the NILE algorithm for congestion control, the conditions must exceed the slow start threshold, which is coupled with the maximum congestion window

    So, until the maximum configured congestion window is reached, the NetScaler continues to accept data and ends up with high RTT.


  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.


  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.


  • In rare case scenarios, the streams that were created before HTTP/2 WebSocket stream was created might get terminated when the WebSocket’s server-side connection closes.

    This issue occurs because the NetScaler appliance does not support connection multiplexing for HTTP/2 WebSocket.

    Workaround: Disable connection multiplexing for the related HTTP2 profile by using the following command:

    set httpProfile <name> [-conMultiplex ( ENABLED | DISABLED )]


  • In a cluster deployment, if you run “force cluster sync” command on a non-CCO node, the ns.log file contains duplicate log entries.

    [NSBASE-16304, NSGI-1293]

  • When you install NetScaler ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

    Workaround : Reboot the Management pod.


  • Client IP and Server IP are inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.


User Interface

  • In NetScaler GUI, the “Help” link present under the “Dashboard” tab is broken.


  • Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

    Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the NetScaler GUI or CLI.


  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.


  • In a high availability setup, VPN user sessions get disconnected if the following condition is met:

    • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

    Workaround: Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).


  • If you (system administrator) perform all the following steps on a NetScaler appliance, the system users might fail to log in to the downgraded NetScaler appliance.

    1. Upgrade the NetScaler appliance to one of the builds
      • 13.0 52.24 build
      • 12.1 57.18 build
      • 11.1 65.10 build
    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the NetScaler appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

    Workaround: To fix this issue, use one of the following independent options:

    • If the NetScaler appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the NetScaler appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see /en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html.


Release Notes for NetScaler 13.1-42.47 Release