Release Notes for NetScaler 13.1-45.64 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the NetScaler release Build 13.1-45.64.

Notes

  • This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.
  • Build 13.1-45.61 and later builds address the security vulnerabilities described in CTX477714.
  • Build 13.1-45.64 replaces Build 13.1-45.61 and Build 13.1-45.63. However, if you have upgraded to Build 13.1-45.61, you might see a loss of configuration. See CTX547038 for remediation steps.
  • Build 13.1-45.63 includes fixes for NSSSL-12761 and NSHELP-35058, along with all the enhancements and bug fixes available in Build 13.1-45.61.
  • Build 13.1-45.64 includes the fix for NSBASE-18162 (NSHELP-35288), along with all enhancements and bug fixes available in Build 13.1-45.63.

What’s New

The enhancements and changes that are available in Build 13.1-45.64.

NetScaler SDX Appliance

  • Additional checks during the upgrade of an SDX appliance

    Now, a NetScaler SDX appliance upgrade will not be allowed if the Secure Shell (SSH) connection from the Management Service to XenServer/Citrix Hypervisor fails.

    [ NSSVM-5114 ]

  • Enable or disable password complexity while creating admin profiles

    The NetScaler SDX appliance now supports enabling or disabling password complexity on the VPX instances by using the GUI or CLI.

    • When password complexity is enabled, the minimum required password length is 4 characters, which was 6 characters previously.
    • When password complexity is disabled, the minimum required password length is 1 character.

    [ NSSVM-4889 ]

NetScaler Web App Firewall

  • Configure proxy authentication for NetScaler Web App Firewall, bot, and IP reputation

    You can now configure proxy authentication for NetScaler Web App Firewall signature updates, bot signature updates, and reputation updates. Proxy authentication provides an additional layer of security for your appliance. The NetScaler appliance that has proxy authentication enabled authenticates itself with the proxy server before downloading the updates from the internet. This way you can protect your appliances from malicious downloads.
    To configure the proxy authentication, specify the proxy username and password in the settings of the following security features:

    [ NSWAF-9532 ]

  • The apache_mode attribute is deprecated

    The apache_mode attribute of the invalidPercentHandling parameter in the add appfw profile command is deprecated.

    [ NSWAF-4110 ]

Load Balancing

  • Increase in the maximum number of custom entries

    You can now add a maximum of 3000 custom location entries to specify the location qualifiers for IP address ranges. These entities are used in the GSLB static proximity method and in location match policies.

    For more information, see Add custom entries to a static proximity database.

    [ NSLB-9755 ]

Networking

  • Auto-configuration support for NetScaler BLX appliance

    The following auto-configuration features are added for the NetScaler BLX appliance:

    • You can configure the NetScaler BLX appliance to automatically add all the Linux host NIC ports as dedicated ports for the appliance. For this auto-configuration, you must set the blx-managed-host to 1 and comment out both the lines containing the interface parameter in the NetScaler BLX configuration file (blx.conf). The appliance automatically adds all the Linux host NIC ports as dedicated ports to it. Also, the appliance automatically detects the DPDK compatible NIC ports and binds them to the DPDK VFIO module on the Linux host.
    • You can configure a NetScaler BLX appliance in dedicated mode to automatically set the NSIP address and the default gateway for the appliance. For this auto-configuration, you must set the blx-managed-host to 1 and comment out the lines containing the ipaddress and default parameters in the NetScaler BLX configuration file (blx.conf). The appliance selects one of its dedicated NIC ports as a default port that has the gateway route with the highest precedence present on the Linux host. The default port's IP address and default gateway are set as the NSIP address and the default gateway for the NetScaler BLX appliance.

    [ NSNET-27468 ]

  • RHEL version 9.x support for NetScaler BLX appliances

    NetScaler BLX appliance is now supported on Red Hat Enterprise Linux (RHEL) version 9.x platforms.

    [ NSNET-27421 ]

Policies

  • Ability to use NSPEPI tool on the NetScaler BLX and CPX appliances

    The NSPEPI and check invalid configuration tools are now supported in the NetScaler CPX and BLX appliances.

    [ NSPOLICY-4872 ]

SSL

  • Continue SSL handshake with an unknown server name

    The NetScaler appliance now allows the SSL handshake to continue even for an unknown server name, and leaves the decision to the client to drop or complete the handshake.

    Earlier, the appliance terminated the SSL handshake when it received a client hello with an unknown server name.

    [ NSSSL-10918 ]

System

  • Compression support for HTTP PUT request method

    A NetScaler appliance now compresses the HTTP response received from the server for the HTTP requests that use the PUT request method.

    [ NSHELP-32695 ]

  • Configure metrics collector export frequency

    By default, the metrics collector supports the export of time-series analytics data every 30 seconds. You can now configure it as a value from 30 to 300 seconds so that you can decide the interval for exporting the time-series analytics profile data from NetScaler.

    [ NSBASE-17561 ]

  • Support for direct export of audit logs to Splunk

    Audit logging enables you to log the NetScaler states and status information collected by various modules in NetScaler. You can export audit logs from NetScaler to Splunk and get meaningful insights helpful for troubleshooting. This feature enables you to use the HTTP event collector provided by Splunk to send audit logs over HTTP (or HTTPS) directly from your NetScaler to Splunk.

    [ NSBASE-17559 ]

  • Support for WebSocket HTTP/2 connection multiplexing

    The NetScaler appliance now supports multiplexing of WebSocket connections. WebSocket connections are supported over HTTP/2. You can enable the WebSocket connections using CLI or GUI.

    [ NSBASE-17307 ]

Fixed Issues

The issues that are addressed in Build 13.1-45.64.

AppFlow

  • The metrics collector in the NetScaler instance stops responding intermittently. As a result, whenever the metrics collector stops responding, one interval (30 seconds) of analytics data might not get exported.

    [ NSHELP-34048 ]

Authentication, authorization, and auditing

  • On some NetScaler appliances that have GSLB enabled, redirection from the authentication virtual server to the load balancing virtual server fails due to an invalid URL computation.

    [ NSHELP-33459 ]

  • When NetScaler is used as an OpenID provider (OAuth IdP) and GSLB is configured with it, OAuth authentication with the relying party (RP) fails during token validation, which might result in an authentication failure at the OAuth relying party (RP).

    [ NSHELP-33455 ]

  • The NetScaler appliance might crash when it is configured as a SAML service provider and the SSL certificates are updated.

    [ NSHELP-33243, NSHELP-32966, NSHELP-33242, NSHELP-34366 ]

  • OAuth authentication on a NetScaler appliance fails due to issues with token parsing.

    [ NSHELP-31573 ]

Bot Management

  • The NetScaler appliance attempts to download IP database data when the IP reputation feature is disabled.

    [ NSHELP-34488 ]

Caching

  • A NetScaler appliance might restart if the Max-Age value in the Cache-Control header for cached objects is modified in the back-end server.

    [ NSHELP-34078 ]

  • In a cluster setup, the cache global policy information displayed in GUI or CLI is incomplete when the cluster setup is accessed using the CLIP address.

    [ NSCACHE-521 ]

NetScaler SDX Appliance

  • A NetScaler SDX appliance might crash while trying to access “Core Allocation” from the Management Service dashboard.

    [ NSHELP-34537 ]

  • Sometimes, a NetScaler SDX appliance might not behave as expected if the Asymmetric Crypto Units (ACU) and Symmetric Crypto Units (SCU) that are assigned to a VPX instance are not a multiple of the packet engine (PE) core. That is, 1000* number-of-PE-cores.

    [ NSHELP-34389 ]

  • The Management Service (SVM) might crash while editing any of the properties on a VPX instance from the Management Service UI.

    [ NSHELP-34297 ]

  • When you try to change the supportability IP address in a NetScaler SDX appliance by navigating to Configuration > System > Setup Wizard > Management Network > edit supportability IP, it fails to save the changes. The changes get stuck when you click “yes” in the prompt. An undefined reference error is displayed in the browser.

    Fix: Check for the undefined object before referencing.

    [ NSHELP-34141 ]

NetScaler Gateway

  • After an upgrade, the NetScaler appliance might crash when HDX Insight is enabled.

    [ NSHELP-35058 ]

  • After an upgrade, the NetScaler appliance might crash when launching an RDP proxy connection.

    [ NSHELP-33420 ]

  • The Always On profile is unset in a VPN session action when the VPN session action is re-configured.

    [ NSHELP-33396 ]

  • After an upgrade, a NetScaler appliance might crash during the first HA synchronization.

    [ NSHELP-32957 ]

NetScaler Web App Firewall

  • The NetScaler appliance might crash during HA deployment, if the Web App Firewall signature rules contain any of the following objects:

    • Patsets
    • Datasets
    • String maps
    • Named expressions

    [ NSHELP-34338 ]

  • When exporting relaxation rules, the download takes more time and the file is not fully downloaded. This issue occurs if the file size is above 5MB.

    [ NSHELP-34044 ]

  • When the Web App Firewall policy is updated on the vserver, the following issues are observed:

    • The NetScaler GUI and CLI do not respond or take longer than usual.
    • The packet CPU utilization increases to 100%.
    • The number of persistence sessions increases.

    [ NSHELP-33975 ]

  • The JSON command injection relaxation rule might not work if it contains a semicolon (;) or a period (.).

    [ NSHELP-33606 ]

Load Balancing

  • The NetScaler appliance crashes when the following conditions are met, and you unbind all the services and bind them again.

    • A load balancing virtual server is configured with the hash-based method.
    • Services are bound to this virtual server with priority.

    [ NSHELP-34314 ]

  • In an HA setup, the NetScaler appliance crashes when the service group that is bound to multiple vservers is removed.

    [ NSHELP-34029 ]

  • The following error might appear when adding or modifying a load balancing configuration on a NetScaler appliance:

    Configuration possibly inconsistent. Please check with the “show configstatus” command or reboot.

    This issue occurs when the set lb vserver command is used along with the HttpsRedirectUrl and RedirectFromPort parameters.

    [ NSHELP-33912 ]

  • In rare cases, nsmap crashes. As a result, some of the NetScaler appliances that use geolocation databases might not work as intended.

    [ NSHELP-33840 ]

  • If services are disabled and then enabled in a high availability setup, a few monitors might go to the SKIP_OFS state when a failover happens.

    [ NSHELP-33717 ]

  • The show cs vserver command does not display the rule parameter, even though the parameter is configured in the content switching policy and bound to the content switching virtual server.

    [ NSHELP-33506 ]

  • During connection mirroring, the NetScaler appliance crashes when the rewrite policy is greater than 30 bytes.

    [ NSHELP-32902 ]

  • An SNMP alert is generated even if the bandwidth usage is within the configured limit. This issue occurs when comparing two different data types and one of the parameters wraps around when incrementing.

    [ NSHELP-32509 ]

  • A NetScaler appliance with connection mirroring set up crashes when the jumbo packets are sent.

    [ NSHELP-31072 ]

  • The NetScaler VPX appliance crashes when the following conditions are met:

    1. The autosync option is used to synchronize the configuration with other GSLB sites.
    2. The incarnation number that is used to fetch the GSLB cache is a multiple of 1024.

    [ NSHELP-30075 ]

  • In a GSLB setup, the SSL certificate is missing from the subordinate sites. This issue occurs when the auto-sync option is enabled, and the subordinate sites have SSL certificates that are not available on the master site.

    [ NSHELP-29309 ]

Miscellaneous

  • When you run the “ns_hw_err.bash” script on the NetScaler appliance, the following error message appears:
    “error: can’t open file ‘ns_hw_plugins.py’: [Errno 2] No such file or directory”

    [ NSHELP-32991 ]

  • In a cluster setup, the file auto-synchronization fails when the cluster IP address is configured in a subnet different than the subnet of the NSIP address.

    [ NSHELP-29988 ]

Platform

  • After you upgrade the ADC appliance to release 13.1 build 42.47, on some public cloud VPX deployments, you might observe the HTTP and TCP services flap between UP and DOWN states.

    [ NSPLAT-26310 ]

  • On an SDX appliance running the BMC firmware version 4.08, when you perform a single bundle upgrade from 13.0 build 84.X, the lights out management (LOM) firmware upgrade to 4.14 during the system boot up might get stuck intermittently and time out after 30 minutes.

    [ NSPLAT-26148 ]

  • In an HA setup of NetScaler VPX instance on AWS cloud, the content in the “cloud-ha-daemon.log” file that is stored in the /var/log/ location is printed twice instead of once.

    [ NSPLAT-25687 ]

  • On a NetScaler SDX appliance, the VPX instances might operate with the minimum throughput value configured as part of burst mode even though sufficient throughput is available in the SDX appliance to handle bursts in traffic.

    [ NSHELP-33875, NSHELP-34667 ]

  • On the NetScaler MPX 9100, MPX 9100T, MPX 16000, and MPX 16000T platforms, the appliance might come up unlicensed if the license host ID changes.

    [ NSHELP-33745, NSHELP-33756, NSHELP-33801 ]

SSL

  • The commands for binding a certificate-key pair and ECC curve to an SSL service, service group, or internal service are not saved in the configuration (ns.conf).

    [ NSSSL-12761 ]

  • After upgrading to release 13.1 build 37.x, you might not be able to negotiate using the TLSv1.0 protocol even though the configuration has not changed.

    [ NSHELP-34345 ]

System

  • The HTTP responses compressed by the NetScaler appliance might cause failures in some HTTP(S) clients due to leading space characters added in the value of the Content-Length HTTP response header field.

    [ NSHELP-34660 ]

  • NetScaler appliance configured to log all HTTP headers crashes when an HTTP request or response is received with more than 20 long headers.

    [ NSHELP-34145 ]

  • The NetScaler appliance might crash if an AppFlow collector of type rest is configured in the admin partition.

    [ NSHELP-33600 ]

  • In NetScaler version 13.1 build 33.47 and later, you cannot enable or disable events, metrics, and audit log parameters using the GUI or CLI.

    [ NSHELP-33247 ]

  • A gRPC client fails to parse the gRPC status header, when the following condition is met:

    • The gRPC status header is added both in the leading header and the trailing header instead of adding only in the trailing header.

    [ NSHELP-31640 ]

  • A memory leak might occur in the NetScaler appliance if both the following conditions are met:

    • HTTP compression feature is enabled.
    • The connection is reset in the middle of the transaction.

    [ NSHELP-30631 ]

  • A Citrix ADC appliance might crash when an HTTP/2 enabled virtual server generates a response for an HTTP/2 request, instead of forwarding the request to the back-end service.

    [ NSBASE-18162, NSHELP-35288 ]

  • The header-only gRPC response from the NetScaler appliance to the clients does not contain the gRPC status and gRPC message.

    [ NSBASE-17802 ]

User Interface

  • If you are using Admin Partitions, you cannot delete an SSL certificate using the GUI.

    [ NSHELP-34429 ]

  • In the NetScaler GUI, the Bound To column in the Configure Content Switching Policy Binding page displays the string “CS Virtual Server” instead of the actual name of the content switching virtual server to which the policy is bound.

    [ NSHELP-34374 ]

  • Configuring Alternative service for an HTTP profile might fail when you use the NetScaler GUI.

    [ NSHELP-34304 ]

  • When binding the AppFW profile to the log expression, the state parameter is set to enabled by default. However, when the system is upgraded, the parameter is reset to disabled.

    [ NSHELP-34187 ]

  • The download of any core files that are present on the “Diagnostic” page (“System > Diagnostic”) of the NetScaler GUI might fail with an error.

    [ NSHELP-33644 ]

  • In the NetScaler GUI, when you click the edit button for a specific-type SNMP trap, the details of a generic-type SNMP trap are displayed instead of the specific-type SNMP trap.

    [ NSHELP-33520 ]

  • The NITRO Python SDK GET by name calls fail with the error message “local variable ‘response’ referenced before assignment” for the following resources:

    • appfwhtmlerrorpage
    • appfwjsonerrorpage
    • appfwprotofile
    • appfwsignatures
    • appfwwsdl
    • appfwxmlerrorpage
    • appfwxmlschema
    • botsignature
    • responderhtmlpage

    [ NSHELP-32525 ]

  • In a cluster setup, the show HTTP monitor operation performed on the CLIP address does not display the multi-valued HTTP response codes.

    [ NSCONFIG-7107 ]

Known Issues

The issues that exist in release 13.1-45.64.

Authentication, authorization, and auditing

  • The NetScaler appliance might crash when the authentication virtual server is used in a non-default partition.

    [ NSHELP-32054 ]

  • Administrators cannot perform custom logging for authentication failures that happen due to invalid credentials. This issue occurs because the NetScaler responder policies fail to detect errors for login failures.

    [ NSAUTH-11151 ]

  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    show adfsproxyprofile <profile name>

    Workaround: Connect to the primary active NetScaler in the cluster and run the show adfsproxyprofile <profile name> command. The command displays the proxy profile status.

    [ NSAUTH-5916 ]

  • The Configure Authentication LDAP Server page on the NetScaler GUI becomes unresponsive if you perform the following steps:

    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]

NetScaler Gateway

  • Intranet resources overlapping with a spoofed IP address range cannot be accessed with split-tunnel set to OFF on the Citrix Secure Access client.

    [ NSHELP-34334 ]

  • Always-On VPN connection fails intermittently on start up due to Gateway server reachability.

    [ NSHELP-33500 ]

  • If the Citrix Secure Access related registry values are greater than 1500 characters, then the log collector fails to gather the error logs.

    [ NSHELP-33457 ]

  • When using Windows Filtering Platform (WFP) driver, sometimes intranet access does not work after the VPN is reconnected.

    [ NSHELP-32978 ]

  • The Citrix Secure Access client, version 21.7.1.2 and later, fails to upgrade to later versions for users with no administrative privileges. This issue is applicable only if the Citrix Secure Access client upgrade is done from a NetScaler appliance.

    [ NSHELP-32793 ]

  • When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error.

    [ NSHELP-32510 ]

  • On a Mac device using Chrome, the VPN extension crashes while accessing two FQDNs.

    [ NSHELP-32144 ]

  • In some cases, empty proxy settings in NetScaler Gateway 13.0 or 13.1 cause Citrix SSO to create improper proxy settings.

    [ NSHELP-31970 ]

  • Direct connections to the resources outside of the tunnel established by Citrix Secure Access might fail if there is a significant delay or congestion.

    [ NSHELP-31598 ]

  • Customized EPA failure log message is not displayed on the NetScaler Gateway portal. Instead, the message “internal error” is displayed.

    [ NSHELP-31434 ]

  • Sometimes, the Windows auto logon does not work when a user logs into the Windows machine in an Always-On service mode. The machine tunnel does not transition to the user tunnel and the message “Connecting…” is displayed in the VPN plug-in UI.

    [ NSHELP-31357, CGOP-21192, NSHELP-34211 ]

  • When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.

    [ NSHELP-30662 ]

  • Users cannot connect to the NetScaler Gateway appliance after changing the ‘networkAccessOnVPNFailure’ always on profile parameter from ‘fullAccess’ to ‘onlyToGateway’.

    [ NSHELP-30236 ]

  • The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced.

    HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds
    Type: DWORD

    By default, this registry value is not set or added. When the value of “SecureChannelResetTimeoutSeconds” is 0 or not added, the fix to handle the delay does not work, which is the default behavior. The admin has to set this registry value on the client to enable the fix (that is, to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).

    [ NSHELP-30189 ]

  • The Windows VPN client does not honor the ‘SSL close notify’ alert from the server and sends the transfer login request on the same connection.

    [ NSHELP-29675 ]

  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

    [ NSHELP-28551 ]

  • Sometimes, a user is logged out of NetScaler Gateway within a few seconds when the client idle timeout is set.

    [ NSHELP-28404 ]

  • VPN plug-in doesn’t establish tunnel after Windows logon, if the following conditions are met:

    • NetScaler Gateway appliance is configured for Always On feature
    • The appliance is configured for certificate based authentication with two factor authentication “off”

    [ NSHELP-23584 ]

  • Sometimes while browsing through schemas, the error message “Cannot read property ‘type’ of undefined” appears.

    [ NSHELP-21897 ]

  • In a NetScaler cluster setup, HDX Insight and Gateway Insight cannot be enabled simultaneously.

    [ CGOP-23570 ]

  • The Windows OS option is not listed in the Expression Editor drop-down list for pre-authentication policies and authentication actions on the NetScaler GUI. However, if you have already configured the Windows OS scan on a previous NetScaler build using the GUI or the CLI, the upgrade does not impact the functionality. You can use the CLI to make changes, if required.

    Workaround:

    Use the CLI commands for the configuration.

    • To configure advanced EPA action in nFactor authentication, use the following command.
      add authentication epaAction adv_win_scan -csecexpr "sys.client_expr(\"sys_0_WIN-OS_NAME_anyof_WIN-10[COMMENT: Windows OS]\")"
    • To configure a classic pre-authentication action, use the following commands.
      add aaa preauthenticationaction win_scan_action ALLOW
      add aaa preauthenticationpolicy win_scan_policy "CLIENT.SYSTEM('WIN-OS_NAME_anyof_WIN-10[COMMENT: Windows OS]') EXISTS" win_scan_action

    [ CGOP-22966 ]

  • If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to NetScaler Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

    [ CGOP-19355 ]

  • The Gateway Insight report incorrectly displays the value “Local” instead of “SAML” in the Authentication Type field for SAML error failures.

    [ CGOP-13584 ]

  • In a high availability setup, during NetScaler failover, SR count increments instead of the failover count in NetScaler ADM.

    [ CGOP-13511 ]

  • When an ICA connection is launched from a MAC receiver version 19.6.0.32 or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.

    [ CGOP-13494 ]

  • When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.

    [ CGOP-13493 ]

  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

    [ CGOP-13050 ]

  • The text “Home Page” in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]

  • An error message appears when you add or edit a session policy from the NetScaler GUI.

    [ CGOP-11830 ]

  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]

  • The serviceGroupName format in the entityofs trap for the service group is as follows:
    <service(group)name>?<ip/DBS>?<port>

    In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (“?”) is used as a separator. The NetScaler sends the trap with the question mark (“?”). The format appears the same in the NetScaler ADM GUI. This is the expected behavior.

    [ NSHELP-28080 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the “set urlfiltering parameter” command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the “TimeOfDayToUpdateDB” parameter.

    [ NSSWG-849 ]

  • AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.

    [ NSHELP-31836 ]

  • A NetScaler appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URL Filtering third-party vendor.

    [ NSHELP-22409 ]

Networking

  • In a NetScaler BLX appliance with DPDK support, tagged VLANs are not supported for DPDK Intel i350 NIC ports. This is a known issue in the DPDK driver.

    [ NSNET-25299 ]

  • A NetScaler BLX appliance with DPDK might fail to restart if all of the following conditions are met:

    • The NetScaler BLX appliance is allocated with a low number of “hugepages”. For example, 1G.
    • The NetScaler BLX appliance is allocated with a high number of worker-processes. For example, 28.

    The issue is logged as an error message in “/var/log/ns.log”:

    • “BLX-DPDK:DPDK Mempool could Not be Initialized for PE-x”

    Note: x is a number <= number of worker-processes.

    Workaround: Allocate a high number of “hugepages” and then restart the appliance.

    [ NSNET-25173 ]

  • A NetScaler BLX appliance in DPDK mode might take a little longer to restart because of the DPDK easiness functionality.

    [ NSNET-24449 ]

  • The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a NetScaler BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset

    [ NSNET-16559 ]

  • Installation of a NetScaler BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

    “The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable”

    Workaround: Run the following commands in the Linux host CLI before installing a NetScaler BLX appliance:

    • dpkg --add-architecture i386
    • apt-get update
    • apt-get install libc6:i386

    [ NSNET-14602 ]

  • In some cases of FTP data connections, the NetScaler appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

    [ NSNET-5233 ]

  • The NetScaler appliance might not generate “coldStart” SNMP trap messages after a cold restart.

    [ NSHELP-27917 ]

  • When an admin partition memory limit is changed in a NetScaler appliance, the TCP buffering memory limit gets automatically set to the admin partition's new memory limit.

    [ NSHELP-21082 ]

Platform

  • Some Python packages are not installed when you downgrade the NetScaler appliance from version 13.1-4.x or later to any of the following versions:

    • Any 11.1 build
    • 12.1-62.21 and earlier
    • 13.0-81.x and earlier

    [ NSPLAT-21691 ]

  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the “rm cloudprofile” command to delete the profile.

    [ NSPLAT-4520 ]

  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.

    [ NSPLAT-4451 ]

  • The NetScaler appliance crashes if VRID is bound to an LA channel that does not have member interfaces configured.

    Workaround: Configure the member interfaces for an LA channel before binding VRID to the LA channel.

    [ NSPLAT-26707 ]

Policies

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]

SSL

  • On a heterogeneous cluster of NetScaler SDX 22000 and NetScaler SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

    Workaround:

    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
    2. Save the configuration.

    [ NSSSL-9572 ]

  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]

  • You can create multiple Azure Application entities with the same client ID and client secret. The NetScaler appliance does not return an error.

    [ NSSSL-6213 ]

  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]

  • An incorrect warning message, “Warning: No usable ciphers configured on the SSL vserver/service,” appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]

  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

    [ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]

System

  • High RTT is observed for a TCP connection if the following conditions are met:

    • a high maximum congestion window (>4 MB) is set
    • TCP NILE algorithm is enabled

    For a NetScaler appliance to use the NILE algorithm for congestion control, the conditions must exceed the slow start threshold, which is coupled with the maximum congestion window.

    So, until the maximum configured congestion window is reached, the NetScaler continues to accept data and ends up with high RTT.

    [ NSHELP-31548 ]

  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

    [ NSHELP-21240 ]

  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

    [ NSHELP-10972 ]

  • In rare cases, streams that were created before the HTTP/2 WebSocket stream was created might get terminated when the WebSocket’s server-side connection closes.

    This issue occurs because the NetScaler appliance does not support connection multiplexing for HTTP/2 WebSocket.

    Workaround: Disable connection multiplexing for the related HTTP/2 profile by using the following command:

    “set httpProfile <name> [-conMultiplex ( ENABLED | DISABLED )]”

    [ NSBASE-17449 ]

  • In a cluster deployment, if you run the “force cluster sync” command on a non-CCO node, the ns.log file contains duplicate log entries.

    [ NSBASE-16304, NSGI-1293 ]

  • When you install NetScaler ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.

    Workaround: Reboot the Management pod.

    [ NSBASE-15556 ]

  • The client IP and server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.

    [ NSBASE-8506 ]

User Interface

  • In NetScaler GUI, the “Help” link present under the “Dashboard” tab is broken.

    [ NSUI-14752 ]

  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a cloudbridge connector.

    Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the NetScaler GUI or CLI.

    [ NSUI-13024 ]

  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.

    [ NSUI-6838 ]

  • In a high availability setup of NetScaler BLX appliances, the primary node might become unresponsive blocking any CLI or API request.

    Workaround: Restart the primary node.

    [ NSCONFIG-6601 ]

  • If you (system administrator) perform all the following steps on a NetScaler appliance, the system users might fail to log in to the downgraded NetScaler appliance.

    1. Upgrade the NetScaler appliance to one of the following builds:
      • 13.0 52.24 build
      • 12.1 57.18 build
      • 11.1 65.10 build
    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the NetScaler appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]

    Workaround: To fix this issue, use one of the following independent options:

    • If the NetScaler appliance is not yet downgraded (step 3 in the steps above), downgrade the NetScaler appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html.

    [ NSCONFIG-3188 ]
