Release Notes for Citrix ADC 13.1–9.60 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.1–9.60.


This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

What’s New

The enhancements and changes that are available in Build 13.1–9.60.

Bot Management

IPv6 protocol support for IP reputation

The Citrix Web App Firewall’s IP reputation feature now supports the IPv6 protocol for policy configuration and enhanced security protection from bad IP addresses that send unwanted requests.

The following threat categories are supported for the IPv6 protocol.

  • Spam Sources
  • Windows Exploits
  • Web Attacks
  • Botnets
  • Scanners
  • Denial of Service
  • Reputation
  • Phishing
  • Proxy
  • Network
  • Cloud Providers
  • Mobile Threats
  • Tor Proxy

[ NSBOT-585 ]

Webroot public cloud service provider categories for Bot Signatures

The Citrix bot detection based on IP reputation technique is enhanced to detect if an incoming client is a public cloud IP address. The IP reputation feature must be enabled with the configuration of the bot management feature. The Citrix ADC appliance can use the Webroot public cloud service provider categories to validate client IP address against the cloud service provider IP address database for policy evaluation.

Following are the public cloud types that can be bound to a bot profile.

  • AWS
  • GCP
  • Azure
  • Oracle
  • IBM
  • Salesforce

[ NSBOT-50 ]

Citrix ADC SDX Appliance

Support for restoring an SDX appliance with a pooled license

Support is added for restoring a Citrix ADC SDX appliance that is using a pooled license. The license page has also been enhanced. You can now add and modify licenses from that page.

For more information, see

[ NSSVM-4750 ]

Users can now edit the admin profiles, on a Citrix ADC SDX appliance, to apply the new credentials on ADC instances.

For more information, see

[ NSSVM-4409 ]

Logs from the factory partition are now included in the ‘techsupport’ bundle to capture any factory reset history.

[ NSSVM-2190 ]

Citrix Gateway

EPA scan for whitelisted MAC addresses

You can configure an EPA scan for whitelisted MAC addresses without having to list all the IP addresses in the expression. Instead, you can use pattern sets for this configuration. Prior to Citrix ADC release 13.1, all the whitelisted MAC addresses had to be specified as part of an EPA expression.

[ CGOP-17928 ]

Citrix Web App Firewall

Support for additional security protection

Two new relaxation counters are added to support the following additional security checks. The data is used for tracking stale relaxations in the configuration.

  • Content-type protection
  • JSON Cmd Injection protection

[ NSWAF-6950 ]


New bandwidth and subscription-based local licenses for Citrix ADC BLX appliances

The following bandwidth-based subscription-based local licenses are now available for Citrix ADC BLX appliances.

  • Citrix ADC VPX/BLX Subscription 10 Mbps Standard, Advanced, Premium Edition
  • Citrix ADC VPX/BLX Subscription 100 Gbps Standard, Advanced, Premium Edition

For more information, see

[ NSNET-21527 ]

Metric collector support in Citrix ADX BLX appliances

Citrix ADX BLX appliances now support the Citrix ADC metrics collector feature.

[ NSNET-15095 ]


Support for Citrix ADC VPX configurations at the first boot of the Citrix ADC appliance on the VMware ESX hypervisor

You can now apply the Citrix ADC VPX configurations during the first boot of the Citrix ADC appliance on the VMware ESX hypervisor. Thereby in certain cases, a specific setup or VPX instance is brought up in much lesser time.

For more information, see

[ NSPLAT-21021 ]

VMware ESX 7.0 update 1d support on Citrix ADC VPX instance

The Citrix ADC VPX instance now supports the VMware ESX version 7.0 update 1d (Build 17551050).

[ NSPLAT-19667 ]


Policy Expression to Return URL Path with Suffix Stripped

The Citrix ADC now supports a new policy expression, HTTP.REQ.URL.STRIP_SUFFIX that returns the URL path with the suffix stripped.


URL: /testsite/file5.html

HTTP.REQ.URL.STRIP_SUFFIX returns the text as /testsite/file5

[ NSPOLICY-825 ]


Multipath TCP version 1 support

The Citrix ADC appliance now supports Multipath TCP (MPTCP) version 1 in addition to the existing support for MPTCP version 0. The MPTCP version 1 support is compliant with RFC 8684.

For more information, see

[ NSBASE-9237 ]

Support for gRPC health monitor

A Citrix ADC appliance now supports a gRPC health monitor for probing the server for gRPC health status. The gRPC health monitor checks the overall health of the gRPC service or the health of a particular service.

The health check protocol is implemented by configuring gRPC parameters, gRPCHealthCheck, gRPCStatusCode, and gRPCServiceName in the HTTP2 monitor configuration. A client implementing the protocol queries the server for its status (healthy, not healthy, unknown, or service not implemented) and the server responds with a status message.

[ NSBASE-6455 ]

User Interface

Citrix ADC BLX check-in and check-out licensing

You can allocate licenses to Citrix ADC BLX appliances on-demand from Citrix Application Delivery Management (ADM). The ADM software stores and manages the licenses, which have a licensing framework that provides scalable and automated license provisioning.

A Citrix ADC BLX appliance can check out the license from the Citrix ADM when a Citrix ADC BLX appliance is deployed. When a Citrix ADC BLX appliance is removed or destroyed, the appliance checks back its license to the Citrix ADM software.

For more information, see

[ NSCONFIG-5777 ]

Usage of NITRO automation tools

Citrix ADM service connect now captures the usage of automation tools like such as Ansible, Terraform, or NITRO SDK.

[ NSCONFIG-4515 ]

Fixed Issues

The issues that are addressed in Build 13.1–9.60.

Authentication, authorization, and auditing

A Citrix ADC appliance might crash if the following conditions are met.

  1. The appliance is under memory pressure.
  2. Audit logging is enabled and set as INFO level.
  3. User authentication is in progress.

[ NSHELP-29053 ]

If a Citrix ADC appliance is configured for the SameSite cookie attribute and the Domain attribute for authentication, the authentication fails. This happens because the SameSite cookie attribute value and the Domain attribute are not separated by a semicolon.

[ NSHELP-28971 ]

A Citrix ADC appliance may crash if the following conditions are met.

  1. The appliance is under memory pressure.
  2. SAML is configured as one of the authentication methods.

[ NSHELP-28855 ]

An incorrect logout (/cgi/tmlogout) URL is returned when a VPN virtual server is configured as SAML SP. The issue happens because the incorrect logout URL is generated in the SAML metadata.

[ NSHELP-28726 ]

In some cases, in a multicore environment, a client browser fails to access the resources behind an Authentication, authorization, and auditing-TM virtual server.

[ NSHELP-28474 ]

In a Citrix ADC high availability setup, some authentications commands are displayed during CLI configuration as a result of a syncing issue.

[ NSHELP-28448 ]

If form SSO is enabled, the Citrix ADC appliance responds to a credential request from the back-end server by adding a form along with the content-type header. This addition leads to duplicate headers if one is already present.

[ NSHELP-28405 ]

The Citrix ADC appliance throws a server validation error if DualAuthOrPush.xml login schema is used.

[ NSHELP-28063 ]

SameSite cookie attributes are not added to the authentication cookies if a Citrix ADC appliance is configured for 401-based authentication.

[ NSHELP-27764 ]

In some cases, invalid credentials error message is displayed during the RADIUS authentication process. The error is seen when the Citrix ADC appliance is accessed from a client device using the Google Chrome browser.

[ NSHELP-27113 ]

The Citrix ADC appliance might crash during active directory group extraction if the distinguished name of an extracted group is NULL.

[ NSHELP-26899 ]

Incorrect SSO domain name is populated for logged in user if Authentication, authorization, and auditing.USER.DOMAIN is used in the expression.

[ NSHELP-26443 ]

In some cases, an NSB leak is observed in a Citrix ADC appliance when the SSO functionality is used with a proxy server.

[ NSHELP-25492 ]


An extra header information is sent in the cache response if the insertAge parameter is enabled in the set cache contentGroup command.

[ NSHELP-27772 ]

A Citrix ADC appliance might crash if the Max_age and s_maxage parameter values are not set dynamic in the cache control block.

[ NSHELP-27758 ]

A Citrix ADC appliance might crash if the following conditions are met:

  • Appliance is serving content from its integrated cache.
  • Cached content is revalidated.
  • New request comes to ADC from different client for the same cached object.

[ NSHELP-22596 ]

Citrix ADC SDX Appliance

On a Citrix ADC SDX appliance, the System is not under grace alarm is continuously generated instead of only once when the SDX license is not under the grace period.

[ NSHELP-28740 ]

The Management Service on a Citrix ADC SDX appliance displays the interface speed for SNMP managers in Kbps/Mbps instead of bits per second.

[ NSHELP-28724 ]

Community strings of SNMP v2 trap destinations are masked on a Citrix ADC SDX appliance.

[ NSHELP-28625 ]

On a Citrix ADC SDX appliance, you can modify the throughput of a VPX instance even after the pooled license grace period (30 days).

[ NSHELP-28553 ]

Due to an upgrade in the Python version, loading the Python SDK of the Management Service might fail due to syntax errors.

[ NSHELP-27897 ]

On a Citrix ADC SDX appliance, the default value for raising the alarm on Hypervisor Disk Usage High is increased to 98%.

[ NSHELP-27854 ]

On a Citrix ADC SDX appliance, an interface that is part of a management channel is displayed along with the management channel if the following sequence of conditions is met:

  1. The VPX instance is part of a cluster.
  2. The management channel is created.

[ NSHELP-27487 ]

Citrix Gateway

The SSL VPN license bits are not set for VPX on the GCP Marketplace. As a result, Marketplace subscribers can’t use SSL VPN on GCP.

[ NSHELP-29107 ]

A Citrix ADC appliance might crash while processing the UDP traffic.

[ NSHELP-28802 ]

The Citrix ADC appliance might crash during the VPN logon if an AppFlow policy with the HTTP rule is bound to a Citrix Gateway.

[ NSHELP-28705 ]

The Citrix Gateway logon page might fail to load for 3G/tethered users.

[ NSHELP-28367 ]

In a rare case, the Citrix Gateway appliance might crash during transfer login when a freed session is accessed.

[ NSHELP-28022 ]

The Citrix ADC appliance crashes while processing the incoming Encapsulating Security Payload (ESP) traffic and the security association (SA) is not found.

[ NSHELP-27991 ]

You might observe issues with transfer login if SAML is configured as the last factor in nFactor authentication and classic EPA is also configured.

[ NSHELP-27983 ]

The Citrix ADC appliance might crash if both of the following conditions are met.

  • The appliance is deployed for ICA Proxy mode.
  • Gateway Insight feature for ICA flow is enabled.

[ NSHELP-27982 ]

In rare cases, the Citrix Gateway portal page does not display the Download button for the EPA plug-in on the Internet Explorer browser.

[ NSHELP-27849 ]

The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.

[ NSHELP-27570 ]

A Citrix ADC appliance might crash while processing the UDP traffic.

[ NSHELP-27536 ]

The personal bookmarks file of users cannot be copied from one Citrix Gateway appliance to another appliance.

[ NSHELP-27389 ]

The Citrix Gateway appliance might crash if an unknown VPN client option is set in the session policy.

[ NSHELP-27380 ]

Sometimes, the Citrix Gateway appliance might crash when accessing an invalid memory location.

[ NSHELP-27343 ]

The Citrix Gateway appliance reboots unexpectedly because of flooding of SSL VPN log messages in the local ns.log file when Gateway Insight is enabled.

[ NSHELP-27040 ]

The Citrix Gateway portal localization is not compatible with the Internet Explorer browser.

[ NSHELP-26822 ]

The Citrix Gateway GUI displays the message Invalid IP or Port when editing a VPN session profile.

[ NSHELP-26722 ]

The show audit messages output does not display the latest logs if you modify the syslog server in the global syslog parameters.

[ NSHELP-19430 ]

Citrix Web App Firewall

The Citrix Web App Firewall learning engine learns the field format rules only when a violation is observed.

[ NSWAF-7677 ]

A Citrix ADC appliance might crash if the following conditions are met:

  • Web App Firewall cookie proxy is enabled.
  • The session cookie and persistent cookie have the same name.

[ NSHELP-28181 ]

Load Balancing

If the parameter values of user monitor and built-in monitor related commands have a space in between the text, the parameter value gets truncated and the text following the space is ignored.


add lb monitor ftp_user USER -scriptName -scriptArgs `file=test.txt;username=NS user;password=test123` -dispatcherIP -dispatcherPort 3013`

In this example, the user name is set as NS user but only NS is sent and the text after it is truncated because of the space.

[ NSLB-8915 ]

The VPX primary and secondary sites crashed after configuring the GSLB service group with Autoscale enabled.

[ NSHELP-28530 ]

A Citrix ADC appliance in an HA setup loses connectivity because the NSB memory isn’t freed after sending the HTTP response during the HTTP probe monitoring.

[ NSHELP-28466 ]

Sometimes in a multi-PE system, the domain-based groups don’t recover to the UP state after a few failures in the system. This issue is due to a race condition between the CLI and internal monitors.

[ NSHELP-27965 ]

In some cases, a Citrix ADC appliance might crash when the show running configuration command is issued.

[ NSHELP-27815 ]

In a cluster setup, when one or more nodes go to DOWN state, the backup node might fail to join the cluster node group. This failure causes some Citrix ADC features to fail.

[ NSHELP-27664 ]

A Citrix ADC appliance might not insert an appropriate packet identifier in the responses, when pipelined RADIUS requests are received. Due to this issue, the client receives an invalid response.

[ NSHELP-27391 ]

The GSLB configuration might be partially lost if the following conditions are met:

  • The Citrix ADC appliance is rebooted.
  • The ADNS service is configured with the same IP address as of the remote GSLB site.

[ NSHELP-26816 ]

When a large number of GSLB services are configured on multiple GSLB sites that have high network latency, GSLB services status might fail to get updated on the remote GSLB site.

[ NSHELP-23799 ]


The add URLF categorization command fails to update the database resulting in an internal error.

[ NSSWG-1315 ]

The Citrix ADC appliance might crash after resuming processing if the following conditions are met:

  • SSL forward proxy feature is used.
  • Protocol information for an SSL forward proxy request is received in multiple asynchronous packets. The appliance pauses the packet processing and resumes it after receiving all the protocol details for the request.

[ NSHELP-28447 ]

When an inline device sends a custom message followed by a reset, the Citrix ADC appliance resets the connection before forwarding the inline-device response to the client.

[ NSHELP-27676 ]


The Citrix ADC VPX instance might crash when the following conditions are met:

  • A high number of FTP data connections are present.
  • A failover happens on the Citrix ADC appliance.
  • A client or server side NATPCB connection is cleared out.

[ NSHELP-27816 ]

In a high availability setup, the dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

  • A dynamic routing enabled SNIP address is bound to the shared VLAN in a non-default partition.

As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in a non-default partition

[ NSHELP-24000 ]


The Citrix ADC VPX instance in the AWS cloud crashes during the warm reboot of the Citrix ADC appliance.

[ NSPLAT-21979 ]

A Citrix ADC VPX instance with the software version 13.1 build 4.43 doesn’t support the C5n family of instances in the AWS cloud.

[ NSPLAT-21451 ]

On the Citrix ADC VPX instance on the Azure cloud and on the Microsoft Hyper-V server, in certain situations, congestion packet drops can occur on the transmit side of the Hyper-V virtual interface. These packet drops can stall the transmits from the Citrix ADC appliance.

[ NSHELP-28375 ]

On the Citrix ADC MPX 5900 and MPX 8900 platforms, an incorrect platform number appears on the LCD screen.

[ NSHELP-28207 ]

The status of the SDX platform appears as UNKNOWN in the LOM console. This is only a display issue and has no functional impact.

[ NSHELP-20009 ]


A Citrix ADC might crash if the FIX service type is used in Layer 2 and Layer 3 mode.

[ NSHELP-28468 ]

A Citrix ADC appliance might crash if the MATCHES() expression is used in the non-TCP-based protocol.

[ NSHELP-26062 ]


Adding a certificate-key pair might fail due to a memory allocation failure. As a result, the CA certificate-key pair lookup fails and the appliance crashes.

[ NSHELP-28197 ]

SSL handshake renegotiation might fail on Citrix ADC MPX platforms, if asynchronous policies are configured on the SSL virtual server.

[ NSHELP-27870 ]

The Citrix ADC appliance does not accept an OCSP response if it does not have the content length HTTP header.

[ NSHELP-27039 ]

The CA certificate name that issued the CRL is truncated to 32 characters, even though a certificate-key name can be up to 64 characters. This issue occurs because the CRL field has a limit of 32 characters.

[ NSHELP-26986 ]

On a Citrix ADC MPX/SDX 14000 FIPS appliance, you might see memory leaks when using the EDT configuration with an EDT datagram size > 1 K.

[ NSHELP-25375 ]


When a Citrix ADC instance is registered on Citrix ADM, port allocation errors are seen in the ADC counters.

[ NSHELP-28779 ]

After an upgrade to Citrix ADC version 13.0 build 64-x and later, too many warning logs with a message, Unexpected data received from the server on probe connection for SSL_BRIDGE service type - Server. is received.

[ NSHELP-28656 ]

A Citrix ADC appliance running release 13.0 build 82.x and later might crash, if ns mode pmtud is enabled and partitions are used.

[ NSHELP-28068 ]

If the header size received is greater than the maximum header table size, the appliance resets the table size as zero. As a result, HTTP2 requests fail after a few requests.

[ NSHELP-27977 ]

The AppFlow collector pointer referenced by the analytics profile is corrupted.

[ NSHELP-27924 ]

If ADM has pending transactions in the queue, it reports randomly a critical alert for high memory usage.

[ NSHELP-27913 ]

TCP zombie timeout flushes active server or client connections because of the half-close timeout on the faster side of the connection.

[ NSHELP-27502 ]

The connection chaining TCP option gets added to the Citrix ADC RPC connections. The issue causes an interoperability issue with GSLB sites communication.

[ NSHELP-27417 ]

Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

[ NSHELP-27410 ]

A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

[ NSHELP-27179 ]

The NSWL client occasionally logs data multiple times from the packet engine (PE-0), whereas, logs from other packet engines are skipped.

[ NSHELP-27138 ]

A Citrix ADC appliance might crash if the following conditions are met:

  • When handling Logstream metadata records.
  • AppFlow feature is enabled.

[ NSHELP-26942 ]

A mismatch in Logstream records is observed in the Citrix ADC appliance and the data loader.

[ NSHELP-25796 ]

User Interface

For a virtual server, when you edit any parameter under Traffic Settings in the Citrix ADC GUI (version 13.1 build 4.43), the following error message appears:

Invalid argument [pq]

[ NSHELP-29492 ]

The following issue is observed if any operation is performed that reads the ns.conf file. For example, show ns saved config.

  • The HTTPD process might freeze causing the GUI and NITRO API to become inaccessible.

[ NSHELP-28249 ]

When you deselect the secure option for an RPC node in the ADC GUI, the following error message appears:

Argument pre-requisite missing [validateCert, secure==YES]

[ NSHELP-28239 ]

In a cluster setup, singleton or global entities with two or more passwords might fail on a node during a config synchronization process because of the following reason:

  • If the first password in the sequence is skipped, the subsequent password decryption fails on the synchronizing node. The decryption fails because it looks for the CCOs local key, which is not present on the synchronizing node.

[ NSHELP-28035 ]

After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail because of the following reason:

  • Both ssh_host_rsa_key private and public keys are an incorrect pair.

[ NSHELP-27834 ]

In a high availability setup, a Citrix ADC appliance might crash during a system user authentication process, if the following condition is met:

  • The password hash computation takes more time to miss five heartbeats.

[ NSHELP-27066 ]

Load balancing server statistics details are misaligned in the Citrix ADC GUI dashboard.

[ NSHELP-20752 ]

Unbinding the rate-limiting URL from a bot profile results in an internal database error.

[ NSCONFIG-6231 ]

The Citrix ADC appliance incorrectly returns Zero for some of the GSLB and statistics parameters in the NITRO API calls.

[ NSCONFIG-6104 ]

A Citrix ADC appliance enabled in CLI color mode, displays the CLI success text messages in white color instead of showing it in green color.

[ NSCONFIG-5689 ]

If a Citrix ADC BLX appliance is licensed using Citrix ADM, licensing might fail after upgrading the appliance to release 13.0 build 83.x.

[ NSCONFIG-4834 ]

Video Optimization

A Citrix ADC appliance might crash because of memory allocation failure with the video optimization feature enabled.

[ NSHELP-28752 ]

Known Issues

The issues that exist in release 13.1–9.60.


HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.


Authentication, authorization, and auditing

In rare cases, the Citrix ADC appliance might crash due to an incorrect log position.

[ NSHELP-29267 ]

The Authentication, authorization, and auditing.USER.ATTRIBUTE expression might give an empty value in a multi-core Citrix ADC appliance when the user password is changed on expiry.

[ NSHELP-28419 ]

In some cases, memory leak is observed in a Citrix ADC appliance if the SSO functionality is used with a proxy server.

[ NSHELP-27744 ]

The Citrix ADC appliance crashes if both of the following conditions are met.

  • Email OTP is configured
  • Email server does not respond or there is a network issue with the email server

[ NSHELP-26137 ]

A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

[ NSHELP-563 ]

The DualAuthPushOrOTP.xml LoginSchema does not appear correctly in the login schema editor screen of the Citrix ADC GUI.

[ NSAUTH-6106 ]

ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command. show adfsproxyprofile <profile name>


Connect to the primary active Citrix ADC in the cluster and run the show adfsproxyprofile <profile name> command. It would display the proxy profile status.

[ NSAUTH-5916 ]

The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:

  • The Test LDAP Reachability option is opened.
  • Invalid login credentials are populated and submitted.
  • Valid login credentials are populated and submitted.


Close and open the Test LDAP Reachability option.

[ NSAUTH-2147 ]


A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

[ NSHELP-22942 ]

Call Home

Call Home registration might fail for Citrix ADC MPX appliances using pooled licensing. The registration fails because Call Home uses an incorrect serial number for registering the appliances with the Citrix Support Server.

[ NSHELP-28667 ]

Citrix ADC SDX Appliance

On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

[ NSSVM-4333 ]

On a Citrix ADC SDX appliance, the Management Service does not send syslog or email notifications if the power supply, voltage, or disk failures occur more than once.

[ NSHELP-29443 ]

Citrix Gateway

When split tunnel is set to Reverse, DNS resolution for the intranet domains fails.

[ NSHELP-29371 ]

In a high availability setup with TCP SYSLOG configuration, a node might crash during HA failover or during clear config operation.

[ NSHELP-29251 ]

In the Citrix Gateway portal page, the RDP proxy link icon does not change with the RfWebUI portal theme.

[ NSHELP-28974 ]

In some cases, the server validation code fails when the server certificate is trusted. As a result, end users cannot access the gateway.

[ NSHELP-28942 ]

Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection.

[ NSHELP-28848 ]

After you upgrade the Citrix Gateway appliance to version 13.0, the proxy configuration in a session profile does not work as intended. The Proxy connection is bypassed for non-HTTP NS proxy configured.

Example: add vpn sessionAction-proxy NS -httpProxy -sslProxy

In this example, -httpProxy works as intended but -sslProxy does not work.

[ NSHELP-28640 ]

Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

[ NSHELP-28551 ]

Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

[ NSHELP-28404 ]

The Windows plug-in might crash during authentication.

[ NSHELP-28394 ]

Access to StoreFront through a VPN virtual server fails if StoreFront is accessed through a backup load balancing virtual server.

[ NSHELP-27852 ]

The Citrix Gateway appliance might crash when reconnecting to an existing ICA session.

[ NSHELP-27441 ]

You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

With this fix, you can now unbind the authorization policy by using the GUI.

[ NSHELP-27064 ]

The Citrix ADC appliance crashes if either of the following conditions occur:

  • The syslog action is configured with the domain name and you clear the configuration by using the GUI or the CLI.
  • High availability synchronization happens on the secondary node.


Create syslog action with syslog server’s IP address instead of syslog server’s domain name.

[ NSHELP-25944 ]

In a high availability setup, VPN user sessions get disconnected if the following condition is met:

  • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.


Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

[ NSHELP-25598 ]

EPA plug-in for Windows does not use the local machine’s configured proxy and connects directly to the gateway server.

[ NSHELP-24848 ]

The Gateway Insight does not display accurate information on the VPN users.

[ NSHELP-23937 ]

VPN plug-in doesn’t establish tunnel after Windows logon, if the following conditions are met:

  • Citrix Gateway appliance is configured for Always On feature
  • The appliance is configured for certificate based authentication with two factor authentication off

[ NSHELP-23584 ]

Sometimes while browsing through schemas, the error message Cannot read property 'type' of undefined appears.

[ NSHELP-21897 ]

If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to apply the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

[ CGOP-19355 ]

Application launch failure due to an invalid STA ticket is not reported in Gateway Insight.

[ CGOP-13621 ]

The Gateway Insight report incorrectly displays the value Local instead of SAML in the Authentication Type field for SAML error failures.

[ CGOP-13584 ]

In a high availability setup, during the Citrix ADC failover, the SR count increments instead of the failover count in Citrix ADM.

[ CGOP-13511 ]

While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

[ CGOP-13050 ]

The text Home Page in the Citrix SSO app > Home page is truncated for some languages.

[ CGOP-13049 ]

An error message appears when you add or edit a session policy from the Citrix ADC GUI.

[ CGOP-11830 ]

In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

[ CGOP-7269 ]

In a cluster deployment, if you run force cluster sync command on a non-CCO node, the ns.log file contains duplicate log entries.

[ CGOP-6794 ]

Citrix Web App Firewall

The bot device fingerprint post URL might fail if the bot management policy is enabled on a load balancing virtual server of type SSL.

[ NSHELP-29198 ]

A Citrix ADC appliance might crash if the following modules are enabled:

  • Web App Firewall with advanced security checks.
  • Appqoe.

[ NSHELP-28251 ]

Load Balancing

In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

[ NSLB-7679 ]

Incremental synchronization fails for the add dns action and add location commands with policy expressions that contain wildcards.

[ NSHELP-29301 ]

The state of the service group displayed in the show and stat commands is inconsistent.

[ NSHELP-28931 ]

If a ZONE type DNS record is available for the parent domain, query for the child domain with an existing NS record results in parent domain SOA record instead of child domain NS record.

[ NSHELP-28793 ]

The serviceGroupName format in the entityofs trap for the service group is as follows: <service(group)name>?<ip/DBS>?<port>

In the trap format, the service group is identified by an IP address or a DBS name and port. The question mark (?) is used as a separator. The Citrix ADC sends the trap with the question mark (?). The format appears the same in the Citrix ADM GUI. This is the expected behavior.

[ NSHELP-28080 ]


When a forced synchronization takes place in a high availability setup, the appliance runs the set urlfiltering parameter command in the secondary node. As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the TimeOfDayToUpdateDB parameter.

[ NSSWG-849 ]

Citrix ADC CPX instance, running on a Linux system with 64-bit architecture and 1 TB of file storage, can load certificate and key files now.

[ NSHELP-28986 ]

A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URL Filtering third party vendor.

[ NSHELP-22409 ]


A Citrix ADC appliance might crash if all of the following conditions are met:

  • A load balancing route is configured in a traffic domain on the appliance.
  • A clear config operation is performed on the appliance.

[ NSNET-23847 ]

After an upgrade from Citrix ADC BLX appliance 13.0 61.x build to 13.0 64.x build, settings on the BLX configuration file are lost. The BLX configuration file is then reset to default.

[ NSNET-17625 ]

The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:

  • Disable
  • Enable
  • Reset

[ NSNET-16559 ]

On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file (/etc/blx/blx.conf) settings. This issue occurs because mawk, which is present by default on Debian based Linux systems, does not run some of the awk commands present in the blx.conf file.


Install gawk before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install gawk:

  • apt-get install gawk

[ NSNET-14603 ]

Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable


Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

  • dpkg --add-architecture i386
  • apt-get update
  • apt-get dist-upgrade
  • apt-get install libc6:i386

[ NSNET-14602 ]

In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

[ NSNET-5233 ]

In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

  • The LSN module does not find the service while decrementing the reference count or deleting the service.

[ NSHELP-29134 ]

When an admin partition memory limit is changed in the Citrix ADC appliance, the TCP buffering memory limit gets automatically set to the admin partition new memory limit.

[ NSHELP-21082 ]


The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:

  1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
  2. Then, you reboot the Citrix ADC appliance.

[ NSPLAT-22013 ]

When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

  • 13.1-4.x
  • 13.0–82.31 and later
  • 12.1–62.21 and later

The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

  • Any 11.1 build
  • 12.1–62.21 and earlier
  • 13.0-81.x and earlier

[ NSPLAT-21691 ]

Provisioning a VPX instance with version 12.0 XVA fails on a Citrix ADC SDX appliance running version 13.1.

Only VPX versions 12.1 and later are supported. Upgrade the VPX version before upgrading the SBI to version 13.1.

[ NSPLAT-21442 ]

In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You add another VPX instance to the cluster and CLAG setup.

As a result, traffic to the VPX instance stops.

[ NSPLAT-21049 ]

In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch on the CLIP and MAC table, if the following conditions are met:

  • The CLAG is created on a Mellanox NIC.
  • You remove the second node from the cluster.

[ NSPLAT-21042 ]

When you delete an Autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the rm cloudprofile command to delete the profile.

[ NSPLAT-4520 ]

In a high availability setup on Azure, upon logon to the secondary node through the GUI, the first-time user (FTU) screen for Autoscale cloud profile configuration appears. Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile must be always configured on the primary node.

[ NSPLAT-4451 ]

The Citrix ADC VPX instances that use the VMXNET3 driver might randomly crash if the instance is running on one of the following Citrix ADC builds:

  • Citrix ADC 13.1 build 4.x
  • Citrix ADC 13.1 build 9.x

[ NSHELP-29120 ]


Connections might hang if the size of processing data is more than the configured default TCP buffer size.Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.

[ NSPOLICY-1267 ]


On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.


  1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, set ssl vserver <name> -SSL3 DISABLED.
  2. Save the configuration.

[ NSSSL-9572 ]

You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

[ NSSSL-6478 ]

You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

[ NSSSL-6213 ]

The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type. ERROR: crl refresh disabled

[ NSSSL-6106 ]

Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

[ NSSSL-4427 ]

An incorrect warning message, Warning: No usable ciphers configured on the SSL vserver/service, appears if you try to change the SSL protocol or cipher in the SSL profile.

[ NSSSL-4001 ]

An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

[ NSSSL-3184 ]

In a high availability setup, the certificate type is not synchronized correctly between the primary and secondary nodes.

[ NSHELP-27589 ]


When a Citrix ADC appliance receives an HTTP/2 GOWAY frame from a client, it incorrectly resets all streams with stream ID greater than the promised ID (last peer initiated stream identifier).

[ NSHELP-29328 ]

The X-Forwarder header is not added to some requests sent from the Citrix ADC appliance to the back-end server.

[ NSHELP-29142 ]

A Citrix ADC appliance crashes if the following conditions are met:

  • The client-side measurements option is enabled on the AppFlow action.
  • The chunk headers fall on the packet boundary.

[ NSHELP-29049 ]

In a high availability setup, HA synchronization of admin partition configurations fails on the secondary node because of the following reason:

  • Low memory issues caused because of huge config loads on the secondary node

[ NSHELP-28409 ]

In a TCP connection, the Citrix ADC appliance might drop a FIN packet, received from a server, instead of forwarding it to the client if all of the following conditions are met:

  • TCP buffering is enabled.
  • The server sends the FIN packet and the data packet separately.

[ NSHELP-27274 ]

Pitboss failure occurs when looping a large number of packets in the retransmission queue.

[ NSHELP-26071 ]

The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

[ NSHELP-21240 ]

The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

[ NSHELP-10972 ]

In a Citrix ADC appliance with admin partitions, nstrace utility might not run properly in a non-default partition

[ NSBASE-15738 ]

When processing large streams of gRPC traffic, the TCP advertised window increases exponentially leading to high memory usage.

[ NSBASE-15447 ]

Client IP and Server IP are inverted in the HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

[ NSBASE-8506 ]

User Interface

In the Citrix ADC GUI, the Help link present under the Dashboard tab is broken.

[ NSUI-14752 ]

Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.


Configure cloudbridge connectors by adding IPsec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

[ NSUI-13024 ]

If you create an ECDSA key by using the GUI, the type of curve is not displayed.

[ NSUI-6838 ]

While configuring or checking SSL certificates using the Citrix ADC GUI, the error Directory doesn't exist might appear. This issue occurs when a file name with two consecutive dots (..) exists in the SSL folder /nsconfig/ssl.


Delete or move these files from the /nsconfig/ssl folder.

[ NSHELP-28589 ]

In a high availability setup, HA synchronization might fail for a built-in policy pattern set binding, if the built-in policy pattern set was modified on the primary node.

[ NSHELP-28460 ]

When the user tries to change the page size of a list in the side panel views, the page gets distorted.

[ NSHELP-28220 ]

Ping or ping6 command with interface (-I) option might fail with the following error:

  • interface option not supported

[ NSHELP-26962 ]

Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

[ NSHELP-20988 ]

When you downgrade a Citrix ADC appliance version 13.0-71.x to an earlier build, some NITRO APIs might not work because of the file permission changes.


Change permission for /nsconfig/ns.conf to 644.

[ NSCONFIG-4628 ]

If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

  1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build
  2. Add a system user, or change the password of an existing system user, and save the configuration, and
  3. Downgrade the Citrix ADC appliance to any older build.

To display the list of these system users by using the CLI: At the command prompt, type:

query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]


To fix this issue, use one of the following independent options:

  • If the Citrix ADC appliance is not yet downgraded (step 3 in the earlier mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
  • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
  • If none of the above options work, a system administrator can reset the system user passwords.

For more information, see

[ NSCONFIG-3188 ]

Release Notes for Citrix ADC 13.1–9.60 Release