Release Notes for Citrix ADC 12.1-56.22 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the Citrix ADC release Build 12.1-56.22.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

What's New

The enhancements and changes that are available in Build 12.1-56.22.

Authentication, authorization, and auditing

  • Title: Encryption of Citrix Gateway login information for nFactor authentication

    Citrix Gateway with nFactor authentication can encrypt the login request fields submitted by a client (browser or SSO apps) during the authentication process. The encrypted login request fields provide an extra layer of security to protect the user's sensitive data from being disclosed.

    For details, see https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/multi-factor-nfactor-authentication.html
    [ NSHELP-19554 ]

Load Balancing

  • Title: Support to configure the ADC generated cookie attributes

    For Citrix ADC deployments, support is now added to insert additional cookie attributes to the cookies generated by Citrix ADC appliance. These additional cookie attributes help in enforcing the required policies for the ADC generated cookies based on the application access pattern.

    This feature can be used to prevent issues that can occur because of the Google Chrome upgrade (Google Chrome 80).

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/insert-cookie-attributes.html
    [ NSLB-6068 ]

Platform

  • Title: Support for Intel X722 10G NIC on the Linux-KVM platform

    A Citrix ADC VPX instance on the Linux-KVM platform now supports Intel X722 10G SR-IOV network interfaces.
    [ NSPLAT-13197 ]
  • Title: Option to enable or disable dom0 access
    You can now enable or disable access to SDX Control Domain (dom0). With dom0 access, a user can directly access the SDX appliance and also change the configuration. Previously, dom0 access was enabled by default. Upon upgrade to 12.1 56/13.0 xx from previous release, dom0 access will be disabled.
    To enable dom0 access, from the SDX GUI, navigate to System > Network Configuration. Under Appliance Supportability, check the Configure Appliance Supportability box.
    [ NSPLAT-11065 ]

Fixed Issues

The issues that are addressed in Build 12.1-56.22.

AppFlow

  • In a Citrix Gateway high availability setup, the appliance might crash if Gateway Insight is enabled.
    [ NSINSIGHT-2147 ]
  • Application launch failure records are not displayed in Citrix ADM if launch failure is due to DNS lookup failure on Citrix ADC.
    [ NSINSIGHT-1046 ]

Authentication, authorization, and auditing

  • Citrix ADC deployed as SAML SP might show a local logout page after user initiates the logout process.
    [ NSHELP-22067 ]
  • A Citrix ADC appliance skips considering further groups for a user in the following conditions:
    - A user is a direct member of the nested group.
    - A user is already a member of previous level groups.
    [ NSHELP-21945 ]
  • In a Citrix ADC high availability and cluster setup, a delay in freeing the memory space causes memory usage to pile up.
    [ NSHELP-21917 ]
  • A Citrix ADC appliance might dump core upon receiving a RESET command from the client while the appliance is handling VPN traffic requests.
    [ NSHELP-21817 ]
  • Form based SSO fails if the FORMSSO policies contain empty name-value pair for DYNAMIC FORMSSO.
    [ NSHELP-21753 ]
  • A Citrix ADC appliance might crash during audit logging if the user authentication is prompted with an extra sign-in request such as a password change or a RADIUS challenge.
    [ NSHELP-21703 ]
  • A Citrix Gateway appliance configured as SAML IdP for Workspace login might occasionally return an HTTP 404 error during logout.
    [ NSHELP-21650 ]
  • A Citrix ADC appliance might crash with StoreFront AuthAction if the following conditions are met:
    - Password is changed post the expiry date.
    - Authentication is attempted from non-nFactor old VPN clients.
    [ NSHELP-21555 ]
  • The "saml:AttributeValue" tag is missing from the SAML assertion whenever "ns_saml_disable_comma_sep_attr_res nsapimgr" knob is enabled.
    [ NSHELP-21552 ]
  • A Citrix ADC appliance deployed for cross-domain Kerberos might fail to perform SSO if the kcdAccount parameter is configured using a keytab file.
    [ NSHELP-21406 ]
  • A Citrix ADC appliance configured as a forward proxy does not allow NTLM authentication with HTTP 1.0 clients.
    [ NSHELP-21349 ]
  • In rare cases, a Citrix Gateway appliance might crash when an invalid HTTP packet is received.
    [ NSHELP-21342 ]
  • When Citrix ADC is deployed as IdP for Citrix Workspace, users are not able to log on to Citrix Workspace.
    [ NSHELP-21324 ]
  • Full VPN does not work if the following conditions are met:

    - A Citrix ADC appliance is configured for nFactor authentication with SAML authentication being the last factor of authentication.
    - The appliance is bound to the RfWebUI portal theme.
    [ NSHELP-21157 ]
  • If Citrix ADC is configured for forms based SSO, and name-value pairs are specified in the configuration, these values are ignored if the values are absent in the form.
    [ NSHELP-21139 ]
  • In rare cases, nFactor log on fails if both of the following conditions are met:
    - Citrix ADC appliance is configured for certificate authentication with a fallback to LDAP.
    - The certificate authentication fails.
    [ NSHELP-21118 ]
  • A Citrix ADC appliance deployed as SAML might occasionally fail to perform SAML based logout.
    [ NSHELP-21093 ]
  • The SAML metadataURL parameter does not work after a Citrix ADC appliance is restarted.
    [ NSHELP-21006 ]
  • In rare cases, the Citrix Gateway appliance might fail when users are challenged for a one-time code.
    [ NSHELP-20967 ]
  • A Kerberos SSO might fail when a Citrix ADC appliance is deployed in a multi-domain environment (parent-child domain) and the users are in parent domain and services are in the child domain.
    [ NSHELP-20910 ]
  • In rare cases, a Citrix ADC appliance might crash while serving VPN traffic.
    [ NSHELP-20751 ]
  • A Citrix ADC appliance might fail to authenticate the Microsoft Outlook 2016 users if the password contains Umlaut characters.
    [ NSHELP-20682 ]
  • A Citrix ADC appliance might crash if the samlSigningCertName parameter is not configured in a samlAction command.
    [ NSHELP-20674 ]
  • A Citrix Unified Gateway appliance might fail when Gateway is configured as SAML IdP along with IdP chaining.
    [ NSHELP-20667 ]
  • A Citrix ADC appliance might fail in the following circumstances:
    - Citrix ADC appliance configured with OAuth or SAML IdP actions along with refreshing metadata information from an external source.
    - The configuration is changed while data is fetched from the external source or if authentication is in progress. The same issue is observed when you run a clear config command.
    [ NSHELP-20646 ]
  • In rare cases, authentication fails if the connection to the LDAP server is over HTTPS.
    [ NSHELP-20181 ]
  • When the active sync client sends HEAD request, the Citrix ADC appliance does not authenticate the 200 OK response.
    [ NSHELP-20125 ]
  • RBA access to cluster nodes gets interrupted because of DHT operation issue. Additional counters are added to handle this scenario.
    [ NSHELP-20028 ]
  • In rare cases, there might be memory leak issues when handling authentication, authorization, and auditing sessions.
    [ NSHELP-19703 ]
  • WebAuth authentication fails after multiple failovers on a Citrix Gateway appliance.
    [ NSHELP-19050 ]
  • The LDAP DN attribute fetched from the AD to Citrix ADC appliance is truncated if the attribute length is greater than 128 bytes.
    [ NSAUTH-7210 ]
  • In a Citrix ADC high availability and cluster setup, the appliance might crash when you upgrade the appliance from release 12.1 build 55.13 to release 12.1 build 55.18. The crash occurs if either Citrix Gateway or authentication, authorization, and auditing features are enabled on the appliance.
    [ NSAUTH-7153 ]
  • Protocol switching from HTTP to WebSockets fails when SSO is configured on a Citrix ADC appliance.
    [ NSAUTH-6354 ]

CallHome

  • In rare cases, the Call Home process might crash, causing the appliance to restart. The issue occurs if a Call Home sub process uses the same internal process ID (PID) as the previous sub process.
    [ NSHELP-20334 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance, upgrade from release 12.1 build 56.22 to release 13.0 build 52.24 might fail.
    [ NSSVM-3159 ]
  • An incorrect interface is assigned to a new VPX instance. After some time, management interface 0/1 appears as enabled even though you have provisioned the instance with only management interface 0/2.
    [ NSHELP-21765 ]
  • When you add an LDAP server under SDX GUI > Configuration > System > Authentication > LDAP, special characters used in the form input text box are not decoded before getting displayed. And, the "&" character in the Base DN field is replaced with "&amp;".
    [ NSHELP-21488 ]
  • If you try to restart multiple VPX instances simultaneously, running on an SDX appliance, the channel and data interfaces for VPX instances disappear from the SDX Management Service.
    [ NSHELP-21124 ]
  • After you upgrade an SDX appliance, the SDX Management Service might not list ethernet interfaces. This happens if the post install process part of the upgrade is not successful.
    [ NSHELP-21068 ]
  • On an SDX appliance, you might occasionally see events with high CPU usage. This spike is seen because appliance backup is a CPU intensive process. The high CPU usage is temporary.
    [ NSHELP-21063 ]
  • The appliance loses the interface details when more than three instances are selected for reboot or shutdown.
    [ NSHELP-21040 ]
  • After upgrading to software version 11.1 and 12.1, the appliance might send nsNotifyRestart traps.
    [ NSHELP-18308 ]

Citrix Gateway

  • The Citrix Gateway appliance might crash if you attempt to print over full VPN tunnel when Intranet IP address is assigned.
    This issue is observed in HP printers that use hp-status and WSDAPI protocols.
    [ NSHELP-22191 ]
  • In a Citrix Gateway high availability setup, the secondary node might crash during core-to-core communication.
    [ NSHELP-21991 ]
  • The Windows VPN plug-in crashes if the plug-in client's language is set to Chinese.
    [ NSHELP-21946 ]
  • When EPA is configured in nFactor mode, messages related to EPA plug-in installation are not displayed in the VPN plug-in window.
    [ NSHELP-21939 ]
  • The Citrix ADC appliance might crash when configured for Advanced Clientless VPN.
    [ NSHELP-21819 ]
  • The Enterprise Web apps might display an error if the cookies were set and expire at the same time.
    [ NSHELP-21772 ]
  • The Citrix Gateway logon page becomes unresponsive if RfWebUI based custom themes or nFactor with custom themes are used.
    [ NSHELP-21763 ]
  • The Citrix Gateway appliance might crash if there are multiple cores and Intranet IP address is enabled with RfWebUI theme.
    [ NSHELP-21722 ]
  • A Citrix ADC appliance might crash when it tries to access the corrupt collector information.
    [ NSHELP-21653 ]
  • UDP applications performance might be affected sometimes because of traffic congestion.
    [ NSHELP-21599 ]
  • Sometimes, the Citrix ADC appliance might crash while handling server initiated connection.
    [ NSHELP-21532 ]
  • In some cases, the Citrix ADC appliance crashes because the core receives a packet to send to the client but the IIP information is not yet available.
    [ NSHELP-21522 ]
  • The VPN plug-in retains DNS suffixes that are added on Wi-Fi or Ethernet adapter while over the VPN connection.
    [ NSHELP-21492 ]
  • You cannot access links that start with "0https" or "1https".
    [ NSHELP-21469 ]
  • App enumeration does not occur if the number of desktops is less than the number of apps.
    [ NSHELP-21377 ]
  • You cannot launch an application using advanced clientless VPN through bookmarks if the clientless VPN application's POST body contains html encoded ' (single quotes) or " (double quotes).
    [ NSHELP-21361 ]
  • In some cases, Citrix Gateway dumps core if the following conditions are met:

    - EDT Insight functionality is enabled for the Citrix Gateway appliance.
    - The appliance receives an out of order CGP BINDRESP packet from VDA.
    [ NSHELP-21296 ]
  • On some machines, the EPA prompt window buttons (YES, NO, ALWAYS) do not appear on the EPA plug-ins screen.
    [ NSHELP-21276 ]
  • In a Citrix Gateway high availability setup, the secondary node crashes during high availability synchronization if logging is enabled on Citrix Web App Firewall global.
    [ NSHELP-21254 ]
  • In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.
    [ NSHELP-21184 ]
  • If two or more client machines try to establish a VPN tunnel connection to the same gateway, the ping connectivity from one client machine to another machine fails.
    [ NSHELP-21169 ]
  • In a Citrix Gateway high availability setup, the secondary node crashes if a syslog policy is bound globally to Citrix Web App Firewall and one of the following conditions is met:
    - You perform a force failover.
    - You clear the configuration.
    [ NSHELP-21167 ]
  • Sometimes, the Citrix ADC appliance might crash during transfer login.
    [ NSHELP-21134 ]
  • Users cannot log on to Citrix Gateway if the VPN virtual server host name contains "cvpn" in its name.
    [ NSHELP-21119 ]
  • The Citrix Gateway user interface does not refresh the page after an entity is unbound from the VPN virtual server.
    [ NSHELP-21085 ]
  • In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.
    [ NSHELP-21075 ]
  • If you have configured advanced clientless VPN access, SAP application bookmarks cannot be viewed properly if encoding, such as ('\x3a' or '&x3a' for ':'), is used in the Enterprise Web apps.
    [ NSHELP-21072 ]
  • A Citrix ADC appliance might crash and dump core if the memory allocation for client and server process control blocks fails.
    [ NSHELP-20961 ]
  • The Citrix ADC appliance might crash if the log level is set to "Debug" and the appliance is serving gateway traffic.
    [ NSHELP-20951 ]
  • The Citrix Gateway appliance might crash if the following conditions are met:
    - The client or server connection has a dangling pointer instead of a link.
    - The linked connection is already freed.
    - The appliance tries to flush the connection to free the link.
    [ NSHELP-20901 ]
  • Users cannot access internal resources even if VPN is successfully connected, but the DNS servers are not correctly configured for the Citrix Virtual Adapter.
    [ NSHELP-20892 ]
  • The apps configured on the StoreFront do not appear on the Citrix Gateway home page if all of the following conditions are met:
    - WiHome is configured.
    - Advanced clientless VPN access is enabled.
    - User logs on either from an Internet Explorer or Firefox.
    [ NSHELP-20888 ]
  • nFactor authentication fails if Online Certificate Status Protocol (OCSP) is enabled for device certificate check.
    [ NSHELP-20855 ]
  • The Citrix ADC appliance might become unresponsive if the appliance is configured for proxy EDT connections and there is a low memory condition.
    [ NSHELP-20761 ]
  • The Citrix virtual adapter remains connected even when the VPN machine is in sleep mode and a logout is triggered. Users must terminate the application or restart the VPN machine to gain access to the network.
    [ NSHELP-20755 ]
  • Configuration loss is detected if you bind both classic policy and advanced policy to an aaa user and an aaa user group.
    [ NSHELP-20744 ]
  • The Citrix ADC appliance might become unresponsive if HDX Insight is enabled and there is a low memory condition.
    [ NSHELP-20707 ]
  • In rare cases, the Citrix Gateway appliance crashes if Authentication, authorization, and auditing user session is transferred and Intranet IP is enabled.
    [ NSHELP-20680 ]
  • After you upgrade the Citrix ADC appliance to release 12.1 build 54.13 and later, the following message might appear when accessing the RDP resources.
    "error :not a privileged user"
    [ NSHELP-20678 ]
  • If proxy is specified in a traffic action and proxy is set to "NOPROXY," gateway sends monitor probes to 255.255.255.255:0.
    [ NSHELP-20617 ]
  • Users cannot access Microsoft Office documents from SharePoint over advanced clientless VPN access.
    [ NSHELP-20611 ]
  • A Citrix ADC appliance fails to decode rewritten URLs for clientless VPN if the URLs contain "%2E" in the FQDN.
    [ NSHELP-20603 ]
  • In case a Citrix ADC appliance is configured for nFactor authentication, upon RADIUS authentication failure, the Citrix ADM appliance incorrectly displays the failed authentication type as "LDAP".
    [ NSHELP-20440 ]
  • Users are incorrectly prompted to enter the user name and password when nFactor Logon form is customized to display the dynamic Logon Type menu and OAuth is selected from the list.
    [ NSHELP-20300 ]
  • In a cluster setup, when a CCO node is rebooted or upgraded, there might be a mismatch of Authentication, authorization, and auditing keys across the cluster. This can result in gateway authentication failures for the client.
    [ NSHELP-20294 ]
  • The Citrix ADC appliance might become unresponsive if HDX Insight is enabled.
    [ NSHELP-20280 ]
  • In a high availability setup, the secondary node crashes whenever an authentication, authorization, and auditing session or a VPN session containing SAML related information is propagated to the primary node.
    [ NSHELP-20230 ]
  • A memory leak is observed in a Citrix ADC appliance if Gateway Insight is enabled.
    [ NSHELP-19750 ]
  • In some cases, the external facing Citrix Gateway in a double-hop deployment with ICA Insight enabled, dumps core for a particular network traffic pattern.
    [ NSHELP-19487 ]
  • In rare cases, the Citrix ADC appliance might crash when a client plug-in sends data to another client plug-in.
    [ NSHELP-19002 ]
  • In a high availability setup, the secondary Citrix ADC appliance might experience memory leak issues if session reliability on a high availability setup is enabled.
    [ NSHELP-18549 ]

Citrix Web App Firewall

  • Requests coming from Tor proxy IP addresses are not blocked by the IP reputation Tor proxy category using CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(PROXY) policy expression.
    [ NSWAF-3611 ]
  • The Citrix ADC appliance blocks Closure URLs after two minutes if URL closure protection is enabled.
    [ NSWAF-3292 ]
  • A memory leak is observed on a Citrix ADC appliance if you enable StartURL Closure protection check.
    [ NSHELP-21472 ]
  • The "/var/" directory is full if:
    - Citrix ADC appliance is under stress.
    - Learning feature is enabled in the Citrix Web App Firewall profile.
    [ NSHELP-21378 ]
  • A Citrix ADC appliance might crash if a Web App Firewall profile uses APPFW_DROP and APPFW_RESET policy actions.
    [ NSHELP-21283 ]
  • A Citrix ADC appliance might crash when APPFW_DROP and APPFW_RESET are used as Web App Firewall policy actions.
    [ NSHELP-21220 ]
  • The Citrix ADC appliance might crash because of memory failure if the Citrix Web App Firewall feature is enabled.
    [ NSHELP-21201 ]
  • A Citrix ADC appliance might crash because of memory allocation failure.
    [ NSHELP-21071 ]
  • A Citrix ADC appliance might crash if the signature feature is enabled and a specific request pattern is detected.
    [ NSHELP-20884 ]
  • A Citrix ADC appliance resets the connection if an incoming GWT request has a query string in the URL.
    [ NSHELP-20564 ]
  • After an upgrade from build 12.0-58.15 to 12.0-62.8, the URL transformation feature is not working for some URLs. The issue is caused by incorrect canonicalization when rewriting URLs.
    [ NSHELP-20460 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:
    - IP reputation policy expression is used in a load balancing virtual server of type TCP.
    - Security Insight is enabled.
    [ NSHELP-20410 ]
  • After an upgrade, if you bind a signature to the Web App Firewall profile, the appliance silently drops an incoming request.
    [ NSHELP-20201 ]
  • In a high availability setup, enabling IP reputation feature might result in high availability command propagation failures.
    [ NSHELP-20010 ]

Clustering

  • When you execute the show techsupport -scope cluster command, the following error is displayed for all the Citrix ADC SDX appliances:

    "This is a low bandwidth instance"
    [ NSHELP-20666 ]

Load Balancing

  • A Citrix ADC appliance crashes when a set command is issued on a CNAME-based GSLB service.
    [ NSLB-5433 ]
  • When the configuration difference between GSLB sites is huge and the autosync is enabled, the filesystem might get full. The following error message is displayed:

    write failed, filesystem is full.
    [ NSHELP-21796 ]
  • During high availability synchronization, the connectivity to a secondary device might be lost when pooled license is configured.
    [ NSHELP-21556 ]
  • In a cluster setup, the configuration for diameter identity is lost when a node is upgraded to a newer version.
    [ NSHELP-21444 ]
  • For the requests from NAT-aware clients, the Citrix ADC appliance might crash when the media section in Session Description Protocol (SDP) payload contains the NAT IP address.
    [ NSHELP-21438 ]
  • The Citrix ADC appliance might crash during GSLB synchronization. This issue occurs when the set gslb service command is executed on a non-existent GSLB service.
    [ NSHELP-21304 ]
  • After connection failover, when the secondary appliance becomes the new primary appliance, packet loss is observed.
    [ NSHELP-21155 ]
  • In a GSLB setup with gateway deployment, the Citrix ADC appliance might fail to resolve the domain name for a GSLB service in the following condition:
    When the primary load balancing virtual server is DOWN, even if the backup load balancing virtual server is UP.
    [ NSHELP-21061 ]
  • After you upgrade the Citrix ADC appliance from release 11.1 build 56.19 to release 12.1 build 53.12, the effective state of the GSLB service is set to DOWN even though the load balancing virtual server is UP.
    [ NSHELP-21025 ]
  • The Citrix ADC appliance might crash intermittently if device watchdog request (DWR) probing is enabled for Policy and Charging Rules Function (PCRF), and the PCRF becomes unreachable.
    [ NSHELP-20827 ]
  • A Citrix ADC appliance might show spikes in memory usage if a secure HTTP monitor is configured and the response size is large.
    [ NSHELP-20712 ]
  • For a GSLB setup in a cluster, when you run the set rpcnode command, the Source IP address in an RPC node changes to the NSIP address. Therefore, GSLB uses the NSIP address instead of the SNIP address while initiating a MEP connection.
    [ NSHELP-20552 ]
  • A Citrix ADC appliance might crash if traffic domain is configured on a load balancing virtual server of type SIP.
    [ NSHELP-20286 ]
  • The Citrix ADC appliance might crash when persistence is enabled in the IPv6 high availability setup.
    [ NSHELP-20219 ]
  • A Citrix ADC appliance crashes if the virtual server is of type ANY and spillover persistence is enabled on the virtual server.
    [ NSHELP-19540 ]

Networking

  • In a cluster topology, on node upgrade or downgrade, the "set snmp mib" command for non-cco nodes is failing. This results in a configuration loss.
    [ NSNET-14562 ]
  • An issue is observed if you set the GUI option as secureonly on CLIP while the issue is not observed on the NSIP address.
    The issue is observed only when you trigger the "set ns ip gui" configuration.
    [ NSNET-14364 ]
  • The CLI of a Citrix ADC appliance displays unwanted debug messages when the appliance processes IPv6 fragmented packets.
    [ NSNET-12704 ]
  • In a Citrix ADC cluster setup with IPv4 and IPv6 policy-based backplane steering (PBS) configurations, ICMPv6 error packets might loop between the cluster nodes when all of the following conditions are true:

    - The inner IP packets of the ICMPv6 error packets have the same IP tuple as in one of the active TCP sessions.
    - A different IPv4 mapped address is present on each cluster node for the same IPv6 address.
    [ NSHELP-21815 ]
  • For no-limit admin partitions, the memory check during allocation is disabled.
    [ NSHELP-21775 ]
  • In a high availability setup in INC mode, after a failover, the new secondary node might not withdraw the default route (learned from other BGP peers) that it advertised when it was functioning as primary. Because of this issue, the data traffic can arrive on the new secondary node as well.
    [ NSHELP-21720 ]
  • In an OpenStack, the command propagation might fail under the following condition:

    When you remove a node from the 3-node cluster, if you get an older heartbeat from the removed node.
    [ NSHELP-21432 ]
  • The "sh IP BGP summary" command on the VTYSH command line incorrectly displays the 32 bit ASN values as negative values.
    [ NSHELP-21234 ]
  • On a Citrix ADC appliance, management connections to IPv6 Subnet IP addresses might get reset when you perform the clear config basic operation.
    [ NSHELP-21206 ]
  • During the set partition operation, the maximum memory of the partition is now increased up to NS_SYS_MEM_FREE() only. Earlier, it was increased up to the maximum memory available so that the configured partition is not lost after rebooting the Citrix ADC appliance.
    [ NSHELP-21159 ]
  • A Citrix ADC appliance that is deployed on the transit node, might restart while processing the fragmented Encapsulating Security Payload (ESP) packets.
    [ NSHELP-20925 ]
  • The BGP daemon might display duplicate warning messages for a route removed from the Citrix ADC routing table.
    [ NSHELP-20906 ]
  • After a system restart, the Citrix ADC appliance advertises routes with a reduced metric for 180 seconds.
    [ NSHELP-20842 ]
  • The Citrix ADC appliance might not update ECMP routes properly when multiple BGP sessions go to "DOWN" state simultaneously.
    [ NSHELP-20664 ]
  • The Citrix ADC appliance might skip Policy-based routes (PBR) rules for outgoing monitor packets of type UDP and ICMP.
    [ NSHELP-20545 ]
  • The "An existing route relies on the presence of this subnet" error message is seen if all of the following conditions occur:
    - Two or more SNIP addresses with the first octet greater than 127 are added
    - A route for the SNIP addresses is added on that network
    - You try to delete any one of the added SNIP addresses
    [ NSHELP-20492 ]
  • A Citrix ADC appliance, acting as a proxy server, might apply a PBR rule based on Layer 2 information to traffic even though the traffic does not match the PBR rule.
    [ NSHELP-20317 ]
  • In a single-node cluster, sometimes, you cannot SSH to CLIP under the following conditions:

    - USIP mode is enabled.
    - State of the cluster node is set to passive.
    [ NSHELP-20210 ]
  • For traffic accessing a load balancing setup through a Citrix ADC Access Gateway, the Citrix ADC appliance might apply MAC Based Forwarding (MBF) on this traffic even without properly adding the Layer 2 information to the connection table entry.
    [ NSHELP-20064 ]
  • The BGP daemon on a Citrix ADC appliance might incorrectly install learned routes with next-hops as 0.0.0.0/0.
    [ NSHELP-19900 ]
  • The ADC appliance might not update the ECMP routes in an optimised way when an associated interface is disabled, or an associated IP address is deleted.
    [ NSHELP-19891 ]
  • On restarting the Citrix ADC appliance, default route is originated before the IP address of the interface is populated. Because of this issue, the next hop of a route is set to NULL leading to a martian error.
    [ NSHELP-16407 ]
  • High CPU usage is observed on a Citrix ADC appliance or in a cluster setup if the show ns ip command displays many IP addresses.
    [ NSHELP-11193 ]

NSOTHER

  • The Citrix ADC appliance might become unresponsive if you remove the AppFlow action while traffic is flowing through the appliance.
    [ NSHELP-20523 ]
  • In some cases, Citrix ADC GUI becomes inaccessible while trying to download the core files using the GUI. This happens because the CPU usage increases to 100%, leading to a memory swap failure.
    [ NSHELP-20430 ]

NSSWG

  • Memory management error is observed on clustered and high availability configurations which stop Citrix ADC GUI HTTPS access and null appflow URL filtering records.
    [ NSSWG-1220 ]
  • URL filtering categorization fails if an incoming URL has a double slash after the domain name. The "http://" scheme is prepended. For example, www.example.com//index.html
    [ NSSWG-1082 ]

Platform

  • Config wipe scripts fail on some Citrix ADC platforms. With this fix, the date code of the scripts is updated to 01/14/20 and all platforms are supported.
    [ NSPLAT-13498 ]
  • Tx stalls can occur on Citrix ADC MPX appliances that use 10G IXGBE ports and Citrix ADC SDX appliances that use 10G IXGBEVF ports.
    [ NSPLAT-13338 ]
  • In some cases, provisioning a VPX instance on a Citrix ADC SDX appliance containing Intel Coleto chips might fail because the SSL Coleto chip initialization failed.
    [ NSHELP-22033 ]
  • On the ADC SDX 14000 and 15000 appliances, traffic loss of up to 9 seconds is observed if the following conditions are met:
    - 10G ports are connected using the LA channel to two Cisco switches that are configured in VPC setup as active or passive
    - The link to active or primary Cisco switch bounces.
    [ NSHELP-21875 ]
  • In a cluster setup, when the 50G port of a MPX 15000 appliance is configured as part of the backplane, the MTU of the 50G port is set to zero instead of 1578.
    [ NSHELP-21113 ]
  • In some cases, when you restart one or more VPX instances on a Citrix ADC SDX appliance containing Fortville NICs, LACP on the interfaces might go to the 'defaulted' state.
    [ NSHELP-21091 ]
  • The Citrix ADC VPX appliance crashes on Azure while initializing a NIC resource. The crash leads to a kernel dump on the boot up process. This issue occurs when there is a delay in response to certain messages that the driver needs to send to the backend hypervisor as part of the initialization process. This delay is observed in the Mellanox Connectx3 and Connectx4 platforms. The fix is to increase the timeout value so that the driver waits for a longer duration to receive the response.
    [ NSHELP-21034 ]
  • In some cases, the SDX 14000 appliance might become unresponsive and needs reboot.
    [ NSHELP-21017 ]

  • In the VPX deployment on Cisco CSP 2100 platform, occasionally packets might get dropped when more than one virtual function (VF) is created out of the physical network interface card (pNIC).
    [ NSHELP-20991 ]
  • Tx stall might be observed on appliances that contain Fortville interfaces if a packet spans more than eight descriptors. The stall might cause the interface to go into error-disabled state.
    [ NSHELP-20800 ]
  • On SDX platforms with Fortville interfaces, the 10G & 40G Fortville interfaces can run into TX stalls when Jumbo is enabled on them.
    [ NSHELP-20605 ]
  • On the Citrix ADC MPX platform, a 50G port that is a member of a link aggregation group continues to be DOWN if the following actions are performed:

    1. The 50G port is disabled.
    2. The port on the peer switch is disabled.
    3. The port on the peer switch is enabled.
    4. The 50G port is enabled.

    The 50G port does not come up even after it is enabled. As a result, traffic cannot pass through the 50G port.
    [ NSHELP-20529 ]

Policies

  • A Citrix ADC appliance might crash if there are few network buffers when rewriting chunked data.
    [ NSHELP-20847 ]

SSL

  • In some cases, the following appliances might crash while running SSL traffic:
    - MPX 59xx
    - MPX/SDX 89xx
    - MPX/SDX MPX 26xxx
    - MPX/SDX 26xxx-50S
    - MPX/SDX 26xxx-100G
    - MPX/SDX 15xxx-50G
    [ NSSSL-7606 ]
  • The forward action in SSL policy did not allow virtual server of type SSL_TCP. With this fix, you can forward SSL traffic based on SSL policy to an SSL_TCP virtual server. This feature helps customers who want SSL offloading but do not want to parse application data for the forwarded connection.
    [ NSSSL-7133 ]
  • The Citrix ADC appliance might crash while running the SSL forward action at REQUEST bind point. With this fix, you cannot bind a policy with action type FORWARD to REQUEST bind point.
    [ NSSSL-6688 ]
  • The Citrix ADC appliance might crash under heavy traffic if both syslogging and DTLS are enabled on a VPN virtual server.
    [ NSHELP-22195 ]
  • Information about the SSL profile bound to a load balancing monitor is lost if default SSL profile is enabled and the appliance reboots.
    [ NSHELP-21321 ]
  • Policy-based client authentication with mandatory certificate verification fails if client authentication with optional client-certificate is also configured on the virtual server.
    [ NSHELP-21190 ]
  • Incorrect ciphers exported from the Citrix ADC appliance cause Citrix ADM to display the same incorrect cipher information.
    [ NSHELP-21177 ]
  • There is a discrepancy in memory allocation on partitioned Citrix ADC MPX appliances containing Intel Coleto chips.
    [ NSHELP-20853 ]
  • The DTLS handshake might fail if DTLS record fragments are received out of order.
    [ NSHELP-20703 ]
  • A Citrix ADC VPX appliance might crash if ChaChaPoly cipher is used and the client sends a truncated record to the appliance.
    [ NSHELP-20684 ]
  • If your ADC appliance is integrated with an unsupported version of Thales HSM, the appliance crashes after generating the HSM key and certificate, installing the certificate-key pair on the appliance, and binding it to the SSL virtual server. With this fix, the appliance reports an error instead of crashing.
    [ NSHELP-20352 ]
  • For SNI-enabled sessions, the ADC appliance can control how the host header is validated. A new parameter, SNIHTTPHostMatch, is added to the SSL profile and SSL global parameters to give better control over this validation. This parameter can take three values: CERT, STRICT, and NONE. SNI must be enabled on the SSL virtual server or the profile bound to the virtual server, and the HTTP request must contain the host header.
    [ NSHELP-13370 ]

System

  • In a clustered setup, a Citrix ADC appliance might crash, if the following conditions are observed:
    - The connection is steered from the Flow Processor to the Flow Receiver.
    - TCP out-of-order packets are processed in the Time-Wait state.
    [ NSHELP-21792 ]
  • Analytics reports do not appear on the Citrix ADM GUI if you:
    1. Install ADM 12.1.52.15 or later.
    2. Select Logstream transport mode to configure analytics on instances.
    [ NSHELP-21618 ]
  • In the ADM GUI, under Analytics > HDX Insight > Users, when you click a specific user, all the users' active sessions and active applications are displayed instead of the sessions and applications specific to the selected user.
    [ NSHELP-21561 ]
  • A Citrix ADC appliance does not reset HTTP/2 streams on a client connection with an HTTP/2 RST_STREAM after an idle timeout.
    [ NSHELP-21537 ]
  • A client connection becomes unresponsive if you enable multiplexing in an HTTP/2 profile on a Citrix ADC appliance.
    [ NSHELP-21434 ]
  • A Citrix ADC appliance does not forward a response to the client if it contains both trailer and content-length headers.
    [ NSHELP-21427 ]
  • A Citrix ADC appliance might crash if there is a memory allocation failure for HTTP/2 secure monitor.
    [ NSHELP-21400 ]
  • A Citrix ADC appliance might crash if appQoE action fails.
    [ NSHELP-21393 ]
  • An HTTP transaction might fail if a Citrix ADC appliance sends an HTTP/2 request with multiple cookie name-value pairs to the back-end server.
    [ NSHELP-21373 ]
  • A Citrix ADC appliance might crash if it receives an HTTP/1.1 request with an HTTP/2.0 version in it. For any client request with an HTTP/2.0 version, the appliance considers it as an HTTP/2.0 request and processes it. This leads to a crash.
    [ NSHELP-21187 ]
  • A Citrix ADC appliance might crash if Appflow Client-Side Measurements is enabled when serving large HTTP responses.
    [ NSHELP-21099 ]
  • In a cluster setup, the Citrix ADC appliance might crash for a new MPTCP connection, if the 4 tuples are reused with a different MPTCP key before the original connection has timed out on the Citrix ADC appliance.
    [ NSHELP-20844 ]
  • An AppFlow policy bound to a VPN virtual server that is behind a content switching virtual server is not applied.
    [ NSHELP-20816 ]
  • A Citrix ADC appliance resets an MPTCP subflow if it receives a plain acknowledgment before the subflow is confirmed as MPTCP.
    [ NSHELP-20649 ]
  • A Citrix ADC appliance resets MPTCP subflows if a subflow is alive and active for more than the idle timeout period.
    [ NSHELP-20648 ]
  • A Citrix ADC appliance might crash if one SYN buffer is properly freed while the other buffer is removed and not freed in the retransmission queue.
    [ NSHELP-20424 ]
  • In a cluster setup, if timestamp is enabled, some of the requests sent to the server might be dropped.
    [ NSHELP-20394 ]
  • In a cluster setup, a Citrix ADC appliance might restart if logstream is enabled.
    [ NSHELP-20008 ]
  • A Citrix ADC appliance might reboot if the AppFlow collector closes in Logstream transport mode.
    [ NSHELP-19837 ]
  • In client IP header insertion (for example, -X-Forwarded-for), if the IP address to be inserted is not as long as the buffer, the header pads spaces at the end of the client IP address.
    [ NSHELP-10079 ]
  • A Citrix ADC appliance with connection chaining and SSL enabled might send more MTU data.
    [ NSHELP-9411 ]
  • A TCP transaction delay is observed if a Citrix ADC appliance is unable to use the TCP connection to connect to the back-end server. In this case, the appliance opens a new connection to forward the client requests to the back-end server after some waiting period. The waiting period ranges from 400 ms to 600 ms.
    [ NSHELP-9118 ]
  • A Citrix ADC appliance might crash if you use pitboss for monitoring the metrics-collector.
    [ NSBASE-9743 ]
  • The show connectiontable command displays a few entries that do not satisfy the mentioned filter in the following conditions:
    - Command is run under high traffic.
    - Command is used with an IP or port filter.
    [ NSBASE-9509 ]
  • A Citrix ADC appliance might crash because of memory allocation failure in a TCP timestamp scenario. As a result, the appliance resets the client connection.
    [ NSBASE-9297 ]

User Interface

  • The Citrix ADC pooled capacity licensing might fail if latency is high between ADC and ADM. This issue occurs if latency is greater than 200 ms.

    The Citrix ADC licensing client attempts repeatedly to check out the licenses from ADM. In a high availability and cluster setup, licensing configurations are unnecessarily reapplied whenever synchronization is triggered. Propagation and synchronization of the pooled licensing commands are disabled. Each node must be licensed independently by logging in to the NSIP of the node. You can execute only show commands on the Cluster IP.
    [ NSUI-14868 ]
  • A vCPU license is not applied on a warm reboot if it is configured on a Citrix ADC appliance running software versions 12.1.55.13 or 12.1.55.18.
    [ NSUI-14844 ]
  • After upgrading to build 12.1-55.x, the appliance might boot up unlicensed if pool licensing is configured. As a result, all the features are disabled and any configuration that is license dependent is missing in the running configuration. Perform a warm reboot to restore the pool license and the configuration.
    Caution: Do not run "save config" or force an HA failover on an unlicensed appliance.
    [ NSUI-7869 ]
  • For Python applications using the Citrix ADC NITRO API SDK, a GET operation to a Citrix ADC appliance might display values of some parameters even when the appliance has not sent these values.
    [ NSHELP-20655 ]
  • After an upgrade, the Citrix ADC GUI home page does not load for admins with superuser group permission.
    [ NSHELP-20638 ]
  • If you access the Syslog GUI page, the following error message appears: "Cannot read property '0' of undefined".
    [ NSHELP-20574 ]
  • You cannot search for an entity using the search filter in the ADC GUI if the entity name contains a space.
    [ NSHELP-20506 ]
  • During a partition deployment, a partitioned appliance might crash if you run the "uiinternal" commands and then "clear config" in the default partition.
    [ NSHELP-20247 ]
  • If the SDX appliance is in grace period for pooled licensing, the remaining grace period shows zero instead of 30 days.
    [ NSHELP-19615 ]
  • Some Citrix ADC commands fail intermittently with an error message, "Name conflicts with an existing service or service group member name". This issue occurs when the Citrix ADC appliance restarts because of an internal error.
    [ NSHELP-18339 ]

Video Optimization

  • A Citrix ADC appliance might crash because of memory corruption.
    [ NSVIDEOOPT-912 ]

Known Issues

The issues that exist in release 12.1-56.22.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • You cannot access Citrix ADC management console via GUI when special characters are used for the "nsroot" password.
    [ NSHELP-21630 ]
  • Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
    [ NSHELP-18844 ]
  • A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.
    [ NSHELP-18751 ]
  • A Citrix ADC appliance configured for NetScaler Authentication, authorization, and auditing might become unresponsive if the following conditions are met:
    - The samlAction parameter is configured.
    - The back-end server is unreachable.
    [ NSHELP-8220 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
    [ NSAUTH-6106 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:
    - The Test LDAP Reachability option is opened.
    - Invalid login credentials are populated and submitted.
    - Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.
    [ NSAUTH-2147 ]

Citrix ADC SDX Appliance

  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 56.x might time out because of latency in interprocess communication.
    [ NSHELP-22644 ]
  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:
    - Throughput allocation mode is burst.
    - There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]
  • The NTP service of Citrix ADC SDX Management Service responds to NTP queries. However, Management Service does not have any option to configure restrictions for NTP queries.

    Workaround: Manually modify /flash/mpsconfig/ntp.conf, and then from Management Service enable NTP Synchronization again to make the change effective. However, this change is lost if the NTP server configurations are changed.
    [ NSHELP-12246 ]

Citrix Gateway

  • In a Citrix Gateway double hop high availability setup, the ICA connection might be lost after an HA failover.
    Workaround: Change the FQDN to the IP address of the next hop server.
    [ NSHELP-22444 ]
  • In a Citrix Gateway high availability setup, the secondary node might crash during a failover when syslog policy is configured.
    [ NSHELP-22332 ]
  • The Citrix Gateway appliance might crash intermittently if a syslog policy is configured.
    [ NSHELP-22304 ]
  • The Linux VPN client might crash if you download a large file (approximately 3 GB).
    [ NSHELP-22032 ]
  • The Web Interface feature might not work as intended after upgrading the Citrix ADC appliance.
    [ NSHELP-21899 ]
  • When the syslog server is configured through TCP, intermittently some logs are not sent to the syslog server.
    [ NSHELP-21624 ]
  • An error is seen intermittently while trying to modify or delete a syslog action.
    [ NSHELP-21562 ]
  • If you have configured clientless VPN (CVPN) on Citrix Gateway, the appliance might crash because of erroneous rewrite handling.
    [ NSHELP-21244 ]
  • If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.
    [ NSHELP-20825 ]
  • Device certificate is not supported with Citrix SSO for macOS when it is added as part of the nFactor scans.
    [ NSHELP-20722 ]
  • VPN is sometimes frozen after macOS wakes from sleep.
    [ NSHELP-20656 ]
  • The EPA plug-in screen becomes unresponsive on the second scan if Internet Explorer is used.
    [ NSHELP-20189 ]
  • The Citrix ADC appliance might crash when a net profile is added to a service.
    [ NSHELP-19569 ]
  • SYSLOG log messages get truncated after 1024 bytes.
    [ NSHELP-19484 ]
  • You can now configure the RfWebUI parameters such as loginFormTimeout and Session timeout by editing the plugins.xml.
    [ NSHELP-19221 ]
  • SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
    Workaround: Use an IP address for VDA.
    [ NSHELP-8549 ]
  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
    [ NSHELP-7872 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.
    [ CGOP-13621 ]
  • The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual Apps and Desktops (formerly Citrix XenApp and XenDesktop).
    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
    [ CGOP-13532 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
    [ CGOP-7269 ]
  • In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.
    [ CGOP-6794 ]

Citrix Web App Firewall

  • The NetScaler Application Firewall (AppFw) Field Format learned data is different from the exported learned data. When aslearn-configured learned data is deployed and the field types reach the aslearn supported limit, the get learnt data operation is not able to display the total learnt data.
    [ NSHELP-18077 ]

Clustering

  • In an L3 cluster setup, the local nodegroup wrongly sends Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.
    [ NSHELP-20366 ]

Load Balancing

  • In a cluster setup, ACL rules with VLAN settings do not take effect resulting in packets hitting other ACL rules.

    This issue occurs when you delete a virtual server on the cluster setup resulting in the cluster nodes not adding VLAN information on the steered packets.
    [ NSHELP-22103 ]
  • The packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK before receiving the complete header.
    [ NSHELP-22099 ]
  • In a high availability (HA) setup, when the secondary node restarts, the primary node might crash during connection mirroring of sessions to the secondary node.
    [ NSHELP-21715 ]
  • In the NITRO API, the "tickssincelaststatechange" field for a service group is not updated properly after the state of the service group changes.
    [ NSHELP-21425 ]
  • The Citrix ADC appliance sends a reset to the client intermittently because the MySQL virtual server is not able to select a backend server.
    [ NSHELP-20608 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20406 ]

Networking

  • A partitioned Citrix ADC appliance might crash if you enable Video Optimization on a partition and later remove the partition on the appliance.
    [ NSNET-10199 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
    [ NSNET-5233 ]
  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSNET-4312 ]
  • In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has the "stayprimary" or "staysecondary" option set.
    [ NSNET-1646 ]
  • The Citrix ADC appliance might fail during a NAT64 translation of a received IPv6 request packet if the following condition is true:

    The last 32 bits of the destination IPv6 address, which is the translated destination IPv4 address, is greater than 240.0.0.0 (falls in reserved IP range).

    Workaround: Add an ACL to deny such packets.
    [ NSHELP-22742 ]
  • In a cluster setup with retainConnectionsOnCluster option enabled, a cluster node might crash when it receives fragmented packets followed by non-fragmented packets.
    [ NSHELP-21674 ]
  • The Citrix ADC fails to install Intermediate System to Intermediate System (IS-IS) next-hop because of missing authentication (AUTH) information on the received large Link State PDUs (LSPs).
    [ NSHELP-21062 ]
  • In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.
    [ NSHELP-20796 ]
  • When you add a slave interface with jumbo MTU to a link aggregation channel that is used as the backplane, the following warning message incorrectly appears:

    "The MTU for a backplane interface must be large enough to handle all packets. It must be equal to the (MTU value). If recommended value is not configurable, please review MTU of jumbo interfaces."

    This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20794 ]

  • In a cluster setup, a Citrix ADC appliance might crash when it receives a node-to-node steered ICMP error message from the server. The crash occurs because the received packet does not contain the interface-related information.
    [ NSHELP-18401 ]
  • When the Citrix ADC appliance is cleaning up a large number of server connections as part of a remove command, the Pitboss process might restart. This Pitboss restart might cause the ADC appliance to crash.
    [ NSHELP-136 ]

NSSWG

  • When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.
    [ NSSWG-849 ]

Platform

  • On the Citrix ADC SDX 26000-100G platform, the interface might not come up after you restart the appliance.

    Workaround: Ensure auto negotiation is set to ON. To check and edit the auto negotiation status, navigate to SDX GUI > System > Interfaces.
    [ NSPLAT-11985 ]
  • When NetScaler licenses hosted on NetScaler MAS expire, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
    [ NSPLAT-6417 ]
  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the "rm cloudprofile" command to delete the profile.
    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
    [ NSPLAT-4451 ]
  • After upgrading a Citrix ADC SDX appliance from release 12.1 build 55.x to release 12.1 build 56.x, editing a VPX instance might fail resulting in LACP flaps.
    [ NSHELP-23136 ]

Policies

  • The Citrix ADC appliance now allows all string and character literals, including those that contain binary characters. However, the UTF-8 character set still requires string and character literals to be valid UTF-8.

    Previously, the appliance allowed only valid UTF-8 string and character literals. This was true for both the UTF-8 and binary (ASCII) character sets. As a result, some binary string and character literals were not allowed, which meant that some valid expressions related to binary content could not be written.

    Example:

    CLIENT.TCP.PAYLOAD(100).CONTAINS("\xff\x02")
    [ NSPOLICY-2362 ]
  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
    [ NSPOLICY-1267 ]

SSL

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
    [ NSSSL-3402 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
    [ NSSSL-3184 ]
  • In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
    [ NSSSL-3161 ]
  • A Citrix ADC appliance might crash if the following conditions are met:
    - A certificate-key pair is added with the expiry monitor option enabled.
    - The certificate date is earlier than 01/01/1970.
    [ NSHELP-22934 ]
  • A partitioned Citrix ADC appliance might not respond as expected if you perform the following actions:
    1) Create two OCSP responders in different partitions.
    2) Clear the config in one partition.
    3) Remove the OCSP responder in the other partition.
    [ NSHELP-20861 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]

System

  • A Citrix ADC appliance might crash during deployment if the following conditions are observed:
    - Multipath TCP (MPTCP) is enabled with MBF and PMTUD
    - MPTCP traffic is received and the response causes ICMP Fragmentation Needed error.
    [ NSHELP-22418 ]
  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.
    [ NSHELP-21240 ]
  • High memory usage is observed if you enable the HTTP/2 feature and there is a large file download (a file size greater than or equal to one GB). The issue occurs with slow clients when the downloaded data is buffered, leading to excessive resource utilization.
    [ NSHELP-20531 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
    [ NSHELP-10972 ]
  • Client IP and Server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.
    [ NSBASE-8506 ]
  • Title: ICAP support for Citrix ADC
    A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

    For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
    [ NSBASE-825 ]

User Interface

  • In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.
    [ NSUI-14752 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.
    [ NSUI-6838 ]
  • After adding the vCPU license to a VPX appliance, the VPX model ID appears incorrectly in the VPX GUI under License and in the CLI "show license" command output.
    [ NSHELP-19613 ]
  • A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in the diffnsconfig command. As a result, the diffnsconfig output is large enough to completely fill the root disk.
    [ NSHELP-19345 ]
  • The top-level page title is missing on all security check GUI pages.
    [ NSHELP-18607 ]

Video Optimization

  • A Citrix ADC appliance might crash because of a corrupted hash entry in the memory.
    [ NSHELP-22066 ]