Release Notes for Citrix ADC 12.1-58.15 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the Citrix ADC release Build 12.1-58.15.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 58.15 replaces Build 58.14
  • Build 58.15 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX281474.
  • Additional fix in this build: NSNET-18028

What's New

The enhancements and changes that are available in Build 12.1-58.15.

Citrix ADC SDX Appliance

  • Auto-upgrade of the built-in agent without initialization

    From Citrix ADC release 12.1 build 58.xx, Citrix ADC SDX appliance has built-in agents with ADM Service Connect functionality. The Citrix ADM built-in agent available on the ADC SDX appliance starts like an active daemon and communicates with ADM service. After communication with ADM service is established, the built-in agent auto-upgrades itself to the latest software version regularly.

    [ NSSVM-3852 ]
  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service

    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC SDX appliances onto Citrix ADM service. This feature lets the ADC SDX appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you can get insights and recommendations for your Citrix ADC infrastructure, on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade Citrix ADC SDX appliance.

    For more information, see the following topics:

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances; however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.

    [ NSSVM-3470 ]

Load Balancing

  • GSLB configuration sync on slave sites is not triggered when there is an MEP UP event for a site

    In a GSLB setup, configuration synchronization is no longer dependent on the MEP state. The configuration change is synced as long as there is connectivity to the remote sites irrespective of the MEP state.

    [ NSLB-4493 ]

User Interface

  • Next/Previous navigation option for Web App Firewall Profile GUI page

    In Citrix ADC GUI, the Web App Firewall Profiles page now displays the Next/Previous navigation option to view more than 25 profiles in the list pane.

    Navigation: Security->Citrix Web App Firewall->Profiles

    [ NSUI-16487 ]
  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service

    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC MPX, SDX, and VPX instances, and Citrix Gateway appliances onto Citrix ADM service. This feature lets the ADC instance or Gateway appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you get insights and recommendations for your Citrix ADC infrastructure on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade Citrix ADC MPX, SDX, and VPX instances or Citrix Gateway appliance.

    For more information, see the following topics:

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances; however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.

    [ NSCONFIG-3793 ]
  • Auto-upgrade of built-in agents without initialization

    From Citrix ADC release 12.1 build 57.xx and higher, the Citrix ADM built-in agent available on Citrix ADC instances communicates with ADM service without initialization on the respective ADC instance. After communication with ADM service is established, the built-in agent auto-upgrades to the latest software version regularly.

    Previously, you had to initialize the built-in agent on Citrix ADC instances, using mastools commands, to establish communication with ADM service, and for regular auto-upgrades.

    [ NSCONFIG-2875 ]

Fixed Issues

The issues that are addressed in Build 12.1-58.15.

Authentication, authorization, and auditing

  • If a Citrix ADC appliance is configured for the OTP login and the OTP field is left blank, the authentication fails. In such a scenario, the appliance logs the user password in ns.log leading to a security concern.

    [ NSHELP-24027 ]
  • A Citrix ADC appliance configured as an Identity Provider (IdP) for Citrix Workspace might crash when users are part of a large number of active directory groups.

    [ NSHELP-23899 ]
  • In some cases, the "ns.log" file in the Citrix ADC appliance gets incorrectly flooded with the following log message: "claims allowed in current loginschema".

    [ NSHELP-23593 ]
  • In rare cases, a Citrix ADC appliance crashes while handling an authentication request if a DUP-FREE (trying to free an already free resource) scenario arises.

    [ NSHELP-23565 ]
  • VPN session policies bound to an Authentication, authorization, and auditing user or group are not applied if the Citrix ADC appliance is accessed by a VPN client using the webview nFactor authentication method.

    [ NSHELP-23526 ]
  • The Citrix ADC GUI under "System Global Authentication Policy Binding" page has the following errors:

    • Goto Expression field incorrectly displays "END" instead of "NEXT".
    • The bound next factor policy is not reflected under the "Next Factor" field.
    [ NSHELP-23474 ]
  • If a Citrix ADC appliance is configured for nFactor with no groups available in the last factor, then the groups pertaining to the previous factor are not incorporated into the final Authentication, authorization, and auditing session. This affects the group-based policies and the corresponding functionalities.

    [ NSHELP-23135 ]
  • In certain scenarios, authentication fails for custom login schemas.

    [ NSHELP-22929 ]
  • The AltEmailRegister.xml login schema used for alternate email ID registration does not work as intended.

    [ NSHELP-22912 ]
  • In a cluster setup, if the "set authentication radiusAction" command is run, the Citrix ADC appliance specifies the network access server (NAS) IP address as 0.0.0.0 in access-requests sent to the RADIUS server.

    [ NSHELP-22580 ]
  • In rare cases, a Citrix ADC appliance dumps core when classic pre-authentication EPA policies are used in combination with nFactor advanced authentication policies.

    Citrix recommends migrating EPA to a factor in the nFactor authentication flow.

    [ NSHELP-22553 ]
  • In some cases, a Citrix ADC appliance crashes because of the memory corruption caused by a buffer overwrite for the list of OTP devices.

    [ NSHELP-22478 ]
  • In rare cases, a virtual server configured with front-end NTLM authentication causes the Citrix ADC appliance to dump core.

    [ NSHELP-22372 ]
  • Sometimes, the form-based SSO authentication fails for the first time if a Set-Cookie is contained in the HTTP response header of the HTML form.

    [ NSHELP-21740 ]
  • You cannot access Citrix ADC management console via GUI when special characters are used for the "nsroot" password.

    [ NSHELP-21630 ]
  • A Citrix ADC appliance might crash when policy infrastructure (PI) assignment action is used in an authentication policy.

    [ NSAUTH-5913 ]

Citrix ADC SDX Appliance

  • You cannot include a hash (%23) in community strings for SNMP managers and trap destinations configured on a Citrix ADC SDX appliance.

    [ NSHELP-23989 ]
  • If you take a backup of one SDX appliance, restoring the instances on another SDX appliance fails.

    [ NSHELP-23947 ]
  • On a Citrix ADC SDX 8900 appliance, the number of instances available for provisioning is reduced after you upgrade the appliance.

    [ NSHELP-23808 ]
  • If a VPX instance was provisioned on an old 11.1 build, update operations on the VPX instance using the SDX CLI fail if the following conditions are met:

    • The "Shell/SFTP/SCP Access" option was selected.
    • The "Add Instance Administration" option was not selected.
      These options were available under "Instance Administration."
    [ NSHELP-23683 ]
  • The SDX GUI might not be accessible after you upgrade a Citrix ADC SDX appliance to release 12.1 build 56.x.

    [ NSHELP-23637 ]
  • In some cases, the licenses are not read correctly by the Management Service after you restart a Citrix ADC SDX appliance.

    [ NSHELP-23619 ]
  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 57.x might fail because a process in the Management Service is unresponsive.

    [ NSHELP-23612 ]
  • A VPX instance hosted on a Citrix ADC SDX 15000-50G or SDX 26000 appliance is unreachable from the Management Service after you change some properties, such as description and host name.

    [ NSHELP-23491 ]
  • If the IP address of a Citrix ADC SDX appliance that is configured using pooled licensing is changed in SDX, the Citrix ADM managing the SDX appliance continues to show the old SDX IP address.

    [ NSHELP-23490 ]
  • You will receive email notifications for a few categories in the following scenarios:

    • Event configuration is suppressed on the Citrix ADC SDX appliance.
    • Event configuration is updated on the Citrix ADC SDX appliance.
    [ NSHELP-22701 ]
  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 56.x might time out due to a latency in interprocess communication.

    [ NSHELP-22644 ]
  • On the Citrix ADC SDX appliance, a user with read-only permissions can transfer files to Management Service using a file transfer utility, such as SCP or SFTP.

    [ NSHELP-22638 ]
  • The NTP service of Citrix ADC SDX Management Service responds to NTP queries. However, Management Service does not have any option to configure restrictions for NTP queries.

    [ NSHELP-12246 ]

Citrix Gateway

  • The Citrix Gateway appliance might crash when adding a cookie_watch JavaScript while serving clientless VPN traffic.

    [ NSHELP-24096 ]
  • In rare cases, a Citrix Gateway appliance might crash while handling transfer logon or logout requests.

    [ NSHELP-23863 ]
  • SAP CFolders do not work as intended when accessed over advanced clientless VPN.

    [ NSHELP-23561 ]
  • If you use a French keyboard on a VPN plug-in, characters entered using CTRL+ALT do not work.

    [ NSHELP-23556 ]
  • If you have configured nFactor authentication with advanced policies and if the Gateway Insight feature is enabled, the following details are not reported to the Citrix Application Delivery Management system.

    • Device type
    • Browser type
    • Operating system
    • Device details
    [ NSHELP-23549 ]
  • In the Citrix Gateway Always On service mode, when the machine is rebooted, the tunnel is not established if an Intranet IP address is configured.

    [ NSHELP-23304 ]
  • Users cannot access resources over the VPN when the machines resume from sleep or hibernate state.

    [ NSHELP-23024 ]
  • When you reboot or power up a client Windows 10 machine, the Always On VPN plug-in 13.0 falls back to classic authentication even if nFactor authentication is configured.

    [ NSHELP-22795 ]
  • In rare cases, the Citrix ADC appliance might become unresponsive if the appliance is configured for EDT, and HDX Insight is enabled for EDT sessions.

    [ NSHELP-22640 ]
  • The logon screen for Windows might display incorrect fields if you configure a proxy on a client machine and if the proxy is not applicable to the VPN FQDN.

    [ NSHELP-22618 ]
  • In a multicore processor setup, the Citrix Gateway appliance crashes if the following two conditions are met:

    • Gateway Insight feature is enabled.
    • A request is received on a non-owner core.
    [ NSHELP-22524 ]
  • The Citrix Gateway appliance might crash while launching an app if the VDA FQDN resolution fails.

    [ NSHELP-22454 ]
  • In a Citrix Gateway setup with AlwaysOn feature enabled, AlwaysOn cannot establish a seamless VPN connection after a client is restarted.

    [ NSHELP-22420 ]
  • The Citrix Gateway appliance crashes if the ICA file length is greater than 2,048 characters and if Gateway Insight is enabled.

    [ NSHELP-22387 ]
  • The Citrix Gateway appliance might crash intermittently if a syslog policy is configured.

    [ NSHELP-22304 ]
  • In the Citrix ADC appliance GUI, you cannot unbind an authorization policy binding from an Authentication, authorization, and auditing group.

    [ NSHELP-22167 ]
  • The Web Interface feature might not work as intended after upgrading the Citrix ADC appliance.

    [ NSHELP-21899 ]
  • When the syslog server is configured through TCP, intermittently some logs are not sent to the syslog server.

    [ NSHELP-21624 ]
  • If you have configured clientless VPN (CVPN) on Citrix Gateway, the appliance might crash because of erroneous rewrite handling.

    [ NSHELP-21244 ]

Citrix Web App Firewall

  • POST requests with content-type "application/octet-stream" are not processed if Streaming is enabled without a signature set.

    [ NSHELP-22668 ]
  • A Citrix ADC appliance might strip off the response body if the response body signature rules are enabled.

    [ NSHELP-20872 ]
  • In a high availability setup, the Web App Firewall session in the secondary node is a stale session.

    [ NSHELP-20288 ]

Load Balancing

  • After upgrading a Citrix ADC appliance, the GSLB config sync might fail if the "/var/tmp/gslbsync" directory does not exist on the appliance.

    [ NSHELP-22796 ]
  • If some commands fail to run but a name server is configured successfully, the state of the name server stays DOWN.

    [ NSHELP-22750 ]
  • The Citrix ADC appliance might rarely crash when an integer value is truncated after a series of operations related to Stream Identifier.

    [ NSHELP-22489 ]
  • The Citrix ADC appliance might run out of memory when a client sends packets at regular intervals but the first packet is blocked in the appliance. As a result, packets are queued up and the appliance runs out of memory to store the packets.

    [ NSHELP-20871 ]

Miscellaneous

  • Some commands present in the rc.netscaler file are not applied correctly after a Citrix ADC appliance is restarted. As a result, the appliance might not work as intended.

    [ NSHELP-22507 ]

Networking

  • After an upgrade to Citrix ADC 12.1 build 58.x, any one command propagation failure from the CCO node might lead to complete propagation failure. As a result, further commands might fail from the CCO node to non-CCO nodes.

    [ NSNET-18028 ]
  • Deny ACL6 rules might drop IPv6 traffic for an established session.

    [ NSNET-11409 ]
  • When the L2 mode is enabled, the Citrix ADC appliance forwards the DHCP broadcast packets received in the default partition.

    [ NSHELP-23957 ]
  • In a high availability setup in INC mode, BFD sessions are lost after a failover.

    [ NSHELP-23648 ]
  • A packet with an invalid virtual MAC address as the destination address is wrongly classified as a packet having the Citrix ADC owned MAC address.

    [ NSHELP-22697 ]
  • In a cluster setup with retainConnectionsOnCluster option enabled, a cluster node might crash when it receives fragmented packets followed by non-fragmented packets.

    [ NSHELP-21674 ]
  • The Citrix ADC fails to install Intermediate System to Intermediate System (IS-IS) next-hop because of missing authentication (AUTH) information on the received large Link State PDUs (LSPs).

    [ NSHELP-21062 ]
  • In a cluster setup, the following behavior is observed when an ADNS service is bound to a node group:

    • RHI processing is not properly updated.
    • The IP address is not advertised.
    [ NSHELP-18567 ]

Platform

  • On the Citrix ADC SDX 26000-100G platform, the interface might not come up after you restart the appliance.

    [ NSPLAT-11985 ]
  • Upgrading a Citrix ADC SDX appliance to software version 12.1 might fail if the Citrix Hypervisor version is 6.1.

    [ NSHELP-24036 ]
  • In some cases, the network interfaces might not show up if a Citrix ADC SDX appliance crashes and restarts.

    [ NSHELP-23756 ]
  • In some cases on a Citrix ADC SDX appliance, configuring some virtual instances with 50G and 100G Mellanox interfaces exhausts the memory.

    [ NSHELP-23394 ]
  • On the Citrix ADC SDX 15000-50G platform, some files from the NIC dump might not be cleared from the /tmp directory when the Citrix Hypervisor support bundle is collected multiple times. These files might disrupt a successful reboot of the appliance.

    [ NSHELP-22903 ]

SSL

  • When a Citrix ADC appliance is configured to use SSL session tickets and client authentication is enabled, the appliance might crash when the clients send a large client certificate, for example, an RSA certificate containing a 4096-bit key.

    [ NSHELP-21662 ]
  • OCSP signature verification fails when an empty extension is received in the "SingleResponse" field of the OCSP response.

    [ NSHELP-20997 ]

System

  • A Citrix ADC appliance might crash when detecting duplicate TCP retransmissions. The appliance crashes because of the divide-by-zero operation in the TCP congestion control algorithm.

    [ NSHELP-22693 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:

    • Flash Cache is enabled.
    • The client connection is reset.
    • A client request is in the queue to be serviced as part of the caching process.
    [ NSHELP-21872 ]
  • In a clustered setup, a Citrix ADC appliance might crash, if the following conditions are observed:

    • The connection is steered from the Flow Processor to the Flow Receiver.
    • TCP out-of-order packets are processed in the Time-Wait state.
    [ NSHELP-21792 ]
  • For synflood trap generation, if you do not reset the varbinding values, the appliance uses the old trap varbinding values instead of the current and threshold values.

    [ NSHELP-20653 ]
  • In Multi-path TCP (MPTCP), the si_cur_Clients and si_cur_clnt_ConnOpenEst counters are incremented twice.

    [ NSHELP-19896 ]

User Interface

  • A FIPS key created on a primary node is not synched to the secondary node using the Enable SIM option in the Citrix ADC GUI.

    [ NSUI-16016 ]
  • A Citrix ADC appliance might crash when an internal process restarts for a maximum number of times.

    [ NSHELP-23378 ]
  • When you configure cookie consistency security settings in a Web App Firewall profile through Citrix ADC GUI, the following issues are observed:

    • GUI error is observed in the browser debugging console.
    • Selected settings do not get saved.
    [ NSHELP-23201 ]
  • Earlier, the Actions field listed both Assignments and Rewrite Actions together, but the Add/Edit functionality was intended only for Rewrite Actions, not for Assignments. The Add/Edit options are now removed, and "Configure Assignments" and "Configure Rewrite Actions" are provided as hyperlinks to configure them independently.

    [ NSHELP-23095 ]
  • Only the last three digits of the year are displayed in "Up since (Local)" line of the "stat system" command.

    [ NSHELP-22960 ]
  • The Saved v/s Running config utility might display differences for the 'bind serviceGroup' command even after saving the configuration.

    [ NSHELP-22459 ]
  • Adding a service group member directly is successful. However, the operation fails if you perform the following steps:

    1. Navigate to Traffic Management > Load Balancing > Service Groups.

    2. Select a service group and click Service Group Members.

    3. Right click one of the entries and select Add.

    4. In the Create Service Group Member, change the IP address and click Create.

    [ NSHELP-21925 ]
  • In a high availability setup, a synchronization issue might replace the secondary node's license file with the primary node's license file.

    The presence of the primary node's license file causes a host ID mismatch for this file on the secondary node. Because of this host ID mismatch, all the Citrix ADC features are disabled when the secondary node takes over as primary after a failover.

    [ NSHELP-21871 ]
  • A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in the diffnsconfig command. As a result, the diffnsconfig output is large enough to completely fill the root disk.

    [ NSHELP-19345 ]
  • NITRO API (routerdynamicrouting) for fetching the ZebOS running configuration does not fetch the complete output for large configurations (more than 25 lines).

    [ NSCONFIG-3535 ]

Known Issues

The issues that exist in release 12.1-58.15.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • In some cases, addition of multiple EPA related authentication policies results in high management CPU.

    [ NSHELP-26281 ]
  • You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.

    [ NSHELP-26199 ]
  • The Citrix Gateway plug-in fails to launch if the following conditions are met:

    • Citrix Gateway appliance is configured as Full VPN only.
    • Authentication method is OAuth RP.

    [ NSHELP-26020 ]
  • The Citrix Gateway plug-in fails to launch if the following conditions are met:

    • Citrix Gateway appliance is configured as Full VPN only.
    • SSPR registration is configured as the last factor.
    [ NSHELP-25691 ]
  • A Citrix ADC appliance might crash if the following issues are observed:

    • Invalid memory allocation.
    • Web App Firewall is configured with form-based SSO authentication.
    [ NSHELP-24551 ]
  • SSO to StoreFront using Citrix ADC fails if the following conditions are met:

    • The Citrix ADC appliance is configured for multi-factor authentication.
    • Citrix ADC session times out before examining the configured authentication factors.
    [ NSHELP-21466 ]
  • Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.

    [ NSHELP-18844 ]
  • A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.

    [ NSHELP-18751 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]
  • If you edit the authentication virtual server using the End-to-end login test or Test End User Connection options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
    Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing Application Traffic > Authentication Virtual Servers.

    [ NSAUTH-6339 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [ NSAUTH-6106 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:

    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]

Citrix ADC SDX Appliance

  • On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.

    [ NSHELP-26500 ]
  • In some cases, a Citrix ADC SDX appliance might create core dumps while taking a backup.

    [ NSHELP-26345 ]
  • On a Citrix ADC SDX appliance, the "geodb" details in the ADC instances are not collected when you take a backup of the appliance.

    [ NSHELP-26190 ]
  • If you initiate the deletion of a Citrix ADC instance while the instance is being provisioned, the FIPS partition entry for the deleted instance might still be present in the database.

    [ NSHELP-25909 ]
  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

    • Throughput allocation mode is burst.
    • There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]
  • SNMPv3 queries work only for a few minutes after changing the password.

    [ NSHELP-19313 ]
  • SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).

    [ NSHELP-18541 ]

Citrix Gateway

  • The VPN plug-in for Windows does not cache the user selected device certificate while performing advanced authentication. As a result, users are prompted with all certificates on a subsequent logon attempt.

    [ NSHELP-26432 ]
  • The Citrix Gateway appliance crashes when a server initiated connection sends data packets after the connection is closed.

    [ NSHELP-26431 ]
  • Sometimes, the Citrix ADC appliance crashes when a trace is started either from the GUI or the CLI.

    [ NSHELP-26249 ]
  • The Citrix ADC appliance might crash if the "rdpLinkAttribute" attribute size is greater than 64 characters.

    [ NSHELP-26068 ]
  • The gateway plug-in for Windows maintains the existing proxy exception list even if the list overflows because of the browser limit on the Internet Explorer proxy exception list.

    [ NSHELP-25578 ]
  • The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.

    [ NSHELP-25420 ]
  • The UrlName parameter is appended to the session and other policy bindings when a classic VPN URL is also bound, leading to configuration addition on save and reboot.

    [ NSHELP-25072 ]
  • Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.

    [ NSHELP-24718 ]
  • A delay in the response from StoreFront servers might result in slow Citrix Gateway GUI related operations or "timed out at dispatch_netsvc" error messages.

    [ NSHELP-24437 ]
  • A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.

    [ NSHELP-24085 ]
  • The Gateway Insight does not display accurate information on the VPN users.

    [ NSHELP-23937 ]
  • Citrix ADM displays incorrect bandwidth used by users when connected to VPN.

    [ NSHELP-23855 ]
  • HDX Insight data is not observed in Director for individual sessions. The issue is seen when NetScaler App Experience (NSAP) sessions are established.

    [ NSHELP-23834 ]
  • Packet drops are observed when a UDP application server sends packets that are larger than MTU and if the packets are fragmented.

    [ NSHELP-23770 ]
  • VPN plug-in doesn't establish tunnel after Windows logon, if the following conditions are met:

    • Citrix Gateway appliance is configured for Always On feature
    • The appliance is configured for certificate based authentication with two factor authentication "off"
    [ NSHELP-23584 ]
  • The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.

    [ NSHELP-23410 ]
  • False launch failures of applications are reported in Gateway Insight. The launch failures are reported when there are no app or desktop launches.

    [ NSHELP-23047 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.

    [ NSHELP-22349 ]
  • If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.

    [ NSHELP-20825 ]
  • A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:

    • SplitTunnel is set to ON.
    • IP address pool (Intranet IP) option is set to NoSpillOver.
    [ NSHELP-20584 ]
  • In Analytics > Gateway Insight, under Authentication, it displays an incorrect Authentication Type. This issue occurs when you configure NO_AUTHN action in the ADC instance.

    [ NSHELP-20117 ]
  • SYSLOG log messages get truncated after 1024 bytes.

    [ NSHELP-19484 ]
  • In some cases, a Citrix ADC appliance might dump core during a user logout session.

    [ NSHELP-19470 ]
  • SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
    Workaround: Use an IP address for VDA.

    [ NSHELP-8549 ]
  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.

    [ NSHELP-7872 ]
  • While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.

    [ CGOP-16792 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

    [ CGOP-13621 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]
  • In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.

    [ CGOP-6794 ]
  • If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.

    [ CGOP-3359 ]

Citrix Web App Firewall

  • When aslearn configured learned data is deployed and if the field types reach a threshold, the total learned data is not displayed correctly. As a result, the Field Format learned data is not the same as the exported learned data.

    [ NSHELP-18077 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]
  • In rare cases, the Citrix ADC appliance might crash while processing plain ACK packets that are received from a GSLB remote site.

    [ NSHELP-25886 ]
  • When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.

    [ NSHELP-24329 ]
  • The packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK before receiving the complete header.

    [ NSHELP-22099 ]
  • In a cluster setup, the set ratecontrol command works only after restarting the Citrix ADC appliance.

    Workaround: Use the nsapimgr_wr.sh -ys icmp_rate_threshold=<new value> command.

    [ NSHELP-21811 ]
  • In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.

    [ NSHELP-21425 ]
  • When you execute the "set service <servicename>" command, the following error message is displayed:
    "IP Address cannot be set on a domain based server."

    This error message is displayed when the server is configured with a name greater than 32 characters.

    [ NSHELP-20939 ]
  • In a cluster setup, the GSLB service IP address is not displayed in the GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]
  • Redirecting an HTTPS URL fails if the URL contains the % special character.

    [ NSHELP-19993 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.

    [ NSSWG-849 ]
  • A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URLFiltering third-party vendor.

    [ NSHELP-22409 ]
  • In an L3 cluster setup, the local nodegroup wrongly sends Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.

    [ NSHELP-20366 ]

Networking

  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

    [ NSNET-5233 ]
  • In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has the "stayprimary" or "staysecondary" option set.

    [ NSNET-1646 ]
  • In a high availability setup, the secondary node might crash after a restart if the following conditions are met:

    • A large number of active LSN sessions are present in the primary node.
    • The Pitboss process restarts packet engines when synchronizing a large number of LSN sessions in the secondary node.
    [ NSHELP-26257 ]
  • A Citrix ADC appliance might crash, if the following conditions are present:

    • IPv6 link load balancing (LLB6) configuration has persistency option enabled.
    • Some IPv6 dummy connections are created for this LLB6 configuration.
    [ NSHELP-25695 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

    [ NSHELP-25105 ]
  • For a PBR6 rule with no direct route to the next hop, the Citrix ADC appliance might incorrectly discard RNAT6 processed packets with an error.

    [ NSHELP-24632 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

    [ NSHELP-24623 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.

    [ NSHELP-24034 ]
  • If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.

    [ NSHELP-21288 ]
  • In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.

    [ NSHELP-20796 ]

Platform

  • A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.

    [ NSPLAT-16852 ]
  • When NetScaler licenses hosted on NetScaler MAS expire, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.

    [ NSPLAT-6417 ]
  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the "rm cloudprofile" command to delete the profile.

    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, upon logon to the secondary node through the GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should always be configured on the primary node.

    [ NSPLAT-4451 ]
  • On a Citrix ADC SDX appliance, traffic to the ADC instance might be interrupted when the interface link flaps and interface reset occurs simultaneously.

    [ NSHELP-26307 ]
  • On a Citrix ADC SDX appliance, a VPX instance might fail to boot when provisioned with 24 interfaces due to inadequate shared memory allocation.

    [ NSHELP-25912 ]
  • On a Citrix ADC SDX 15000-50G appliance, in cases of a brief surge of data traffic not directed to any of the ADC VPX instances, the following issue might happen:

    • The LACP link on 10G ports might flap intermittently or go down permanently.

    Workaround:
    1. Find out the internal ethX port corresponding to the 10G port.
    2. Run the following command on the Citrix Hypervisor shell prompt: ethtool -G ethX rx 4096 tx 512
    3. Review the traffic profile to block off unwanted traffic on the switch side.

    [ NSHELP-25561 ]

Policies

  • A Citrix ADC might crash when evaluating a large number of embedded expressions in an HTML page.

    [ NSPOLICY-1462 ]
  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.

    [ NSPOLICY-1267 ]
  • Policy string map might not work if UTF-8 characters are used in key text.

    [ NSHELP-25357 ]

SSL

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]
  • In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.

    [ NSSSL-3402 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

    [ NSSSL-3184 ]
  • You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server as SNI certificates if the domain name is the same.

    [ NSSSL-2560 ]
  • In a cluster setup, you might observe the following issues:

    • Missing command for the default certificate-key pair binding to the SSL internal services on the CLIP. However, if you upgrade from an older build you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
    • Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
    • Missing default cipher bind command to the SSL entities in the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.
    [ NSHELP-25764 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.

    [ NSHELP-24201 ]
  • In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.

    [ NSHELP-23963 ]
  • A Citrix ADC appliance might crash if the following conditions are met:

    • A certificate-key pair is added with the expiry monitor option enabled.
    • The certificate date is earlier than 01/01/1970.
    [ NSHELP-22934 ]

System

  • If an AppFlow collector of type Rest is used in an analytics profile, the Citrix ADC appliance might fail during the removal of the profile.

    [ NSHELP-26299 ]
  • A Citrix ADC appliance might crash when the AppFlow collector is in a different subnet than the SNIP.

    [ NSHELP-26008 ]
  • A content switching virtual server displays an incorrect request and response byte count with MPTCP traffic.

    [ NSHELP-25731 ]
  • The HTML page might not load when the AppFlow Client-Side Measurements and Rewrite features are enabled.

    [ NSHELP-24043 ]
  • RNAT configuration does not work with HTTP/2 connections if the appliance uses the RNAT IP address for server-side (both http2 and http1.1) connections.

    [ NSHELP-23783 ]
  • For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, the output is appended with a dot at the end, whereas for snmpwalk on NSIP, the output is not appended with a dot at the end.

    [ NSHELP-22684 ]
  • When the Intrusion Prevention System (IPS) is processing data before the cache module, the PayloadInfo variable is not cleared properly. Eventually, when the cache module accesses the variable, it causes the Citrix ADC appliance to crash.

    [ NSHELP-21907 ]
  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

    [ NSHELP-21240 ]
  • When a Citrix ADC appliance sends a "tcpSynFloodAttack" SNMP trap, the "unackSynCount" log message has string characters instead of integer values.

    [ NSHELP-20401 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

    [ NSHELP-10972 ]
  • Segmentation errors or duplicate free might cause a Citrix ADC appliance to crash if the following conditions are met:

    • HTTP profile bound to a backend service has HTTP2 enabled and HTTP2 direct disabled.
    • Multiple HTTP CONNECT requests are sent from the client over HTTP/2 streams to a virtual server of HTTP type.
    [ NSBASE-13582 ]
  • A few AppFlow records containing IPFIX information might be abnormal.

    [ NSBASE-11686 ]
  • Client IP and Server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.

    [ NSBASE-8506 ]
  • ICAP support for Citrix ADC

    A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

    For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html

    [ NSBASE-825 ]

User Interface

  • In the Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.

    [ NSUI-14752 ]
  • The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.

    [ NSUI-13193 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.

    [ NSUI-6838 ]
  • When you configure IP reputation using advanced policy expressions, the "TOR_PROXY" threat category is missing in the Expression Editor GUI.

    [ NSHELP-25654 ]
  • The Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.

    [ NSHELP-24195 ]
  • A Citrix ADC appliance might crash if the /tmp directory is full.

    [ NSHELP-21809 ]
  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]
  • A Citrix ADC appliance does not support addition of CRL files greater than 2 MB using NITRO APIs.

    [ NSHELP-20821 ]
  • The Citrix ADC command interface and the GUI do not display the system time parameter setting for a few SNMP alarms.

    [ NSHELP-19958 ]
  • The top-level page title is missing on all security check GUI pages.

    [ NSHELP-18607 ]
  • In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds. However, the GUI incorrectly displays the following error:
    Trace not started

    [ NSHELP-18566 ]
  • In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added to the CCO node but fails on the non-CCO nodes with no error message.

    [ NSHELP-12037 ]
  • The connection between the ADC instance and ADM service is lost when the following conditions are met:

    • The instance is added to ADM service using a built-in agent.
    • The instance is upgraded using the -Y option or from the ADM GUI. In both cases, the built-in agent doesn't restart. The -Y option provides Yes as an answer to all upgrade-related questions that appear on the CLI or GUI.
    [ NSCONFIG-4368 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 in the preceding steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]