Release Notes for Citrix ADC 12.1-59.16 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for Citrix ADC release Build 12.1-59.16.

Notes

  • This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.

What's New

The enhancements and changes that are available in Build 12.1-59.16.

User Interface

  • Next/Previous navigation option for Web App Firewall Profile GUI page
    In Citrix ADC GUI, the Web App Firewall Profiles page now displays the Next/Previous navigation option to view more than 25 profiles in the list pane.

    Navigation: Security->Citrix Web App Firewall->Profiles
    [ NSUI-16487 ]
  • Citrix logo change
    Citrix now has a new logo that reflects its brand transformation. The Citrix ADC and Citrix Gateway GUI now reflect the new Citrix logo.
    [ NSUI-16210 ]

Fixed Issues

The issues that are addressed in Build 12.1-59.16.

Authentication, authorization, and auditing

  • The Citrix ADC appliance denies logon requests from mobile clients because the login schema validation fails. You must use the OAuthToken_Username_password.xml schema in your configuration.
    [ NSHELP-24318 ]
  • Citrix SSO QR scan fails for a VPN virtual server configured on a port other than the default port (443). This happens because of an issue with Native OTP settings.
    [ NSHELP-24097 ]
  • In some cases, the SAML assertion breaks when the attribute values have XML tags. This results in the failure of attribute extraction.
    [ NSHELP-23940 ]
  • The Citrix Workspace login fails when a Citrix ADC appliance is configured as an Identity Provider (IdP) for Citrix Workspace and a custom attribute extraction error occurs. 
    [ NSHELP-23843 ]
  • A Citrix ADC appliance fails to extract all the groups in an LDAP scenario for an AD user when the number of groups the user belongs to exceeds the limit of the group size.
    [ NSHELP-22959 ]
  • SAML authentication for the last factor fails when both the following conditions are met:
    * The Citrix ADC appliance is configured as SAML SP.
    * EPA is enabled on the VPN virtual server as pre-authentication policy and the RfWebUI theme is bound to the server.
    [ NSHELP-22932 ]
  • The session establishment fails when accessed from the Citrix Workspace app using Webview if preauthentication EPA is configured along with nFactor authentication.
    [ NSHELP-22845 ]
  • The login page for a Citrix ADC appliance is not displayed correctly when LDAP and SAML are configured as the primary authentication mechanism.
    [ NSHELP-22713 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance running software version 13.0 build 64.x or 12.1 build 58.x, a user cannot download the backup of the appliance.
    [ NSSVM-3952 ]
  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 56.x might return an exception because of file access issues.
    [ NSSVM-2994 ]
  • The SDX GUI might not be accessible after upgrading a Citrix ADC SDX appliance on which management LA and CLAGs are configured.
    [ NSHELP-24671 ]
  • The SNMP user details are not modified if you change the device profile of an ADC instance provisioned on a Citrix ADC SDX appliance.
    [ NSHELP-24488 ]
  • On a Citrix ADC SDX appliance, an ADC instance configured with an IPv6 address cannot be modified.
    [ NSHELP-24256 ]
  • An incorrect platform model string is displayed when you configure pooled licensing on the Citrix ADC SDX 8400, 8600, or 8015 appliances.
    [ NSHELP-24234 ]
  • On a Citrix ADC SDX appliance, link aggregation information of ADC instances might be lost due to a race condition between concurrent rediscoveries of ADC instances.
    [ NSHELP-23849 ]

Citrix Gateway

  • In a rare case, the Citrix ADC appliance crashes while printing debug logs if the server-initiated connection session is already freed.
    [ NSHELP-24581 ]
  • You cannot use Scandinavian letters in the EULA after upgrading the Citrix ADC appliance from release 11.1 to 12.1.
    [ NSHELP-24394 ]
  • If you log on to Citrix Gateway and access Microsoft Excel via clientless VPN SharePoint, you are logged out of the session created for Microsoft Excel.
    [ NSHELP-24074 ]
  • The VPN plug-in cannot load the Citrix Gateway logon page if a port number is specified during login. This issue occurs only if nFactor authentication is configured for the virtual server on the appliance.
    [ NSHELP-23925 ]
  • The Citrix ADC appliance crashes if the "show vpn storeinfo" command is run repeatedly.
    [ NSHELP-23144 ]
  • The ICA Proxy application launch over SOCKS channel fails.
    [ NSHELP-23111 ]
  • Internet Explorer-based web browsers do not display the arrow in the drop-down lists for X1 and RFWebUI themes.
    [ NSHELP-22623 ]
  • In a Citrix Gateway double hop high availability setup, the ICA connection might be lost after an HA failover.
    [ NSHELP-22444 ]
  • The Citrix Gateway appliance crashes while freeing up an SSL VPN session that was previously freed.
    [ NSHELP-21073 ]
  • The Citrix ADC appliance might crash when a net profile is added to a service.
    [ NSHELP-19569 ]
  • You can now configure RfWebUI parameters such as loginFormTimeout and Session timeout by editing the plugins.xml file.
    [ NSHELP-19221 ]

Citrix Web App Firewall

  • A Citrix ADC appliance might crash if the response side or XML security checks are enabled and log expressions are configured in a Web App Firewall profile.
    [ NSWAF-6466 ]
  • In a cluster configuration, an error message, "Communication error with aslearn" appears when the learning engine tries to view and reset the learned data.
    [ NSHELP-24584 ]
  • A Citrix ADC appliance might crash because of a null streaming context in XML processing if the "multipleHeaderAction" parameter is set to "log".
    [ NSHELP-24549 ]
  • Citrix Web App Firewall is unable to block the following SQL Keywords/XSS patterns:

    List of XSS patterns:

    onBeforeUpdate
     textInput
     CheckboxStateChange
     onclose
     onanimationstart
     onanimationend
     onanimationiteration
     ontransitionstart
     ontransitioncancel
     ontransitionend
     ontransitionrun
     onfullscreenchange
     onfullscreenerror
     onauxclick
     onpointerlockchange
     onpointerlockerror
     ScriptProcessorNode.onaudioprocess
     OfflineAudioContext.oncomplete
     GlobalEventHandlers.oninput
     onloadend
     DOMActivate
     DOMAttrModified
     DOMCharacterDataModified
     DOMFocusIn
     DOMFocusOut
     DOMMouseScroll
     DOMNodeInserted
     DOMNodeInsertedIntoDocument
     DOMNodeRemoved
     DOMNodeRemovedFromDocument
     DOMSubtreeModified
     DOMAttributeNameChanged
     DOMContentLoaded
     DOMElementNameChanged
     dragdrop
     dragexit
     draggesture
     overflow
     overflowchanged
     RadioStateChange

    List of SQL Keywords:

    xp_sqlmaint
     kill
     bulk
     external
     public
     raiserror
     reconfigure
     freetext
     freetexttable
     authorization
     replication
     backup
     restore
     restrict
     goto
     revert
     holdlock
     identity_insert
     collate
     system_user
     merge
     nocheck
     truncate
     updatetext
     waitfor
     print
     writetext
     exit
     order by
     benchmark

    Note: The auto-update for signature version 49 in Citrix ADC version 12.1 includes these SQL keywords/XSS patterns.
    [ NSHELP-24185 ]
  • A Citrix ADC appliance might crash during the Web App Firewall XML validation check.
    [ NSHELP-23562 ]

Load Balancing

  • A Citrix ADC appliance might crash when trying to evaluate subscriber policies and gxSessionReporting is enabled.
    [ NSHELP-24159 ]
  • If connection mirroring does not synchronize PCB parameters, it might lead to loss of TCP options such as Maximum Segment Size (MSS) and Window Scaling.
    [ NSHELP-23990 ]
  • The statistics for a stream identifier do not show any graphs.
    [ NSHELP-22753 ]
  • In a cluster setup, ACL rules with VLAN settings do not take effect resulting in packets hitting other ACL rules.

    This issue occurs when you delete a virtual server on the cluster setup resulting in the cluster nodes not adding VLAN information on the steered packets.
    [ NSHELP-22103 ]
  • In a high availability (HA) setup, when the secondary node restarts, the primary node might crash during connection mirroring of sessions to the secondary node.
    [ NSHELP-21715 ]

Networking

  • In an admin partition setup, memory allocation might fail when you run the "set" command during an incorrect partition of memory resource.
    [ NSNET-17719 ]
  • If you run the “set appflow” command in a cluster setup, you might not be able to form a cluster.
    [ NSHELP-24220 ]
  • The following issues are observed related to BGP community strings in the Citrix ADC appliance:
    - When the appliance receives a BGP community string x:65535, the BGP session is disconnected.
    - When the <bgp extended asn> capability is not enabled, the BGP daemon does not handle the combination of the AS4_PATH attribute and certain community strings in the desired manner. This improper handling results in a crash of the BGP daemon.
    [ NSHELP-24119 ]
  • In a high availability setup, HA heartbeat packets might be lost during the "apply acls" operation for some ACL rules.
    [ NSHELP-23663 ]
  • BFD settings might not apply in a Citrix ADC appliance after you hard reboot the appliance several times.
    [ NSHELP-23471 ]
  • After entering and exiting the VTYSH shell in a Citrix ADC appliance, the symlink for '/nsconfig/syslog.conf' in '/etc/syslog.conf' might be removed. As a result, the changes in '/nsconfig/syslog.conf' are not reflected in '/etc/syslog.conf'.
    [ NSHELP-23200 ]
  • You might observe high CPU usage on a Citrix ADC appliance when it sends fragmented IPv6 packets.
    [ NSHELP-22699 ]
  • In a cluster setup, a Citrix ADC appliance might crash when it receives a node-to-node steered ICMP error message from the server. The crash occurs because the received packet does not contain the interface-related information.
    [ NSHELP-18401 ]

Platform

  • Upgrade on a Citrix ADC SDX appliance fails due to lack of space.
    Workaround:
    1. On an appliance running software version 13.0, switch to the shell prompt and type:
       sed -i.bak 's|vbd-list vm-uuid=\$dom0_uuid|vbd-list vdi-name-label="Dom0 Extra Storage"|g' /opt/xensource/libexec/sdx-boot/sdx-dom0-vbd-plug
    2. Log on to the Management Service GUI and reboot the appliance. Navigate to System > System Administration and click Reboot Appliance.
    3. Upgrade the appliance. Navigate to System > System Administration and click Upgrade Appliance.
    [ NSHELP-24066 ]
  • The Citrix ADC SDX 15000-50G appliance might fail to reboot completely when all the 10G and 50G interfaces are configured as LACP channels with 9000 MTU. The 50G interfaces might also be missing after the reboot.
    Workaround:
    1. Delete the 50G interface LACP channel.
    2. Restore each individual interface to 1500 MTU.
    3. Recreate the LACP channel with MTU 1500.
    [ NSHELP-23104 ]

Policies

  • A Citrix ADC appliance might crash if you configure the MATCHES_LOCATION() function in a policy expression and you start nstrace using a filter expression.
    [ NSHELP-22687 ]

SSL

  • In a NITRO call for a virtual server that has a profile bound to it, some entities of the virtual server, such as HSTS and OCSP_stapling that are part of the profile, are also displayed.
    [ NSSSL-6673 ]
  • In rare cases, a Citrix ADC appliance crashes if the following conditions are met:
    - An SSL virtual server receives a Client Hello message with the SSL record header split into two or more TCP packets.
    - A policy bound at client hello with a forward action specified returns true.
    - The TCP checksum of the packet, which completes the record header of Client Hello message, contains the 0xXX 0x16 pattern.
    [ NSHELP-23754 ]
  • A Citrix ADC appliance might crash if there are a large number of OCSP cached entries and you run the clear config command.
    [ NSHELP-22695 ]
  • Configuring empty CRLs for frequent updates exhausts the shared allocated memory on the Citrix ADC appliance.
    [ NSHELP-22166 ]
  • The Citrix ADC appliance might crash during an abbreviated (resumed) TLS 1.3 handshake if all of the following settings are applied to an SSL profile:

    - SNIHTTPHostMatch is set to CERT
    - TLSv1.3 is enabled
    - Session ticket is enabled.

    [ NSHELP-22126 ]
  • A partitioned Citrix ADC appliance might not respond as expected if you perform the following actions:
    1) Create two OCSP responders in different partitions.
    2) Clear the config in one partition.
    3) Remove the OCSP responder in the other partition.
    [ NSHELP-20861 ]

System

  • A Citrix ADC appliance might not optimize and compress large objects such as JavaScript or CSS if front end optimization is enabled.
    [ NSHELP-24041 ]
  • If a service, representing an inline device, is down when traffic is being inspected, a resource is not freed properly. The Citrix ADC appliance crashes when this freed resource is accessed again.
    [ NSHELP-23145 ]
  • The Citrix ADC MPX 26000-100G appliance might become unresponsive if the aggregator process becomes unstable.
    [ NSBASE-11747 ]

User Interface

  • After an upgrade to Citrix ADC 13.0 build 56.x, Citrix Web App Firewall regex evaluators do not work as expected.
    [ NSHELP-24212 ]
  • Multi-factor (nFactor) login does not work using the Citrix ADC GUI. After the first factor login, the next factor login input does not work.
    [ NSHELP-24078 ]
  • The Citrix ADC GUI does not display the "Top CLIENT.UDP.DNS.DOMAIN" statistical data in graphical format for the selected stream identifier.
    [ NSHELP-23777 ]
  • After executing the "saveconfig - all" command, the last saved time for the admin partitions is not accurately updated.
    [ NSHELP-23740 ]
  • In Citrix ADC GUI, the Web App Firewall Profiles page does not have the next or previous navigation options to view more than 25 profiles in the list pane.

    Navigation: Security->Citrix Web App Firewall->Profiles
    [ NSHELP-22622 ]
  • The "nsconfigaudit" config diff tool does not maintain the order of commands within the same resource group when generating the corrective commands.
    [ NSHELP-21791 ]
  • The Citrix Gateway appliance sends duplicate RADIUS access-requests to the RADIUS authentication service for each logon to the appliance.
    [ NSHELP-11148 ]
  • On a Citrix ADC MPX appliance, to transition the pooled capacity license to a perpetual license, you must first remove the pooled licensing configuration and then remove the pooled capacity license.
    [ NSCONFIG-4167 ]

Known Issues

The issues that exist in release 12.1-59.16.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • SSO to StoreFront using Citrix ADC fails if the following conditions are met:
    - The Citrix ADC appliance is configured for multi-factor authentication.
    - Citrix ADC session times out before examining the configured authentication factors.
    [ NSHELP-21466 ]
  • An FQDN in the SSL certificate might cause a Citrix ADC appliance to crash because of a buffer overflow.
    [ NSHELP-20476 ]
  • Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
    [ NSHELP-18844 ]
  • A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.
    [ NSHELP-18751 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
    [ NSHELP-563 ]
  • If you edit the authentication virtual server using the "End-to-end login test" or "Test End User Connection" options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
    Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing – Application Traffic > Authentication Virtual Servers.
    [ NSAUTH-6339 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
    [ NSAUTH-6106 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:
    - The Test LDAP Reachability option is opened.
    - Invalid login credentials are populated and submitted.
    - Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.
    [ NSAUTH-2147 ]

Caching

  • A Citrix ADC appliance might randomly crash if the following conditions are observed:
    * Integrated caching feature is enabled.
    * 100 GB or more memory is allocated for integrated caching.

    Workaround: Allocate less than 100 GB of memory. 
    [ NSHELP-20854 ]

CallHome

  • On the Citrix ADC MPX 22000 platform, the "show techsupport" command incorrectly shows that the hard drive is not mounted.
    [ NSHELP-24223 ]

Citrix ADC SDX Appliance

  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:
    - Throughput allocation mode is burst.
    - There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]
  • SNMPv3 queries work only for a few minutes after changing the password.
    [ NSHELP-19313 ]
  • SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).
    [ NSHELP-18541 ]

Citrix Gateway

  • Citrix SSO for iOS and macOS fails to transfer logon if classic authentication is enabled.
    [ NSHELP-24491 ]
  • The Gateway Insight does not display accurate information on the VPN users.
    [ NSHELP-23937 ]
  • The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.
    [ NSHELP-23882 ]
  • The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.
    [ NSHELP-23410 ]
  • When manual proxy is configured on a local machine, the user tunnel cannot be established automatically after a service tunnel is established.
    [ NSHELP-22831 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.
    [ NSHELP-22349 ]
  • If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.
    [ NSHELP-20825 ]
  • Device certificate is not supported with Citrix SSO for macOS when it is added as part of the nFactor scans.
    [ NSHELP-20722 ]
  • A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:
    - SplitTunnel is set to ON.
    - IP address pool (Intranet IP) option is set to NoSpillOver.
    [ NSHELP-20584 ]
  • In a high availability setup, during Citrix ADC failover, icons of some of the apps in the /var/netscaler/logon folder are not visible.
    [ NSHELP-20573 ]
  • The EPA plug-in screen becomes unresponsive on the second scan if Internet Explorer is used.
    [ NSHELP-20189 ]
  • SYSLOG log messages get truncated after 1024 bytes.
    [ NSHELP-19484 ]
  • SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
    Workaround: Use an IP address for VDA.
    [ NSHELP-8549 ]
  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
    [ NSHELP-7872 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.
    [ CGOP-13621 ]
  • The ICA connection results in a skip parse during ICA parsing if users are using Mac Receiver along with version 6.5 of Citrix Virtual Apps and Desktops (formerly Citrix XenApp and XenDesktop).
    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
    [ CGOP-13532 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
    [ CGOP-7269 ]
  • In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.
    [ CGOP-6794 ]
  • If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.
    [ CGOP-3359 ]
  • The Citrix SSO app automatically selects a client or a device certificate for authentication if only one of them is present in the keychain.
    [ CGOP-251 ]
  • The Endpoint Analysis scan to check if antiphishing is enabled is now supported on Citrix SSO.
    [ CGOP-249 ]
  • In the Citrix SSO app for macOS, the EULA checkbox is not cleared by default.
    [ CGOP-245 ]
  • Citrix SSO app does not display proper error messages when maximum number of users is reached.
    [ CGOP-231 ]

Citrix Web App Firewall

  • The Citrix Web App Firewall cookie consistency check removes the SameSite cookie attribute in the response sent by the back-end server.
    [ NSHELP-24313 ]
  • When aslearn-configured learned data is deployed and the field types reach a threshold, the total learned data is not displayed correctly. As a result, the Field Format learned data is not the same as the exported learned data.
    [ NSHELP-18077 ]

Clustering

  • In an L3 cluster setup, the local nodegroup wrongly sends Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.
    [ NSHELP-20366 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.
    [ NSLB-7679 ]
  • The Citrix ADC appliance might crash if the association between Distributed Hash Table (DHT) entry and persistence session is deleted while freeing up the persistence session.
    [ NSHELP-24213 ]
  • The custom location entries might be removed when you run the "add locationfile" or "add locationfile6" commands in a high-availability setup.
    [ NSHELP-23775 ]
  • The packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK before receiving the complete header.
    [ NSHELP-22099 ]
  • A Citrix ADC appliance might crash when DNS logging is enabled and a malformed DNS query is received.
    [ NSHELP-21959 ]
  • In a cluster setup, the “set ratecontrol” command works only after restarting the Citrix ADC appliance.

    Workaround: Use the “nsapimgr_wr.sh -ys icmp_rate_threshold=<new value>” command.
    [ NSHELP-21811 ]
  • In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.
    [ NSHELP-21425 ]
  • When you execute the "set service <servicename>" command, the following error message is displayed:
    "IP Address cannot be set on a domain based server."

    This error message is displayed when the server is configured with a name greater than 32 characters.
    [ NSHELP-20939 ]
  • The Citrix ADC appliance sends a reset to the client intermittently because the MySQL virtual server is not able to select a backend server.
    [ NSHELP-20608 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20406 ]
  • Redirecting an HTTPS URL fails if the URL contains the % special character.
    [ NSHELP-19993 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.
    [ NSSWG-849 ]
  • A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URLFiltering third-party vendor.
    [ NSHELP-22409 ]

Networking

  • A partitioned Citrix ADC appliance might crash if you enable Video Optimization on a partition and later remove the partition on the appliance.
    [ NSNET-10199 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
    [ NSNET-5233 ]
  • In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has the "stayprimary" or "staysecondary" option set.
    [ NSNET-1646 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.
    [ NSHELP-24623 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
    [ NSHELP-24034 ]
  • IPv6 policy based routes (PBR6) on a Citrix ADC appliance might not work as expected.
    [ NSHELP-23161 ]
  • If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.
    [ NSHELP-21288 ]
  • In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.
    [ NSHELP-20796 ]
  • When you add a slave interface with jumbo MTU to a link aggregation channel that is used as a backplane, the following warning message incorrectly appears:

    "The MTU for a backplane interface must be large enough to handle all packets. It must be equal to the (MTU value). If recommended value is not configurable, please review MTU of jumbo interfaces."

    This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20794 ]

Platform

  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSPLAT-17546 ]
  • A Citrix ADC VPX instance, on which NSVLAN and two link aggregation (LA) channels are configured, is not reachable when the following conditions are met:
    - First LA channel is disabled.
    - The VPX instance is rebooted.
    [ NSPLAT-16082 ]
  • If a Citrix ADC instance uses ADM-based licensing, the Citrix ADC licensing might not work when the ADM version is lower than the ADC version. Therefore, when you upgrade the ADC version, ensure that the corresponding ADM version is the same as or higher than the current ADC version.
    [ NSPLAT-15184 ]
  • When NetScaler licenses hosted on NetScaler MAS expire, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
    [ NSPLAT-6417 ]
  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the "rm cloudprofile" command to delete the profile.
    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
    [ NSPLAT-4451 ]

Policies

  • A Citrix ADC appliance might crash when evaluating a large number of embedded expressions in an HTML page.
    [ NSPOLICY-1462 ]
  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.
    [ NSPOLICY-1267 ]

SSL

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
    [ NSSSL-3402 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
    [ NSSSL-3184 ]
  • In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
    [ NSSSL-3161 ]
  • You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server, as an SNI certificate if the domain name is the same.
    [ NSSSL-2560 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:
    - The default profile is disabled.
    - A secure monitor is bound to a non-SSL service.
    [ NSHELP-24706 ]
  • The SSL handshake at the back end fails when the back-end server sends a single SSL record containing the following messages: 'Server Hello', 'Server Certificate', 'Server Key Exchange' and 'Server Hello Done'.
    [ NSHELP-24615 ]
  • A Citrix ADC appliance closes a DTLS session by sending an alert if the maximum retry timeout value is reached.
    [ NSHELP-24560 ]
  • A Citrix ADC appliance might not propose ECDHE ciphers in the client hello message if the following conditions are met:
    - HA synchronization is in progress.
    - Monitor probes are sent before the synchronization is complete.
    [ NSHELP-24355 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.
    [ NSHELP-24201 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:

    - The default profile is enabled.
    - A secure monitor is bound to a non-SSL service.
    [ NSHELP-24037 ]
  • In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.
    [ NSHELP-23963 ]
  • A Citrix ADC appliance might crash if the following conditions are met:
    - A certificate-key pair is added with the expiry monitor option enabled.
    - The certificate date is earlier than 01/01/1970.
    [ NSHELP-22934 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]

System

  • An HTTP/2 connection becomes unresponsive if the "http2InitialWindowSize" parameter value is set to 131070 or any value greater than 131070.
    Workaround: Set the parameter value to less than 131070.
    [ NSHELP-25155 ]
  • For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, the output is appended with a dot at the end, whereas for snmpwalk on NSIP, the output is not appended with a dot at the end.
    [ NSHELP-22684 ]
  • When the Intrusion Prevention System (IPS) is processing data before the cache module, the “PayloadInfo” variable is not cleared properly. Eventually, when the cache module accesses the variable, it causes a Citrix ADC appliance to crash.
    [ NSHELP-21907 ]
  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.
    [ NSHELP-21240 ]
  • When a Citrix ADC appliance sends a "tcpSynFloodAttack" SNMP trap, the "unackSynCount" log message has string characters instead of integer values.
    [ NSHELP-20401 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
    [ NSHELP-10972 ]
  • The Client IP and Server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.
    [ NSBASE-8506 ]
  • ICAP support for Citrix ADC
    A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

    For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
    [ NSBASE-825 ]

User Interface

  • In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.
    [ NSUI-14752 ]
  • The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.
    [ NSUI-13193 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.
    [ NSUI-6838 ]
  • A Citrix ADC appliance might crash if the /tmp directory is full.
    [ NSHELP-21809 ]
  • You can now set client authentication to optional, in the SSL parameters of a virtual server, using the GUI. Earlier, client authentication changed to mandatory if you used the GUI to change any SSL parameters.
    [ NSHELP-21060 ]
  • The Citrix ADC command interface and the GUI do not display the system time parameter setting for a few SNMP alarms.
    [ NSHELP-19958 ]
  • The top-level page title is missing on all security check GUI pages.
    [ NSHELP-18607 ]
  • In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds. However, the GUI incorrectly displays the following error:
    “Trace not started”
    [ NSHELP-18566 ]
  • A Citrix ADC appliance incorrectly logs a "Not logged in" error message when you access the reporting tab in the Citrix ADC GUI.

    Example:

     "Jul 21 11:20:14 <local0.info> 203.0.113.18 07/21/2016:08:20:14 GMT T1100-16-2 0-PPE-10 : default UI CMD_EXECUTED 290 0 :  User (null) - Remote_ip  - Command "show ns hardware" - Status "ERROR: Not logged in" "
    [ NSHELP-12534 ]
  • In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added to the CCO node but fails on the non-CCO nodes with no error message.
    [ NSHELP-12037 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:
    * 13.0 52.24 build
    * 12.1 57.18 build
    * 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:
    * If the Citrix ADC appliance is not yet downgraded (step 3 in the steps above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    * Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for other system users.
    * If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
    [ NSCONFIG-3188 ]