Release Notes for Citrix ADC 12.1-61.19 Release
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Build 61.19 replaces Build 61.18
- Additional fix in this build: NSAUTH-10135
What's New
Citrix ADC SDX Appliance
Users cannot configure a tagged VLAN on the 50G and 100G interfaces of an ADC instance without explicitly specifying the allowed VLAN list on the interface from the Management Service. The issue is seen if the ADC instance is provisioned on one of the following Citrix ADC SDX platforms:
- SDX 15000-50G
- SDX 26000
- SDX 26000-50S
- SDX 26000-100G
[ NSSVM-3697 ]
Fixed Issues
AppFlow
When you bookmark a page, log out, and log on again to Citrix ADM, the bookmarked page is not available under Favorites.
[ NSHELP-25742 ]
Authentication, authorization, and auditing
In some cases, a Citrix ADC appliance might crash when a user tries to configure a customized EULA login schema.
[ NSHELP-25570 ]
The Citrix ADC appliance crashes when FIPS certificate is configured for usercertdata.
[ NSHELP-25264 ]
In some cases, when Citrix ADC is used as an IdP for Citrix Cloud, the AAA daemon (aaad) crashes because of a memory buffer overflow while performing nested group extraction from Active Directory.
[ NSHELP-24884 ]
In a cluster setup, a Citrix ADC appliance might crash in certain cases while authenticating a user.
[ NSHELP-22871 ]
In some cases, SAML authentication breaks when the following conditions are met:
- The Citrix ADC appliance is configured as a SAML SP.
- "Domain drop-down" is configured as a factor on the Citrix ADC appliance.
- SAML policies are evaluated based on inputs from the "Domain drop-down" factor.
[ NSAUTH-10135 ]
In the Citrix ADC GUI, while configuring two-factor authentication for management access, the Login Schema node is not present under the System node.
[ NSAUTH-5815 ]
Citrix ADC management access is restricted through the console if a user is locked.
[ NSAUTH-2821 ]
Caching
A Citrix ADC appliance might randomly crash if the following conditions are observed:
- Integrated caching feature is enabled.
- 100 GB or more memory is allocated for integrated caching.
[ NSHELP-20854 ]
CallHome
On the Citrix ADC MPX 22000 platform, the show techsupport command incorrectly reports that the hard drive is not mounted.
[ NSHELP-24223 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, there might be a password mismatch between the Management Service and a VPX instance, if the following conditions occur simultaneously:
- The Management Service password is changed.
- The VPX instance is modified for any change, such as memory, CPU, and profile.
[ NSHELP-25709 ]
On a Citrix ADC SDX appliance, provisioning or restoring a VPX might fail if the allowed VLAN list on an interface or channel is more than 100 characters.
[ NSHELP-25702 ]
If you perform a factory reset on a Citrix ADC SDX appliance, the host ID of the appliance changes the first time one of the following conditions is met:
- You restore an appliance on which a link aggregation channel is configured on a management interface.
- The link aggregation channel on a management interface is deleted.
[ NSHELP-25670 ]
On a Citrix ADC SDX appliance, a user can sometimes view high memory usage events during monitoring of entities, such as services and service groups.
[ NSHELP-25668 ]
On a Citrix ADC SDX appliance, the Management Service host ID might change if you delete the link aggregation of the management interfaces. As a result, appliance licensing might be affected.
[ NSHELP-25636 ]
Citrix Gateway
In the Citrix ADC GUI, the Add tab on the Authentication, authorization, and auditing Groups page does not allow editing the Weights field.
[ NSHELP-25200 ]
If an FQDN is used for configuring wiHome or StoreFront over an SSL connection, ECDHE ciphers are not negotiated during the boot-up process.
[ NSHELP-25144 ]
Redirection to ShareFile fails when Citrix Gateway is configured for RfWebUI theme.
[ NSHELP-25133 ]
The "show audit messages" command displays logs of all log levels instead of the configured log level after the clear config command is run.
[ NSHELP-24237 ]
The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.
[ NSHELP-23882 ]
In a high availability setup, during Citrix ADC failover, icons of some of the apps in the /var/netscaler/logon folder are not visible.
[ NSHELP-20573 ]
The EPA plug-in screen becomes unresponsive on the second scan if Internet Explorer is used.
[ NSHELP-20189 ]
Memory leak is observed if HDX Insight with advanced encryption is enabled.
[ CGOP-15689 ]
Citrix Web App Firewall
In a cluster configuration, the Citrix Web App Firewall aslearn data aggregation on the cluster coordinator node (CCO) fails when RPC nodes are secured.
[ NSWAF-6460 ]
In a cluster setup, you cannot modify or remove the rfcprofiles in the set or rm appfw rfcprofile command.
[ NSHELP-24222 ]
Load Balancing
When health monitoring is disabled, the service state for a dynamic autoscale service group IP address is not marked as UP.
[ NSHELP-25521 ]
The Citrix ADC appliance might crash if the association between Distributed Hash Table (DHT) entry and persistence session is deleted while freeing up the persistence session.
[ NSHELP-24213 ]
The custom location entries might be removed when you run the add locationfile or add locationfile6 command in a high-availability setup.
[ NSHELP-23775 ]
If a service group member is assigned a wildcard port (port *), the monitor details for that service group member can be viewed from the Monitor Details page.
[ NSHELP-9409 ]
Networking
In a deterministic large scale NAT (LSN) setup, the following issue is observed after you upgrade the Citrix ADC appliance from release 11.1 to release 12.1 or release 13.0.
The NAT IP addresses and port blocks are allocated based on the "IPADDRS" allocation policy instead of "PORTS" allocation policy.
"PORTS" type was the only deterministic allocation policy present in release 11.1 by default without any configuration option.
"IPADDRS" type is set as the default deterministic allocation policy in release 12.1 or release 13.0.
So, a deterministic LSN configuration with "PORTS" allocation policy is converted to "IPADDRS" allocation policy during the Citrix ADC upgrade process.
As part of the fix, the default deterministic allocation policy is now set to "PORTS" in the following releases:
- Release 12.1 build 61.18 onwards
- Release 13.0 build 76.x onwards
[ NSNET-19469 ]
In a cluster setup, RNAT configurations for FTP data traffic might fail intermittently.
[ NSHELP-25566 ]
A Citrix ADC might crash if all of the following conditions are met:
- VMAC is configured on a non-default traffic domain.
- An IPv6 SNIP address is configured on the traffic domain.
- A ping probe is sent to the IPv6 SNIP address.
[ NSHELP-25553 ]
RNAT with the "useproxyport" option disabled might not work as expected for source ports lower than 1024.
[ NSHELP-25162 ]
In a high availability setup, the secondary node might crash after a restart if the following conditions are met:
- A large number of active LSN sessions are present on the primary node.
- The Pitboss process crashes and restarts while this large number of LSN sessions is being synchronized to the secondary node.
[ NSHELP-25068 ]
In a cluster CLAG setup, you might observe the following issues when the monitor probe of the new active node (passive to active) sends ND6 before the CLAG is UP:
- ND6 request from the new active node fails continuously.
- Some of the services owned by the new active node are down.
[ NSHELP-25010 ]
In a high availability setup, the SNMP module might crash repeatedly because of improper handling of data by the packet engines and internal networking modules.
This repeated crash of the SNMP module triggers HA failover.
[ NSHELP-24434 ]
The following link load balancing route added in a non-default traffic domain is moved to the default traffic domain after you save and restart the appliance.
- add lb route 0.0.0.0 -td 1
[ NSHELP-24067 ]
IPv6 policy based routes (PBR6) on a Citrix ADC appliance might not work as expected.
[ NSHELP-23161 ]
When you add a slave interface with jumbo MTU to link aggregation channel that is used as backplane, the following warning message incorrectly appears:
"The MTU for a backplane interface must be large enough to handle all packets. It must be equal to the (MTU value). If recommended value is not configurable, please review MTU of jumbo interfaces."
This is only a display issue, and there is no impact on the functionality.
[ NSHELP-20794 ]
Platform
A Citrix ADC VPX instance, on which NSVLAN and two link aggregation (LA) channels are configured, is not reachable when the following conditions are met:
- First LA channel is disabled.
- The VPX instance is rebooted.
[ NSPLAT-16082 ]
If a Citrix ADC instance uses ADM-based licensing, Citrix ADC licensing might not work when the ADM version is lower than the ADC version. Therefore, when you upgrade the ADC, ensure that the ADM version is the same as or higher than the ADC version.
[ NSPLAT-15184 ]
Binding a VLAN to a link aggregation channel fails when the VLAN is associated with more than 40 partition-MAC addresses.
[ NSHELP-25308 ]
Upgrading a Citrix ADC SDX appliance might fail if the /var/sdx partition is not mounted in the Citrix Hypervisor.
[ NSHELP-24847 ]
Policies
A Citrix ADC appliance might crash if global scope variables are used in invalid HTTP requests.
[ NSHELP-25369 ]
A Citrix ADC appliance might crash if the following conditions are observed:
- The maximum header length of an HTTP profile is set as 61440 bytes.
- The policy expression "HTTP.REQ.URL" is processed on a request with a URL length greater than 61440 bytes.
[ NSHELP-24476 ]
A Citrix ADC appliance might crash during ASYNC restoration after you try to bind a policy to a label at a priority in which another policy is already bound.
[ NSHELP-18493 ]
SSL
On the following Citrix ADC SDX platforms, the SSL card might go down if the external client uses ECDSA P224/521 curve for signature during SSL handshake for client authentication:
- SDX 11515/11520/11530/11540/11542
- SDX 22040/22060/22080/22100/22120
- SDX 24100/24150
- SDX 14000
- SDX 14000-40S
- SDX 14000-40G
- SDX 14000 FIPS
- SDX 25000
- SDX 25000A
[ NSSSL-9324 ]
If the strong password option is enabled on a Citrix ADC appliance, password protected certificate-key pairs might not be added. With this fix, password protected certificate-key pairs are always added successfully. However, downgrading to an earlier build causes the certificate-key configuration to be lost.
Also, in the NITRO API response for certificate-key pairs, the passplain variable is sent instead of the passcrypt variable.
[ NSHELP-25675 ]
While using SSL forwarding on an MPTCP connection, the following counters display a large value:
- MPTCP session counter on the forwarded virtual server.
- Current client connection counter on the original virtual server.
When the connection is forwarded from the original virtual server to the forwarded virtual server, the MPTCP session counter on the forwarded virtual server is not incremented. However, when the MPTCP connection is freed, the counter is decremented. As a result, the value for the counter becomes negative.
When the connection is forwarded from the original virtual server to the forwarded virtual server, the current client connection counter on the original virtual server is incorrectly decremented. As a result, the value for the counter becomes negative.
The counter values are now calculated as follows:
Counter: Current client connections
- Value on the original virtual server: Regular TCP connections + MPTCP subflows in any state
- Value on the forwarded virtual server (SSL forwarding): Regular TCP connections in any state
Counter: Current client est connections
- Value on the original virtual server: Regular TCP connections + MPTCP subflows connections in established state
- Value on the forwarded virtual server (SSL forwarding): Regular TCP connections in the established state
Counter: Current Multipath TCP subflows
- Value on the original virtual server: MPTCP subflows connections only
- Value on the forwarded virtual server (SSL forwarding): 0 (Subflows are terminated at the original virtual server)
Counter: Current Multipath TCP sessions
- Value on the original virtual server: MPTCP sessions only
- Value on the forwarded virtual server (SSL forwarding): Forwarded MPTCP sessions (Decremented at the original virtual server and incremented here)
[ NSHELP-25555 ]
A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:
- The default profile is disabled.
- A secure monitor is bound to a non-SSL service.
[ NSHELP-24706 ]
The SSL handshake at the back end fails when the back-end server sends a single SSL record containing the following messages: 'Server Hello', 'Server Certificate', 'Server Key Exchange' and 'Server Hello Done'.
[ NSHELP-24615 ]
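The NSHELP-24615 entry above describes a server flight coalesced into one record. TLS allows a sender to pack several handshake messages of the same content type into a single record (RFC 5246 section 6.2.1) and equally to split one message across records, so a reader that assumes one handshake message per record silently loses everything after the first. The following is an added example written for this page, not Citrix code: it builds such a flight with constructed placeholder bodies (not real TLS payloads) and contrasts a naive per-record reader with a reassembler that treats handshake bytes as a stream independent of record boundaries.

```python
import struct

CONTENT_HANDSHAKE = 22
TLS12 = (3, 3)
# Handshake message types from RFC 5246 section 7.4
HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_KEY_EXCHANGE, HS_SERVER_HELLO_DONE = 2, 11, 12, 14


def handshake_msg(hs_type, body):
    """Handshake message: 1-byte type, 3-byte length, body."""
    return bytes([hs_type]) + len(body).to_bytes(3, "big") + body


def tls_record(fragment, content_type=CONTENT_HANDSHAKE, version=TLS12):
    """TLSPlaintext record: type, version, 2-byte length, fragment (<= 2^14 bytes)."""
    if len(fragment) > 2 ** 14:
        raise ValueError("fragment exceeds record size limit")
    return bytes([content_type, *version]) + struct.pack("!H", len(fragment)) + fragment


def one_message_per_record(data):
    """Naive reader that assumes each record holds exactly one handshake message.

    It returns the first message of each record and drops the rest, which is how
    a coalesced flight loses Certificate, ServerKeyExchange and ServerHelloDone.
    """
    msgs, off = [], 0
    while off + 5 <= len(data):
        length = struct.unpack_from("!H", data, off + 3)[0]
        frag = data[off + 5:off + 5 + length]
        msgs.append((frag[0], frag[4:4 + int.from_bytes(frag[1:4], "big")]))
        off += 5 + length
    return msgs


class HandshakeReassembler:
    """Correct reader: handshake bytes form a stream independent of record boundaries."""

    def __init__(self):
        self.buf = b""

    def feed(self, data):
        """Consume one or more records; return the complete handshake messages found."""
        msgs, off = [], 0
        while off + 5 <= len(data):
            ctype, _vmaj, _vmin, length = struct.unpack_from("!BBBH", data, off)
            frag = data[off + 5:off + 5 + length]
            if len(frag) < length:
                raise ValueError("truncated record")
            off += 5 + length
            if ctype != CONTENT_HANDSHAKE:
                continue  # alerts and ChangeCipherSpec are out of scope here
            self.buf += frag
            while len(self.buf) >= 4:
                hs_len = int.from_bytes(self.buf[1:4], "big")
                if len(self.buf) < 4 + hs_len:
                    break  # remainder of this message arrives in a later record
                msgs.append((self.buf[0], self.buf[4:4 + hs_len]))
                self.buf = self.buf[4 + hs_len:]
        return msgs


# Constructed server flight; bodies are placeholders, not real TLS payloads.
SERVER_FLIGHT = [
    handshake_msg(HS_SERVER_HELLO, b"server-hello-body"),
    handshake_msg(HS_CERTIFICATE, b"cert-body"),
    handshake_msg(HS_SERVER_KEY_EXCHANGE, b"ske-body"),
    handshake_msg(HS_SERVER_HELLO_DONE, b""),
]
# The same flight packed three ways: one record per message, all four in one
# record (the NSHELP-24615 case), and the Certificate message split across two records.
SEPARATE_RECORDS = b"".join(tls_record(m) for m in SERVER_FLIGHT)
COALESCED_RECORD = tls_record(b"".join(SERVER_FLIGHT))
SPLIT_RECORDS = (tls_record(SERVER_FLIGHT[0] + SERVER_FLIGHT[1][:6])
                 + tls_record(SERVER_FLIGHT[1][6:] + SERVER_FLIGHT[2] + SERVER_FLIGHT[3]))


def message_types(msgs):
    """Handshake type codes in the order the reader produced them."""
    return [t for t, _ in msgs]


if __name__ == "__main__":
    print("naive, coalesced:", message_types(one_message_per_record(COALESCED_RECORD)))
    print("reassembler, coalesced:", message_types(HandshakeReassembler().feed(COALESCED_RECORD)))
    print("reassembler, split:", message_types(HandshakeReassembler().feed(SPLIT_RECORDS)))
```

The reassembler is the shape any TLS (or DTLS, with reordering added) handshake reader needs: record framing and handshake framing are separate layers, and a length-prefixed message may start in one record and finish in the next.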
A Citrix ADC appliance closes a DTLS session by sending an alert if the maximum retry timeout value is reached.
[ NSHELP-24560 ]
A Citrix ADC appliance might not propose ECDHE ciphers in the client hello message if the following conditions are met:
- HA synchronization is in progress.
- Monitor probes are sent before the synchronization is complete.
[ NSHELP-24355 ]
A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:
- The default profile is enabled.
- A secure monitor is bound to a non-SSL service.
[ NSHELP-24037 ]
After you add an SSL_TCP virtual server and attach an SSL profile to it, the "redirectPortRewrite" setting might be incorrectly enabled. As a result, there might be some configuration loss in a future upgrade.
The redirectPortRewrite setting is valid only for an HTTP virtual server.
[ NSHELP-22984 ]
When the "forward" ssl action is triggered, the counter "Current Client Est connections" incorrectly shows a large value in the output of statistics for the virtual server to which traffic is forwarded.
[ NSHELP-22825 ]
System
When a Citrix ADC appliance initiates a connection to the back-end server for "CONNECT" requests sent at a high rate, the following conditions are observed:
- The back-end server sends a bad ACK to the appliance.
- The appliance does not retry connection initiation.
- Client connections become unresponsive.
[ NSHELP-25925 ]
A lightweight CPX instance might crash if you use an analytics profile without setting the collector.
[ NSHELP-25239 ]
Configure HTTP/2 Initial Connection Window Size
As per RFC 7540, the flow-control window for HTTP2 stream and connection must be initialized to 64K (65535) octets, and any change to this value must be communicated to the peer. The ADC appliance communicates the change in flow-control window size as follows:
- Using the SETTINGS frame for the stream level flow-control window.
- Using the WINDOW_UPDATE frame for the connection level flow-control window.
In an HTTP profile, you can configure the http2InitialWindowSize parameter to set the initial window size at the stream level.
Because of an internal system error, the ADC appliance initializes the flow-control window for the connection also with the value configured for "http2InitialWindowSize". When there is a change in the configured flow-control window for the stream, the ADC appliance communicates to the peer using the SETTINGS frame. But the ADC appliance fails to communicate the change in the flow-control window for the connection using the WINDOW_UPDATE frame. This leads to a connection freeze.
To overcome the issue, the http2InitialConnWindowSize parameter (in bytes) is now added to control the connection level flow-control window. By using separate configurable parameters, namely "http2InitialWindowSize" and "http2InitialConnWindowSize", you can now configure the flow-control window size at both stream and connection levels.
Configure HTTP/2 initial connection-level flow-control window size parameter by using the CLI
At the command prompt, type:
"set httpprofile p1 -http2InitialConnWindowSize <window-size>"
Where, http2InitialConnWindowSize is the initial window size for connection level flow control, in bytes.
Default value: 65535
Minimum value: 65535
Maximum value: 67108864
[ NSHELP-25155 ]
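As an added illustration of the protocol point made above (example code written for this page, not Citrix's implementation), the following Python builds the two frames involved and reconstructs what a peer learns from them. Per RFC 7540, SETTINGS_INITIAL_WINDOW_SIZE changes only stream-level windows, so a connection-level window larger than 65535 must be advertised with a WINDOW_UPDATE on stream 0. The 1 MiB window is an arbitrary example value; the function advertise_windows_settings_only models the pre-fix behaviour in which the connection window is raised locally but only SETTINGS is sent, leaving the peer convinced it may put no more than 65535 bytes in flight on the connection.

```python
import struct

# HTTP/2 framing constants from RFC 7540 (sections 4.1, 6.5.2, 6.9).
FRAME_SETTINGS = 0x4
FRAME_WINDOW_UPDATE = 0x8
FLAG_ACK = 0x1
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
DEFAULT_WINDOW = 65535          # initial value of every flow-control window
MAX_WINDOW = 2 ** 31 - 1        # largest window / WINDOW_UPDATE increment


def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def settings_initial_window(size):
    """SETTINGS frame carrying SETTINGS_INITIAL_WINDOW_SIZE (stream-level windows only)."""
    if not 0 <= size <= MAX_WINDOW:
        raise ValueError("window size out of range")
    return frame(FRAME_SETTINGS, 0, 0, struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, size))


def window_update(stream_id, increment):
    """WINDOW_UPDATE frame; on stream 0 it grows the connection-level window."""
    if not 1 <= increment <= MAX_WINDOW:
        raise ValueError("increment out of range")
    return frame(FRAME_WINDOW_UPDATE, 0, stream_id, struct.pack("!I", increment))


def advertise_windows(stream_window, conn_window):
    """Corrected behaviour: frames a receiver sends so the peer learns both windows."""
    frames = [settings_initial_window(stream_window)]
    if conn_window > DEFAULT_WINDOW:
        # The connection window can only be raised above 65535 via WINDOW_UPDATE on stream 0.
        frames.append(window_update(0, conn_window - DEFAULT_WINDOW))
    return frames


def advertise_windows_settings_only(stream_window, conn_window):
    """Faulty behaviour described above: conn_window is applied locally but never advertised."""
    return [settings_initial_window(stream_window)]


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack_from("!I", data, off + 5)[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


class PeerView:
    """What the peer believes it may send, reconstructed only from frames it received."""

    def __init__(self):
        self.conn_window = DEFAULT_WINDOW
        self.stream_window = DEFAULT_WINDOW   # initial window applied to each new stream

    def receive(self, frames):
        for ftype, flags, stream_id, payload in parse_frames(b"".join(frames)):
            if ftype == FRAME_SETTINGS and not flags & FLAG_ACK:
                for off in range(0, len(payload), 6):
                    ident, value = struct.unpack_from("!HI", payload, off)
                    if ident == SETTINGS_INITIAL_WINDOW_SIZE:
                        self.stream_window = value   # RFC 7540 6.9.2: streams only
            elif ftype == FRAME_WINDOW_UPDATE and stream_id == 0:
                self.conn_window += struct.unpack("!I", payload)[0] & 0x7FFFFFFF
        return self

    def can_send(self, nbytes):
        """A DATA frame on a fresh stream must fit both the stream and connection windows."""
        return nbytes <= min(self.conn_window, self.stream_window)


if __name__ == "__main__":
    configured = 1024 * 1024   # example value for http2InitialConnWindowSize
    faulty = PeerView().receive(advertise_windows_settings_only(configured, configured))
    fixed = PeerView().receive(advertise_windows(configured, configured))
    print("faulty: peer conn window", faulty.conn_window, "100 KiB ok?", faulty.can_send(102400))
    print("fixed:  peer conn window", fixed.conn_window, "100 KiB ok?", fixed.can_send(102400))
```

In the faulty case the peer's connection window stays at 65535 while the local side believes the peer has the full configured window, so the peer stops after 64 KiB and the local side sees no reason to send a WINDOW_UPDATE; that is the freeze the entry describes, reproduced in miniature.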
After an SSL handshake, if the Citrix ADC appliance sends SETTINGS and SETTINGS-ACK frames after H2 negotiation, the following issues are observed:
- Latency issue of 100ms (by default) is seen at the SSL layer when encrypting data less than 8k.
- The TCP PUSH flag is not set on these frames.
[ NSHELP-25148 ]
HTTP/2 flag mismanagement decrements a few TCP counters to a negative value for both HTTP/2 and non-HTTP/2 streams.
[ NSHELP-25031 ]
In a cluster setup, the validation of default values in surge protection is handled differently on the database and packet engine.
[ NSHELP-24455 ]
When you enable Appflow on an ADC instance, the ADM does not display HDX Insight of that instance. This issue occurs because ADM fails to process the Logstream data received from the instance.
[ NSHELP-24227 ]
Deleting a TCP profile bound to a content switching virtual server leads to a configuration inconsistency in the cluster database.
[ NSHELP-24004 ]
A Citrix ADC appliance might crash while clearing the configuration when it tries to access the ICAP server details. The server details information is not removed from the monitor list when the ICAP content inspection configuration is cleared.
[ NSHELP-23945 ]
A Citrix ADC appliance might incorrectly send RST_STREAM frame for successfully completed transaction streams for HTTP/2 connections.
[ NSHELP-22969 ]
Enabling metrics collector in the default partition might fail if it is already enabled in the admin partition setup.
[ NSBASE-12623 ]
User Interface
Single or multiple commands in a NITRO API request to a Citrix ADC appliance might fail causing the following issues in the appliance:
- Memory corruption
- HTTPD process crash
[ NSHELP-25997 ]
The diff ns config command displays an "ERROR: Failed to get UID for command: apply ns pbr6" error message. It happens when the apply ns pbr6 command is saved in the ns.conf or running-config file.
[ NSHELP-25373 ]
HTTPD daemon might crash and generate core files while running the Qualys authenticated vulnerability scan.
[ NSHELP-25000 ]
On a Citrix ADC SDX platform, the following error message appears while loading the GUI:
Operation not supported by device [Pooled licensing not supported on this platform]
[ NSHELP-24474 ]
All checkboxes get automatically cleared when you try to modify a security check on the Citrix Web App Firewall Profile page. The intermittent issue occurs randomly on the GUI.
[ NSHELP-24409 ]
You can now set client authentication to optional, in the SSL parameters of a virtual server, using the GUI. Earlier, client authentication changed to mandatory if you used the GUI to change any SSL parameters.
[ NSHELP-21060 ]
A Citrix ADC appliance incorrectly logs "Not logged in" error message when you access the reporting tab in Citrix ADC GUI.
Example:
"Jul 21 11:20:14 <local0.info> 203.0.113.18 07/21/2016:08:20:14 GMT T1100-16-2 0-PPE-10 : default UI CMD_EXECUTED 290 0 : User (null) - Remote_ip - Command "show ns hardware" - Status "ERROR: Not logged in""
[ NSHELP-12534 ]
After you upgrade the Citrix ADC appliance to release 13.0 build 64.35 and later or release 12.1 build 61.18 and later, the Secure option for all the RPC nodes is turned ON by default. This option secures the communication between the ADC nodes in the high availability, cluster, and GSLB deployments, which use the port number 3008 and 3009. If the firewall between the ADC nodes blocks the port number 3008, 3009, or both, unblock the ports and proceed. Otherwise, configuration synchronization, configuration propagation, and MEP synchronization might fail. You can change this option anytime using the CLI or the GUI.
[ NSCONFIG-2702 ]
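A quick pre-upgrade check for the port requirement above, added here as an example and not a Citrix tool: it attempts a TCP connection to ports 3008 and 3009 on a peer node and reports which are blocked, so a firewall problem is found before secure RPC is on by default and synchronization silently stops. Run it from a host on the same network path as each node toward its HA, cluster or GSLB peers. The _Listener and closed_port helpers exist only so the check can be exercised locally without a real peer.

```python
import socket
import threading

RPC_PORTS = (3008, 3009)   # Citrix ADC RPC ports named in the note above


def check_tcp_ports(host, ports=RPC_PORTS, timeout=3.0):
    """Return {port: True|False}: whether a TCP connection to host:port succeeds."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


def rpc_path_clear(host, ports=RPC_PORTS, timeout=3.0):
    """True only if every RPC port is reachable; one blocked port is enough to break sync."""
    return all(check_tcp_ports(host, ports, timeout).values())


class _Listener:
    """Local stand-in for a peer node's RPC port (test scaffolding, not ADC code)."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return
            conn.close()

    def close(self):
        self.sock.close()


def closed_port():
    """An ephemeral port that is (very likely) not listening: bind, read it, release it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    peer = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, ok in check_tcp_ports(peer).items():
        print(f"{peer}:{port} {'reachable' if ok else 'BLOCKED'}")
    print("RPC path clear" if rpc_path_clear(peer) else "fix the firewall before upgrading")
```

A refused or timed-out connection is reported the same way; either one means the secure RPC channel cannot come up on that port.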
Video Optimization
The Gx interface containing AppFlow records has a wrong timestamp when receiving CCA-T diameter messages. The issue might occur if the following conditions are met:
- idleTTL parameter in the set subscriber parameter command is set to non-zero.
- gxSessionReporting parameter in the set appflow param command is enabled.
[ NSHELP-24099 ]
Known Issues
AppFlow
HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
[ NSINSIGHT-943 ]
Authentication, authorization, and auditing
In some cases, addition of multiple EPA related authentication policies results in high management CPU.
[ NSHELP-26281 ]
You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.
[ NSHELP-26199 ]
The Citrix Gateway plug-in fails to launch if the following conditions are met:
- Citrix Gateway appliance is configured as Full VPN only.
- Authentication method is OAuth RP.
[ NSHELP-26020 ]
The Citrix Gateway plug-in fails to launch if the following conditions are met:
- Citrix Gateway appliance is configured as Full VPN only.
- SSPR registration is configured as the last factor.
[ NSHELP-25691 ]
A Citrix ADC appliance might crash if the following issues are observed:
- Invalid memory allocation.
- Web App Firewall is configured with form-based SSO authentication.
[ NSHELP-24551 ]
SSO to StoreFront using Citrix ADC fails if the following conditions are met:
- The Citrix ADC appliance is configured for multi-factor authentication.
- Citrix ADC session times out before examining the configured authentication factors.
[ NSHELP-21466 ]
Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
[ NSHELP-18844 ]
A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.
[ NSHELP-18751 ]
A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
[ NSHELP-563 ]
If you edit the authentication virtual server using the "End-to-end login test" or "Test End User Connection" options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing Application Traffic > Authentication Virtual Servers.
[ NSAUTH-6339 ]
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
[ NSAUTH-6106 ]
The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:
- The Test LDAP Reachability option is opened.
- Invalid login credentials are populated and submitted.
- Valid login credentials are populated and submitted.
Workaround: Close and open the Test LDAP Reachability option.
[ NSAUTH-2147 ]
Citrix ADC SDX Appliance
On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.
[ NSHELP-26500 ]
In some cases, a Citrix ADC SDX appliance might create core dumps while taking a backup.
[ NSHELP-26345 ]
On a Citrix ADC SDX appliance, the "geodb" details in the ADC instances are not collected when you take a backup of the appliance.
[ NSHELP-26190 ]
If you initiate the deletion of a Citrix ADC instance while the instance is being provisioned, the FIPS partition entry for the deleted instance might still be present in the database.
[ NSHELP-25909 ]
Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:
- Throughput allocation mode is burst.
- There is a large difference between the throughput and the maximum burst capacity.
[ NSHELP-21992 ]
SNMPv3 queries work only for a few minutes after changing the password.
[ NSHELP-19313 ]
SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).
[ NSHELP-18541 ]
Citrix Gateway
The VPN plug-in for Windows does not cache the user selected device certificate while performing advanced authentication. As a result, users are prompted with all certificates on a subsequent logon attempt.
[ NSHELP-26432 ]
The Citrix Gateway appliance crashes when a server initiated connection sends data packets after the connection is closed.
[ NSHELP-26431 ]
Sometimes, the Citrix ADC appliance crashes when a trace is started either from the GUI or the CLI.
[ NSHELP-26249 ]
The Citrix ADC appliance might crash if the "rdpLinkAttribute" attribute size is greater than 64 characters.
[ NSHELP-26068 ]
The gateway plug-in for Windows keeps the existing proxy exception list even when the list overflows the Internet Explorer proxy exception list limit.
[ NSHELP-25578 ]
The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.
[ NSHELP-25420 ]
The UrlName parameter is appended to the session and other policy bindings when classic VPN URL is also bound leading to configuration addition on save and reboot.
[ NSHELP-25072 ]
Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.
[ NSHELP-24718 ]
A delay in the response from StoreFront servers might result in slow Citrix Gateway GUI related operations or "timed out at dispatch_netsvc" error messages.
[ NSHELP-24437 ]
A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.
[ NSHELP-24085 ]
The Gateway Insight does not display accurate information on the VPN users.
[ NSHELP-23937 ]
Citrix ADM displays incorrect bandwidth used by users when connected to VPN.
[ NSHELP-23855 ]
HDX Insight data is not observed in Director for individual sessions. The issue is seen when NetScaler App Experience (NSAP) sessions are established.
[ NSHELP-23834 ]
Packet drops are observed when a UDP application server sends packets that are larger than MTU and if the packets are fragmented.
[ NSHELP-23770 ]
VPN plug-in doesn't establish tunnel after Windows logon, if the following conditions are met:
- Citrix Gateway appliance is configured for Always On feature
- The appliance is configured for certificate based authentication with two factor authentication "off"
[ NSHELP-23584 ]
The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.
[ NSHELP-23410 ]
False launch failures of applications are reported in Gateway Insight. The launch failures are reported when there are no app or desktop launches.
[ NSHELP-23047 ]
In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.
[ NSHELP-22349 ]
If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.
[ NSHELP-20825 ]
A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:
- SplitTunnel is set to ON.
- IP address pool (Intranet IP) option is set to NoSpillOver.
[ NSHELP-20584 ]
In Analytics > Gateway Insight, under Authentication, an incorrect Authentication Type is displayed. This issue occurs when you configure the NO_AUTHN action on the ADC instance.
[ NSHELP-20117 ]
SYSLOG log messages get truncated after 1024 bytes.
[ NSHELP-19484 ]
In some cases, a Citrix ADC appliance might dump core during a user logout session.
[ NSHELP-19470 ]
SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
Workaround: Use an IP address for VDA.
[ NSHELP-8549 ]
An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
[ NSHELP-7872 ]
While adding an authentication virtual server using the XenApp and XenDesktop wizard,test connectivity for that authentication server fails.
[ CGOP-16792 ]
Application launch failure due to invalid STA ticket is not reported in Gateway Insight.
[ CGOP-13621 ]
In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
[ CGOP-13511 ]
In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.
[ CGOP-7269 ]
In a cluster deployment, if you run the "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.
[ CGOP-6794 ]
If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.
[ CGOP-3359 ]
Citrix Web App Firewall
When aslearn configured learned data is deployed and the field types reach a threshold, the total learned data is not displayed correctly. As a result, the Field Format learned data is not the same as the exported learned data.
[ NSHELP-18077 ]
Load Balancing
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.
[ NSLB-7679 ]
In rare cases, the Citrix ADC appliance might crash while processing plain ACK packets that are received from a GSLB remote site.
[ NSHELP-25886 ]
When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.
[ NSHELP-24329 ]
The packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK before receiving the complete header.
[ NSHELP-22099 ]
In a cluster setup, the set ratecontrol command works only after restarting the Citrix ADC appliance.
Workaround: Use the nsapimgr_wr.sh -ys icmp_rate_threshold=<new value> command.
[ NSHELP-21811 ]
In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.
[ NSHELP-21425 ]
When you execute the "set service <servicename>" command, the following error message is displayed:
"IP Address cannot be set on a domain based server." This error message is displayed when the server is configured with a name greater than 32 characters.
[ NSHELP-20939 ]
In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
[ NSHELP-20406 ]
Redirecting an HTTPS URL fails if the URL contains the % special character.
[ NSHELP-19993 ]
Miscellaneous
When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command on the secondary node.
As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.
[ NSSWG-849 ]
A Citrix ADC appliance might restart due to management CPU stagnation if connectivity issue occurs with the URLFiltering third party vendor.
[ NSHELP-22409 ]
In an L3 cluster setup, the local nodegroup wrongly sends Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.
[ NSHELP-20366 ]
Networking
- In some cases of FTP data connections, the Citrix ADC appliance performs only the NAT operation and does not perform TCP processing of the MSS negotiation on the packets. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in packet fragmentation and affects CPU performance. [ NSNET-5233 ]
In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has the "stayprimary" or "staysecondary" option set.
[ NSNET-1646 ]
In a high availability setup, the secondary node might crash after a restart if the following conditions are met:
- A large number of active LSN sessions are present in the primary node.
- The Pitboss process restarts packet engines when synchronizing a large number of LSN sessions in the secondary node.
[ NSHELP-26257 ]
A Citrix ADC appliance might crash, if the following conditions are present:
- IPv6 link load balancing (LLB6) configuration has persistency option enabled.
- Some IPv6 dummy connections are created for this LLB6 configuration.
[ NSHELP-25695 ]
Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.
[ NSHELP-25105 ]
For a PBR6 rule with no direct route to the next hop, the Citrix ADC appliance might incorrectly discard RNAT6 processed packets with an error.
[ NSHELP-24632 ]
A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.
[ NSHELP-24623 ]
For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
[ NSHELP-24034 ]
If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.
[ NSHELP-21288 ]
In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.
[ NSHELP-20796 ]
Platform
A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.
[ NSPLAT-16852 ]
- When the NetScaler licenses hosted on NetScaler MAS expire, the Citrix ADC appliance enters a grace period of 30 days. If valid licenses are applied during the grace period, the appliance continues to function as usual. If not, the licenses are revoked and the appliance stops functioning. [ NSPLAT-6417 ]
- When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the "rm cloudprofile" command to delete the profile.[ NSPLAT-4520 ]
- In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.[ NSPLAT-4451 ]
On a Citrix ADC SDX appliance, traffic to the ADC instance might be interrupted when the interface link flaps and interface reset occurs simultaneously.
[ NSHELP-26307 ]
On a Citrix ADC SDX appliance, a VPX instance might fail to boot when provisioned with 24 interfaces due to inadequate shared memory allocation.
[ NSHELP-25912 ]
On a Citrix ADC SDX 15000-50G appliance, a brief surge of data traffic that is not directed to any of the ADC VPX instances might cause the following issue:
- The LACP link on 10G ports might flap intermittently or go down permanently.
Workaround:
1. Find the internal ethX port corresponding to the 10G port.
2. Run the following command at the Citrix Hypervisor shell prompt: ethtool -G ethX rx 4096 tx 512
3. Review the traffic profile and block the unwanted traffic on the switch side. [ NSHELP-25561 ]
Policies
A Citrix ADC appliance might crash when evaluating a large number of embedded expressions in an HTML page.
[ NSPOLICY-1462 ]
- Connections might hang if the size of the data being processed exceeds the configured default TCP buffer size.
Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.
[ NSPOLICY-1267 ]
Policy string map might not work if UTF-8 characters are used in key text.
[ NSHELP-25357 ]
SSL
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[ NSSSL-4427 ]
- An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[ NSSSL-4001 ]
- In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.[ NSSSL-3402 ]
- An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.[ NSSSL-3184 ]
- You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server, as an SNI certificate if the domain name is the same.[ NSSSL-2560 ]
In a cluster setup, you might observe the following issues:
- The bind command for the default certificate-key pair to the SSL internal services is missing on the CLIP. If you upgrade from an older build, you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
- Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
- The default cipher bind command for the SSL entities is missing from the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.
[ NSHELP-25764 ]
A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.
[ NSHELP-24201 ]
In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.
[ NSHELP-23963 ]
A Citrix ADC appliance might crash if the following conditions are met:
- A certificate-key pair is added with the expiry monitor option enabled.
- The certificate date is earlier than 01/01/1970.
[ NSHELP-22934 ]
System
If an AppFlow collector of type Rest is used in an analytics profile, the Citrix ADC appliance might fail during the removal of the profile.
[ NSHELP-26299 ]
A Citrix ADC appliance might crash when the AppFlow collector is in a different subnet than the SNIP.
[ NSHELP-26008 ]
A content switching virtual server displays an incorrect request and response byte count with MPTCP traffic.
[ NSHELP-25731 ]
The HTML page might not load when the AppFlow Client-Side Measurements and Rewrite features are enabled.
[ NSHELP-24043 ]
RNAT configuration does not work with HTTP/2 connections if the appliance uses the RNAT IP address for server-side connections (both HTTP/2 and HTTP/1.1).
[ NSHELP-23783 ]
For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on the CLIP, the output has a dot appended at the end, whereas for snmpwalk on the NSIP it does not.
[ NSHELP-22684 ]
When the Intrusion Prevention System (IPS) processes data before the cache module, the PayloadInfo variable is not cleared properly. When the cache module later accesses the variable, the Citrix ADC appliance crashes.
[ NSHELP-21907 ]
- The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive a SETTINGS frame carrying MAX_CONCURRENT_STREAMS from the client. [ NSHELP-21240 ]
When a Citrix ADC appliance sends a "tcpSynFloodAttack" SNMP trap, the "unackSynCount" log message has string characters instead of integer values.
[ NSHELP-20401 ]
- The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.[ NSHELP-10972 ]
Segmentation errors or duplicate free might cause a Citrix ADC appliance to crash if the following conditions are met:
- The HTTP profile bound to a backend service has HTTP/2 enabled and HTTP/2 direct disabled.
- Multiple HTTP CONNECT requests are sent from the client over HTTP/2 streams to a virtual server of HTTP type.
[ NSBASE-13582 ]
A few AppFlow records containing IPFIX information might be abnormal.
[ NSBASE-11686 ]
- The client IP and server IP addresses are swapped in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight. [ NSBASE-8506 ]
ICAP support for Citrix ADC
A Citrix ADC appliance now supports the Internet Content Adaptation Protocol (ICAP) for content transformation services on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP) servers. The ICAP server performs a content transformation on the HTTP or HTTPS message and responds to the appliance with the modified message; the adapted message is either an HTTP or HTTPS request or response. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
[ NSBASE-825 ]
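The exchange described above, as an added example that is not part of the release notes and not Citrix's own code. The Python below plays the ICAP client role (the role the appliance takes): it wraps an HTTP request into a REQMOD message per RFC 3507 with correct Encapsulated offsets, parses the ICAP server's reply (204 Unmodified, or 200 OK carrying a replacement HTTP message such as a DLP block page), and returns the HTTP message that should continue on. The server name icap.example.internal, the /reqmod path and the two sample ICAP responses are constructed for the example.

```python
"""ICAP REQMOD client side (RFC 3507): build the request, interpret the verdict.
Added example; server name, URI and sample responses are constructed."""

CRLF = b"\r\n"


def _chunked(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk followed by the zero-length terminator."""
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def build_reqmod(http_request: bytes,
                 icap_uri: str = "icap://icap.example.internal/reqmod") -> bytes:
    """Wrap a raw HTTP request (headers plus optional body) in an ICAP REQMOD message.

    Encapsulated offsets are byte positions inside the encapsulated section, so
    req-hdr is always 0 and the body entry (req-body or null-body) equals the
    length of the encapsulated HTTP headers. An HTTP body is always sent chunked.
    """
    head, sep, body = http_request.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("HTTP request has no header terminator")
    req_hdr = head + sep
    if body:
        encapsulated = "req-hdr=0, req-body=%d" % len(req_hdr)
        payload = req_hdr + _chunked(body)
    else:
        encapsulated = "req-hdr=0, null-body=%d" % len(req_hdr)
        payload = req_hdr
    host = icap_uri.split("/")[2]
    icap_head = (
        "REQMOD %s ICAP/1.0\r\n"
        "Host: %s\r\n"
        "Allow: 204\r\n"                      # server may answer 204 without a body
        "Encapsulated: %s\r\n\r\n" % (icap_uri, host, encapsulated)
    ).encode("ascii")
    return icap_head + payload


def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked encapsulated body; chunk extensions and trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        pos = eol + 2
        out += data[pos:pos + size]
        pos += size + 2                        # skip the chunk data and its CRLF


def parse_icap_response(raw: bytes) -> dict:
    """Split an ICAP response into status, ICAP headers and the encapsulated HTTP message."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete ICAP header block")
    lines = head.decode("ascii").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"status": status, "headers": headers, "http_headers": None, "http_body": None}
    entries = []
    for item in headers.get("encapsulated", "").split(","):
        if item.strip():
            name, value = item.split("=")
            entries.append((name.strip(), int(value)))
    for i, (name, start) in enumerate(entries):
        if name.endswith("-hdr"):
            end = entries[i + 1][1]           # a *-hdr entry is always followed by a body entry
            result["http_headers"] = rest[start:end]
        elif name.endswith("-body") and name != "null-body":
            result["http_body"] = decode_chunked(rest[start:])
    return result


def adapted_message(original: bytes, icap_response: bytes) -> bytes:
    """Apply the server's verdict as an ICAP client does: pass the original on 204,
    substitute the server's HTTP message on 200, fail closed on anything else."""
    resp = parse_icap_response(icap_response)
    if resp["status"] == 204:
        return original
    if resp["status"] == 200:
        return resp["http_headers"] + (resp["http_body"] or b"")
    raise RuntimeError("ICAP server returned %d" % resp["status"])


# Constructed sample replies: one "let it through", one "replace with a 403 block page".
BLOCK_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
BLOCK_BODY = b"blocked by DLP policy"
SAMPLE_204 = b'ICAP/1.0 204 Unmodified\r\nISTag: "example-1"\r\nEncapsulated: null-body=0\r\n\r\n'
SAMPLE_200 = (b'ICAP/1.0 200 OK\r\nISTag: "example-2"\r\n'
              + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_HDR)
              + BLOCK_HDR + _chunked(BLOCK_BODY))

if __name__ == "__main__":
    req = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\ncard=4111"
    print(build_reqmod(req).decode("ascii"))
    print(adapted_message(req, SAMPLE_204) == req)
    print(adapted_message(req, SAMPLE_200).decode("ascii"))
```

Note that adapted_message fails closed: an ICAP status other than 204 or 200 (server error, timeout surrogate) raises rather than letting the original request through, which is the behaviour you want from a DLP or antimalware hook.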
User Interface
In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.
[ NSUI-14752 ]
- The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.[ NSUI-13193 ]
- If you create an ECDSA key by using the GUI, the type of curve is not displayed.[ NSUI-6838 ]
When you configure IP reputation using advanced policy expressions, the "TOR_PROXY" threat category is missing in the Expression Editor GUI.
[ NSHELP-25654 ]
Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.
[ NSHELP-24195 ]
A Citrix ADC appliance might crash if the /tmp directory is full.
[ NSHELP-21809 ]
Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.
[ NSHELP-20988 ]
A Citrix ADC appliance does not support addition of CRL files greater than 2 MB using NITRO APIs.
[ NSHELP-20821 ]
- The Citrix ADC command interface and the GUI do not display the system time parameter setting for a few SNMP alarms. [ NSHELP-19958 ]
- The top-level page title is missing on all security check GUI pages.[ NSHELP-18607 ]
In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds, but the GUI incorrectly displays the following error:
Trace not started [ NSHELP-18566 ]
In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added on the CCO node but fails on the non-CCO nodes, with no error message.
[ NSHELP-12037 ]
The connection between the ADC instance and ADM service is lost when the following conditions are met:
- The instance is added to ADM service using a built-in agent.
- The instance is upgraded using the -Y option or from the ADM GUI. In both cases, the built-in agent does not restart. (The -Y option answers Yes to all upgrade-related questions that appear on the CLI or GUI.)
[ NSCONFIG-4368 ]
If you (the system administrator) perform all the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance:
1. Upgrade the Citrix ADC appliance to one of the following builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration.
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of these system users by using the CLI, type at the command prompt:
query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]
Workaround:
To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade it using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords of the other system users.
- If neither of the above options works, a system administrator can reset the system user passwords.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
[ NSCONFIG-3188 ]
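An offline form of the pre-downgrade check for the issue above, as an added example that is not Citrix code and not the "query ns config -changedpassword" command itself. It scans a saved ns.conf (for example a backup taken before step 3) and lists the system users whose stored password hash an older build will not verify, plus the users who can still log in and reset the others. The page does not say why logins fail; this example assumes that the listed builds write system-user passwords as SHA-512 crypt hashes ("$6$...") while older builds only understand the earlier MD5-crypt ("$1$...") format, and it assumes the ns.conf line layout "add|set system user <name> <hash> -encrypted". The sample configuration and hashes are constructed.

```python
"""Flag system users whose ns.conf password hash an older build cannot verify.
Added example; the hash-format assumption and the sample ns.conf are constructed."""
import re

OLD_BUILD_FORMATS = ("$1$",)   # prefixes an older build can verify (assumption)
NEW_BUILD_FORMATS = ("$6$",)   # prefixes written by the listed builds (assumption)

# Assumed ns.conf layout: "add system user <name> <hash> -encrypted ..." or
# "set system user <name> <hash> -encrypted ...". Lines whose third token is an
# option ("-externalAuth", "-timeout") do not change the password and are skipped.
USER_LINE = re.compile(r"^(?:add|set) system user (\S+) (\S+)")


def password_formats(ns_conf: str) -> dict:
    """Map each local system user to the prefix of the hash finally in effect.

    A later 'set system user' line overrides the earlier 'add', which is how a
    password change on the upgraded build ends up in the saved configuration.
    """
    formats = {}
    for line in ns_conf.splitlines():
        m = USER_LINE.match(line.strip())
        if not m:
            continue
        user, secret = m.groups()
        if secret.startswith("-"):
            continue
        formats[user] = secret[:3] if secret.startswith("$") else "other"
    return formats


def changed_password_users(ns_conf: str) -> list:
    """Users who will be locked out after a downgrade (new-build-only hash format)."""
    return sorted(u for u, f in password_formats(ns_conf).items() if f in NEW_BUILD_FORMATS)


def fallback_admins(ns_conf: str) -> list:
    """Users whose hash an older build still understands; one of them can log in
    after the downgrade and reset the others (second workaround option above)."""
    return sorted(u for u, f in password_formats(ns_conf).items() if f in OLD_BUILD_FORMATS)


# Constructed sample: nsroot untouched, auditor's password changed on the new
# build, deployer created on the new build, svc_ldap authenticates externally.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add system user nsroot $1$Qw3rTy12$h9sYkL2mN0pQrStUvWxYz. -encrypted
add system user auditor $1$Zx9cVb34$aBcDeFgHiJkLmNoPqRsTu/ -encrypted
set system user auditor $6$Kj8hGf7d$Lm9nOp0qRs1tUv2wXy3zAb4cDe5fGh6iJk7lMn8oPq9rSt0uVw1xYz2aBc3dEf4gHi5jKl6mNo7pQr8s -encrypted
add system user deployer $6$Ab1cDe2f$Gh3iJk4lMn5oPq6rSt7uVw8xYz9aBc0dEf1gHi2jKl3mNo4pQr5sTu6vWx7yZa8bCd9eFg0hIj1kLm2n -encrypted
add system user svc_ldap -externalAuth ENABLED
set system user nsroot -timeout 900
"""

if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NS_CONF
    locked = changed_password_users(conf)
    print("will not log in after downgrade:", ", ".join(locked) or "none")
    print("can log in and reset the others:", ", ".join(fallback_admins(conf)) or "none")
    sys.exit(1 if locked else 0)
```

Run it against the backup you intend to restore: a non-zero exit means the first workaround option (downgrade with a configuration saved on the same release build) is the safer path, and the second list tells you whether the second option is even available.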