Release Notes for Citrix ADC 12.1-62.27 Release
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Build 12.1-62.27 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX319135.
- Build 62.27 replaces Build 62.25.
- This build also includes fixes for the following issues that existed in the previous Citrix ADC 12.1 release build: NSHELP-28098.
What's New
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, when you reset the configuration or try to recover the password, you must log on using the appliance serial number as the password.
[ NSSVM-4357 ]
Networking
In a typical large scale NAT (LSN) setup of a Citrix ADC appliance, when DNS server is located outside of CGNAT boundary, a large number of LSN sessions are created due to DNS traffic flowing out of CGNAT device.
As these DNS LSN sessions are short lived and stateless, there isn't any value in synchronizing these sessions in a high availability setup
With this change, DNS LSN sessions aren't synchronized in a high availability setup.
[ NSNET-20338 ]
Platform
VMware ESX 7.0 update 1c support on Citrix ADC VPX instance
The Citrix ADC VPX instance now supports the VMware ESX version 7.0 Update 1c (Build 1732555).[ NSHELP-26444 ]
Fixed Issues
Authentication, authorization, and auditing
Log in to Citrix Gateway endpoints using full URL bookmarked on user's machine browser fails, if the endpoint appliances have RelayStateRule expression configured in the samlAction command.
For example, if you try to login using the bookmarked full URL like https://citrixgateway.com/citrix/storeweb on your browser and try to login, the login fails.
[ NSHELP-28098 ]
Error message customization on the portal page for end users fails when the "enableEnhancedAuthFeedback" parameter is enabled using the "set aaa parameter" command.
[ NSHELP-26814 ]
The Citrix Gateway appliance crashes during nFactor authentication if the following conditions are met.
- WebView is used to access the Citrix Gateway appliance.
- Blocking expressions are configured in the VPN session policy.
[ NSHELP-26433 ]
In rare cases, the OAuth authentication fails if a Citrix ADC appliance configured as OAuth IdP does not send a JWT token in the specified format.
[ NSHELP-26323 ]
In some cases, addition of multiple EPA related authentication policies results in high management CPU.
[ NSHELP-26281 ]
In some cases, a Citrix ADC appliance crashes because a default action is bound to a policy that has no login schema.
[ NSHELP-26192 ]
In some cases, attributes such as "Secure" and "Domain" present in Samesite cookie are not separated by a comma but are displayed as one attribute.
[ NSHELP-25825 ]
When you log off from Citrix Gateway and if RADIUS accounting is configured on the gateway, the logout information is not sent to the RADIUS accounting server.
[ NSHELP-25765 ]
Authentication fails during dialogue mode when the RADIUS server sends multiple duplicate responses.
[ NSHELP-25758 ]
A Citrix ADC appliance might crash if the following issues are observed:
- Invalid memory allocation.
- Web App Firewall is configured with form-based SSO authentication.
[ NSHELP-24551 ]
The authentication from Citrix Workspace app fails when Citrix ADC is configured with SAML authentication and relayStateRule. The browser based login is not impacted.
[ NSAUTH-10517 ]
Caching
When configuring cache content group, invalid wide spaces are observed in the cache-control header max-age value.
[ NSHELP-20066 ]
Citrix ADC SDX Appliance
After you restart the Management Service, first time checkout of instances or bandwidth from a pooled licensing server might fail.
[ NSHELP-26878 ]
When you restart the Management Service and if some VPX instances are provisioned, the following error message appears if you try to edit the session timeout for the default group from the System > User Administration > Groups page.
Authorized scope for default group cannot be changed.
[ NSHELP-26556 ]
Inventory does not happen as per the inventory cycle for instances where the IP address used during instance provisioning is changed later from the instance directly.
[ NSHELP-26407 ]
In some cases, a Citrix ADC SDX appliance might create core dumps while taking a backup.
[ NSHELP-26345 ]
On a Citrix ADC SDX appliance, the "geodb" details in the ADC instances are not collected when you take a backup of the appliance.
[ NSHELP-26190 ]
If you initiate the deletion of a Citrix ADC instance while the instance is being provisioned, the FIPS partition entry for the deleted instance might still be present in the database.
[ NSHELP-25909 ]
Citrix Gateway
The Citrix Gateway appliance crashes if IDENT port (113) is accessed from a user to another user's client using Intranet IP (plugin-to-plugin traffic) over a full VPN tunnel.
[ NSHELP-26631 ]
The Citrix Gateway appliance crashes when a server initiated connection sends data packets after the connection is closed.
[ NSHELP-26431 ]
Sometimes, the Citrix ADC appliance crashes when a trace is started either from the GUI or the CLI.
[ NSHELP-26249 ]
The Citrix ADC appliance might crash if the "rdpLinkAttribute" attribute size is greater than 64 characters.
[ NSHELP-26068 ]
Launching an application from StoreFront over Citrix Gateway might fail if the ICA file generated by StoreFront exceeds 2048 bytes in size.
[ NSHELP-25838 ]
A delay in the response from StoreFront servers might result in slow Citrix Gateway GUI related operations or "timed out at dispatch_netsvc" error messages.
[ NSHELP-24437 ]
HDX Insight data is not observed in Director for individual sessions. The issue is seen when NetScaler App Experience (NSAP) sessions are established.
[ NSHELP-23834 ]
Packet drops are observed when a UDP application server sends packets that are larger than MTU and if the packets are fragmented.
[ NSHELP-23770 ]
False launch failures of applications are reported in Gateway Insight. The launch failures are reported when there are no app or desktop launches.
[ NSHELP-23047 ]
While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.
[ CGOP-16792 ]
Citrix Web App Firewall
A Citrix ADC appliance might crash if startURL closure is enabled and there is a memory allocation failure.
[ NSHELP-27155 ]
A Citrix ADC appliance might crash if the IP reputation feature is enabled and policy expressions are configured.
[ NSHELP-26983 ]
A Citrix ADC appliance might crash because of memory allocation failure.
[ NSHELP-26654 ]
Memory allocation failure is observed if the following conditions are met:
- Web App Firewall profile has Start URL Closure enabled and configured.
- HTTP responses that are being processed constantly contain thousands of unique URLs.
[ NSHELP-26435 ]
A memory leak might be observed when some message buffers used for XSS logging are not freed for specific payloads.
[ NSHELP-26430 ]
A Citrix ADC appliance might crash if there is a large number of Web App Firewall relaxation rules present in the system.
[ NSHELP-26074 ]
Load Balancing
The GSLB full synchronization fails if the following conditions are met:
- You add a GSLB service with an IP address-based server, whose public IP address and public port are used by another GSLB service.
- You run the "add gslb service" command. In this case, the command fails but the IP address-based server is still part of the GSLB running configuration.
[ NSHELP-26949 ]
The Citrix ADC appliance might crash while processing a malformed SIP packet.
[ NSHELP-26487 ]
In a cluster-GSLB deployment, the effective state of the local GSLB services is not updated on non-owner nodes because the GSLB owner node is unable to send service state updates to the non-owner nodes.
[ NSHELP-26260 ]
A Citrix ADC appliance might crash while processing an invalid session initiation protocol (SIP) packet.
[ NSHELP-26202 ]
In rare cases, the Citrix ADC appliance might crash while processing plain ACK packets that are received from a GSLB remote site.
[ NSHELP-25886 ]
In rare cases, an LDAP monitor incorrectly shows the LDAP server status as down because the monitor does not send the correct password in the server probe.
[ NSHELP-24967 ]
A Citrix ADC appliance might crash when DNS logging is enabled and a malformed DNS query is received.
[ NSHELP-21959 ]
Miscellaneous
A Citrix ADC appliance might crash if the following conditions are met:
- Change in request-based policy expression before the response is received.
- Content Inspection does not handle the undef case.
[ NSHELP-26980 ]
Networking
In a Citrix ADC appliance, BGP "neighbor <IPv6 neighbor> shutdown" command is not effective, if the neighbor is part of peer-group.
Because of this issue, any IPv6 BGP neighbor, which was shut down using the "neighbor <IPv6 neighbor> shutdown" command, is in UP state after the appliance is restarted or upgraded.
[ NSHELP-26957 ]
In a Citrix ADC appliance, reset to an FTP data connection might not completely remove the session from the appliance. This partial removal of the session causes the appliance to crash.
[ NSHELP-26897 ]
Both the nodes of a high availability setup claim to be the primary node, if the following condition is met:
- None of the interfaces are in UP state within 3 seconds after the primary node is warm restarted. This issue is caused because a switch learn time is not set for an internal HA INIT module.
[ NSHELP-26288 ]
In a high availability setup, the secondary node might crash after a restart if the following conditions are met:
- A large number of active LSN sessions are present in the primary node.
- The Pitboss process restarts packet engines when synchronizing a large number of LSN sessions in the secondary node.
[ NSHELP-26257 ]
Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.
[ NSHELP-25105 ]
For a PBR6 rule with no direct route to the next hop, the Citrix ADC appliance might incorrectly discard RNAT6 processed packets with an error.
[ NSHELP-24632 ]
Platform
On the Citrix ADC SDX 8900 platform, the LOM version is upgraded from 4.5x to 4.61. On the Citrix ADC SDX 15000 and SDX 26000 platforms, the LOM version is upgraded from 5.03 to 5.56. After the upgrade, the default password of the LOM is reset to the serial number of the appliance for newly manufactured platforms. This upgrade addresses the vulnerability described CVE-2013-4786. For more information, see https:// support.citrix.com/article/CTX234367.
[ NSPLAT-19327 ]
A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.
[ NSPLAT-16852 ]
On a Citrix ADC SDX appliance, traffic to the ADC instance might be interrupted when the interface link flaps and interface reset occurs simultaneously.
[ NSHELP-26307 ]
On a Citrix ADC SDX appliance, a VPX instance might fail to boot when provisioned with 24 interfaces due to inadequate shared memory allocation.
[ NSHELP-25912 ]
On a Citrix ADC SDX 15000-50G appliance, in cases of a brief surge of data traffic not directed to any of the ADC VPX instances, the following issue might happen:
- The LACP link on 10G ports might flap intermittently or go down permanently.
[ NSHELP-25561 ]
On a Citrix ADC SDX appliance, during a warm reboot of a VPX instance configured as a cluster node, the backplane LA channel might go into a PARTIAL-UP state because of a set interface command failure.
[ NSHELP-23353 ]
Policies
Unable to use variables in the assignment if the variable length is greater than 31 characters.
[ NSHELP-26362 ]
A Citrix ADC appliance might crash if the MATCHES() expression is used in the non-TCP-based protocol.
[ NSHELP-26062 ]
Policy string map might not work if UTF-8 characters are used in key text.
[ NSHELP-25357 ]
The following issue might cause a failover in a high availability setup:
If many non-HTTP, non-TCP packets get queued waiting to be handled after processing on them has been blocked.
[ NSHELP-23506 ]
SSL
- In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.[ NSSSL-3161 ]
A Citrix ADC appliance might dump core if the following conditions are met:
- Appliance is low on memory.
- DTLS is enabled.
- DEBUG level log is enabled.
[ NSHELP-26114 ]
Connection failures due to low memory might be seen on a Citrix ADC appliance when admin partition is enabled. The issue happens when the SSL crypto hardware chips are full.
[ NSHELP-25981 ]
In a cluster setup, you might observe the following issues:
- Missing command for the default certificate-key pair binding to the SSL internal services on the CLIP. However, if you upgrade from an older build you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
- Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
- Missing default cipher bind command to the SSL entities in the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.
[ NSHELP-25764 ]
The Citrix ADC appliance becomes unresponsive if the following conditions are met:
- DTLS is enabled.
- UDP multiplexing uses a DTLS channel and pumps traffic at a high rate.
[ NSHELP-22987 ]
System
A Citrix ADC appliance closes a server connection approximately around 40 milliseconds after the client connection is closed with connection multiplexing disabled.
[ NSHELP-26968 ]
When a Citrix ADC appliance processes a duplicate TCP packet, the following issues are observed on the appliance:
- The appliance generates a duplicate ACK with DSACK and the packet is dropped.
- If the incoming packet has any window update, the appliance makes a copy of it and simulates a window update ACK.
- The appliance creates the window update ACK with an incorrect timestamp.
[ NSHELP-26893 ]
In HTTP/2 front-end and HTTP/1.1 back-end scenarios, the user is unable to see back-end server connections if the Vserver IP filter and -link enabled parameters are configured in nstrace command.
[ NSHELP-26717 ]
Once enabled, the "clientSideMeasurements" parameter cannot be disabled in the AppFlow action command.
[ NSHELP-26464 ]
A Citrix ADC appliance might crash if the following conditions are observed:
- If a client request comes from a resource (with the same IP address and port) for which a resource on the previous Intrusion Prevention System (IPS) connection structure is not freed.
- The Intrusion Prevention System (IPS) module tries to access the non-freed resource from the freed structure.
[ NSHELP-26450 ]
A Citrix ADC appliance might crash when a reset is sent on a request which is being cached.
[ NSHELP-26410 ]
If an AppFlow collector of type Rest is used in an analytics profile, the Citrix ADC appliance might fail during the removal of the profile.
[ NSHELP-26299 ]
During clear configuration, when there is no URL set in use, an error log entry corresponding to the URL set is seen in the ns.log.
[ NSHELP-26242 ]
A Citrix ADC appliance might crash when the AppFlow collector is in a different subnet than the SNIP.
[ NSHELP-26008 ]
When Citrix ADC appliance rewrites unsupported TCP options with NOOP option, some IoT or embedded devices might reject TCP connections from the appliance.
[ NSHELP-25767 ]
A content switching virtual server displays an incorrect request and response byte count with MPTCP traffic.
[ NSHELP-25731 ]
An attempt to remove the AppFlow collector fails after the "set appflow action" command is performed.
[ NSHELP-25392 ]
The HTML page might not load when the AppFlow Client-Side Measurements and Rewrite features are enabled.
[ NSHELP-24043 ]
RNAT configuration does not work with HTTP/2 connections if the appliance uses the RNAT IP address for server-side (both http2 and http1.1) connections.
[ NSHELP-23783 ]
An error in the HTTP/2 and TCP window management logic might cause the server connection to run into an HTTP/2 and TCP window problem. It prevents the object from being cached completely. The issue is observed if the following conditions are met:
- The integrated caching feature is enabled and the response is being cached.
- During the preceding condition, the HTTP/2 client abruptly sends a reset stream packet or the HTTP/1.1 client sends a TCP RST on the connection.
[ NSBASE-13878 ]
Segmentation errors or duplicate free might cause a Citrix ADC appliance to crash if the following conditions are met:
- HTTP profile bound to a backend service has HTTP2 enabled and HTTP2 direct disabled.
- Multiple HTTP CONNECT requests are sent from the client over HTTP/2 streams to a virtual server of HTTP type.
[ NSBASE-13582 ]
After an upgrade to Citrix ADC version 12.1 build 61.x, the appliance might crash if registered on the ADM server.
[ NSBASE-13031 ]
A few AppFlow records containing IPFIX information might be abnormal.
[ NSBASE-11686 ]
User Interface
In a high availability setup, HA propagation might fail if all of the following conditions are met:
- Validate certificate (validatecert) option of the RPC node is set to YES and then set to NO.
- CA certificate is not configured
[ NSHELP-27315 ]
The GSLB incremental synchronization fails when you run the "enable gslb servicegroup" or "disable gslb servicegroup" command. As a result, GSLB full configuration synchronization is initiated.
[ NSHELP-27079 ]
The Citrix ADC GUI displays an incorrect VIP when you edit the content switching virtual server after it is bound to a policy.
[ NSHELP-26853 ]
After a Citrix ADC appliance is restarted, the license state of the appliance goes in grace state if the license server is not reachable from the appliance. The license state remains in grace state even if the license server becomes reachable.
[ NSHELP-26468 ]
The switch partition command allows forceful execution option f or force. It can allow users to switch to a new partition without prompting the save configuration and the configuration is not saved. The forceful switch will happen without prompt and the configuration is saved. It happens when you use the -save flag.
[ NSHELP-26222 ]
A load balancing virtual server persistence view fails to display all parameters when you edit an existing virtual server persistence configuration.
[ NSHELP-25965 ]
The show partition command might cause the "nsconfigd" daemon to crash if the following conditions are met:
- API session token is short-lived.
- Session token is expired before the show partition command is completed.[ NSHELP-25880 ]
In a cluster setup, when you access the Citrix ADC GUI from CLIP, you might observe the audit Syslog policies are not globally bound. The same issue is not observed when you access Citrix ADC GUI from the NSIP.
[ NSHELP-24631 ]
Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.
[ NSHELP-24195 ]
A Citrix ADC appliance does not support addition of CRL files greater than 2 MB using NITRO APIs.
[ NSHELP-20821 ]
In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added to the CCO node but fails on the non-CCO nodes with no error message.
[ NSHELP-12037 ]
Video Optimization
A Citrix ADC appliance might crash if all of the following conditions are met:
- GX interface is configured.
- GX session reporting is configured.
- The "clear subscriber sessions" command is triggered when a CCA message is pending to be received from the GX server.
[ NSHELP-27474 ]
Known Issues
AppFlow
- HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.[ NSINSIGHT-943 ]
Authentication, authorization, and auditing
Email Validation fails when configured as a next factor after Email ID registration.
[ NSHELP-26905 ]
In some cases, a Citrix ADC appliance dumps core when the appliance is configured for SAML authentication.
[ NSHELP-26546 ]
The "timeout" parameter for emailAction command is deprecated . The default value for timeout is 180 seconds.
[ NSHELP-26424 ]
You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.
[ NSHELP-26199 ]
The Citrix Gateway plug-in fails to launch if the following conditions are met:
- Citrix Gateway appliance is configured as Full VPN only.
- Authentication method is OAuth RP.
[ NSHELP-26020 ]
- SSO to StoreFront using Citrix ADC fails if the following conditions are met:
- The Citrix ADC appliance is configured for multi-factor authentication.
- Citrix ADC session times out before examining the configured authentication factors.
[ NSHELP-21466 ]
- Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.[ NSHELP-18844 ]
- A Citrix authentication, authorization, and auditing logout message occasionally display incorrect virtual server name.[ NSHELP-18751 ]
- A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.[ NSHELP-563 ]
- If you edit the authentication virtual server using the "End-to-end login test or Test End User Connection options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing Application Traffic > Authentication Virtual Servers.[ NSAUTH-6339 ]
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
[ NSAUTH-6106 ]
- The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:
- The Test LDAP Reachability option is opened.
- Invalid login credentials are populated and submitted.
- Valid login credentials are populated and submitted.
Workaround: Close and open the Test LDAP Reachability option.
[ NSAUTH-2147 ]
Caching
A Citrix ADC appliance might crash if the following conditions are met:
- Appliance is serving content from its integrated cache.
- Cached content is revalidated.
- New request comes to ADC from different client for same cached object.
[ NSHELP-22596 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, upgrade might fail if the system files (snmpd.conf and ntp.conf) contain carriage return characters.
[ NSHELP-27713 ]
On a Citrix ADC SDX appliance, the ADC instances do not burst to maximum capacity when you configure burst throughput allocation mode.
[ NSHELP-27477 ]
On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.
[ NSHELP-26500 ]
Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:
- Throughput allocation mode is burst.
- There is a large difference between the throughput and the maximum burst capacity.
[ NSHELP-21992 ]
- SNMPv3 queries work only for a few minutes after changing the password.[ NSHELP-19313 ]
- SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).[ NSHELP-18541 ]
Citrix Gateway
In some cases, the Citrix ADC appliance dumps core when SSO is enabled.
[ NSHELP-27306 ]
The Citrix Gateway appliance crashes when a syslog policy is bound to a virtual server, and the corresponding syslog action is modified.
[ NSHELP-27171 ]
The Citrix Gateway appliance might crash if forwardSession is configured for a back-end subnet and a server in the same subnet is accessed over the VPN tunnel.
[ NSHELP-27037 ]
The Citrix Gateway appliance might crash when a multi-core appliance receives the "/broker URL" request because of the following reasons:
- The request lands on a different core from the one on which the VPN session is created.
- A new authentication, authorization, and auditing cookie is used and a dummy session is created.
[ NSHELP-27008 ]
The Citrix Gateway appliance crashes when you try to clear the configuration if both of the following conditions are met:
- An SSL profile and certificate-key pair is bound to the default TCP monitor.
- The same default TCP monitor is bound to a syslog action.
[ NSHELP-26685 ]
The Citrix Receiver download URL (receiver.exe file) does not download after authentication.
[ NSHELP-26600 ]
You might notice a discrepancy in the total number of established TCP connections if Enlightened Data Transport (EDT) is enabled.
[ NSHELP-25841 ]
While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:
- A default pre-shared key (PSK) is configured.
- You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
[ NSHELP-25694 ]
The gateway plug-in for Windows maintains the existing proxy exception list even if the list gets overflow because of the browser limit on the Internet Explorer proxy exception list.
[ NSHELP-25578 ]
The Citrix Gateway login page does not load on deleting an admin partition, if configured.
[ NSHELP-25538 ]
The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.
[ NSHELP-25420 ]
The UrlName parameter is appended to the session and other policy bindings when classic VPN URL is also bound leading to configuration addition on save and reboot.
[ NSHELP-25072 ]
Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.
[ NSHELP-24718 ]
A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.
[ NSHELP-24085 ]
The Gateway Insight does not display accurate information on the VPN users.
[ NSHELP-23937 ]
Citrix ADM displays incorrect bandwidth used by users when connected to VPN.
[ NSHELP-23855 ]
VPN plug-in doesn't establish tunnel after Windows logon, if the following conditions are met:
- Citrix Gateway appliance is configured for Always On feature
- The appliance is configured for certificate based authentication with two factor authentication "off"
[ NSHELP-23584 ]
The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.
Example:
New output:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
Priority: 1
Global bindpoint: REQ_DEFAULTPolicy Name: ns_adv_tunnel_msdocs Type: Advanced policy
Priority: 100
Global bindpoint: RES_DEFAULT
Done
>Previous output:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0 DisabledAdvanced Policies:
Global bindpoint: REQ_DEFAULT
Number of bound policies: 1Done
[ NSHELP-23496 ]
The ICA latency of a session is recorded incorrectly as 64,000 ms in the Citrix Director when L7 latency is enabled. L7 latency is enabled when the "nsapimgr" knob "enable_ica_l7_latency" is set to 1.
To avoid the issue, set the "L7LatencyFrequency" parameter to 5 by running the following command at the CLI:
"set ica parameter -L7LatencyFrequency 5"[ NSHELP-23459 ]
The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.
[ NSHELP-23410 ]
If you have configured RADIUS accounting for ICA start/stop event, the session ID in the RADIUS accounting request for ICA start is displayed as all zeroes.
[ NSHELP-22576 ]
In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.
[ NSHELP-22349 ]
- A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:
- SplitTunnel is set to ON.
- IP address pool (Intranet IP) option is set to NoSpillOver.
[ NSHELP-20584 ]
In Analytics > Gateway Insight, under Authentication, it displays an incorrect Authentication Type. This issue occurs when you configure NO_AUTHN action in the ADC instance.
[ NSHELP-20117 ]
In some cases, a Citrix ADC appliance might dump core during a user logout session.
[ NSHELP-19470 ]
- SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
Workaround: Use an IP address for VDA.[ NSHELP-8549 ]
- An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.[ NSHELP-7872 ]
- Application launch failure due to invalid STA ticket is not reported in Gateway Insight.[ CGOP-13621 ]
- In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.[ CGOP-13511 ]
In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.
[ CGOP-7269 ]
- In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.[ CGOP-6794 ]
- If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.[ CGOP-3359 ]
Citrix Web App Firewall
Some requests with security violations are not blocked by HTML cross-site scripting security check.
[ NSHELP-24762 ]
When aslearn configured learned data is deployed and if the field types reach a threshold, the total learned data is not displayed correctly. As a result, the Field Format learned data is not as same as the exported learned data.
[ NSHELP-18077 ]
Load Balancing
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.
[ NSLB-7679 ]
The GSLB configuration might be partially lost if the following conditions are met:
- The Citrix ADC appliance is rebooted.
- The ADNS service is configured with the same IP address as of the remote GSLB site.
[ NSHELP-26816 ]
When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.
[ NSHELP-24329 ]
In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.
[ NSHELP-21425 ]
When you execute the "set service <servicename>" command, the following error message is displayed:
"IP Address cannot be set on a domain based server."This error message is displayed when the server is configured with a name greater than 32 characters.
[ NSHELP-20939 ]
In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
[ NSHELP-20406 ]
Redirecting an HTTPS URL fails if the URL contains the % special character.
[ NSHELP-19993 ]
Miscellaneous
- When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.[ NSSWG-849 ]
In a cluster setup, the command propagation might fail due to connection lost with CCO. The issue is observed if both of the following conditions are met:
- You perform a command propagation operation in the setup.
- The setup is in an idle state for more than two hours. A cluster setup is said to be in an idle state if there is no exchange of any CLI commands between nodes.
[ NSHELP-26350 ]
In a L3 cluster setup, the local nodegroup wrongly send the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.
[ NSHELP-20366 ]
Networking
- In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.[ NSNET-5233 ]
In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has "stayprimary" or staysecondary option set.
[ NSNET-1646 ]
A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.
[ NSHELP-24623 ]
If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.
[ NSHELP-21288 ]
When an admin partition memory limit is changed in Citrix ADC appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.
[ NSHELP-21082 ]
In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.
[ NSHELP-20796 ]
Platform
- When NetScaler licenses hosted on NetScaler MAS expires, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.[ NSPLAT-6417 ]
- When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the "rm cloudprofile" command to delete the profile.[ NSPLAT-4520 ]
- In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.[ NSPLAT-4451 ]
The Citrix ADC appliance generates false packets per second (PPS) rate-limit alerts even before the Citrix ADC appliance reaches its PPS limit for the license.
[ NSHELP-26935 ]
Policies
A Citrix ADC might crash when evaluating a large number of embedded expressions in an HTML page.
[ NSPOLICY-1462 ]
- Connections might hang if the size of processing data is more than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
[ NSPOLICY-1267 ]
The following issue is observed if two policy variables are configured with different expiration time:
- Deletion of the expired value for the variable with the shorter expiration time might be delayed until the deletion of the expired value with the longer expiration time.
[ NSHELP-25786 ]
SSL
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[ NSSSL-4427 ]
- An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[ NSSSL-4001 ]
- In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.[ NSSSL-3402 ]
- An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.[ NSSSL-3184 ]
- You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server, as an SNI certificate if the domain name is the same.[ NSSSL-2560 ]
In a high availability setup, CRL auto refresh fails intermittently if both of the following conditions are met:
- Files are syncing from the primary node to the secondary node.
- CRL file is downloading from the CRL server at the same time.
[ NSHELP-27435 ]
The Citrix ADC appliance does not accept an OCSP response if it does not have the content length HTTP header.
[ NSHELP-27039 ]
On a Citrix ADC MPX/SDX 14000 FIPS appliance, you might see memory leaks when using EDT configuration with EDT datagram size > 1K.
[ NSHELP-25375 ]
A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.
[ NSHELP-24201 ]
In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.
[ NSHELP-23963 ]
A Citrix ADC appliance might crash if the following conditions are met:
- A certificate-key pair is added with the expiry monitor option enabled.
- The certificate date is earlier than 01/01/1970.
[ NSHELP-22934 ]
System
Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.
[ NSHELP-27410 ]
A Citrix ADC appliance might crash when the AppFlow feature is disabled and enabled back.
[ NSHELP-27236 ]
A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.
[ NSHELP-27179 ]
The NSWL client occasionally logs data multiple times from the packet engine (PE-0), whereas, logs from other packet engines are skipped.
[ NSHELP-27138 ]
A Citrix ADC appliance might crash if the following conditions are met:
- When handling Logstream metadata records.
- Appflow feature is enabled.
[ NSHELP-26942 ]
A Citrix ADC appliance might crash if it receives a partially acknowledged MPTCP MP-FAIL signal on an already closed MPTCP session. The crash is applicable to virtual servers that have MPTCP enabled in the TCP profile.
[ NSHELP-26594 ]
If the Citrix ADC appliance is registered on the ADM server, a memory leak is observed on the appliance even with very low traffic.
[ NSHELP-25347 ]
In a rare case, a Citrix ADC appliance might send incorrect TCP SACK sequence numbers to the client when forwarding it from the backend server. The issue occurs if the TCP Selective ACK (SACK) option is enabled in a TCP Profile.
[ NSHELP-24875 ]
For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, the output is appended with a dot at the end. Whereas for snmpwalk on NSIP, the output is not appended with a dot at the end.
[ NSHELP-22684 ]
When the Intrusion Prevention System (IPS) is processing data before the cache module, the PayloadInfo variable is not cleared properly. Eventually, when the cache module accesses the variable it causes a Citrix ADC appliance to crash.
[ NSHELP-21907 ]
In a cluster setup, the "set ratecontrol" command works only after restarting the Citrix ADC appliance.
Workaround: Use the "nsapimgr_wr.sh -ys icmp_rate_threshold=<new value>" command.
[ NSHELP-21811 ]
- The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.[ NSHELP-21240 ]
When a Citrix ADC appliance sends a "tcpSynFloodAttack" SNMP trap, the "unackSynCount" log message has string characters instead of integer values.
[ NSHELP-20401 ]
- The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.[ NSHELP-10972 ]
In a cluster setup, enabling process local support for MPTCP connections reduces the inter-node steering.
[ NSBASE-10587 ]
- Client IP and Server IP is inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.[ NSBASE-8506 ]
ICAP support for Citrix ADC
A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
[ NSBASE-825 ]
User Interface
In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.
[ NSUI-14752 ]
- If you create an ECDSA key by using the GUI, the type of curve is not displayed.[ NSUI-6838 ]
Importing a certificate in an admin partition might incorrectly fail with the following message:
ERROR: User doesnt have permission for given Destination path
[ NSHELP-26918 ]
The reporting functionality might stop working if the system clock gets updated on a Citrix ADC appliance.
[ NSHELP-25435 ]
A Citrix ADC appliance might crash if the /tmp directory is full.
[ NSHELP-21809 ]
- The Citrix ADC command interface and the GUI do not display the system time parameter setting for few SNMP alarms.[ NSHELP-19958 ]
- The top-level page title is missing on all security check GUI pages.[ NSHELP-18607 ]
In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds. But the GUI, incorrectly displays the following error:
Trace not started[ NSHELP-18566 ]
If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.
1. Upgrade the Citrix ADC appliance to one of the builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration, and
3. Downgrade the Citrix ADC appliance to any older build.To display the list of these system users by using the CLI:
At the command prompt, type:"query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
Workaround:
To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
- If none of the above options work, a system administrator can reset the system user passwords.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
[ NSCONFIG-3188 ]