Release Notes for Citrix ADC 12.1-63.24 Release
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Citrix Secure Access agent (formerly known as Citrix Gateway plug-in for Windows) build 21.9.1.2 and later contains the fix for https://support.citrix.com/article/CTX341455. The Citrix Gateway plug-in for Windows build 21.9.1.2 is included in the Citrix ADC build 12.1-63.22 and later.
- Build 12.1-63.24 replaces Build 12.1-63.23.
- This build also includes a fix for the following issue: NSWAF-8668.
What's New
Policies
Executing assignment action immediately after policy evaluation
In a Citrix ADC appliance, an assignment action bound to a policy is triggered immediately when the policy rule evaluates to true. The action updates the value of the variable, which can then be used in subsequent policy rule evaluations. This way, the same variable can be updated and used for subsequent policy evaluations within the same feature. Previously, the appliance executed assignment actions only after evaluating all of the policies in the feature, and only for those policies whose rules evaluated to true. Therefore, the variable value set by the assignment action could not be used in the subsequent policy rule evaluations within the feature. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/appexpert/variables/configuring-using-variables.html.
[ NSPOLICY-977 ]
User Interface
Any of the following Citrix ADC upgrade operations might cause login failure for local system user accounts:
- from Citrix ADC 13.0-83.x build to Citrix ADC 13.1-4.x build
- from Citrix ADC 12.1-63.x build to Citrix ADC 13.1-4.x build
- from Citrix ADC 12.1-63.x build to Citrix ADC 13.0-82.x build
This issue is observed only for those local system user accounts that meet any of the following conditions:
- user password was changed for the local system account on the Citrix ADC build (13.0-83.x or 12.1-63.x) before performing the upgrade operation.
- the local system user account was added on the Citrix ADC build (13.0-83.x or 12.1-63.x) before performing the upgrade operation.
Workaround:
The system root administrator can reset the password for the local system user accounts facing the login failure issue.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/system/authentication-and-authorization-for-system-user/how-to-reset-nsroot-administrator-password.html
[ NSCONFIG-5650 ]
Fixed Issues
Authentication, authorization, and auditing
If a Citrix ADC appliance is configured with both the SameSite cookie attribute and the Domain attribute for authentication, the authentication fails. This happens because the SameSite cookie attribute value and the Domain attribute are not separated by a semicolon.
[ NSHELP-28971 ]
A Citrix ADC appliance may crash if the following conditions are met.
- The appliance is under memory pressure.
- SAML is configured as one of the authentication methods.
[ NSHELP-28855 ]
Native OTP encryption tool does not allow special characters in device name.
[ NSHELP-28795 ]
An incorrect logout ("/cgi/tmlogout") URL is returned when a VPN virtual server is configured as SAML SP. The issue happens because the incorrect logout URL is generated in the SAML metadata.
[ NSHELP-28726 ]
In some cases, in a multicore environment, a client browser fails to access the resources behind an Authentication, authorization, and auditing-TM virtual server.
[ NSHELP-28474 ]
If form SSO is enabled, the Citrix ADC appliance responds to a credential request from the back-end server by adding a form along with the content-type header. This addition leads to duplicate headers if one is already present.
[ NSHELP-28405 ]
The Citrix Gateway appliance crashes during nFactor authentication if the following conditions are met.
- WebView is used to access the Citrix Gateway appliance.
- Blocking expressions are configured in the VPN session policy.
[ NSHELP-28214 ]
The Citrix ADC appliance throws a server validation error if DualAuthOrPush.xml login schema is used.
[ NSHELP-28063 ]
When you bind an LDAP monitor to a service, the monitor goes down because the Citrix ADC appliance sends an incorrect password to Active Directory.
[ NSHELP-27961 ]
SameSite cookie attributes are not added to the authentication cookies if a Citrix ADC appliance is configured for 401-based authentication.
[ NSHELP-27764 ]
The configured RDP desktops are not enumerated if the LDAP action is configured with attributes and Attribute[1-16].
[ NSHELP-27748 ]
In some cases, a Citrix ADC appliance might crash while handling a certain user's authentication request when role-based access is configured.
[ NSHELP-27655 ]
Users are unable to log in through Citrix Workspace App if Azure AD is configured as an OAuth IdP on the Citrix ADC authentication virtual server.
[ NSHELP-27462 ]
In rare cases, EPA evaluation might fail.
[ NSHELP-27333, NSHELP-27594 ]
In some cases, an HTTP POST request to an Authentication, authorization, and auditing-TM virtual server is processed incorrectly if the request does not have an authentication cookie. The POST body gets lost during processing.
[ NSHELP-27227 ]
Email Validation fails when configured as a next factor after Email ID registration.
[ NSHELP-26905 ]
The Citrix ADC appliance might fail to respond when handling user authentication if self-auth URLs are very long.
[ NSHELP-26839, NSHELP-28299 ]
In a rare scenario, the secondary node in a high availability setup might crash if the following condition is met.
- The "aaa groups" and/or "aaa users" are configured on the Citrix ADC appliance.
[ NSHELP-26732, NSHELP-28558, NSHELP-29056 ]
In some cases, a Citrix ADC appliance crashes while performing user authentication in a Citrix Gateway and Authentication, authorization, and auditing traffic management (AAA-TM) deployment.
[ NSHELP-26555 ]
The Citrix Gateway plug-in fails to launch if the following conditions are met:
- Citrix Gateway appliance is configured as Full VPN only.
- Authentication method is OAuth RP.
[ NSHELP-26020 ]
The Citrix Gateway plug-in fails to launch if the following conditions are met:
- Citrix Gateway appliance is configured as Full VPN only.
- SSPR registration is configured as the last factor.
[ NSHELP-25691 ]
In some cases, an NSB leak is observed in a Citrix ADC appliance when the SSO functionality is used with a proxy server.
[ NSHELP-25492, NSHELP-28073 ]
Network connectivity test check fails because of a password decryption issue. However, the authentication functionality works fine.
[ NSAUTH-10216 ]
Caching
Extra header information is sent in the cache response if the `insertAge` parameter is enabled in the `set cache contentGroup` command.
[ NSHELP-27772 ]
A Citrix ADC appliance might crash if the "Max_age" and "s_maxage" parameter values are not set dynamic in the cache control block.
[ NSHELP-27758 ]
In a high availability setup, the primary node crashes after it accesses a NULL pointer instead of a cached object.
[ NSHELP-26967, NSHELP-20089 ]
A Citrix ADC appliance might crash if the following conditions are met:
- Appliance is serving content from its integrated cache.
- Cached content is revalidated.
- A new request for the same cached object arrives at the ADC from a different client.
[ NSHELP-22596 ]
Citrix ADC SDX Appliance
Community strings of SNMP v2 trap destinations are masked on a Citrix ADC SDX appliance.
[ NSHELP-28625 ]
In a Citrix ADC SDX appliance, the Management Service reports incorrect data usage of ADC instances.
[ NSHELP-28208 ]
On a Citrix ADC SDX appliance, upgrade might fail if the system files (snmpd.conf and ntp.conf) contain carriage return characters.
[ NSHELP-27713 ]
On a Citrix ADC SDX appliance, the ADC instances do not burst to maximum capacity when you configure burst throughput allocation mode.
[ NSHELP-27477 ]
On a Citrix ADC SDX appliance, the IP address (NSIP) of an ADC instance might not be displayed if burst throughput is configured on that instance.
[ NSHELP-27133 ]
On a Citrix ADC SDX appliance, the Management Service does not send syslog messages to the configured syslog servers.
[ NSHELP-27000 ]
Citrix Gateway
Users may observe RDP session launch failures after upgrading to the latest version.
[ NSHELP-29519 ]
An error message appears when you try to edit the CSS attributes in a custom theme.
[ NSHELP-28648 ]
The UDP traffic on a Citrix ADC 12.1 appliance might drop after you upgrade the appliance to the release 12.1 build 62.23.
[ NSHELP-28152 ]
You might observe issues with transfer login if SAML is configured as the last factor in nFactor authentication and classic EPA is also configured.
[ NSHELP-27983 ]
The Citrix ADC appliance might crash if both of the following conditions are met.
- The appliance is deployed for ICA Proxy mode.
- Gateway Insight feature for ICA flow is enabled.
[ NSHELP-27982, NSHELP-28179 ]
The logon to Citrix Workspace fails if responder policies that can get into a blocked state during evaluation are bound to the virtual server.
[ NSHELP-27819 ]
DNS registration does not work after the VPN connection is established.
To fix this issue, you must enable the nsapimgr knob: `nsapimgr_wr.sh -ys call=toggle_vpn_configured_dns_disable_override`.
[ NSHELP-27760 ]
A Citrix ADC appliance might crash while processing the UDP traffic.
[ NSHELP-27536 ]
A Citrix ADC appliance might crash if the EDT related commands, such as "clearconfig", "kill ica connection", or "stop dtls listener" are processed by the appliance.
[ NSHELP-27398 ]
The personal bookmarks file of users cannot be copied from one Citrix Gateway appliance to another appliance.
[ NSHELP-27389 ]
The Citrix Gateway appliance might crash while processing UDP traffic.
[ NSHELP-27317 ]
In some cases, the Citrix ADC appliance dumps core when SSO is enabled.
[ NSHELP-27306 ]
The Citrix Gateway appliance crashes when a syslog policy is bound to a virtual server, and the corresponding syslog action is modified.
[ NSHELP-27171 ]
The Citrix Gateway appliance might crash when a multi-core appliance receives the "/broker URL" request, for the following reasons:
- The request lands on a different core from the one on which the VPN session is created.
- A new authentication, authorization, and auditing cookie is used and a dummy session is created.
[ NSHELP-27008 ]
The Citrix Gateway appliance crashes when you try to clear the configuration if both of the following conditions are met:
- An SSL profile and certificate-key pair is bound to the default TCP monitor.
- The same default TCP monitor is bound to a syslog action.
[ NSHELP-26685 ]
The Citrix Gateway appliance displays corrupt session policy names in the SSLVPN NONHTTP_RESOURCEACCESS_DENIED logs.
[ NSHELP-26610 ]
The Citrix ADC appliance might crash if an FQDN is used in the syslog action configuration.
In this case, you can use the IP address of the syslog server instead of the FQDN.
[ NSHELP-26355 ]
Sometimes, the endpoint analysis scan with the EPA plug-in for macOS fails because the plug-in times out after 5 seconds and, as a result, the scan quits before it is complete.
[ NSHELP-26305 ]
The RfWebUI client detection page displays the "Install" button instead of the "Detect" button if a content switching virtual server is configured.
[ NSHELP-26138 ]
You might notice a discrepancy in the total number of established TCP connections if Enlightened Data Transport (EDT) is enabled.
[ NSHELP-25841 ]
The SNMP OID sends incorrect set of current connections to the VPN virtual server.
[ NSHELP-25596 ]
The Citrix ADC appliance crashes when multiple VPN plug-in clients use X.509 certificates of size 1800 bytes or more to set up a tunnel.
[ NSHELP-25195 ]
The UrlName parameter is appended to the session and other policy bindings when a classic VPN URL is also bound, which results in additional configuration being added after a save and reboot.
[ NSHELP-25072 ]
In a rare case, the Citrix Gateway appliance might crash if outbound proxy is configured for clientless VPN access.
[ NSHELP-24734 ]
If you rename a VPN virtual server that is bound to an STA server, the status of the STA server appears DOWN when you run the show command.
[ NSHELP-24714 ]
In a rare case, the Citrix Gateway logon page loads slowly if the "nshttp_profile_ids" directory is filling up the storage.
[ NSHELP-24705 ]
Citrix ADM displays incorrect bandwidth used by users when connected to VPN.
[ NSHELP-23855 ]
The ICA latency of a session is recorded incorrectly as 64,000 ms in the Citrix Director when L7 latency is enabled. L7 latency is enabled when the "nsapimgr" knob "enable_ica_l7_latency" is set to 1.
[ NSHELP-23459 ]
If you have configured RADIUS accounting for ICA start/stop event, the session ID in the RADIUS accounting request for ICA start is displayed as all zeroes.
[ NSHELP-22576 ]
In Analytics > Gateway Insight, under Authentication, an incorrect Authentication Type is displayed. This issue occurs when you configure the NO_AUTHN action on the ADC instance.
[ NSHELP-20117 ]
The "show audit messages" output does not display the latest logs if you modify the syslog server in the global syslog parameters.
[ NSHELP-19430 ]
Citrix Web App Firewall
If you are using WAF signatures, after upgrading the build, you must update all the WAF signatures including the default signatures to the latest version. Then, re-enable the required signature rules.
[ NSWAF-8668 ]
The aslearn learnt data is not skipped if there are special characters in the application firewall learnt data.
[ NSWAF-7584 ]
A Citrix ADC appliance might show high memory usage when parsing HTTP responses that carry a SameSite attribute while the Web App Firewall feature is enabled.
[ NSHELP-27722, NSHELP-27922, NSHELP-28136, NSHELP-28265 ]
Load Balancing
Persistence configuration for an LB group is lost after an HA failover or when the Citrix ADC appliance is rebooted.
[ NSHELP-28071 ]
In a cluster setup, when one or more nodes go to "DOWN" state, the backup node might fail to join the cluster node group. This failure causes some Citrix ADC features to fail.
[ NSHELP-27664 ]
The GSLB configuration might be partially lost if the following conditions are met:
- The Citrix ADC appliance is rebooted.
- The ADNS service is configured with the same IP address as that of the remote GSLB site.
[ NSHELP-26816 ]
When a large number of GSLB services are configured on multiple GSLB sites that have high network latency, GSLB services status might fail to get updated on the remote GSLB site.
[ NSHELP-23799 ]
The packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK, before receiving the complete header.
[ NSHELP-22099 ]
Miscellaneous
When an inline device sends a custom message followed by a reset, the Citrix ADC appliance resets the connection before forwarding the inline-device response to the client.
[ NSHELP-27676 ]
A Citrix ADC appliance might crash because of a null pointer error.
[ NSHELP-27021 ]
Networking
A Citrix ADC appliance might crash when all of the following conditions are met:
- MAC mode is enabled on a non-addressable load balancing virtual server.
- The same virtual server is part of a link load balancing configuration or a policy-based routing configuration.
As part of the fix, the Citrix ADC appliance now displays the following warning message when the above conditions are met:
- Warning: MAC mode redirection should not be enabled with LLB config.
[ NSNET-19485 ]
In a CGNAT-NAT44 mode, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:
- The LSN module does not reset the subscriber paired IP reference count to zero while removing the subscriber related data from the appliance.
[ NSHELP-27332 ]
In a Citrix ADC appliance, passive FTP data connections might be lost after a memory allocation failure.
[ NSHELP-26522 ]
A Citrix ADC appliance might crash if the following conditions are present:
- The IPv6 link load balancing (LLB6) configuration has the persistency option enabled.
- Some IPv6 dummy connections are created for this LLB6 configuration.
[ NSHELP-25695 ]
For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
[ NSHELP-24034 ]
Platform
On the Citrix ADC MPX 5900 and MPX 8900 platforms, an incorrect platform number appears on the LCD screen.
[ NSHELP-28207 ]
If you modify the checksum of the kernel provided by Citrix and then install the kernel, you might observe one of the following issues:
- The installns command completes. After the appliance restarts, it reports that the kernel installation could not be completed and the booting process halts. You must then load a different kernel to bring up the box.
- The installns command detects the mismatch and stops installation. An error message appears.
[ NSHELP-27420 ]
If you want to set the cluster nodes to yield, you must perform the following additional configurations on CCO:
- If a cluster is formed, all the nodes come up with yield=DEFAULT.
- If a cluster is formed using the nodes that are already set to yield=YES, then the nodes are added to cluster using DEFAULT yield.
Note: If you want to set the cluster nodes to yield=YES, you can perform suitable configurations only after forming the cluster but not before the cluster is formed.
[ NSHELP-27091, NSHELP-26232 ]
On the Citrix ADC SDX platform, the cluster state might flap when a node joins a cluster. The flapping happens when an implicit reset of interface is triggered that impacts the cluster's health.
[ NSHELP-27081 ]
On Citrix ADC MPX appliances using the Fortville NICs, the link does not come up properly when AUTO is set in the fiber transceiver.
[ NSHELP-26518 ]
Policies
A Citrix ADC appliance might crash if the FIX service type is used in Layer 2 and Layer 3 mode.
[ NSHELP-28468 ]
A Citrix ADC appliance might crash under the following conditions:
- An audit message action is configured with a string builder expression that applies one or more REGEX functions to the body of a request.
- An Application Firewall profile is configured with the Streaming option enabled.
For example, HTTP.REQ.BODY(10000000).REGEX_SELECT(re/name=[^\r\n]*[\r\n]+/).
[ NSHELP-27895 ]
The NS variable with global scope does not work for HTTP/2 traffic.
[ NSHELP-27095 ]
The Citrix Gateway appliance might crash if all of the following conditions are met:
- nstrace is enabled with a filter expression.
- Debug audit logging to an external ADC audit server is enabled.
- An authentication policy with an advanced rule expression is configured.
[ NSHELP-26045 ]
The following issue is observed if two policy variables are configured with different expiration time:
- Deletion of the expired value for the variable with the shorter expiration time might be delayed until the deletion of the expired value with the longer expiration time.
[ NSHELP-25786 ]
A Citrix ADC appliance might crash if you configure the MATCHES_LOCATION() function in a policy expression and you start nstrace using a filter expression.
[ NSHELP-22687 ]
SSL
If multiple SSL policies are bound at the Client Hello bind point to a single virtual server, and an ALPN or SNI policy is the first policy bound, the following error condition might occur:
If the client does not send an ALPN or SNI request, then the other policies bound to the virtual server are not evaluated.
[ NSSSL-9865 ]
Adding a certificate-key pair might fail due to a memory allocation failure. As a result, the CA certificate-key pair lookup fails and the appliance crashes.
[ NSHELP-28197 ]
SSL handshake renegotiation might fail on Citrix ADC MPX platforms, if asynchronous policies are configured on the SSL virtual server.
[ NSHELP-27870 ]
In a high availability setup, CRL auto refresh fails intermittently if both of the following conditions are met:
- Files are syncing from the primary node to the secondary node.
- CRL file is downloading from the CRL server at the same time.
[ NSHELP-27435 ]
In a cluster database, the binding is not updated properly if you bind an SSL policy to a virtual server at the client hello bind point multiple times and with different priorities. As a result, an error appears when you remove the policy even after unbinding it from the virtual server.
[ NSHELP-27301 ]
The Citrix ADC appliance does not accept an OCSP response if the response does not have the Content-Length HTTP header.
[ NSHELP-27039 ]
On a Citrix ADC MPX/SDX 14000 FIPS appliance, you might see memory leaks when using EDT configuration with EDT datagram size > 1K.
[ NSHELP-25375, NSHELP-25915, NSHELP-26016 ]
In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.
[ NSHELP-23963 ]
A Citrix ADC appliance might crash if the following conditions are met:
- A certificate-key pair is added with the expiry monitor option enabled.
- The certificate date is earlier than 01/01/1970.
[ NSHELP-22934 ]
SSL counters displayed in the output of the "stat ssl" command are not cleared.
[ NSHELP-20966 ]
System
When a Citrix ADC instance is registered on Citrix ADM, port allocation errors are seen in the ADC counters.
[ NSHELP-28779 ]
A TCP window leak is observed when a Citrix ADC appliance processes HTTP/2 header frames.
[ NSHELP-28475 ]
The Citrix ADC appliance crashes when all of the following conditions are met:
- A content inspection action with a server IP address reuses the internal data of a service, if that service is already configured.
- As a result, the internal data of the service is also removed when the CI action is removed.
- When the actual service is then removed, the Citrix ADC appliance attempts to access and delete the already removed internal data.
[ NSHELP-28293 ]
If the received header size is greater than the maximum header table size, the appliance resets the table size to zero. As a result, HTTP/2 requests fail after a few requests.
[ NSHELP-27977 ]
The AppFlow collector pointer referenced by the analytics profile is corrupted.
[ NSHELP-27924 ]
A Citrix ADC appliance might crash with an ICAP OPTIONS response. The issue happens when the allowed header value contains a value other than 204.
[ NSHELP-27879 ]
The tcpCurClientConn counter shows a large value if the Citrix ADC appliance is registered on the Citrix ADM.
[ NSHELP-27463 ]
The Citrix ADC appliance might crash when it tries to dereference a non-allocated structure during content inspection. The crash happens because the memory allocation failed for that resource/structure.
[ NSHELP-27358 ]
A Citrix ADC appliance might crash when the AppFlow feature is disabled and enabled back.
[ NSHELP-27236 ]
The NSWL client occasionally logs data multiple times from the packet engine (PE-0), whereas logs from other packet engines are skipped.
[ NSHELP-27138 ]
A Citrix ADC appliance might crash if the following conditions are met:
- When handling Logstream metadata records.
- Appflow feature is enabled.
[ NSHELP-26942 ]
For a client connection, a Citrix ADC appliance might incorrectly send a connection keep-alive header in response to the client's connection-close header. This incorrect connection keep-alive header leads to a delay in closing the connection on the client.
[ NSHELP-26474 ]
When you add an ADC high-availability pair to the ADM server, the secondary server connects to ADM using the SNIP as the source address. As a result, network issues occur on the uplink devices. For example, the firewall finds two MAC addresses for a SNIP on its interfaces.
[ NSHELP-26010 ]
After an upgrade from Citrix ADC 12.1 build 50.31 to Citrix ADC 13.0 build 58.32, the appliance does not retry after receiving a bad ACK for a TCP SYN packet sent by a monitor. As a result, the appliance resets the monitor TCP connection and marks the service as DOWN.
[ NSHELP-25813, NSHELP-29186 ]
A Citrix ADC appliance might fail during clear configuration if the following conditions are met:
- IP address of a service is changed when the service is bound to a virtual server.
- Same virtual server is used as a collector in an analytics profile.
[ NSBASE-11511 ]
User Interface
The following issue is observed if any operation is performed that reads the `ns.conf` file. For example, `show ns saved config`.
- The HTTPD process might freeze causing the GUI and NITRO API to become inaccessible.
[ NSHELP-28249 ]
When you fetch the content of a file from an ADC instance by using the command "show systemfile", a download failure error message appears on the ADC Console. The issue occurs if the file content starts with NULL bytes.
[ NSHELP-28227 ]
The admautoregd SYSLOG flood leads to Customer Resource Definition (CRD) misclassification and misdiagnosis because of an internal system issue (Python binary file missing).
Fix: Stop monitoring the admautoregd process after 30 minutes if the Python binary is still missing.
[ NSHELP-28185 ]
An additional backslash character is incorrectly introduced if special characters are used within arguments in some SSL commands, such as "create ssl rsakey" and "create ssl cert".
[ NSHELP-27378, NSHELP-28861 ]
The GSLB configuration synchronization might fail to synchronize commands with long user identifiers (UIDs).
[ NSHELP-27328 ]
The 'nsconfigaudit' tool might crash if the size of the input configuration file is very large.
[ NSHELP-27263 ]
In a high availability setup, a Citrix ADC appliance might crash during a system user authentication process, if the following condition is met:
- The password hash computation takes long enough that five heartbeats are missed.
[ NSHELP-27066 ]
The reporting functionality might stop working if the system clock gets updated on a Citrix ADC appliance.
[ NSHELP-25435 ]
The connection between the ADC instance and ADM service is lost when the following conditions are met:
- The instance is added to ADM service using a built-in agent.
- The instance is upgraded using the -Y option or from the ADM GUI. In both cases, the built-in agent doesn't restart. The -Y option provides Yes as an answer to all upgrade-related questions that appear on the CLI or GUI.
[ NSCONFIG-4368 ]
Video Optimization
A Citrix ADC appliance might crash because of memory allocation failure with the video optimization feature enabled.
[ NSHELP-28752 ]
Known Issues
AppFlow
HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
[ NSINSIGHT-943 ]
Authentication, authorization, and auditing
In rare cases, the Citrix ADC appliance might crash due to an incorrect log position.
[ NSHELP-29267 ]
A Citrix ADC appliance configured to authenticate using the OAuth Service Provider cannot be configured with "client_secret_post" to authenticate with the IdP token endpoint.
With this fix, the authentication method "client_secret_basic" is added to the OAuth service provider feature of ADC when it communicates with the token endpoint of the IDP.
[ NSHELP-28945 ]
Sometimes, authentication might fail when the AAA.LOGIN.PASSWORD expression is used.
[ NSHELP-28101 ]
Access to a service is denied if the following conditions are met:
- The service is bound to an authentication virtual server.
- 401 authentication is configured on the service and the virtual server that the service is bound to.
[ NSHELP-26903 ]
In rare cases, a Citrix Gateway appliance dumps core upon using the OAuth authentication method to access the appliance.
[ NSHELP-26745 ]
Sometimes, if nFactor is configured, an incorrect IP address is logged in the logout message.
[ NSHELP-26692 ]
The "timeout" parameter for the emailAction command is deprecated. The default value for timeout is 180 seconds.
[ NSHELP-26424 ]
When a Citrix ADC appliance performs a nested LDAP group search, some of the group information from Active Directory is missed because of incorrect behavior of the Citrix ADC appliance. The ADC appliance takes an incorrect value even when the `groupSearchSubAttribute` parameter is configured appropriately.
[ NSHELP-26316 ]
You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.
[ NSHELP-26199 ]
The Citrix ADC appliance crashes if both of the following conditions are met:
- Email OTP is configured.
- The email server does not respond, or there is a network issue with the email server.
[ NSHELP-26137, NSHELP-27824 ]
SSO to StoreFront using Citrix ADC fails if the following conditions are met:
- The Citrix ADC appliance is configured for multi-factor authentication.
- The Citrix ADC session times out before examining the configured authentication factors.
[ NSHELP-21466 ]
Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
[ NSHELP-18844 ]
A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.
[ NSHELP-18751 ]
A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
[ NSHELP-563 ]
If you edit the authentication virtual server using the "End-to-end login test" or "Test End User Connection" options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing Application Traffic > Authentication Virtual Servers.
[ NSAUTH-6339 ]
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
[ NSAUTH-6106 ]
The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:
- The Test LDAP Reachability option is opened.
- Invalid login credentials are entered and submitted.
- Valid login credentials are entered and submitted.
Workaround: Close and open the Test LDAP Reachability option.
[ NSAUTH-2147 ]
CallHome
CallHome registration might fail for Citrix ADC MPX appliances using pooled licensing. The registration fails because CallHome uses an incorrect serial number for registering the appliances with the Citrix Support Server.
[ NSHELP-28667 ]
Citrix ADC SDX Appliance
The data in ADC events table can now be sorted across pages if the total number of data records is less than 5000.
[ NSHELP-29170 ]
The Management Service on a Citrix ADC SDX appliance displays the interface speed for SNMP managers in Kbps/Mbps instead of bits per second.
[ NSHELP-28724 ]
On the Citrix ADC SDX 8400/8600 platform, health monitoring might display crypto errors.
[ NSHELP-26500 ]
Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:
- Throughput allocation mode is burst.
- There is a large difference between the throughput and the maximum burst capacity.
[ NSHELP-21992 ]
SNMPv3 queries work only for a few minutes after changing the password.
[ NSHELP-19313 ]
The SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community, or key).
[ NSHELP-18541, NSHELP-19313 ]
Citrix Gateway
In a Citrix ADC GSLB and SSL VPN setup, a memory leak is observed while handling a DTLS ICA connection. As a result, the connection drops and memory builds up.
[ NSHELP-30182 ]
If the clientCert parameter is set to 'Optional' in the SSL profile when configuring the VPN virtual server, users are prompted multiple times to select the smart card.
[ NSHELP-30070 ]
In the Citrix Gateway portal page, RDP proxy link icon does not change with RfWebUI portal theme.
[ NSHELP-28974 ]
In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.
[ NSHELP-28856 ]
Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection.
[ NSHELP-28848 ]
The Windows plug-in might crash during authentication.
[ NSHELP-28394 ]
The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.
[ NSHELP-28329 ]
Access to StoreFront through a VPN virtual server fails if StoreFront is accessed through a backup load balancing virtual server.
[ NSHELP-27852 ]
You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.
With this fix, you can now unbind the authorization policy by using the GUI.
[ NSHELP-27064 ]
The Citrix Gateway appliance might crash if forwardSession is configured for a back-end subnet and a server in the same subnet is accessed over the VPN tunnel.
[ NSHELP-27037 ]
Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.
[ NSHELP-26904 ]
The Citrix Gateway GUI displays the message "Invalid IP or Port" when editing a VPN session profile.
[ NSHELP-26722 ]
The Citrix Receiver file (receiver.exe) does not download from the download URL after authentication.
[ NSHELP-26600 ]
While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:
- A default pre-shared key (PSK) is configured.
- You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
[ NSHELP-25694 ]
The Citrix Gateway login page does not load after an admin partition, if one is configured, is deleted.
[ NSHELP-25538 ]
The packet engine crashes while fetching an ICA connection entry when you run the show icaconnection command. This crash happens because the ICA connection information in the ICA connection list is stale.
[ NSHELP-25420 ]
Citrix Gateway crashes while decoding the CVPNv2 packet because of incorrect string termination.
[ NSHELP-24718 ]
A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.
[ NSHELP-24085 ]
Gateway Insight does not display accurate information about the VPN users.
[ NSHELP-23937 ]
The VPN plug-in does not establish a tunnel after Windows logon if the following conditions are met:
- The Citrix Gateway appliance is configured for the Always On feature.
- The appliance is configured for certificate-based authentication with two-factor authentication set to "off".
[ NSHELP-23584 ]
The "show tunnel global" command output now includes advanced policy names. Previously, the output did not display the advanced policy names.
Example:
New output:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0
Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
Priority: 1
Global bindpoint: REQ_DEFAULT
Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
Priority: 100
Global bindpoint: RES_DEFAULT
Done
>
Previous output:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0 Disabled
Advanced Policies:
Global bindpoint: REQ_DEFAULT
Number of bound policies: 1
Done
[ NSHELP-23496 ]
In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.
[ NSHELP-22349 ]
A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:
- SplitTunnel is set to ON.
- IP address pool (Intranet IP) option is set to NoSpillOver.
[ NSHELP-20584 ]
In some cases, a Citrix ADC appliance might dump core during a user logout session.
[ NSHELP-19470 ]
An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
[ NSHELP-7872 ]
If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.
[ CGOP-19355 ]
Application launch failure due to an invalid STA ticket is not reported in Gateway Insight.
[ CGOP-13621 ]
In a high availability setup, during Citrix ADC failover, the SR count increments instead of the failover count in Citrix ADM.
[ CGOP-13511 ]
When an ICA connection is launched from Mac Receiver version 19.6.0.32 or Citrix Virtual Apps and Desktops version 7.18, the HDX Insight feature is disabled.
[ CGOP-13494 ]
When the EDT Insight feature is enabled, audio channels might sometimes fail during a network discrepancy.
[ CGOP-13493 ]
In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
[ CGOP-7269 ]
If a Windows user name contains non-ASCII characters, the user is unable to collect log files by using the Collect Log button.
[ CGOP-3359 ]
Citrix Web App Firewall
The Web App Firewall signature ID 1048 blocks the Citrix Gateway page from loading.
[ NSHELP-29113 ]
A Citrix ADC appliance might crash if the following modules are enabled:
- Web App Firewall with advanced security checks.
- Appqoe.
[ NSHELP-28251 ]
In the Citrix Web App Firewall module, the Distributed Hash Table (DHT) entries are not freed up on the primary node. This issue occurs if application firewall sessions have a shorter timeout and are created at a higher rate.
[ NSHELP-26570 ]
Some requests with security violations are not blocked by the HTML cross-site scripting security check.
[ NSHELP-24762 ]
Load Balancing
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.
[ NSLB-7679 ]
The state of the service group displayed in the show and stat commands is inconsistent.
[ NSHELP-28931 ]
The Citrix ADC appliance might fail to respond to a GSLB domain query with the expected GSLB service IP address if the GSLB virtual server is configured as follows:
- Persistence type: Source IP address
- Load balancing algorithm: Static proximity
- Backup load balancing method: Round trip time (RTT)
[ NSHELP-28668 ]
In rare cases, the location database configuration might be missing from the configuration (ns.conf) file.
[ NSHELP-28570 ]
The load balancing or GSLB domain-based Autoscale servicegroup state remains DOWN if you use a wildcard port.
[ NSHELP-28548 ]
The SMPP retry messages are sent to all nodes in a cluster even when the request is successful. This scenario leads to high memory consumption on the Citrix ADC appliance.
[ NSHELP-28332 ]
Sometimes, in a multi-PE system, domain-based service groups do not recover to the UP state after a few failures in the system. This issue is due to a race condition between the CLI and the internal monitors.
[ NSHELP-27965 ]
The configured state of the default monitor shows as disabled even when the default monitor is bound to a service.
[ NSHELP-27669 ]
When you modify the back-end server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.
[ NSHELP-24329 ]
In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.
[ NSHELP-21425 ]
When you run the "set service <servicename>" command, the following error message is displayed:
"IP Address cannot be set on a domain based server."
This error message is displayed when the server is configured with a name longer than 32 characters.
[ NSHELP-20939 ]
In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
[ NSHELP-20406 ]
Redirecting an HTTPS URL fails if the URL contains the % special character.
[ NSHELP-19993 ]
Miscellaneous
When a forced synchronization takes place in a high availability setup, the appliance runs the "set urlfiltering parameter" command on the secondary node. As a result, the secondary node skips any scheduled update until the next scheduled time specified in the "TimeOfDayToUpdateDB" parameter.
[ NSSWG-849 ]
A Citrix ADC appliance adds extra L2 information when a tunnel or Type of Service (TOS) virtual server is created.
[ NSHELP-27825 ]
In a cluster setup, command propagation might fail because the connection with the CCO is lost. The issue is observed if both of the following conditions are met:
- You perform a command propagation operation in the setup.
- The setup is in an idle state for more than two hours. A cluster setup is said to be in an idle state if there is no exchange of any CLI commands between nodes.
[ NSHELP-26350, NSHELP-24910 ]
A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URL Filtering third-party vendor.
[ NSHELP-22409 ]
In an L3 cluster setup, the local nodegroup wrongly sends Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.
[ NSHELP-20366 ]
Networking
A Citrix ADC appliance might crash if all of the following conditions are met:
- A load balancing route is configured in a traffic domain on the appliance.
- A clear config operation is performed on the appliance.
[ NSNET-23847 ]
In some cases of FTP data connections, the Citrix ADC appliance performs only the NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
[ NSNET-5233 ]
In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:
- Filtering and mapping reference counts are non-zero for the LSN module in the appliance.
[ NSHELP-28842 ]
A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.
[ NSHELP-24623 ]
In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:
- A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.
As part of the fix, the Citrix ADC appliance no longer allows binding a dynamic routing enabled SNIP address to the shared VLAN in a non-default partition.
[ NSHELP-24000 ]
If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.
[ NSHELP-21288 ]
When an admin partition memory limit is changed in a Citrix ADC appliance, the TCP buffering memory limit is automatically set to the admin partition's new memory limit.
[ NSHELP-21082 ]
Platform
When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.
[ NSPLAT-4520 ]
In a high availability setup on Azure, upon logon to the secondary node through the GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile must always be configured on the primary node.
[ NSPLAT-4451 ]
The status of the SDX platform appears as UNKNOWN in the LOM console. This is only a display issue and has no functional impact.
[ NSHELP-20009 ]
Policies
A Citrix ADC appliance might crash when evaluating a large number of embedded expressions in an HTML page.
[ NSPOLICY-1462 ]
Connections might hang if the size of the data being processed exceeds the configured default TCP buffer size.
Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.
[ NSPOLICY-1267 ]
SSL
Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
[ NSSSL-4427 ]
An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
[ NSSSL-4001 ]
In a cluster setup, the SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
[ NSSSL-3402 ]
An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
[ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]
You cannot bind two certificates whose public keys are signed by different algorithms (for example, RSA and ECDSA) to a virtual server as SNI certificates if the domain name is the same.
[ NSSSL-2560 ]
In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.
[ NSHELP-28058 ]
In a high availability setup, the certificate type is not synchronized correctly between the primary and secondary nodes.
[ NSHELP-27589 ]
The Citrix ADC appliance might crash during a reboot if you change the casing in the name of the built-in certificate ("ns-server-certificate") in the configuration file.
[ NSHELP-26858 ]
A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.
[ NSHELP-24201 ]
System
The Citrix ADC appliance might incorrectly add an IPv4 address to an AppFlow record related to an IPv6 transaction.
[ NSHELP-29261 ]
In some scenarios, a Citrix ADC appliance might crash under the following conditions:
- TCP jumbo frames are used.
- Persistence is configured on a TCP load balancing virtual server.
[ NSHELP-29162 ]
The X-Forwarder header is not added to some requests sent from the Citrix ADC appliance to the back-end server.
[ NSHELP-29142, NSHELP-29583 ]
A Citrix ADC appliance crashes if the following conditions are met:
- The client-side measurements option is enabled on the AppFlow action.
- The chunk headers fall on the packet boundary.
[ NSHELP-29049 ]
A Citrix ADC appliance resets a connection if the HTTP pipeline (one or multiple requests) size exceeds 128 KB. The issue occurs because the pipeline size is hard limited to 128 KB.
[ NSHELP-28846 ]
TCP zombie timeout flushes active server or client connections because of the half-close timeout on the faster side of the connection.
[ NSHELP-27502, NSBASE-14650 ]
The connection chaining TCP option is added to the Citrix ADC RPC connections. This causes an interoperability issue in communication between GSLB sites.
[ NSHELP-27417 ]
Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.
[ NSHELP-27410 ]
A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.
[ NSHELP-27179 ]
A Citrix ADC appliance might crash if it receives a partially acknowledged MPTCP MP-FAIL signal on an already closed MPTCP session. The crash is applicable to virtual servers that have MPTCP enabled in the TCP profile.
[ NSHELP-26594 ]
For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output: for snmpwalk on the CLIP, a dot is appended to the end of the output, whereas for snmpwalk on the NSIP, no dot is appended.
[ NSHELP-22684 ]
The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.
[ NSHELP-21240 ]
The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
[ NSHELP-10972 ]
In a cluster deployment, if you run the "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.
[ NSBASE-16304, NSGI-1293 ]
In a cluster setup, enabling process local support for MPTCP connections reduces the inter-node steering.
[ NSBASE-10587 ]
The client IP and server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.
[ NSBASE-8506 ]
ICAP support for Citrix ADC
A Citrix ADC appliance now supports the Internet Content Adaptation Protocol (ICAP) for content transformation services on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP) servers. The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond to the appliance with the modified messages. The adapted messages are either an HTTP or an HTTPS response or request.
For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
[ NSBASE-825 ]
User Interface
In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.
[ NSUI-14752 ]
The Global Binding and Show Binding options do not work on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.
[ NSUI-13193, NSUI-11561 ]
If you create an ECDSA key by using the GUI, the type of curve is not displayed.
[ NSUI-6838 ]
In some cases, you might not be able to load SSL keys from the SSL keys tab in the Citrix ADC GUI.
[ NSHELP-28870 ]
The ping or ping6 command with the interface (-I) option might fail with the following error:
"interface option not supported"
[ NSHELP-26962 ]
Importing a certificate in an admin partition might incorrectly fail with the following message:
ERROR: User doesnt have permission for given Destination path
[ NSHELP-26918 ]
When you configure IP reputation using advanced policy expressions, the "TOR_PROXY" threat category is missing in the Expression Editor GUI.
[ NSHELP-25654 ]
A Citrix ADC appliance might crash if the /tmp directory is full.
[ NSHELP-21809 ]
Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.
[ NSHELP-20988 ]
The Citrix ADC command interface and the GUI do not display the system time parameter setting for a few SNMP alarms.
[ NSHELP-19958 ]
The top-level page title is missing on all security check GUI pages.
[ NSHELP-18607 ]
In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds, but the GUI incorrectly displays the following error:
Trace not started
[ NSHELP-18566, NSHELP-24796 ]
If you (the system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance:
1. Upgrade the Citrix ADC appliance to one of the following builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration.
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of affected system users by using the CLI, at the command prompt, type:
"query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
Workaround:
To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for the other system users.
- If none of the above options work, a system administrator can reset the system user passwords.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
[ NSCONFIG-3188 ]