Release Notes for Citrix ADC 13.0-52.24 Release
This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the Citrix ADC release Build 13.0-52.24.
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
What's New
The enhancements and changes that are available in Build 13.0-52.24.
Authentication, authorization, and auditing
- Title: Encryption of Citrix Gateway login information for nFactor authentication
Citrix Gateway with nFactor authentication can encrypt the login request fields submitted by a client (browser or SSO apps) during the authentication process. The encrypted login request fields provide an extra layer of security to protect the user's sensitive data from being disclosed.
For details, see https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/multi-factor-nfactor-authentication.html
[ NSHELP-19554 ]
- Title: Support for SameSite attribute
For Citrix Gateway and Citrix ADC Authentication, authorization, and auditing deployments, support is now added to configure the SameSite cookie attribute. This attribute helps prevent issues that might occur because of certain browser upgrades, such as Google Chrome 80. The SameSite attribute can now be set to None, Lax, or Strict, as required.
For details, see https://docs.citrix.com/en-us/citrix-gateway/12-1/configure-samesite-attribute-for-citrix-gateway.html and https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/configure-samesite-for-aaa-deployments.html
[ NSAUTH-7531 ]
- Title: Support to bind VPN global certificates in a partitioned setup for OAuth IdP
In a partitioned setup, you can now bind certificates to VPN global for OAuth IdP deployments.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/admin-partition/admin-partition-access-and-configure.html
[ NSAUTH-7084 ]
- Title: Support for active-active GSLB deployments on Citrix Gateway IdP
Citrix Gateway configured as Identity Provider (IdP) using OpenID Connect protocol can now support active-active GSLB deployments. The active-active GSLB deployment on Citrix Gateway IdP provides the capability to load balance incoming user login requests across multiple geographic locations.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/configuring-openid-connect-protocol.html
[ NSAUTH-6276 ]
Citrix ADC SDX Appliance
- Title: Enable the VPX always-on feature without instance restart
Previously, after enabling or disabling the Manage through internal network feature on a VPX instance, the instance restarted. This feature enables an independent internal always-on connectivity between the SDX Management Service and the VPX instance. Now the instance does not restart after enabling or disabling the feature.
However, if you enable the Manage through internal network feature on a VPX instance (version 13.0, any build) provisioned on an SDX appliance that has been upgraded to 13.0 52.x, the VPX instance reboots. This happens if the Manage through internal network option was already disabled on the VPX before the SDX upgrade.
To know more about the Manage through internal network feature, see https://docs.citrix.com/en-us/sdx/13/provision-netscaler-instances.html
[ NSSVM-2803 ]
- Title: Support for pooled capacity licensing for SD-WAN instances
You can now provision SD-WAN instances when pooled capacity licensing is configured on the SDX appliance. For more information about pooled capacity licensing, see https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/license-server/adc-pooled-capacity.html
[ NSSVM-2737 ]
Citrix Gateway
- Title: CredSSP protocol version 6 support for RDP proxy
CredSSP protocol version 6 is now supported for RDP proxy.
[ NSHELP-8732 ]
- Title: Support for Citrix Virtual Apps and Desktops 7 1912 LTSR
Citrix Gateway now supports Citrix Virtual Apps and Desktops 7 1912 LTSR.
[ CGOP-11796 ]
- Title: SSL support on LAN proxy in an outbound ICA proxy setup
If you configure outbound ICA proxy on Citrix Gateway, the Citrix Workspace app now encrypts all the traffic it sends to Citrix ADC LAN proxy over SSL. Previously, only the traffic between Citrix ADC LAN Proxy and Citrix Gateway was over SSL.
[ CGOP-9977 ]
Citrix Web App Firewall
- Title: POST body limit is set to 10 GB
The maximum value for the post body limit is now changed from 4 GB to 10 GB.
[ NSWAF-3815 ]
- Title: Appspider_7_2_83_1 Vulnerability Scanner Integration
For proactive vulnerability scanning, a Citrix ADC appliance is now integrated with the Appspider_7_2_83_1 scanner. As a result, you can now import the Appspider scanner report to prevent vulnerabilities and generate signatures.
[ NSWAF-2912 ]
Load Balancing
- Title: Support to configure the ADC generated cookie attributes
For Citrix ADC deployments, support is now added to insert additional cookie attributes into the cookies generated by the Citrix ADC appliance. These additional cookie attributes help enforce the required policies for the ADC-generated cookies based on the application access pattern.
This feature can be used to prevent issues that can occur because of the Google Chrome upgrade (Google Chrome 80).
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/insert-cookie-attributes.html
[ NSLB-6068 ]
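The browser-side rules that the SameSite and cookie-attribute features above are meant to satisfy can be checked against any Set-Cookie header. The following Python script is an added example, not Citrix ADC code; the cookie name, values, and header strings in it are constructed for illustration. It parses a Set-Cookie header into its attributes and reports where the combination of SameSite, Secure, and HttpOnly would be rejected or downgraded by a Chrome 80 style browser (a missing SameSite is treated as Lax, and SameSite=None is accepted only together with Secure).

```python
"""Audit Set-Cookie headers for SameSite/Secure/HttpOnly consistency.

Added example, not Citrix ADC code. It models the browser-side rules that
the SameSite and cookie-attribute features are meant to satisfy: Chrome 80
treats a missing SameSite as Lax and rejects SameSite=None cookies that are
not also marked Secure.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names are case-insensitive; they are stored lower-cased.
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    def samesite(self) -> Optional[str]:
        v = self.attributes.get("samesite")
        return v.lower() if v else None

    def has(self, attr: str) -> bool:
        return attr.lower() in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 style)."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name:
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        aname, _, avalue = attr.partition("=")
        cookie.attributes[aname.strip().lower()] = avalue.strip() or None
    return cookie


def audit_cookie(cookie: Cookie, cross_site: bool) -> List[str]:
    """Return findings for one cookie.

    cross_site says whether the cookie must be sent on cross-site requests
    (for example, during a redirect-based SSO flow)."""
    findings = []
    ss = cookie.samesite()
    if ss is None:
        findings.append("SameSite missing; Chrome 80+ defaults to Lax")
    elif ss not in ("none", "lax", "strict"):
        findings.append(f"unknown SameSite value {ss!r}")
    if ss == "none" and not cookie.has("secure"):
        findings.append("SameSite=None without Secure; browser rejects cookie")
    if cross_site and ss != "none":
        findings.append("cross-site use requires SameSite=None; Secure")
    if not cookie.has("httponly"):
        findings.append("HttpOnly missing")
    return findings


# Constructed sample headers, not captured from any appliance.
SAMPLE_HEADERS = [
    "sessid=abc123; Path=/; Secure; HttpOnly",
    "sessid=abc123; Path=/; SameSite=None; HttpOnly",
    "sessid=abc123; Path=/; SameSite=None; Secure; HttpOnly",
]


def audit_all(headers, cross_site=True):
    """Map each header to its list of findings (empty list means clean)."""
    return {h: audit_cookie(parse_set_cookie(h), cross_site) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS).items():
        print(header, "->", findings or "OK")
```

Run the script as-is to see the three constructed headers classified; only the last one passes the cross-site check, which is the combination the SameSite feature is intended to produce.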
- Title: SNMP OID for backup virtual servers
An SNMP Object Identifier (OID) "vsvrBackupVserver" with the value 1.3.6.1.4.1.5951.4.1.3.1.1.81 is now added to the Citrix ADC management information base (MIB). This OID provides the details of the backup virtual servers that are configured for existing virtual servers.
[ NSLB-5365 ]
- Title: Lighter version of Citrix ADC CPX as the DNS cache in Kubernetes
Due to wider adoption of microservices architectures, DNS request rates inside a Kubernetes cluster are increasing. As a result, Kubernetes DNS (kube-dns) is overburdened. In a Kubernetes cluster, now you can deploy Citrix ADC CPX as a DNS cache on each node and forward DNS requests from application pods in the node to Citrix ADC CPX. Hence, you can resolve DNS requests faster and significantly reduce the load on Kubernetes DNS.
[ NSLB-5325 ]
- Title: Parallel synchronization of the GSLB configuration between the master and slave nodes
GSLB performance is now enhanced by enabling parallel auto synchronization of the GSLB configuration between the master and slave nodes. The parallel synchronization reduces the overall time taken to complete the GSLB synchronization. This process eliminates any delay in synchronization that might arise because of the following reasons:
- A slave node is unreachable.
- The master node has a huge configuration to synchronize.
- The master configuration is changing frequently.
[ NSLB-4808 ]
- Title: Detailed error messages are displayed for user monitor probe failure
The causes for the user monitor probe failures are captured in the /var/nslog/nsumond.log file. You can now view the causes for the monitor probe failures by executing the 'show service/service group' command. Previously, the 'show service/service group' command output displayed a generic error message saying "probe failed".
[ NSLB-4804 ]
- Title: Correct error messages are logged for DBS monitor probe failure
For the DBS monitor probe failure, when the domain names are resolved but the IP addresses are not reachable, the Last Response message now displays the reason for probe failure. Previously, the Last Response message incorrectly displayed the reason as Domain Name Not Resolved.
[ NSLB-4626 ]
- Title: Support for MongoDB protocol
The Citrix ADC appliance now supports MongoDB and MongoDB-TLS protocols for load balancing.
[ NSLB-4137 ]
Networking
- Title: Support of connection failover for INAT rules
Citrix ADC appliance high availability setups support connection failover for INAT connections. The primary node sends INAT mappings and other INAT related connection information to the secondary node at regular intervals. The secondary appliance uses this information only in the event of a failover.
When a failover occurs, the new primary node has information about the INAT connections established before the failover and hence continues to serve those connections even after the failover.
From the client's perspective this failover is transparent. During the transition period, the client and server may experience a brief disruption and retransmissions. Connection failover can be enabled per INAT rule.
For enabling connection failover on an INAT rule, you enable the `connFailover` (`Connection Failover`) parameter of that specific INAT rule by using either CLI or GUI.
[ NSNET-11168 ]
- Title: Connection failover support for FTP connections from FTP server random port
Connection failover enables the primary node to duplicate connection and persistence information to the secondary node in a high availability setup. The state information of the connection is shared with the secondary node regularly when connection mirroring is enabled.
A Citrix ADC appliance high availability setup supports connection failover for an FTP connection for which the FTP server is using a random data port.
The primary node sends the FTP related connection information to the secondary node at regular intervals. The secondary appliance uses this information only in the event of a failover.
For enabling connection failover on a load balancing configuration of type FTP, you enable the `connFailover` (`Connection Failover`) parameter of the load balancing virtual server by using either CLI or GUI.
Also, for enabling the Citrix ADC appliance to process an FTP connection for which the FTP server is using a random port, you must enable the Citrix ADC global parameter: aftpAllowRandomSourcePort (Enable Random source port selection for Active FTP).
[ NSNET-7685 ]
- Title: Support of IEEE standard LLDP MIB
The Citrix ADC appliance now includes an LLDP SNMP MIB that conforms to the IEEE standard.
[ NSNET-6213 ]
Platform
- Title: Configure a TCP health probe for UDP virtual servers
The Citrix ADC appliance supports an external TCP-based health check for a UDP virtual server. This feature introduces a TCP listener on the VIP address of the virtual server and the configured port. The TCP listener reflects the status of the virtual server.
To support this, the tcpProbePort parameter is added to the following virtual server types:
- Load balancing virtual server
- Cache redirection virtual server
- Content switching virtual server
This feature is supported only for virtual servers assigned an IP address or an ipset.
[ NSPLAT-12345 ]
- Title: Option to enable or disable dom0 access
You can now enable or disable access to the SDX Control Domain (dom0). With dom0 access, a user can directly access the SDX appliance and also change its configuration. Previously, dom0 access was enabled by default. Upon upgrade to 12.1 56/13.0 xx from a previous release, dom0 access is disabled.
To enable dom0 access, in the SDX GUI, navigate to System > Network Configuration. Under Appliance Supportability, select the Configure Appliance Supportability check box.
[ NSPLAT-11065 ]
- Title: Deploy VPX instances on Microsoft Azure Stack
You can now deploy VPX instances on Azure Stack.
[ NSPLAT-9737 ]
Policies
- Title: Support to provide comments for key-value entries bound to a string map
The "bind policy stringmap" command now enables you to provide a comment for each key-value entry bound to a string map.
CLI command:
bind policy stringmap <name> <key> <value> [-comment <string>]
Where,
-comment provides a comment about the key-value entry in the string map.
[ NSPOLICY-3297 ]
- Title: Support for binary characters in a string or character literals
A Citrix ADC appliance now supports both ASCII and binary values in string or character literals for the ASCII (default) charset.
Example
CLIENT.TCP.PAYLOAD(100).CONTAINS("\xff\x02")
[ NSPOLICY-3283 ]
SSL
- Title: New SNMP alarm for ECDHE exchange rate
ECDHE-based key exchange can cause the transactions per second on the appliance to drop. You can now configure an SNMP alarm for ECDHE-based transactions. In this alarm, you set the threshold and normal limits for the ECDHE exchange rate. A new counter `nsssl_tot_sslInfo_ECDHE_Tx` is added. This counter is the sum of all the ECDHE-based transaction counters on the front end and back end of the appliance. When the ECDHE-based key exchange rate crosses the configured limit, an SNMP trap is sent. Another trap is sent when the value returns to the configured normal value.
[ NSSSL-7450 ]
- Title: Support for DTLSv1.2 protocol on the front end of Citrix ADC appliances containing Intel Coleto SSL chips
DTLS 1.2 protocol is now supported on the front end of Citrix ADC appliances containing Intel Coleto SSL chips. While configuring a DTLS virtual server, you must now specify DTLS1 or DTLS12.
The following appliances ship with Intel Coleto chips:
- MPX 59xx
- MPX/SDX 89xx
- MPX/SDX 26xxx
- MPX/SDX 26xxx-50S
- MPX/SDX 26xxx-100G
- MPX/SDX 15xxx-50G
[ NSSSL-7189 ]
- Title: Support to handle OCSP responses with SHA2-based certificate ID
The Citrix ADC appliance can now process OCSP responses containing SHA2 or its variants (SHA-224, SHA-256, SHA-384, SHA-512) based certificate ID. Earlier, OCSP requests timed out if the corresponding OCSP response was received with a SHA2-based certificate ID because the response certificate ID did not match the SHA1-based certificate ID used while sending the OCSP request. As a result, the SSL handshake failed depending on the status of client authentication and OCSP check set on the virtual server.
[ NSHELP-20399 ]
System
- Title: Configuring maximum limit for HTTP/2 frames
You can now modify the default maximum number of frames (such as PING, RESET, SETTING, and EMPTY) received in an HTTP/2 connection. If the appliance receives more frames than the maximum limit, it silently closes the connection.
[ NSBASE-9447 ]
- Title: Request retry for ADC Ingress traffic
When a client sends an HTTP or HTTPS request and the back-end server resets the TCP connection, the request retry feature allows the Citrix ADC appliance to choose the next available service and forward the request to it, instead of sending a reset to the client. Retrying saves the client an RTT, because the appliance initiates the same request to the next available service.
The request retry feature is applicable for the following error scenario:
- RESET from a back-end server when an appliance sends a request data packet.
Note: Currently, request retry is applicable only for HTTP and SSL protocols.
[ NSBASE-8288 ]
- Title: Support for Proxy protocol
A Citrix ADC appliance now uses the Proxy protocol to safely transport connection information from client to server across all appliances in the proxy layer. The appliance adds a Proxy protocol header carrying the client connection details and forwards it to other appliances and then to the back-end server. The following are some usage scenarios for the Proxy protocol on a Citrix ADC appliance.
- Learn original client IP address
- Select a language for a website
- Blacklist selected IP addresses
- Log and collect statistics
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/proxy-protocol.html
[ NSBASE-4984 ]
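For back-end servers that receive the header described above, the following Python code is an added example, not Citrix ADC code: it builds and parses a version 1 (text form) Proxy protocol header, rejects malformed headers instead of guessing at the client address, and trusts the carried client IP address only when the TCP peer is one of the configured proxy-tier addresses. The addresses, ports, and payload bytes in it are constructed sample values.

```python
"""Build and parse PROXY protocol version 1 headers.

Added example, not Citrix ADC code. It shows the human-readable v1 header
("PROXY TCP4 <src> <dst> <sport> <dport>\r\n") that a proxy tier prepends
to the first bytes of a connection, and how a back-end should validate it
before trusting the client address it carries.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

CRLF = b"\r\n"
MAX_V1_HEADER = 107  # longest legal v1 line including CRLF (TCP6 case)


@dataclass(frozen=True)
class ProxyInfo:
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src_ip: Optional[str]
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def build_v1_header(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Render the line a proxy prepends to the first bytes sent to the server."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    for p in (src_port, dst_port):
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}".encode("ascii") + CRLF


def parse_v1_header(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Parse a v1 header at the start of data; return (info, remaining payload).

    Raises ValueError on anything that is not a well-formed header, so the
    caller can drop the connection instead of guessing at the client address.
    """
    end = data.find(CRLF, 0, MAX_V1_HEADER)
    if end < 0:
        raise ValueError("no CRLF within the first 107 bytes")
    line = data[:end]
    if not line.startswith(b"PROXY "):
        raise ValueError("missing PROXY signature")
    fields = line.decode("ascii", errors="strict").split(" ")
    family = fields[1] if len(fields) > 1 else ""
    if family == "UNKNOWN":
        # The sender could not determine the original connection; nothing to trust.
        return ProxyInfo("UNKNOWN", None, None, None, None), data[end + 2:]
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError(f"malformed header: {line!r}")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    expected = 4 if family == "TCP4" else 6
    if src.version != expected or dst.version != expected:
        raise ValueError("address family does not match TCP4/TCP6 tag")
    src_port, dst_port = int(fields[4]), int(fields[5])
    for p in (src_port, dst_port):
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    info = ProxyInfo(family, str(src), str(dst), src_port, dst_port)
    return info, data[end + 2:]


def client_ip_from_connection(data: bytes, peer_ip: str, trusted_proxies) -> Tuple[str, bytes]:
    """Use the header only when the TCP peer is a known proxy-tier address.

    Otherwise the peer address itself is the client and the bytes are payload,
    so a client connecting directly cannot claim a different source address.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip, data
    info, payload = parse_v1_header(data)
    return (info.src_ip or peer_ip), payload


if __name__ == "__main__":
    # Constructed values: a proxy at 10.0.0.5 relays a client from 198.51.100.7.
    header = build_v1_header("198.51.100.7", "203.0.113.10", 51234, 443)
    ip, rest = client_ip_from_connection(header + b"GET / HTTP/1.1\r\n", "10.0.0.5", ["10.0.0.5"])
    print(ip, rest)
```

The trusted-proxy check is the part that matters operationally: the header is plain text at the start of the TCP stream, so a server that honours it from any peer lets a directly connected client choose the address that ends up in its logs and access decisions.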
User Interface
- The SCOM links are currently unavailable on the Citrix ADC GUI downloads page.
[ NSUI-14323 ]
- Title: Client IP address in a TCP option
The TCP Profile GUI page now allows you to configure the clientiptcpoption and clientiptcpoptionnumber parameters for sending client IP address to the back-end server.
[ NSUI-13991 ]
Fixed Issues
The issues that are addressed in Build 13.0-52.24.
AppFlow
- In HDX Insight, the uptime for terminated sessions displays the actual session uptime regardless of the selected interval.
[ NSHELP-21380 ]
Authentication, authorization, and auditing
- A Citrix ADC appliance skips considering further groups for a user in the following conditions:
- A user is a direct member of the nested group.
- A user is already a member of previous level groups.
[ NSHELP-21945 ]
- In a Citrix ADC high availability and cluster setup, a delay in freeing memory causes memory to pile up.
[ NSHELP-21917 ]
- A Citrix ADC appliance might crash during audit logging if the user authentication is prompted with an extra sign-in request such as a password change or a RADIUS challenge.
[ NSHELP-21703 ]
- A Citrix Gateway appliance configured as SAML IdP for Workspace login might occasionally return an HTTP 404 error during logout.
[ NSHELP-21650 ]
- A Citrix ADC appliance might crash in the connection cleanup if the following conditions are met:
- Traffic is routed from a VPN setup.
- SSO is in progress.
- Rare timing issue closing a client connection.
[ NSHELP-21504 ]
- A Citrix ADC appliance deployed for cross-domain Kerberos might fail to perform SSO if the kcdAccount parameter is configured using a keytab file.
[ NSHELP-21406 ]
- A Citrix ADC appliance configured as a forward proxy does not allow NTLM authentication with HTTP 1.0 clients.
[ NSHELP-21349 ]
- In rare cases, a Citrix Gateway appliance might crash when an invalid HTTP packet is received.
[ NSHELP-21342 ]
- A Citrix ADC appliance using the NTLM protocol cannot perform SSO for Messaging Application Programming Interface (MAPI) clients.
[ NSHELP-21270 ]
- A Citrix ADC appliance might crash during authentication, authorization, and auditing when a packet engine generates a duplicate session removal response.
[ NSHELP-21172 ]
- If Citrix ADC is configured for forms-based SSO and name-value pairs are specified in the configuration, these values are ignored if they are absent from the form.
[ NSHELP-21139 ]
- In rare cases, nFactor logon fails if both of the following conditions are met:
- Citrix ADC appliance is configured for certificate authentication with a fallback to LDAP.
- The certificate authentication fails.
[ NSHELP-21118 ]
- A Citrix ADC appliance deployed as SAML might occasionally fail to perform SAML based logout.
[ NSHELP-21093 ]
- The nFactor Flows page on the Citrix ADC GUI does not open with Internet Explorer.
[ NSHELP-21065 ]
- The SAML metadataURL parameter does not work after a Citrix ADC appliance is restarted.
[ NSHELP-21006 ]
- In rare cases, the Citrix Gateway appliance might fail when users are challenged for a one-time code.
[ NSHELP-20967 ]
- Kerberos SSO might fail when a Citrix ADC appliance is deployed in a multi-domain environment (parent-child domain), the users are in the parent domain, and the services are in the child domain.
[ NSHELP-20910 ]
- A Citrix ADC appliance might fail in the following circumstances:
- Citrix ADC appliance configured with OAuth or SAML IdP actions along with refreshing metadata information from an external source.
- The configuration is changed while data is fetched from the external source or if authentication is in progress. The same issue is observed when you run a "clear config" command.
[ NSHELP-20646 ]
- In rare cases, authentication fails if the connection to the LDAP server is over HTTPS.
[ NSHELP-20181 ]
- When the ActiveSync client sends a HEAD request, the Citrix ADC appliance does not authenticate the 200 OK response.
[ NSHELP-20125 ]
- RBA access to cluster nodes gets interrupted because of a DHT operation issue. Additional counters are added to handle this scenario.
[ NSHELP-20028 ]
- In isolated cases, there is a memory corruption causing a core dump while clearing a corrupted SSL VPN authentication, authorization, and auditing session entry after the timeout.
[ NSHELP-19775 ]
- The LDAP DN attribute fetched from the AD to Citrix ADC appliance is truncated if the attribute length is greater than 128 bytes.
[ NSAUTH-7210 ]
- In a Citrix ADC high availability and cluster setup, the appliance might crash when you upgrade the appliance from release 12.1 build 55.13 to release 12.1 build 55.18. The crash occurs if either Citrix Gateway or authentication, authorization, and auditing features are enabled on the appliance.
[ NSAUTH-7153 ]
- Protocol switching from HTTP to WebSockets fails when SSO is configured on a Citrix ADC appliance.
[ NSAUTH-6354 ]
- If you edit the authentication virtual server using the "End-to-end login test" or "Test End User Connection" options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
[ NSAUTH-6339 ]
Citrix ADC SDX Appliance
- When you add an LDAP server under SDX GUI > Configuration > System > Authentication > LDAP, special characters entered in the form input text box are not decoded before being displayed, and the "&" character in the Base DN field is replaced with "&amp;".
[ NSHELP-21488 ]
- After you upgrade the SDX appliance to release 13.0 any build, Citrix ADC instances provisioned without management interfaces (0/1, 0/2) become inaccessible.
[ NSHELP-21412 ]
- If you try to simultaneously restart multiple VPX instances running on an SDX appliance, the channel and data interfaces of the VPX instances disappear from the SDX Management Service.
[ NSHELP-21124 ]
- After you upgrade an SDX appliance, the SDX Management Service might not list the Ethernet interfaces. This happens if the post-install step of the upgrade is not successful.
[ NSHELP-21068 ]
- On an SDX appliance, you might occasionally see events with high CPU usage. This spike is seen because appliance backup is a CPU intensive process. The high CPU usage is temporary.
[ NSHELP-21063 ]
- The appliance loses the interface details when more than three instances are selected for reboot or shutdown.
[ NSHELP-21040 ]
Citrix Gateway
- The Windows VPN plug-in crashes if the plug-in client's language is set to Chinese.
[ NSHELP-21946 ]
- The Citrix ADC appliance might crash when configured for Advanced Clientless VPN.
[ NSHELP-21819 ]
- After an upgrade of Citrix Gateway to release 13.0 build 47.24, DNS resolution through VPN tunnel fails as the local DNS server responds with a false positive.
[ NSHELP-21794 ]
- The Enterprise Web apps might display an error if the cookies were set and expire at the same time.
[ NSHELP-21772 ]
- The Citrix Gateway logon page becomes unresponsive if RfWebUI based custom themes or nFactor with custom themes are used.
[ NSHELP-21763 ]
- The Intranet Application bindings to the authentication, authorization, and auditing group are lost when you restart the Citrix ADC appliance after upgrading to release 13.0 build 47.x.
[ NSHELP-21733 ]
- You cannot access links that start with "1https" or "0https".
[ NSHELP-21469 ]
- You cannot launch an application using advanced clientless VPN through bookmarks if the clientless VPN application's POST body contains HTML-encoded ' (single quotes) or " (double quotes).
[ NSHELP-21361 ]
- The Citrix Gateway VPN plug-in might take a long time to establish a tunnel to a machine if the proxy PAC file is not reachable.
[ NSHELP-21355 ]
- In some cases, Citrix Gateway dumps core if the following conditions are met:
- EDT Insight functionality is enabled for the Citrix Gateway appliance.
- The appliance receives an out-of-order CGP BINDRESP packet from the VDA.
[ NSHELP-21296 ]
- On some machines, the EPA prompt window buttons (YES, NO, ALWAYS) do not appear on the EPA plug-in screen.
[ NSHELP-21276 ]
- In a Citrix Gateway high availability setup, the secondary node crashes during high availability synchronization if logging is enabled on Citrix Web App Firewall global.
[ NSHELP-21254 ]
- If you have configured clientless VPN (CVPN) on Citrix Gateway, the appliance might crash because of erroneous rewrite handling.
[ NSHELP-21244 ]
- In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.
[ NSHELP-21184 ]
- If two or more client machines try to establish a VPN tunnel connection to the same gateway, the ping connectivity from one client machine to another machine fails.
[ NSHELP-21169 ]
- Sometimes, the Citrix ADC appliance might crash during transfer login.
[ NSHELP-21134 ]
- Users cannot log on to Citrix Gateway if the VPN virtual server host name contains "cvpn" in its name.
[ NSHELP-21119 ]
- If you have configured advanced clientless VPN access, SAP application bookmarks cannot be viewed properly if encoding, such as ('\x3a' or '&x3a' for ':'), is used in the Enterprise Web apps.
[ NSHELP-21072 ]
- A Citrix ADC appliance might crash and dump core if the memory allocation for client and server process control blocks fails.
[ NSHELP-20961 ]
- AlwaysOn service with user persona fails to establish a user tunnel if there are multiple device certificates in the device store.
[ NSHELP-20897 ]
- Users cannot access internal resources when the VPN is successfully connected but the DNS servers are not correctly configured for the Citrix Virtual Adapter.
[ NSHELP-20892 ]
- The apps configured on the StoreFront do not appear on the Citrix Gateway home page if all of the following conditions are met:
- WiHome is configured.
- Advanced clientless VPN access is enabled.
- The user logs on from either Internet Explorer or Firefox.
[ NSHELP-20888 ]
- nFactor authentication fails if Online Certificate Status Protocol (OCSP) is enabled for device certificate check.
[ NSHELP-20855 ]
- If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.
[ NSHELP-20825 ]
- In a Citrix Gateway high availability setup, the secondary node might crash if no policies are configured and you upgrade the node from release 12.0 to release 13.0.
[ NSHELP-20790 ]
- A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:
- SplitTunnel is set to ON.
- IP address pool (Intranet IP) option is set to NoSpillOver.
[ NSHELP-20584 ]
- In a high availability setup, during Citrix ADC failover, icons of some of the apps in the /var/netscaler/logon folder are not visible.
[ NSHELP-20573 ]
- When the back-end servers are not accessible, clients run out of connections and no new connections to the back end succeed.
[ NSHELP-20535 ]
- In a high availability setup, the secondary node crashes whenever an authentication, authorization, and auditing session or a VPN session containing SAML related information is propagated to the primary node.
[ NSHELP-20230 ]
- In some cases, the external facing Citrix Gateway in a double-hop deployment with ICA Insight enabled, dumps core for a particular network traffic pattern.
[ NSHELP-19487 ]
- You can now configure the RfWebUI parameters such as loginFormTimeout and Session timeout by editing the plugins.xml.
[ NSHELP-19221 ]
- If the authentication, authorization, and auditing sessions are high in number, it takes a longer time to terminate a user session.
[ NSHELP-19131 ]
- After an upgrade of Citrix ADC and the Gateway plug-in to release 13.0 build 41.20, users experience continuous blue screen of death (BSOD) errors when trying to set up the VPN tunnel.
[ CGOP-12099 ]
Citrix Web App Firewall
- The Citrix ADC appliance blocks Closure URLs after two minutes if URL closure protection is enabled.
[ NSWAF-3292 ]
- A Citrix ADC appliance might crash if a Web App Firewall profile uses APPFW_DROP and APPFW_RESET policy actions.
[ NSHELP-21283 ]
- A Citrix ADC appliance might crash when APPFW_DROP and APPFW_RESET are used as Web App Firewall policy actions.
[ NSHELP-21220 ]
- The Citrix ADC appliance might crash because of memory failure if the Citrix Web App Firewall feature is enabled.
[ NSHELP-21201 ]
- A Citrix ADC appliance might crash because of memory allocation failure.
[ NSHELP-21071 ]
- A Citrix ADC appliance might crash if the signature feature is enabled and a specific request pattern is detected.
[ NSHELP-20884 ]
- A Citrix ADC appliance resets the connection if an incoming GWT request has a query string in the URL.
[ NSHELP-20564 ]
- After an upgrade from build 12.0-58.15 to 12.0-62.8, the URL transformation feature is not working for some URLs. The issue is caused by incorrect canonicalization when rewriting URLs.
[ NSHELP-20460 ]
- In a high availability setup, enabling IP reputation feature might result in high availability command propagation failures.
[ NSHELP-20010 ]
- A Citrix ADC appliance might crash if you use a slow FTP/HTTP server to download signatures and if the download time is more than 10 minutes.
[ NSHELP-18331 ]
Clustering
- When you execute the show techsupport -scope cluster command, the following error is displayed for all the Citrix ADC SDX appliances:
"This is a low bandwidth instance"
[ NSHELP-20666 ]
Load Balancing
- The Citrix ADC appliance might crash during GSLB synchronization. This issue occurs when the "set gslb service" command is executed on a non-existent GSLB service.
[ NSHELP-21304 ]
- After connection failover, when the secondary appliance becomes the new primary appliance, packet loss is observed.
[ NSHELP-21155 ]
- When you execute the "set service" command, the following error message is displayed:
"IP Address cannot be set on a domain based server."
This error message is displayed when the server is configured with a name greater than 32 characters.
[ NSHELP-20939 ]
- The Citrix ADC appliance might crash intermittently if device watchdog request (DWR) probing is enabled for the Policy and Charging Rules Function (PCRF), and the PCRF becomes unreachable.
[ NSHELP-20827 ]
- For a GSLB setup in a cluster, when you run the "set rpcnode" command, the source IP address of an RPC node changes to the NSIP address. Therefore, GSLB uses the NSIP address instead of the SNIP address when initiating a MEP connection.
[ NSHELP-20552 ]
- In a cluster setup, when you execute the "unset lb vserver test -redirectFromPort" command, the HTTP redirect port for load balancing virtual server does not get cleared from the database.
[ NSHELP-20518 ]
- The Citrix ADC appliance might crash when persistence is enabled in the IPv6 high availability setup.
[ NSHELP-20219 ]
Networking
- The CLI of a Citrix ADC appliance displays unwanted debug messages when the appliance processes IPv6 fragmented packets.
[ NSNET-12704 ]
- A Citrix ADC BLX appliance with DPDK support fails to start and dumps core if DPDK is misconfigured (for example, if hugepages are not configured) on the Linux host.
For more information on configuring DPDK on a Linux host for a Citrix ADC BLX appliance, see https://docs.citrix.com/en-us/citrix-adc-blx/13/deploy-blx-dpdk.html
[ NSNET-11349 ]
- A Citrix ADC BLX appliance fails to start because of DPDK misconfiguration (for example, if hugepages are not configured) on the Linux host. You need to run the start command (systemctl start blx) twice to start the Citrix ADC BLX appliance.
[ NSNET-11107 ]
- The "sh IP BGP summary" command on the VTYSH command line incorrectly displays 32-bit ASN values as negative values.
[ NSHELP-21234 ]
- On a Citrix ADC appliance, management connections to IPv6 Subnet IP addresses might get reset when you perform the clear config basic operation.
[ NSHELP-21206 ]
- During the set partition operation, the maximum memory of the partition is now increased up to NS_SYS_MEM_FREE() only. Earlier, it was increased up to the maximum memory available so that the configured partition is not lost after rebooting the Citrix ADC appliance.
[ NSHELP-21159 ]
- The Citrix ADC appliance fails to install an Intermediate System to Intermediate System (IS-IS) next hop because of missing authentication (AUTH) information in received large Link State PDUs (LSPs).
[ NSHELP-21062 ]
- The BGP daemon might display duplicate warning messages for a route removed from the Citrix ADC routing table.
[ NSHELP-20906 ]
- After a system restart, the Citrix ADC appliance advertises routes with a reduced metric for 180 seconds.
[ NSHELP-20842 ]
- The Citrix ADC appliance might not update ECMP routes properly when multiple BGP sessions go to the "DOWN" state simultaneously.
[ NSHELP-20664 ]
- The Citrix ADC appliance might skip policy-based routing (PBR) rules for outgoing monitor packets of type UDP and ICMP.
[ NSHELP-20545 ]
NSSWG
- In a compound URLSet expression such as .URLSET_MATCHES_ANY(URLSET1 || URLSET2), the "Urlset Matched" field in an AppFlow record reflects only the state of the last evaluated URLSet. For example, if the requested URL belongs only to URLSET1, the URLSet Matched field is set to 0, although the URL belongs to one of the URLSets: URLSET1 sets the URLSet Matched field to 1, but URLSET2 then sets it back to 0.
[ NSSWG-1100 ]
- URL filtering categorization fails if an incoming URL has a double slash after the domain name, for example, www.example.com//index.html. The "http://" scheme is prepended to the URL.
[ NSSWG-1082 ]
- The following behavior is observed in a Citrix ADC appliance and Citrix Gateway:
- Citrix ADC appliance might become unresponsive when deployed as a proxy and SSO is enabled for the back-end applications.
- The same behavior is observed in Citrix Gateway with outbound proxy configuration.
[ NSHELP-21437 ]
Platform
- When you warm reboot the Citrix ADC VPX appliance, the subscription licenses might be lost under the following conditions:
- Using Elastic Network Adapter (ENA) based AWS instance types: C5, C5n, M4, and M5.
- Enabling ENA interface on existing supported AWS instances.
[ NSPLAT-13467 ]
- Tx stalls can occur on Citrix ADC MPX appliances that use 10G IXGBE ports and Citrix ADC SDX appliances that use 10G IXGBEVF ports.
[ NSPLAT-13338 ]
- Title: Support for new Citrix ADC SDX hardware platforms
This release now supports the following new platforms:
- Citrix ADC SDX 15000. For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-15000.html
- Citrix ADC SDX 26000. For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-26000.html
- Citrix ADC SDX 26000-50S. For more information, see https://docs.citrix.com/en-us/citrix-hardware-platforms/sdx/hardware-platforms/sdx-26000-50s.html
[From Build 51.10]
[ NSPLAT-12815 ]
- After upgrading Citrix ADC SDX 8900 and SDX 15000 50G appliances to version 11.1 63.9, 10G NICs do not appear on the appliances. This issue prevents the VPX instances from booting up. As a result, the instances become unreachable.
[ NSPLAT-12093 ]
- In a cluster setup, when the 50G port of an MPX 15000 appliance is configured as part of the backplane, the MTU of the 50G port is set to zero instead of 1578.
[ NSHELP-21113 ]
- In some cases, when you restart one or more VPX instances on a Citrix ADC SDX appliance containing Fortville NICs, LACP on the interfaces might go to the 'defaulted' state.
[ NSHELP-21091 ]
- In some cases, the SDX 14000 appliance might become unresponsive and needs a reboot.
[ NSHELP-21017 ]
- In a VPX deployment on the Cisco CSP 2100 platform, packets might occasionally get dropped when more than one virtual function (VF) is created out of the physical network interface card (pNIC).
[ NSHELP-20991 ]
- A Tx stall might be observed on appliances that contain Fortville interfaces if a packet spans more than eight descriptors. The stall might cause the interface to go into the error-disabled state.
[ NSHELP-20800 ]
Policies
- The Citrix ADC appliance now allows all string and character literals, including those that contain binary characters. However, the UTF-8 character set still requires string and character literals to be valid UTF-8.
Previously, the appliance allowed only valid UTF-8 string and character literals, for both the UTF-8 and the binary (ASCII) character sets. This rejected some binary string and character literals, which meant that some valid expressions related to binary content could not be written.
Example:
CLIENT.TCP.PAYLOAD(100).CONTAINS("\xff\x02")
[ NSPOLICY-2362 ]
- A Citrix ADC appliance might crash if network buffers run low while it is rewriting chunked data.
[ NSHELP-20847 ]
SSL
- In some cases, the following appliances might crash while running SSL traffic:
- MPX 59xx
- MPX/SDX 89xx
- MPX/SDX 26xxx
- MPX/SDX 26xxx-50S
- MPX/SDX 26xxx-100G
- MPX/SDX 15xxx-50G
[ NSSSL-7606 ]
- Policy-based client authentication with mandatory certificate verification fails if client authentication with optional client-certificate is also configured on the virtual server.
[ NSHELP-21190 ]
- For SNI-enabled sessions, the ADC appliance can control how the host header is validated. A new parameter, SNIHTTPHostMatch, is added to the SSL profile and the SSL global parameters to give better control over this validation. This parameter can take three values: CERT, STRICT, and NONE. SNI must be enabled on the SSL virtual server or on the profile bound to the virtual server, and the HTTP request must contain the host header.
[ NSHELP-13370 ]
System
- Analytics reports do not appear on the Citrix ADM GUI if you:
1. Install ADM 12.1.52.15 or later.
2. Select Logstream transport mode to configure analytics on instances.
[ NSHELP-21618 ]
- A Citrix ADC appliance does not reset HTTP/2 streams on a client connection with an HTTP/2 RST_STREAM after an idle timeout.
[ NSHELP-21537 ]
- A client connection becomes unresponsive if you enable multiplexing in an HTTP/2 profile on a Citrix ADC appliance.
[ NSHELP-21434 ]
- A Citrix ADC appliance does not forward a response to the client if it contains both trailer and content-length headers.
[ NSHELP-21427 ]
- A Citrix ADC appliance might crash if there is a memory allocation failure for HTTP/2 secure monitor.
[ NSHELP-21400 ]
- A Citrix ADC appliance might crash if appQoE action fails.
[ NSHELP-21393 ]
- An HTTP transaction might fail if a Citrix ADC appliance sends an HTTP/2 request with multiple cookie name-value pairs to the back-end server.
[ NSHELP-21373 ]
- A Citrix ADC appliance might crash if it receives an HTTP/1.1 request with an HTTP/2.0 version in it. For any client request with an HTTP/2.0 version, the appliance considers it as an HTTP/2.0 request and processes it. This leads to a crash.
[ NSHELP-21187 ]
- A Citrix ADC appliance might crash if Appflow Client-Side Measurements is enabled when serving large HTTP responses.
[ NSHELP-21099 ]
- In a cluster setup, the Citrix ADC appliance might crash for a new MPTCP connection, if the 4 tuples are reused with a different MPTCP key before the original connection has timed out on the Citrix ADC appliance.
[ NSHELP-20844 ]
- The FTP data connection in passive mode becomes unresponsive during MAC mode transparent virtual server deployment.
[ NSHELP-20698 ]
- Memory usage increases if you enable proxy protocol and if retransmission occurs because of network congestion.
[ NSHELP-20613 ]
- The show connectiontable command displays a few entries that do not satisfy the mentioned filter in the following conditions:
- Command is run under high traffic.
- Command is used with an IP or port filter.
[ NSBASE-9509 ]
User Interface
- The Citrix ADC pooled capacity licensing might fail if latency is high between ADC and ADM. This issue occurs if latency is greater than 200 ms.
The Citrix ADC licensing client repeatedly attempts to check out the licenses from ADM. In a high availability or cluster setup, licensing configurations are unnecessarily reapplied whenever synchronization is triggered. Propagation and synchronization of the pooled licensing commands are disabled, so each node must be licensed independently by logging in to the NSIP address of that node. You can execute only show commands on the cluster IP address.
[ NSUI-14868 ]
- After upgrading to build 12.1-55.x, the appliance might boot up unlicensed if pool licensing is configured. As a result, all the features are disabled and any configuration that is license dependent is missing in the running configuration. Perform a warm reboot to restore the pool license and the configuration.
Caution: Do not run "save config" or force an HA failover on an unlicensed appliance.
[ NSUI-7869 ]
- You can now set client authentication to optional, in the SSL parameters of a virtual server, using the GUI. Earlier, client authentication changed to mandatory if you used the GUI to change any SSL parameters.
[ NSHELP-21060 ]
- KeyError exceptions are observed if the count query is not working in a Citrix ADC appliance.
[ NSHELP-20979 ]
- You cannot search for an entity using the search filter in the ADC GUI if the entity name contains a space.
[ NSHELP-20506 ]
- Role based authentication (RBA) does not allow group names to start with "#" character.
[ NSHELP-20266 ]
- During a partition deployment, a partitioned appliance might crash if you run the "uiinternal" commands and then "clear config" in the default partition.
[ NSHELP-20247 ]
- In certain scenarios, the user name (specified with a "%u" character) in the prompt string does not display correctly.
[ NSHELP-19991 ]
- The Citrix ADC command interface and the GUI do not display the system time parameter setting for a few SNMP alarms.
[ NSHELP-19958 ]
- You cannot retrieve a backup file using the NetScaler GUI if the file name is from 61 to 63 characters long even though the maximum limit is 63 characters.
[ NSHELP-11667 ]
- The Citrix Gateway appliance sends duplicate RADIUS access-requests to the RADIUS authentication service for each logon to the appliance.
[ NSHELP-11148 ]
Known Issues
The issues that exist in release 13.0-52.24.
Authentication, authorization, and auditing
- A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
[ NSHELP-563 ]
- The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
[ NSAUTH-6106 ]
- An ADFS proxy profile can be configured in a cluster deployment, but the status of the proxy profile is incorrectly displayed as blank when you issue the following command:
"show adfsproxyprofile"
Workaround: Connect to the primary active Citrix ADC in the cluster and issue the "show adfsproxyprofile" command. It displays the proxy profile status.
[ NSAUTH-5916 ]
Citrix Gateway
- In a Citrix Gateway double hop high availability setup, the ICA connection might be lost after an HA failover.
Workaround: Change the FQDN to the IP address of the next hop server.
[ NSHELP-22444 ]
- In a Citrix Gateway high availability setup, the secondary node might crash during a failover if syslog is configured.
[ NSHELP-22438 ]
- The Citrix Gateway appliance might crash intermittently if a syslog policy is configured.
[ NSHELP-22304 ]
- Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.
[ NSHELP-21897 ]
- In case a Citrix ADC appliance is configured for nFactor authentication, upon RADIUS authentication failure, the Citrix ADM appliance incorrectly displays the failed authentication type as "LDAP".
[ NSHELP-20440 ]
- The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.
[ CGOP-13584 ]
- The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual App and Desktops (formerly Citrix XenApp and XenDesktop).
Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
[ CGOP-13532 ]
- In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
[ CGOP-13511 ]
- In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
[ CGOP-7269 ]
Networking
- After you restart the Citrix ADC appliance, the internal transport layer service might get unregistered. As a result, any transport protocol service request on the appliance fails.
[ NSNET-15252 ]
- The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
ERROR: Operation timed out
ERROR: Communication error with the packet engine
[ NSNET-4312 ]
- In a high availability setup, one of the Citrix ADC appliances might crash if you perform In Service Software Upgrade (ISSU) from Citrix ADC software version 13.0 47.24 or previous, to a later version.
[ NSHELP-21701 ]
- In a cluster setup with retainConnectionsOnCluster option enabled, a cluster node might crash when it receives fragmented packets followed by non-fragmented packets.
[ NSHELP-21674 ]
- When the Citrix ADC appliance is cleaning up a large number of server connections as part of a remove command, the Pitboss process might restart. This Pitboss restart might cause the ADC appliance to crash.
[ NSHELP-136 ]
Platform
- The Health Monitoring alarm misrepresents PSU numbering. When the power supply cable is disconnected from PSU-1, health monitoring sends an incorrect alarm that PSU-2 has failed.
[ NSPLAT-4985 ]
Policies
- Connections might hang if the size of processing data is more than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.
[ NSPOLICY-1267 ]
- A rewrite action of the insert_after type might not work with an HTTP chunked or FIN-terminated response.
[ NSHELP-22743 ]
SSL
- Update command is not available for the following add commands:
- add azure application
- add azure keyvault
- add ssl certkey with hsmkey option
[ NSSSL-6484 ]
- You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.
[ NSSSL-6478 ]
- You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.
[ NSSSL-6213 ]
- The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:
ERROR: crl refresh disabled
[ NSSSL-6106 ]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
[ NSSSL-4427 ]
- An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
[ NSSSL-4001 ]
- In rare cases, the Citrix ADC appliance might crash due to missed heartbeats.
[ NSHELP-21593 ]
- In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
[ NSHELP-13466 ]
System
- A Citrix ADC appliance might crash during deployment if the following conditions are observed:
- Multipath TCP (MPTCP) is enabled with MBF and PMTUD
- MPTCP traffic is received and the response causes ICMP Fragmentation Needed error.
[ NSHELP-22418 ]
- A Citrix ADC appliance might crash if the following conditions are observed:
- Flash Cache is enabled.
- The client connection is reset.
- A client request is in the queue waiting to be serviced as part of the caching process.
[ NSHELP-21872 ]
- High memory usage is observed if you enable the HTTP/2 feature and a large file (one GB or larger) is downloaded. The issue occurs with slow clients, because the downloaded data is buffered, leading to excessive resource utilization.
[ NSHELP-20531 ]
User Interface
- The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge Connector.
Workaround: Configure CloudBridge Connectors by adding IPSec profiles, IP tunnels, and PBR rules using the Citrix ADC GUI or CLI.
[ NSUI-13024 ]
- When you use the scroll bar in the Syslog dashboard in Citrix ADC GUI, the page either scrolls fast or displays whitespace.
[ NSHELP-21267 ]
- If you (the system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance:
1. Upgrade the Citrix ADC appliance to the 13.0 52.24 build.
2. Add a system user, or change the password of an existing system user, and save the configuration.
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of these system users by using the CLI:
At the command prompt, type:
query ns config -changedpassword [-config]
Workaround:
To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance has not yet been downgraded (step 3 above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for the other system users.
- If neither of the above options works, a system administrator can reset the system user passwords. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
[ NSCONFIG-3188 ]