Release Notes for Citrix ADC 13.0-61.48 Release

These release notes describe the enhancements and changes, and the fixed and known issues, for Citrix ADC release Build 13.0-61.48.

Notes

What's New

The enhancements and changes that are available in Build 13.0-61.48.

Authentication, authorization, and auditing

  • Title: Rate limiting for Citrix Gateway

    The rate limiting feature for Citrix Gateway enables you to define the maximum load for a given network entity or virtual entity on the Citrix Gateway appliance. Since the Citrix Gateway appliance consumes all the unauthenticated traffic, the appliance is often exposed to process requests at a high rate. The rate limiting feature enables you to configure the Citrix Gateway appliance to monitor the rate of traffic associated with an entity and take preventive action, in real time, based on the traffic.
    [ NSAUTH-7250 ]

Citrix Gateway

  • Title: Additional language support

    The Citrix Gateway user portal and the Citrix Gateway plug-in for Windows are now available in the Italian and Portuguese (Brazil) languages.
    [ CGOP-13689 ]

Citrix Web App Firewall

  • Title: Enhanced configuration support for Citrix ADC bot management

    The Citrix ADC bot management configuration is now enhanced as a Citrix ADC CLI-based bot management configuration for easier maintenance and support. After you upgrade your appliance from an older version, you must first manually convert the existing bot configuration to the Citrix ADC CLI-based bot configuration.
    [ NSWAF-4980 ]
  • Title: Support for XML external entities (XXE) attack protection

    The Citrix ADC Web App Firewall mitigates XML external entities (XXE) attacks by examining whether an incoming payload contains any unauthorized XML input entities outside the trusted domain, and by blocking the request if the “inferred” content-type in the HTTP headers does not match the content-type of the body. An XXE attack is possible if the application's XML parser is weak and resolves references to external entities contained in the XML payload.

    Following are some of the potential threats that the Citrix ADC Web App Firewall mitigates using XML external entity (XXE) attack protection:
    * Confidential data leaks
    * Denial-of-service (DoS) attacks
    * Server-side request forgery (SSRF)
    * Port scanning
    [ NSWAF-4923 ]
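The two checks described above, content-type inference versus the declared header and detection of entity declarations that point outside the document, as an added example that is not Citrix code and does not reflect how the appliance implements them. It uses Python's expat parser in a declaration-only mode (the reference handler never fetches anything); the request bodies, entity names and URIs are constructed for the example.

```python
import xml.parsers.expat
from xml.parsers.expat import ExpatError

# Constructed sample request bodies (not from the release note)
XXE_BODY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE order [\n'
    b'  <!ENTITY xxe SYSTEM "file:///tmp/constructed-sample.txt">\n'
    b'  <!ENTITY % remote SYSTEM "http://dtd.example/constructed.dtd">\n'
    b']>\n'
    b'<order><item>&xxe;</item></order>'
)
CLEAN_BODY = b'<?xml version="1.0"?><order><item>widget</item></order>'
JSON_BODY = b'{"order": {"item": "widget"}}'

XML_TYPES = {"text/xml", "application/xml"}


def media_family(content_type):
    """Reduce a Content-Type header value to a coarse family: xml, json, form or other."""
    media = content_type.split(";", 1)[0].strip().lower()
    if media in XML_TYPES or media.endswith("+xml"):
        return "xml"
    if media == "application/json" or media.endswith("+json"):
        return "json"
    if media == "application/x-www-form-urlencoded":
        return "form"
    return "other"


def inferred_family(body):
    """Sniff the body itself, independent of what the header claims."""
    head = body.lstrip()[:1]
    if head == b"<":
        return "xml"
    if head in (b"{", b"["):
        return "json"
    return "form"


def external_entities(body):
    """Return (name, uri) for every entity declaration that points outside the document.
    Declarations are only collected; the reference handler below never resolves them."""
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found.append((name, system_id or public_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    # Returning 1 tells expat the reference was handled; nothing is fetched.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 1
    parser.Parse(body, True)
    return found


def inspect_xml_request(content_type, body):
    """Decide whether a request should be blocked and say why: a header/body
    content-type mismatch, an unauthorized external entity, or unparsable XML."""
    reasons = []
    declared, inferred = media_family(content_type), inferred_family(body)
    if declared != inferred:
        reasons.append(f"content-type mismatch: header says {declared}, body looks like {inferred}")
    if inferred == "xml":
        try:
            for name, uri in external_entities(body):
                reasons.append(f"external entity {name!r} -> {uri}")
        except ExpatError as exc:
            reasons.append(f"malformed XML: {exc}")
    return {"blocked": bool(reasons), "reasons": reasons}
```

The body is sniffed before the header is trusted because a client controls both; a JSON body sent under an XML content-type (or the reverse) is exactly the mismatch the note describes, and it is reported even when the XML itself is harmless.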
  • Title: Support for a custom signature pattern for non-default content-type requests

    The Citrix ADC Web App Firewall (WAF) now supports a new location to inspect canonicalized content. By default, WAF does not block encoded payloads with non-default content types. When these content types are whitelisted and no configured action is applied, the SQL injection and cross-site scripting protection checks do not filter SQL injection or cross-site scripting attacks in the encoded payloads. To resolve the issue, you can create a custom signature rule with the new location (HTTP_CANON_POST_BODY) that examines the encoded payloads for non-default content types; if a SQL injection or cross-site scripting attack is found, the traffic is blocked after canonicalization of the POST body.
    [ NSWAF-4576 ]
  • Title: Cookie hijack protection

    Cookie hijacking is a security attack in which a user session is hijacked by an attacker to gain unauthorized access to a web application. When a user browses a website, for example, a banking application, the website establishes a session with the browser. The web application allocates session cookies for this session and sends them, along with other user-attribute cookies, in the response. During the session, the browser saves these cookies in a cookie file. An attacker can steal these cookies either manually from the browser's cookie store or through a rogue browser extension, and then use them to gain access to the user's web application sessions.

    To mitigate a cookie hijacking attack, the Citrix ADC Web App Firewall challenges the TLS connection from the client and also performs cookie consistency validation. For every new client request, the appliance validates the TLS connection and checks the consistency of application and session cookies in the request. If an attacker tries to mix and match an application cookie or a session cookie stolen from the victim, the cookie consistency validation fails and the appliance applies the corresponding cookie hijacking action.
    [ NSWAF-4311 ]
  • Title: Bot Transactions Per Second (TPS) detection technique

    Transactions Per Second (TPS) is a bot detection technique that identifies incoming traffic as a bot if the number of requests per second (RPS) and the percentage increase in RPS both exceed the configured threshold values. By implementing this detection technique, you can protect your web applications from automated bots.

    Note: The bot technique detects incoming traffic as a bot only if both parameters are configured and both values exceed their threshold limits.
    [ NSWAF-2961 ]
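The decision rule in the note above, requests per second and percentage increase both configured and both exceeded, as an added example that is not Citrix code and does not reflect the appliance's internal implementation. The traffic sample is constructed: ten requests per second for three seconds followed by a 60-request burst; the treatment of traffic that follows a silent second as an unbounded increase is this example's assumption.

```python
import math
from collections import Counter


def per_second_counts(timestamps):
    """Bucket request arrival times (seconds, float) into whole-second counts,
    including empty seconds so that gaps count as zero traffic."""
    if not timestamps:
        return []
    buckets = Counter(math.floor(t) for t in timestamps)
    first, last = min(buckets), max(buckets)
    return [(sec, buckets.get(sec, 0)) for sec in range(first, last + 1)]


def percent_increase(previous, current):
    """Percentage growth from one second to the next. Traffic appearing after a
    silent second is treated as an unbounded increase (assumption of this example)."""
    if previous == 0:
        return math.inf if current > 0 else 0.0
    return (current - previous) / previous * 100.0


def detect_tps_bot(timestamps, rps_threshold=None, pct_threshold=None):
    """Return the seconds flagged as bot traffic. A second is flagged only when both
    thresholds are configured and both the RPS and the percentage increase exceed
    them, which is the condition stated in the note."""
    if rps_threshold is None or pct_threshold is None:
        return []  # technique is inactive unless both parameters are set
    flagged = []
    previous = 0
    for sec, rps in per_second_counts(timestamps):
        increase = percent_increase(previous, rps)
        if rps > rps_threshold and increase > pct_threshold:
            flagged.append(sec)
        previous = rps
    return flagged


# Constructed traffic: 10 requests/s for seconds 0-2, then a 60-request burst in second 3
SAMPLE_TRAFFIC = [s + i / 10 for s in range(3) for i in range(10)] + [3 + i / 60 for i in range(60)]
```

With thresholds of 50 RPS and a 200% increase, only second 3 is flagged: second 0 shows an unbounded increase but its 10 RPS is below the rate threshold, which is why the two parameters together reduce false positives on a busy site whose rate is simply high.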

Load Balancing

  • Title: Proactively checking expiry of DNS records before serving from the cache

    Support is now added to check expiry of DNS records before serving from the cache.

    During scale down, when the application containers are brought down, orchestration platforms update the DNS by removing the decommissioned container's IP addresses. If the DNS record TTL is configured in seconds, the DNS record might not be cleared from the Citrix ADC appliance cache as soon as its TTL expires. In this scenario, if a user attempts to resolve the application domain through the cache, the decommissioned IP addresses are served. Once the IP addresses are decommissioned, the IP addresses can be either made invalid or assigned to other resources in the environment.

    If the IP address is not reachable, the application might fail to launch if retry is not built into the application. If retry is built into the application, then the application can try the other IP addresses in the DNS record. These actions add a delay in launching the application.

    To avoid these delays, support is added to check expiry of DNS records before serving from the cache.
    [ NSLB-6340 ]
  • Title: Rate limiting negative responses served by the Citrix ADC appliance

    You can now set a threshold for negative responses served from the cache by the Citrix ADC appliance. When the threshold is set, the appliance serves the response from the cache until the threshold is reached. After the threshold is reached, the appliance drops the requests instead of responding with an NXDOMAIN response. Setting a rate limit for negative responses has the following advantages:
    * Saves resources on the Citrix ADC appliance.
    * Limits malicious queries for non-existent domain names.
    [ NSLB-6339 ]
  • Title: Support for bailiwick check in DNS-based monitors

    Bailiwick check is now supported for DNS-based monitors to detect cache poisoning attacks.
    [ NSLB-6334 ]
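What a bailiwick check does, as an added example that is not Citrix code and does not describe how the ADC monitor is implemented: records in a response are accepted only if their owner name lies at or below the zone the responding server was queried for, so a reply cannot plant records for unrelated names in the cache. The response below is constructed; the names use reserved example domains.

```python
def normalize(name):
    """Lower-case a DNS name and strip the trailing dot; the root becomes ''."""
    return name.rstrip(".").lower()


def in_bailiwick(owner, zone):
    """True if owner is the zone itself or lies below it. Label boundaries matter:
    'evilexample.com' is not under 'example.com'."""
    owner, zone = normalize(owner), normalize(zone)
    if zone == "":  # root zone: everything is in bailiwick
        return True
    return owner == zone or owner.endswith("." + zone)


def bailiwick_filter(query_zone, records):
    """Split a response into records a resolver may cache and records that must be
    dropped because the responding server is not authoritative for them."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(rr["name"], query_zone) else rejected).append(rr)
    return accepted, rejected


# Constructed reply from a server asked about www.example.com by a resolver that is
# following the delegation for example.com. The last additional record is out of
# bailiwick: a server for example.com has no authority over example.net names.
SAMPLE_RESPONSE = [
    {"section": "answer", "name": "www.example.com.", "type": "A", "data": "192.0.2.10"},
    {"section": "authority", "name": "example.com.", "type": "NS", "data": "ns1.example.com."},
    {"section": "additional", "name": "ns1.example.com.", "type": "A", "data": "192.0.2.53"},
    {"section": "additional", "name": "ns.example.net.", "type": "A", "data": "203.0.113.9"},
]
```

A monitor applying this check treats a DNS service as unhealthy when its reply carries out-of-bailiwick records, which is the signature of a poisoning attempt rather than of a normal glue record.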
  • Title: Support for stronger algorithms for DNS keys

    The Citrix ADC appliance now supports stronger crypto algorithms, such as RSASHA256 and RSASHA512, to sign a DNS zone. Previously, only the RSASHA1 algorithm was supported.
    [ NSLB-4947 ]

Miscellaneous

  • Title: Support for caching of token

    With this enhancement, the access token obtained from the endpoints can be cached for subsequent requests. The token caching support enhances the performance of the API.
    [ NSAPISEC-479 ]

Networking

  • Title: Cluster support for VPX public cloud and VPX Express license

    Clustering is now available in Standard edition for VPX public cloud, and in VPX Express license.
    [ NSNET-14779 ]

Platform

  • Title: Support for Citrix ADC VPX - 1 Gbps licensing on Google Cloud Marketplace

    The following license types are now supported for the VPX 1000 model on Google Cloud Marketplace:
    - Citrix ADC VPX Standard Edition - 1 Gbps
    - Citrix ADC VPX Advanced Edition - 1 Gbps
    - Citrix ADC VPX Premium Edition - 1 Gbps
    [ NSPLAT-15311 ]

SSL

  • Title: Support for the complete domain name in Azure key vault

    A new parameter, vaultResource, is added to the “add azure application” command. This parameter fetches the domain of the resource group based on the regions before the access token is granted to the application. For example, the domain could be vault.azure.net or vault.usgov.net.
    Also, the parameter “azureVaultName” in the “add azure keyVault” command is modified to include the complete domain name instead of just the vault name. For example, the user now has to enter “example.vault.azure.net” or “example.vault.usgov.net” instead of just “example”. Previously, the user entered only the vault name and the ADC appliance appended the domain name.
    [ NSSSL-8189 ]
  • Title: Support for Extended Master Secret in SSL handshake on Citrix ADC platforms

    Extended Master Secret (EMS) is an optional extension to the Transport Layer Security (TLS) protocol. To support EMS on the Citrix ADC appliance, a parameter "allowExtendedMasterSecret" is added that applies to both frontend and backend SSL profiles. If the parameter is enabled and the peer supports EMS, the ADC appliance uses the EMS calculation. If the peer does not support EMS, then the EMS calculation is not used for the connection even though the parameter is enabled on the appliance. For more information about EMS, see RFC 7627.

    ADC platforms that support EMS:
    - MPX and SDX platforms containing either Cavium N3 chips or Intel Coleto Creek crypto cards. The following platforms ship with Intel Coleto chips:
      - MPX 5900
      - MPX/SDX 8900
      - MPX/SDX 26000
      - MPX/SDX 26000-50S
      - MPX/SDX 26000-100G
      - MPX/SDX 15000-50G
      You can use the “show hardware” command to identify whether your appliance has Coleto (COL) or N3 chips.
    - MPX and SDX platforms without crypto cards (software-only).
    - Software-only platforms: VPX, CPX, and BLX.

    EMS cannot be enabled on the following platforms:
    - FIPS platforms.
    - MPX and SDX platforms containing Cavium N2 (PX) crypto chips.

    The parameter is disabled by default on the default frontend (ns_default_ssl_profile_frontend), default backend (ns_default_ssl_profile_backend), and any user-defined SSL profiles. However, it is enabled by default on the secure frontend (ns_default_ssl_profile_secure_frontend) SSL profile if the underlying platform type supports EMS.

    If the parameter is enabled, the ADC appliance attempts to use EMS in TLS 1.2, TLS 1.1 and TLS 1.0 connections. The setting does not affect TLS 1.3 or SSLv3 connections.
    [ NSSSL-7518 ]
  • Title: Support to detect the ALPN extension in the client hello message using an SSL policy

    A Citrix ADC appliance can now identify the protocols carried in the ALPN extension of the client hello message while parsing the message for policy evaluation. The rule to identify a protocol in the ALPN extension of the client hello message is “client.ssl.client_hello.alpn.has_nextprotocol(<protocol_name>)”. Associate a “forward” type SSL action with the policy to forward the packets to an SSL_TCP type virtual server. To negotiate the application protocol in the ALPN extension for the connections handled by the SSL_TCP virtual server, a parameter “alpnProtocol” is added to frontend SSL profiles. Supported values for the parameter are HTTP1.1, HTTP2, or NONE (default value). The protocol specified in the SSL profile is negotiated only if the same protocol is also received in the ALPN extension of the client hello message.
    Note: The "alpnProtocol" parameter is supported only on frontend SSL profiles and applies to the SSL connections handled by SSL_TCP type virtual servers. The maximum supported length of the ALPN extension for policy evaluation is 4096 bytes.
    Sample configuration to forward all requests containing HTTP2 protocol in the ALPN extension to an SSL_TCP virtual server v1:
    - add ssl action forward_stcp_v1 -forward v1
    - add ssl policy pol1 -rule "client.ssl.client_hello.alpn.has_nextprotocol(\"h2\")" -action forward_stcp_v1
    - bind ssl vserver VMain -policyName pol1 -priority 2 -type CLIENTHELLO_REQ

    To set the protocol in the frontend SSL profile, at the command prompt, type:
    - set ssl profile ns_default_ssl_profile_frontend -ALPNProtocol HTTP2
    [ NSHELP-21436 ]
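The parsing work behind the `has_nextprotocol` check above, as an added example that is not Citrix code: it walks a TLS record to the ClientHello's extensions, extracts the ALPN protocol-name list, and refuses to evaluate an ALPN extension longer than the 4096-byte limit quoted in the note. The `build_client_hello` helper constructs a minimal TLS 1.2 ClientHello (zeroed random, one cipher suite) purely so the example runs offline; the `has_nextprotocol` function is this example's name for the policy expression, not an ADC API.

```python
import struct

ALPN_EXT_TYPE = 0x0010   # IANA extension type for application_layer_protocol_negotiation
MAX_ALPN_LEN = 4096      # policy-evaluation limit quoted in the release note


def build_client_hello(protocols):
    """Constructed minimal TLS 1.2 ClientHello record carrying an ALPN extension
    listing `protocols` (byte strings such as b"h2"); no ALPN extension if empty."""
    exts = b""
    if protocols:
        alpn_list = b"".join(struct.pack("!B", len(p)) + p for p in protocols)
        alpn_data = struct.pack("!H", len(alpn_list)) + alpn_list
        exts += struct.pack("!HH", ALPN_EXT_TYPE, len(alpn_data)) + alpn_data
    body = (b"\x03\x03" + bytes(32)                  # client_version + zeroed random
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                            # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_alpn(record):
    """Return the ALPN protocol names offered in a ClientHello record, [] if the
    extension is absent, or None if the record is malformed, truncated, or the
    ALPN extension exceeds MAX_ALPN_LEN."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None
    pos = 2 + 32                                     # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # compression_methods
    if len(body) < pos + 2:
        return []                                    # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    exts = body[pos + 2:pos + 2 + ext_len]
    if len(exts) != ext_len:
        return None
    i = 0
    while i + 4 <= len(exts):
        etype, elen = struct.unpack("!HH", exts[i:i + 4])
        data = exts[i + 4:i + 4 + elen]
        i += 4 + elen
        if len(data) != elen:
            return None
        if etype != ALPN_EXT_TYPE:
            continue
        if elen < 2 or elen > MAX_ALPN_LEN:
            return None
        list_len = struct.unpack("!H", data[:2])[0]
        if list_len != elen - 2:
            return None
        names, j = [], 2
        while j < elen:
            n = data[j]
            j += 1
            if n == 0 or j + n > elen:
                return None                          # empty or overrunning name
            names.append(data[j:j + n].decode("ascii", "replace"))
            j += n
        return names
    return []


def has_nextprotocol(record, name):
    """Policy-style predicate: does the ClientHello offer `name` in its ALPN list?
    A malformed or oversized extension never matches."""
    names = parse_alpn(record)
    return names is not None and name in names
```

Every length field is checked against the bytes actually present before it is used, so a truncated or inconsistent ClientHello yields None (no match) rather than an out-of-range read; a policy built on this predicate fails closed for such records.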

System

  • Title: Proxy protocol support for HTTP/2 load balancing configuration

    A Citrix ADC appliance now supports proxy protocol for HTTP/2 load balancing configuration in addition to the existing support for TCP and HTTP traffic.

    Proxy protocol safely transports client details from the client to the server across Citrix ADC appliances. The appliance adds a proxy protocol header with the client details and forwards it to the back-end server. Following are some of the usage scenarios for proxy protocol on a Citrix ADC appliance:

    - Learning the original client IP address
    - Selecting a language for a website
    - Blacklisting selected IP addresses
    - Logging and collecting statistics

    For more information about proxy protocol, see https://docs.citrix.com/en-us/citrix-adc/13/system/proxy-protocol.html
    [ NSBASE-10516 ]
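What the back-end server does with the header the appliance prepends, as an added example that is not Citrix code: a strict parser for the text form of the proxy protocol (version 1, as published with HAProxy) and a receiver that honours the header only when the TCP peer is a known proxy. The version-1 text form, the trusted-proxy address and the sample connection bytes are assumptions of this example; the release note does not state which proxy protocol version the appliance emits.

```python
import ipaddress

PROXY_V1_MAX_LEN = 107  # longest valid v1 header including CRLF (TCP6 form)


class ProxyHeaderError(ValueError):
    """Raised when a peer that must send a PROXY header sends a malformed one."""


def parse_proxy_v1(data):
    """Parse a PROXY protocol v1 header at the start of data.
    Returns (client_info, payload) where payload is everything after the CRLF."""
    end = data.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end < 0:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    fields = data[:end].split(b" ")      # exactly one space between fields
    if fields[0] != b"PROXY":
        raise ProxyHeaderError("missing PROXY signature")
    payload = data[end + 2:]
    family = fields[1] if len(fields) > 1 else b""
    if family == b"UNKNOWN":
        return {"family": "UNKNOWN"}, payload   # addresses unavailable; keep the connection
    if family not in (b"TCP4", b"TCP6") or len(fields) != 6:
        raise ProxyHeaderError("bad family or field count")
    try:
        src = ipaddress.ip_address(fields[2].decode("ascii"))
        dst = ipaddress.ip_address(fields[3].decode("ascii"))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ProxyHeaderError(f"bad address: {exc}") from exc
    want = 4 if family == b"TCP4" else 6
    if src.version != want or dst.version != want:
        raise ProxyHeaderError("address family does not match declared family")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ProxyHeaderError("ports must be decimal")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("port out of range")
    return {"family": family.decode(), "src": str(src), "dst": str(dst),
            "src_port": sport, "dst_port": dport}, payload


def is_valid_proxy_v1(data):
    """Convenience predicate around parse_proxy_v1."""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


def client_address(peer_ip, data, trusted_proxies):
    """Resolve the real client for a connection as (ip, port, payload).
    The header is honoured only when the TCP peer is a trusted proxy (the ADC
    addresses, assumed here); from anyone else the peer itself is the client and
    the bytes are plain payload, so a client cannot spoof its own address."""
    if ipaddress.ip_address(peer_ip) not in trusted_proxies:
        return peer_ip, None, data
    info, payload = parse_proxy_v1(data)      # a trusted peer must send a valid header
    if info["family"] == "UNKNOWN":
        return peer_ip, None, payload
    return info["src"], info["src_port"], payload


# Constructed sample: the header as a proxy would prepend it, followed by the HTTP request
TRUSTED_PROXIES = {ipaddress.ip_address("198.51.100.1")}
SAMPLE_CONNECTION = (b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 443\r\n"
                     b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n")
```

The trusted-peer check is the security-relevant part: the header carries the client address as plain text, so a server that accepts it from any peer lets any client choose the address that ends up in access logs and blacklist decisions.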

User Interface

  • Title: HTTP2 Statistics on Citrix ADC Dashboard GUI

    The Citrix ADC Dashboard GUI now displays statistical data for the HTTP2 protocol in tabular and graphical formats.
    [ NSUI-15457 ]
  • Title: Desired State API support in cluster

    The Desired State API for service group membership changes is now supported in Citrix ADC cluster deployment.
    [ NSCONFIG-1493 ]
  • Title: Command line interface through SSH for Citrix ADC BLX appliances

    A Citrix ADC BLX appliance now supports the command line interface (CLI), which you can use to run ADC CLI commands to configure ADC features on the appliance.

    You can remotely access the CLI through a secure shell (SSH) from a workstation.

    The following list shows the IP address and port on which the Citrix ADC CLI is available through SSH:

    - Citrix ADC BLX appliance deployed in shared mode: <Linux host IP address>:9022
    - Citrix ADC BLX appliance deployed in dedicated mode: <Citrix ADC IP address (NSIP)>:22

    For more information about Citrix ADC BLX CLI, see https://docs.citrix.com/en-us/citrix-adc-blx/13/configure-blx.html
    [ NSCONFIG-1180 ]

Fixed Issues

The issues that are addressed in Build 13.0-61.48.

Authentication, authorization, and auditing

  • Users cannot add a new account on Citrix Workspace app (CWA) when both of the following conditions are met:
    * The Citrix ADC appliance is configured for nFactor flow.
    * The appliance is configured as a SAML SP or OAuth RP.
    [ NSHELP-23907 ]
  • In certain scenarios, authentication fails for custom login schemas.
    [ NSHELP-22929 ]
  • The _AltEmailRegister.xml_ login schema used for alternate email ID registration does not work as intended.
    [ NSHELP-22912 ]
  • In a cluster setup, a Citrix ADC appliance might crash in certain cases while authenticating a user.
    [ NSHELP-22871 ]
  • The Citrix ADC GUI does not display the ADFS server logon page content properly.
    [ NSHELP-22594 ]
  • In a cluster setup, if the "set authentication radiusAction" command is run, the Citrix ADC appliance specifies the network access server (NAS) IP address as 0.0.0.0 in access-requests sent to the RADIUS server.
    [ NSHELP-22580 ]
  • In rare cases, a Citrix ADC appliance dumps core when classic pre-authentication EPA policies are used in combination with nFactor advanced authentication policies.

    Citrix recommends migrating EPA to a factor in the nFactor authentication flow.
    [ NSHELP-22553 ]
  • In extremely rare cases, a Citrix ADC appliance configured as Identity Provider (IdP) to a load balancing virtual server might crash after successful authentication.
    [ NSHELP-22528 ]
  • In some cases, a Citrix ADC appliance dumps core because of memory corruption while performing form-based SSO authentication.
    [ NSHELP-22488 ]
  • In rare cases, when the metadataUrl parameter is used in the samlIdPProfile command, a Citrix ADC appliance dumps core while releasing the client connection.
    [ NSHELP-22440 ]
  • In rare cases, a virtual server configured with front-end NTLM authentication causes the Citrix ADC appliance to dump core.
    [ NSHELP-22372 ]
  • A Citrix ADC appliance dumps core if the following conditions are met:
    * The appliance is configured for form-based SSO.
    * The appliance memory runs out for the AppSecure pool.
    [ NSHELP-22096 ]
  • You cannot access the Citrix ADC management console through the GUI when special characters are used in the "nsroot" password.
    [ NSHELP-21630 ]

Citrix ADC SDX Appliance

  • SDX 26000-100G and SDX 15000-50G appliances might take longer to upgrade. As a result, the system might display the message “The Management Service could not come up after 1 hour 20 minutes. Contact the administrator.”
    [ NSSVM-3018 ]
  • The Citrix ADC SDX UI might be inaccessible after you try to upgrade to release 13.0-58.30. If this occurs, perform the following steps:
    1. SSH to the SVM IP address using the “nsrecover” credentials.
    2. At the shell prompt, type “svmd stop” to stop all SVM processes.
    3. To verify that all SVM processes have stopped, type “ps -ax | grep svm”. To kill any running SVM processes, type “kill -9 <process-id of the running process>”.
    4. Edit the file /var/mps/mps_featurelist.conf.bak using the vi editor. Add “DisableMetricCollection” at the end of the file and save the file.
    5. Type “svmd start” to restart the SVM processes. The upgrade continues and the SDX UI is launched after approximately 30 minutes.
    [ NSHELP-23904 ]
  • The SDX GUI might not be accessible after you upgrade a Citrix ADC SDX appliance to release 12.1 build 56.x.
    [ NSHELP-23637 ]
  • A VPX instance hosted on a Citrix ADC SDX 15000-50G or SDX 26000 appliance is unreachable from the Management Service after you change some properties, such as description and host name.
    [ NSHELP-23491 ]
  • If the IP address of a Citrix ADC SDX appliance that is configured using pooled licensing is changed in SDX, the Citrix ADM managing the SDX appliance continues to show the old SDX IP address.
    [ NSHELP-23490 ]
  • You will receive email notifications for a few categories in the following scenarios:
    - Event configuration is suppressed on the Citrix ADC SDX appliance.
    - Event configuration is updated on the Citrix ADC SDX appliance.
    [ NSHELP-22701 ]
  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 56.x might timeout due to a latency in interprocess communication.
    [ NSHELP-22644 ]
  • The NTP service of the Citrix ADC SDX Management Service responds to NTP queries. However, the Management Service does not have any option to configure restrictions for NTP queries.
    [ NSHELP-12246 ]

Citrix Gateway

  • If you use a French keyboard on a VPN plug-in, characters entered using CTRL+ALT do not work.
    [ NSHELP-23556 ]
  • If you have configured nFactor authentication with advanced policies and if the Gateway Insight feature is enabled, the following details are not reported to the Citrix Application Delivery Management system.
    * Device type
    * Browser type
    * Operating system
    * Device details
    [ NSHELP-23549 ]
  • In a Citrix Gateway deployment, the DHCP server route is added by default. If your deployment does not require a DHCP server route, perform one of the following:

    - Set the client-side registry value NoDHCPRoute to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client.
    - From the Citrix ADC appliance, create a new file named pluginCustomization.json with the content { "NoDHCPRoute" : true } in the folders /netscaler/ns_gui/vpn and /var/netscaler/gui/vpn.
    [ NSHELP-23029 ]
  • Intranet IP deregistration does not occur after the VPN is logged off if the intranet IP registration took more than 15 seconds.
    [ NSHELP-23021 ]
  • If the length of the proxy server's URL is greater than 32 bytes, the exposed VPN plug-in API crashes.
    [ NSHELP-22977 ]
  • Transfer logon does not work with Internet Explorer and Windows plug-in when RfWebUI theme is configured with nFactor.
    [ NSHELP-22927 ]
  • When manual proxy is configured on a local machine, the user tunnel cannot be established automatically after a service tunnel is established.
    [ NSHELP-22831 ]
  • When you reboot or power up a client Windows 10 machine, the Always On VPN plug-in 13.0 falls back to classic authentication even if nFactor authentication is configured.
    [ NSHELP-22795 ]
  • When you restart the client machine after upgrading the Citrix Gateway appliance from release 12.0 build 59.8 to release 13.0 build 47.24, Always On cannot establish a seamless VPN connection.
    [ NSHELP-22700 ]
  • Internet Explorer-based web browsers do not display the arrow in the drop-down lists for the X1 and RfWebUI themes.
    [ NSHELP-22623 ]
  • The logon screen for Windows might display incorrect fields if you configure a proxy on a client machine and if the proxy is not applicable to the VPN FQDN.
    [ NSHELP-22618 ]
  • After you upgrade your Citrix Gateway appliance to build 13.0.47.24, logon to Citrix Gateway from VMware Horizon Client version 5.2 and later fails.
    [ NSHELP-22541 ]
  • In a multicore processor setup, the Citrix Gateway appliance crashes if the following two conditions are met:
    * Gateway Insight feature is enabled.
    * A request is received on a non-owner core.
    [ NSHELP-22524 ]
  • In rare cases, the Citrix Gateway appliance might crash if DTLS is enabled.
    [ NSHELP-22520 ]
  • The Citrix VPN plug-in does not process the IPv6 DNS packets.
    [ NSHELP-22446 ]
  • If HTTP 2.0 is enabled on the server and client, Always On service fails to establish the machine tunnel.
    [ NSHELP-22423 ]
  • In a Citrix Gateway setup with AlwaysOn feature enabled, AlwaysOn cannot establish a seamless VPN connection after a client is restarted.
    [ NSHELP-22420 ]
  • In some cases, the Citrix ADC appliance crashes because the core receives a packet to send to the client but the IIP information is not yet available. NSHELP-21522 fixed this condition in ns_iip6.c; this fix adds the same handling in ns_iip.c.
    [ NSHELP-22411 ]
  • The Citrix Gateway appliance crashes if the ICA file length is greater than 2,048 characters and if Gateway Insight is enabled.
    [ NSHELP-22387 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.
    [ NSHELP-22349 ]
  • Softphones that use a server-initiated UDP "keep-alive" connection mechanism might intermittently drop calls.
    [ NSHELP-22231 ]
  • The Linux VPN client might crash if you download a large file (approximately 3 GB).
    [ NSHELP-22032 ]
  • When you log on to StoreFront through Citrix Gateway with ICA Proxy set to Off, the Categories icon on StoreFront does not appear.
    [ NSHELP-21797 ]
  • When the syslog server is configured through TCP, intermittently some logs are not sent to the syslog server.
    [ NSHELP-21624 ]
  • The Citrix Gateway appliance crashes while freeing up an SSL VPN session that was previously freed.
    [ NSHELP-21073 ]

Citrix Web App Firewall

  • If a signature rule ID is greater than 2,147,483,647 or lower than zero, the value gets truncated.
    [ NSWAF-126 ]
  • A Citrix ADC appliance might crash if the incoming request has many form fields and field consistency protection is enabled in the Web App Firewall profile.
    [ NSHELP-21856 ]
  • A Citrix ADC appliance might strip off the response body if the response body signature rules are enabled.
    [ NSHELP-20872 ]
  • A Citrix ADC appliance might crash if there is high memory usage and memory values are not freed up because of an application failure.
    [ NSHELP-18863 ]

Load Balancing

  • The Citrix ADC appliance load balances all the traffic that is destined to a particular load balancing virtual server to the same backend server, when all of the following conditions occur:

    - Load balancing virtual server is configured with hash-based LB method.
    - Service group with autoscale mode DNS is bound to the load balancing virtual server.

    Workaround: Configure the load balancing virtual server with the Round Robin LB method.
    [ NSHELP-21952 ]

Miscellaneous

  • Service disruption might occur at runtime if the bot management TPS detection technique is configured with the "mitigation" action. 
    [ NSBOT-124 ]
  • During an upgrade, a Citrix ADC appliance might crash if the bot signature file contains long strings.
    [ NSBOT-37 ]

Networking

  • Deny ACL6 rules might drop IPv6 traffic for an established session.
    [ NSNET-11409 ]
  • The BGP module in a Citrix ADC appliance might crash if it accesses null interface-related information.
    [ NSHELP-22258 ]
  • In a cluster setup with retainConnectionsOnCluster option enabled, a cluster node might crash when it receives fragmented packets followed by non-fragmented packets.
    [ NSHELP-21674 ]
  • In a cluster setup, a Citrix ADC appliance might crash when it receives a node-to-node steered ICMP error message from the server. The crash occurs because the received packet does not contain the interface-related information.
    [ NSHELP-18401 ]

Platform

  • On the Citrix ADC SDX 26000-100G platform, the interface might not come up after you restart the appliance.
    [ NSPLAT-11985 ]
  • On the Citrix ADC SDX 15000-50G platform, some files from the NIC dump might not be cleared from the /tmp directory when the Citrix Hypervisor support bundle is collected multiple times. These files might disrupt a successful reboot of the appliance.
    [ NSHELP-22903 ]
  • In the CPU visualizer of the SDX dashboard, CPU usage of a VPX instance displays 0 if cores from CPU 0 are allotted to the instance.
    [ NSHELP-22869 ]
  • The Citrix ADC SDX 8900 appliance shows missing NIC interfaces after performing a factory reset. Upgrade to one of the following releases:
    - Release 12.1-56.x or later
    - Release 13.0-61.x or later
    [ NSHELP-22715 ]
  • Connectivity to a VPX instance fails if the following conditions are met:
    - The instance is configured without a management interface.
    - Only the LACP port channel is configured as a data interface.
    - The first member of the LACP channel is lost or disabled.
    For example, if interfaces 50/1 and 50/2 are the members of the channel and interface 50/1 is DOWN and 50/2 is UP, connectivity to the instance is lost. However, if interface 50/1 is UP and 50/2 is DOWN, VPX connectivity is available.
    This issue is specific to Mellanox NICs.
    [ NSHELP-22424 ]
  • High availability monitor (HAMON) is enabled by default on the internal interface and cannot be disabled on SDX appliances if an internal interface is configured. This setting has no functional impact.
    [ NSHELP-21803 ]
  • The SNMP module on a Citrix ADC MPX platform might return an incorrect value for some system properties.
    [ NSHELP-19621 ]

Policies

  • The rewrite action of insert_after type might not work with HTTP chunked or FIN terminated response.
    [ NSHELP-22743 ]

SSL

  • The Citrix ADC appliance might crash during an abbreviated (resumed) TLS 1.3 handshake if all of the following settings are applied to an SSL profile:

    - SNIHTTPHostMatch is set to CERT
    - TLSv1.3 is enabled
    - Session ticket is enabled
    [ NSHELP-22126 ]
  • SSL record decryption might fail intermittently when the Citrix ADC appliance is configured to use jumbo frames.
    [ NSHELP-21969 ]
  • When a Citrix ADC appliance is configured to use SSL session tickets and client authentication is enabled, the appliance might crash when a client sends a large client certificate, for example, an RSA certificate with a 4096-bit key.
    [ NSHELP-21662 ]
  • The Citrix ADC appliance might crash and dump core if OCSP stapling is configured and the appliance is low on memory.
    [ NSHELP-21661 ]
  • OCSP signature verification fails when an empty extension is received in the "SingleResponse" field of the OCSP response.
    [ NSHELP-20997 ]

System

  • A Citrix ADC appliance might incorrectly send RST_STREAM frame for successfully completed transaction streams for HTTP/2 connections.
    [ NSHELP-22969 ]
  • A Citrix ADC appliance might restart if the following conditions are met:
    - Time series profile fetches loop over an array.
    - A wrong parameter is used to loop.
    [ NSHELP-22828 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:
    - Flash Cache is enabled.
    - The client connection is reset.
    - A client request is queued to be serviced as part of the caching process.
    [ NSHELP-21872 ]
  • In the non-endpoint case, the Citrix ADC appliance might reset a TCP connection if SACK reneging occurs multiple times on the connection.
    [ NSHELP-21405 ]

User Interface

  • A FIPS key created on a primary node is not synced to the secondary node using the Enable SIM option in the Citrix ADC GUI.
    [ NSUI-16016 ]
  • Previously, the Actions field listed Assignments and Rewrite Actions together, but the Add/Edit functionality was intended only for Rewrite Actions, not for Assignments. The Add/Edit options are now removed, and the "Configure Assignments" and "Configure Rewrite Actions" hyperlinks are provided to configure them independently.
    [ NSHELP-23095 ]
  • The Saved vs. Running configuration utility might display differences for the 'bind serviceGroup' command even after the configuration is saved.
    [ NSHELP-22459 ]
  • The “nsconfig” command with the “-k” option fails to create a backup file with the current Citrix ADC configuration.
    [ NSHELP-22179 ]
  • In a high availability setup, a synchronization issue might replace the secondary node's license file with the primary node's license file.

    The presence of the primary node’s license file causes a host ID mismatch for this file on the secondary node. Because of this host ID mismatch, all Citrix ADC features are disabled when the secondary node takes over as primary after a failover.
    [ NSHELP-21871 ]
  • A Citrix ADC appliance might crash if the /tmp directory is full.
    [ NSHELP-21809 ]
  • A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in the diffnsconfig command. As a result, the diffnsconfig output can grow large enough to completely fill the root disk.
    [ NSHELP-19345 ]
  • In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added to the CCO node but fails on the non-CCO nodes with no error message.
    [ NSHELP-12037 ]

Known Issues

The issues that exist in release 13.0-61.48.

Authentication, authorization, and auditing

  • In some cases, a Citrix ADC appliance becomes unresponsive when single sign-on is attempted.
    [ NSHELP-23632 ]
  • In rare cases, a Citrix ADC appliance crashes while handling an authentication request if a DUP-FREE scenario (an attempt to free an already freed resource) arises.
    [ NSHELP-23565 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
    [ NSAUTH-6106 ]
  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    "show adfsproxyprofile <profile name>"

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. This displays the proxy profile status.
    [ NSAUTH-5916 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.
    [ NSHELP-22942 ]
  • A Citrix ADC appliance might randomly crash if the following conditions are observed:
    * Integrated caching feature is enabled.
    * 100 GB or more memory is allocated for integrated caching.

    Workaround: Allocate less than 100 GB of memory.
    [ NSHELP-20854 ]

Citrix ADC SDX Appliance

  • On the Citrix ADC SDX 8900, SDX 15000, and SDX 15000-50G platforms, high CPU usage might be noticed on ADC instances after upgrading the SDX appliance from release 11.1 to release 12.1, or from release 11.1 to release 13.0.
    [ NSHELP-24031 ]
  • You cannot include a hash (%23) in community strings for SNMP managers and trap destinations configured on a Citrix ADC SDX appliance.
    [ NSHELP-23989 ]
  • If a VPX instance was provisioned on an old 11.1 build, update operations on the VPX instance using the SDX CLI fail if the following conditions are met:
    - The "Shell/SFTP/SCP Access" option was selected.
    - The "Add Instance Administration" option was not selected.
    These options were available under "Instance Administration."
    [ NSHELP-23683 ]
  • In some cases, the licenses are not read correctly by the Management Service after you restart a Citrix ADC SDX appliance.
    [ NSHELP-23619 ]

Citrix Gateway

  • The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.
    [ NSHELP-23882 ]
  • You might face issues when editing documents using the web-based Office apps linked in SharePoint when these apps are accessed through the advanced clientless VPN.
    [ NSHELP-23364 ]
  • The Citrix Gateway appliance might crash while launching an app if the VDA FQDN resolution fails.
    [ NSHELP-22454 ]
  • Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.
    [ NSHELP-21897 ]
  • When you access Microsoft Excel through clientless VPN SharePoint, you cannot edit the Excel file.

    Workaround: Run the following CLI commands:

    >add rewrite policy ns_cvpn_v2_req_body_decode_pol "http.req.header(\"Content-Length\").exists && http.req.header(\"Content-Length\").value(0).typecast_num_t(decimal).gt(0) && http.req.header(\"Content-Type\").exists && (HTTP.REQ.HEADER(\"Content-Type\").CONTAINS(\"text/\") || (HTTP.REQ.HEADER(\"Content-Type\").CONTAINS(\"application/\") && HTTP.REQ.HEADER(\"Content-Type\").CONTAINS_ANY(\"ns_cvpn_v2_application_content_type_end\")))" ns_cvpn_v2_req_body_decode_act

    >bind rewrite policylabel ns_cvpn_v2_req_rw_label ns_cvpn_v2_req_body_decode_pol 27001

    [ CGOP-15123 ]
  • When you upgrade your Unified Gateway environment to release 13.0 build 58.x or later, the DTLS knob is disabled in the content switching virtual server that is configured before the gateway or the VPN virtual server. You must manually enable the DTLS knob in the content switching virtual server after the upgrade. Do not enable the DTLS knob if you are using the wizard for configuration.
    [ CGOP-13972 ]
  • The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML failures.
    [ CGOP-13584 ]
  • The ICA connection results in a skip parse during ICA parsing if users are using Citrix Receiver for Mac along with version 6.5 of Citrix Virtual Apps and Desktops (formerly Citrix XenApp and XenDesktop).
    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
    [ CGOP-13532 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking "Options" under the Settings menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
    [ CGOP-7269 ]

Citrix Web App Firewall

  • A Citrix ADC appliance might crash during the Web App Firewall XML validation check.
    [ NSHELP-23562 ]

Load Balancing

  • During GSLB real-time synchronization, the continuous batching of GSLB configuration commands might result in pushing the commands to the subordinate sites in an incorrect order.
    [ NSHELP-23934 ]
  • The generation of SNMP alarms might be delayed if the synchronization of configuration from the master site to subordinate sites fails.
    [ NSHELP-23391 ]
  • When you upgrade the Citrix ADC appliance to release 12.0 build 63.13, you might see some duplicate configuration entries for load balancing persistence groups. For example, the "show running config" command might display the "add lb group" command multiple times. This is only a display issue and does not impact the functionality. However, the "show running config" command might take slightly more time to execute than usual.
    [ NSHELP-23050 ]
  • The statistics for a stream identifier do not show any graphs.
    [ NSHELP-22753 ]
  • The Citrix ADC appliance might rarely crash when an integer value is truncated after a series of operations related to the Stream Identifier.
    [ NSHELP-22489 ]

Miscellaneous

  • A Citrix ADC appliance might crash if the bot device fingerprint technique is disabled while traffic is flowing into the appliance.
    Workaround: Unbind the bot profile before disabling the device fingerprint technique.
    [ NSBOT-156 ]

Networking

  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSNET-4312 ]
  • The following issues are observed related to BGP community strings in the Citrix ADC appliance:

    - When the appliance receives a BGP community string x:65535, the BGP session is disconnected.

    - When the <bgp extended asn> capability is not enabled, the BGP daemon does not handle the combination of the AS4_PATH attribute and certain community strings correctly. This improper handling results in a crash of the BGP daemon.
    [ NSHELP-24119 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
    [ NSHELP-24034 ]
  • In a high availability setup in INC mode, BFD sessions are lost after a failover.
    [ NSHELP-23648 ]
  • BFD settings might not apply in a Citrix ADC appliance after you hard reboot the appliance several times.
    [ NSHELP-23471 ]
  • A Citrix ADC appliance might crash during deployment if the following conditions are observed:
    - Multipath TCP (MPTCP) is enabled with MBF and PMTUD.
    - MPTCP traffic is received and the response causes an ICMP Fragmentation Needed error.
    [ NSHELP-22418 ]
  • In a high availability setup, one of the Citrix ADC appliances might crash if you perform an In Service Software Upgrade (ISSU) from Citrix ADC software version 13.0 47.24 or earlier to a later version.
    [ NSHELP-21701 ]
  • When you add a slave interface with a jumbo MTU to a link aggregation channel that is used as the backplane, the following warning message incorrectly appears:

    "The MTU for a backplane interface must be large enough to handle all packets. It must be equal to the (MTU value). If recommended value is not configurable, please review MTU of jumbo interfaces."

    This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20794 ]

Platform

  • If a Citrix ADC instance uses ADM-based licensing, the Citrix ADC licensing might not work when the ADM version is lower than the ADC version. Therefore, when you upgrade the ADC version, ensure that the corresponding ADM version is the same as or higher than the current ADC version.
    [ NSPLAT-15184 ]
  • Upgrading a Citrix ADC SDX appliance to software version 12.1 might fail if the Citrix Hypervisor version is 6.1.
    [ NSHELP-24036 ]
  • NITRO API request or GUI access to a Citrix ADC appliance fails if the appliance remains idle from management activity over HTTP(S) for more than six days.

    Workaround: Restart the HTTPD process. Run the following commands in the Citrix ADC CLI:

    - add serviceGroup mgmt_http_svc HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES

    - bind serviceGroup mgmt_http_svc 127.0.0.1 80
    [ NSHELP-22849 ]

Policies

  • A Citrix ADC appliance might crash when evaluating a large number of embedded expressions in an HTML page.
    [ NSPOLICY-1462 ]
  • Connections might hang if the size of the data being processed is larger than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.
    [ NSPOLICY-1267 ]
  • A Citrix ADC appliance might crash if you configure the MATCHES_LOCATION() function in a policy expression and you start nstrace using a filter expression.
    [ NSHELP-22687 ]

SSL

  • The update command is not available for the following add commands:
    - add azure application
    - add azure keyvault
    - add ssl certkey with hsmkey option
    [ NSSSL-6484 ]
  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.
    [ NSSSL-6478 ]
  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.
    [ NSSSL-6213 ]
  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:
    ERROR: crl refresh disabled
    [ NSSSL-6106 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • In rare cases, a Citrix ADC appliance crashes if the following conditions are met:
    - An SSL virtual server receives a Client Hello message with the SSL record header split into two or more TCP packets.
    - A policy bound at client hello with a forward action specified returns true.
    - The TCP checksum of the packet, which completes the record header of Client Hello message, contains the 0xXX 0x16 pattern.
    [ NSHELP-23754 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]

System

  • For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on the CLIP, the output is appended with a dot at the end, whereas for snmpwalk on the NSIP, it is not.
    [ NSHELP-22684 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:
    - HTTP/2 is enabled in the HTTP profile bound to a load balancing virtual server of type HTTP/SSL, or to a service.
    - The connection multiplexing option is disabled in the HTTP profile bound to the load balancing virtual server or service.
    [ NSHELP-21202 ]
  • The Citrix ADC MPX 26000-100G appliance might become unresponsive if the aggregator process becomes unstable.
    [ NSBASE-11747 ]

User Interface

  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.

    Workaround: Configure CloudBridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.
    [ NSUI-13024 ]
  • The Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.
    [ NSHELP-24195 ]
  • The Citrix ADC GUI does not display the "Top CLIENT.UDP.DNS.DOMAIN" statistical data in graphical format for the selected stream identifier.
    [ NSHELP-23777 ]
  • After executing the "saveconfig - all" command, the last saved time for the admin partitions is not accurately updated.
    [ NSHELP-23740 ]
  • In Citrix ADC GUI, the Web App Firewall Profiles page does not have the next or previous navigation options to view more than 25 profiles in the list pane.

    Navigation: Security > Citrix Web App Firewall > Profiles
    [ NSHELP-22622 ]
  • On a Citrix ADC MPX appliance, to transition the pooled capacity license to a perpetual license, you must first remove the pooled licensing configuration and then remove the pooled capacity license.

    [ NSCONFIG-4167 ]
  • If you (the system administrator) perform all the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the following builds:
    * 13.0 52.24 build
    * 12.1 57.18 build
    * 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration.
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:
    * If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    * Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for the other system users.
    * If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
    [ NSCONFIG-3188 ]