Release Notes for Citrix ADC 13.0-64.35 Release
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Build 13.0-64.35 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX281474.
What's New
Authentication, authorization, and auditing
Increase in the maximum length value for attributes
The maximum length value for the following attributes has changed as follows.
- set samlaction <saml-action-name> -samlissuerName - 511 (new max length)
- set samlidPProfile <saml-idp-profile-name> -samlissuerName - 511 (new max length)
- set samlidPProfile <saml-idp-profile-name> -serviceProviderID - 511 (new max length)
- set tm samlSSOProfile <saml-sso-profile-name> -samlissuerName - 511 (new max length)
- set vpn samlSSOProfile <saml-sso-profile-name> -samlissuerName - 511 (new max length)
- set oauthaction <oauth-action-name> -clientSecret - 239 (new max length)
- set oauthaction <oauthidp_profile-name> -clientSecret - 239 (new max length)
[ NSAUTH-8180 ]
Support to disable the weak Basic, Digest, and NTLM authentication globally
The SSO configuration is now made more secure by disabling the following weak authentication methods globally.
- Basic authentication
- Digest Access Authentication
- NTLM without setting Negotiate NTLM2 Key or Negotiate Sign
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/enable-sso-for-auth-pol.html.
[ NSAUTH-7747 ]
Ability to start nFactor flow with decision block in nFactor visualizer
Using the nFactor visualizer, you can now start the nFactor flow with a decision block. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/multi-factor-nfactor-authentication/nfactor-authentication-simplification.html.
[ NSAUTH-7665 ]
Support for client_assertion_type and client_assertion in OAuth token API
OAuth feature now supports the following capabilities in the token API from the Relying Party (RP) side and from the IdP side of Citrix Gateway and Citrix ADC.
- PKCE (Proof Key for Code Exchange) support
- Support for client_assertion
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/oauth-authentication/citrix-adc-oauth-sp.html.
[ NSAUTH-6243 ]
Citrix ADC SDX Appliance
Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service
The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC SDX appliances onto Citrix ADM service. This feature lets the ADC SDX appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you can get insights and recommendations for your Citrix ADC infrastructure, on Citrix ADM service.
By default, the Citrix ADM service connect feature is enabled when you install or upgrade the Citrix ADC SDX appliance.
For more information, see the following topics:
- Citrix ADM service: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/citrix-application-delivery-management-service.html
- Data governance: https://docs.citrix.com/en-us/sdx/13/data-governance.html
- Citrix ADM service connect: https://docs.citrix.com/en-us/sdx/13/adm-service-connect.html
Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances, however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.
[ NSSVM-3911 ]
Citrix Web App Firewall
Learning and deploying relaxation rules for XSS URL violation
The Citrix Web App Firewall can now learn XSS URL violations and deploy relaxation rules for false positive scenarios.
Note: In a cluster configuration, all nodes must be of the same version to deploy XSS URL rules.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/top-level-protections/html-cross-site-scripting-check.html#using-the-learn-feature-with-the-html-cross-site-scripting-check.
[ NSWAF-5186 ]
Security check to block violations in HTTP post body size limit
Citrix Web App Firewall profile now supports "PostBodyLimitAction" as a configurable security check to honor error settings and block requests (except for redirect URL) if the HTTP post body size exceeds the maximum allowed limit. The security check is also applicable for requests with a transfer-encoding header set as chunked. Previously, post body limit violations resulted in 400 as a server response. The log format for the "PostBodyLimitAction" setting is now changed as per the audit log format.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/application-firewall/profiles/app-firewall-profile-settings.html.
[ NSWAF-5184 ]
Load Balancing
Increased character length for the monitor name
The number of characters in the monitor name is now increased up to 255 characters.
[ NSLB-5223 ]
Networking
Change in Interface numbering scheme in Citrix ADC BLX appliances
The interface numbering scheme for a Citrix ADC BLX appliance is modified such that it aligns with other Citrix ADC platforms. Citrix recommends that you update any scripts that have a dependency on the interface numbering.
Earlier, both the internal interfaces were numbered as the first and the last interface. All the dedicated interfaces (in a Citrix ADC appliance in non-DPDK or DPDK mode) were numbered in between the first and the last internal interfaces.
Example 1: A Citrix ADC BLX appliance in non-DPDK mode with two dedicated interfaces:
- The internal BLX interfaces are numbered as 0/1 and 0/4.
- The dedicated interfaces are numbered as 0/2 and 0/3.
Example 2: A Citrix ADC BLX appliance in DPDK mode with one DPDK interface:
- The internal BLX interfaces are numbered as 0/1 and 0/3.
- The DPDK interface is numbered as 0/2.
From this release onwards, the interfaces in a Citrix ADC appliance are numbered in the following sequential order:
- Both the internal interfaces are numbered as the first and the second interface.
- Dedicated interfaces.
- DPDK interfaces (in Citrix ADC appliances in DPDK mode).
Example 1: A Citrix ADC BLX appliance in non-DPDK mode with two dedicated interfaces:
- The internal BLX interfaces are numbered as 0/1 and 0/2.
- The dedicated interfaces are numbered as 0/3 and 0/4.
Example 2: A Citrix ADC BLX appliance in DPDK mode with one DPDK interface (40G) and one non-DPDK dedicated interface:
- The internal BLX interfaces are numbered as 0/1 and 0/2.
- The non-DPDK dedicated interface is numbered as 0/3.
- The DPDK interface (40G) is numbered as 40/1.
[ NSNET-17067 ]
Non-default password support for the root user on Citrix ADC CPX
Citrix ADC CPX now supports non-default password for the root user (nsroot). When you deploy CPX, a random password is generated and assigned for the root user. You can also change it manually.
[ NSNET-10520 ]
Subscription local licenses support for Citrix ADC BLX appliances
A local license is similar to a perpetual license; however, it has an expiration date. The software subscriptions that make up local licenses are term-based and can be installed without requiring ADM as a licensing server.
The following type of subscription local licenses is available for Citrix ADC BLX appliances:
Bandwidth-based subscription local license. This type of license is enforced with a maximum allowed throughput that a particular Citrix ADC BLX appliance is entitled to. Each local license is also tied up with one of the Citrix ADC software editions (Standard, Enterprise, or Platinum), which unlocks the ADC feature set of this edition in a Citrix ADC BLX appliance. Embedded Select support is included with the subscription local license purchase.
Example:
A Citrix ADC BLX Subscription 10 Gbps Premium Edition - entitles a Citrix ADC BLX appliance with a maximum allowed throughput of 10 Gbps. This license also unlocks all the ADC features, listed in the Premium edition, in the Citrix ADC BLX appliance.
[ NSNET-9189 ]
Mellanox NICs support for Citrix ADC BLX appliances in DPDK mode
Citrix ADC BLX appliances now support Mellanox NICs with MLX5 driver for deployment in DPDK mode.
[ NSNET-8946 ]
Policies
Server certificate verification for importing responder HTML page
You can now use the "import responder htmlpage" command for sending HTML error responses to the client. Previously, no server certificate validation happened during HTML page import. This issue is now resolved by using a new parameter, "CAcertFile". You can configure the parameter to verify the server certificate when importing an HTML page.
Note: If you do not configure the CA certificate file name, the default root CA certificates are used for verifying the server certificate.
import responder htmlpage [<src>] <name> [-comment <string>] [-overwrite] [-CAcertFile <string>]
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/appexpert/responder/configuring-responder-action.html#configure-html-page-import.
[ NSPOLICY-3620 ]
System
Support to bind the analytics profile globally
You can now bind the analytics profile globally.
Previously, you had to bind the analytics profile to each virtual server.
[ NSBASE-11079 ]
Statistical data for ICAP, IPS, and IDS content inspection
Statistical data is now available for ICAP, IPS, and IDS content inspection features.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/content-inspection/content-inspection-statistics-for-icap-ips-ids.html.
[ NSBASE-10447 ]
User Interface
Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service
The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC MPX, SDX, and VPX instances, and Citrix Gateway appliances onto Citrix ADM service. This feature lets the ADC instance or Gateway appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you get insights and recommendations for your Citrix ADC infrastructure on Citrix ADM service.
By default, the Citrix ADM service connect feature is enabled when you install or upgrade Citrix ADC MPX, SDX, and VPX instances or Citrix Gateway appliance.
For more information, see the following topics:
- Citrix ADM service: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/citrix-application-delivery-management-service.html
- Data governance: https://docs.citrix.com/en-us/citrix-adc/13/data-governance.html
- Citrix ADM service connect: https://docs.citrix.com/en-us/citrix-adc/13/adm-service-connect.html
Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances, however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.
[ NSCONFIG-4150 ]
Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service
The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC MPX, SDX, and VPX instances, and Citrix Gateway appliances onto Citrix ADM service. This feature lets the ADC instance or Gateway appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you get insights and recommendations for your Citrix ADC infrastructure on Citrix ADM service.
By default, the Citrix ADM service connect feature is enabled when you install or upgrade Citrix ADC MPX, SDX, and VPX instances or Citrix Gateway appliance.
For more information, see the following topics:
- Citrix ADM service: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/citrix-application-delivery-management-service.html
- Data governance: https://docs.citrix.com/en-us/citrix-adc/12-1/data-governance.html
- Citrix ADM service connect: https://docs.citrix.com/en-us/citrix-adc/12-1/adm-service-connect.html
Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances, however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.
[ NSCONFIG-3793 ]
Fixed Issues
Authentication, authorization, and auditing
If a Citrix ADC appliance is configured for the OTP login and the OTP field is left blank, the authentication fails. In such a scenario, the appliance logs the user password in ns.log leading to a security concern.
[ NSHELP-24027 ]
In some cases, the SAML assertion breaks when the attribute values have XML tags. This results in the failure of attribute extraction.
[ NSHELP-23940 ]
A Citrix ADC appliance configured as an Identity Provider(IdP) for Citrix Workspace might crash when users are part of a large number of active directory groups.
[ NSHELP-23899 ]
The user does not get a 401 authentication prompt because the Citrix ADC appliance requests the authentication configuration from a wrong virtual server structure.
[ NSHELP-23892 ]
The Citrix Workspace login fails when a Citrix ADC appliance is configured as an Identity Provider (IdP) for Citrix Workspace and a custom attribute extraction error occurs.
[ NSHELP-23843 ]
In some cases, the "ns.log" file in the Citrix ADC appliance gets incorrectly flooded with the following log messages "claims allowed in current loginschema".
[ NSHELP-23593 ]
VPN session policies bound to an authentication, authorization, and auditing user or group are not applied if the Citrix ADC appliance is accessed by a VPN client using the webview nFactor authentication method.
[ NSHELP-23526 ]
The Citrix ADC GUI under "System Global Authentication Policy Binding" page has the following errors:
- Goto Expression field incorrectly displays "END" instead of "NEXT".
- The bound next factor policy is not reflected under the "Next Factor" field.
[ NSHELP-23474 ]
In rare cases, the session user name is incorrectly shown as "anonymous" instead of common name for the device certificate if both the following conditions are met.
- A Citrix ADC appliance is configured for nFactor authentication.
- Device Certificate is configured as the only factor in an nFactor configuration.
[ NSHELP-23243 ]
SAML authentication for the last factor fails when both the following conditions are met:
- The Citrix ADC appliance is configured as SAML SP.
- EPA is enabled on the VPN virtual server as pre-authentication policy and the RfWebUI theme is bound to the server.
[ NSHELP-22932 ]
The session establishment fails when accessed from the Citrix Workspace app using Webview if preauthentication EPA is configured along with nFactor authentication.
[ NSHELP-22845 ]
The login page for a Citrix ADC appliance is not displayed correctly when LDAP and SAML are configured as the primary authentication mechanism.
[ NSHELP-22713 ]
When you log on to the Citrix Gateway appliance, a blank page is displayed if the following conditions are met:
- The Citrix Gateway appliance is configured for nFactor authentication with saml as next factor EULA
- You click the back arrow to go to the previous page during the logon process.
[ NSHELP-22604 ]
In some cases, a Citrix ADC appliance crashes because of the memory corruption caused by a buffer overwrite for the list of OTP devices.
[ NSHELP-22478 ]
Sometimes, the form-based SSO authentication fails for the first time if a Set-Cookie is contained in the HTTP response header of the HTML form.
[ NSHELP-21740 ]
Citrix ADC SDX Appliance
An incorrect platform model string is displayed when you configure pooled licensing on the Citrix ADC SDX 8400, 8600, or 8015 appliances.
[ NSHELP-24234 ]
If you take a backup of one SDX appliance, restoring the instances on another SDX appliance fails.
[ NSHELP-23947 ]
On a Citrix ADC SDX 8900 appliance, the number of instances available for provisioning are reduced after you upgrade the appliance.
[ NSHELP-23808 ]
Upgrading a Citrix ADC SDX appliance to release 12.1 build 57.x might fail because a process in the Management Service is unresponsive.
[ NSHELP-23612 ]
On the Citrix ADC SDX appliance, a user with read-only permissions can transfer files to Management Service using a file transfer utility, such as SCP or SFTP.
[ NSHELP-22638 ]
Citrix Gateway
The Citrix Gateway appliance might crash when adding a cookie_watch JavaScript while serving clientless VPN traffic.
[ NSHELP-24096 ]
You cannot disable the Citrix Gateway EPA plug-in from the GUI after upgrading to release 13.0 build 58.30.
[ NSHELP-24016 ]
The VPN plug-in cannot load the Citrix Gateway logon page if a port number is specified during login. This issue occurs only if nFactor authentication is configured for the virtual server on the appliance.
[ NSHELP-23925 ]
When VPN tunnel is active, users cannot access a portal if the following conditions are met:
- Host-name based intranet applications are configured along with reverse split tunnel.
- The hostname of the portal matches an intranet application name.
[ NSHELP-23912 ]
In the VPN virtual server page, the configured portal themes, policies, and profiles summary does not appear on the left side of the page.
[ NSHELP-23903 ]
In rare cases, a Citrix Gateway appliance might crash while handling transfer logon or logout requests.
[ NSHELP-23863 ]
The Windows plug-in cannot perform a seamless Transfer Logon in the Always On service mode if the RfWebUI portal theme is bound to the Citrix ADC virtual server.
[ NSHELP-23837 ]
When you upgrade your VPN plug-in to 13.0, DNS queries are sent to both local and remote DNS servers if the split tunnel is set to OFF.
[ NSHELP-23826 ]
Local DNS queries over the VPN plug-in if specified to a particular DNS server are not honored because the queries are sent to randomly selected DNS servers on the client.
[ NSHELP-23743 ]
The Windows credential screen does not refresh after the network comes back up.
[ NSHELP-23594 ]
SAP CFolders do not work as intended when accessed over advanced clientless VPN.
[ NSHELP-23561 ]
In the Citrix Gateway Always On service mode, when the machine is rebooted, the tunnel is not established if an Intranet IP address is configured.
[ NSHELP-23304 ]
The Citrix ADC appliance crashes if the "show vpn storeinfo" command is run repeatedly.
[ NSHELP-23144 ]
The ICA Proxy application launch over SOCKS channel fails.
[ NSHELP-23111 ]
Users cannot access resources over the VPN when the machines resume from sleep or hibernate state.
[ NSHELP-23024 ]
VPN plug-in cannot establish a seamless session after the Citrix Gateway appliance is restarted because the configuration is overwritten when Always On is enabled.
[ NSHELP-22674 ]
In rare cases, the Citrix ADC appliance might become unresponsive if the appliance is configured for EDT, and HDX Insight is enabled for EDT sessions.
[ NSHELP-22640 ]
The Citrix Gateway appliance crashes when accessing the DNS server configuration if RDP Proxy is configured and DNS resolution is attempted after WINS resolution.
[ NSHELP-22577 ]
In a Citrix Gateway double hop high availability setup, the ICA connection might be lost after an HA failover.
[ NSHELP-22444 ]
In a Citrix Gateway high availability setup, the secondary node might crash during a failover if syslog is configured.
[ NSHELP-22438 ]
Feature: Citrix Gateway
The Citrix Gateway appliance might crash because some commands are not run.
[ NSHELP-22371 ]
The Citrix Gateway appliance might crash intermittently if a syslog policy is configured.
[ NSHELP-22304 ]
Citrix Web App Firewall
A Citrix ADC appliance might crash if the response side or XML security checks are enabled and log expressions are configured in a Web App Firewall profile.
[ NSWAF-6466 ]
In a cluster configuration, the unbind command to configure an HTML Cross-Site Scripting check relaxation rule with the location as URL is unsuccessful.
[ NSWAF-6463 ]
In a cluster configuration, the Citrix Web App Firewall aslearn data aggregation on the cluster coordinator node (CCO) fails when RPC nodes are secured.
[ NSWAF-6460 ]
After an upgrade, the "bufferOverflowMaxqueryLength" and "bufferOverflowmaxHeaderLength" values in an existing Citrix Web App Firewall profile might not be appropriate for deployment. As a result, you might have to modify the values if incorrect.
[ NSWAF-6346 ]
A Citrix ADC appliance might crash if bot signature is enabled with external DNS server configuration.
[ NSHELP-24190 ]
POST requests with content-type "application/octet-stream" are not processed if Streaming is enabled without a signature set.
[ NSHELP-22668 ]
In a high availability setup, the Web App Firewall session in the secondary node is a stale session.
[ NSHELP-20288 ]
Load Balancing
The real-time synchronization of GSLB configuration from the master site to the subordinate sites might fail if the secure option is enabled for the remote site RPC node.
[ NSHELP-24178 ]
A Citrix ADC appliance might crash when trying to evaluate subscriber policies and gxSessionReporting is enabled.
[ NSHELP-24159 ]
If connection mirroring does not synchronize PCB parameters, it might lead to loss of TCP options such as Maximum Segment Size (MSS) and Window Scaling.
[ NSHELP-23990 ]
The Citrix ADC appliance crashes if the storeDB parameter is enabled in the MYSQL-ECV monitor.
[ NSHELP-23983 ]
When you add two service groups with the same value for "devno" parameter explicitly using CLI, the addition of the second service group fails. This is because the same devno is already assigned to the first service group. It is recommended not to provide the devno explicitly from CLI because it is automatically populated.
[ NSHELP-23817 ]
If the health check option is enabled for Gx interface and Gx server is not responsive, negative TTL sessions are not created.
[ NSHELP-23355 ]
The statistics for a stream identifier do not show any graphs.
[ NSHELP-22753 ]
For DNS UDP requests the subscriber session is created based on the destination IP address instead of the source IP address, if both a subscriber expression and a DNS expression are used in the same policy.
[ NSHELP-22521 ]
Feature: Clustering
In a cluster setup, ACL rules with VLAN settings do not take effect resulting in packets hitting other ACL rules.
This issue occurs when you delete a virtual server on the cluster setup resulting in the cluster nodes not adding VLAN information on the steered packets.
[ NSHELP-22103 ]
Feature: High Availability
In a high availability (HA) setup, when the secondary node restarts, the primary node might crash during connection mirroring of sessions to the secondary node.
[ NSHELP-21715 ]
Miscellaneous
Some commands present in the rc.netscaler file are not applied correctly after a Citrix ADC appliance is restarted because of which the appliance might not work as intended.
[ NSHELP-22507 ]
Networking
The nstcpdump.sh script fails to run on the Citrix ADC BLX CLI connected through SSH and logged in using the default admin (nsroot) credentials. The script fails because the default admin (nsroot) does not have permission to access certain files and network resources.
[ NSNET-16816 ]
In a high availability set up with connection mirroring enabled for FTP traffic, the secondary node might crash if the following condition is true.
- data connection propagates to the secondary node before the control connection
[ NSHELP-24088 ]
When the L2 mode is enabled, the Citrix ADC appliance forwards the DHCP broadcast packets received in the default partition.
[ NSHELP-23957 ]
The Citrix ADC appliance might fail during a NAT64 translation of a received IPv6 request packet if the following condition is true:
The last 32 bits of the destination IPv6 address, which is the translated destination IPv4 address, is greater than 240.0.0.0 (falls in reserved IP range).
Add an ACL to deny such packets.
[ NSHELP-22742 ]
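To scope the deny ACL mentioned for NSHELP-22742, the following added example (not part of the Citrix release notes) extracts the IPv4 address embedded in the last 32 bits of a NAT64 destination and computes the IPv6 range that covers the reserved block. It assumes a /96 NAT64 prefix and treats the whole of 240.0.0.0/4 as reserved; the prefix 64:ff9b::/96 and the sample destinations are constructed values, not taken from the page.

```python
import ipaddress

# IPv4 block treated as reserved in this example: 240.0.0.0 - 255.255.255.255.
# (Assumption: the release note's "greater than 240.0.0.0" is covered by the /4.)
RESERVED_V4 = ipaddress.ip_network("240.0.0.0/4")


def embedded_ipv4(dst):
    """Return the IPv4 address carried in the last 32 bits of an IPv6 address."""
    addr = ipaddress.IPv6Address(dst)
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def is_reserved_nat64_destination(dst):
    """True if the translated IPv4 destination falls in the reserved range."""
    return embedded_ipv4(dst) in RESERVED_V4


def deny_range_for_prefix(nat64_prefix):
    """
    For a /96 NAT64 prefix, return the single IPv6 network that matches every
    destination whose last 32 bits fall in 240.0.0.0/4. This is the range a
    deny ACL has to cover.
    """
    prefix = ipaddress.ip_network(nat64_prefix)
    if prefix.version != 6 or prefix.prefixlen != 96:
        raise ValueError("this example only handles a /96 IPv6 NAT64 prefix")
    base = int(prefix.network_address) | int(RESERVED_V4.network_address)
    # 96 prefix bits + 4 fixed bits of the embedded IPv4 address = /100
    return ipaddress.IPv6Network((base, 96 + RESERVED_V4.prefixlen))


def triage(destinations):
    """Return (ipv6, embedded_ipv4) pairs for destinations that need the deny rule."""
    flagged = []
    for dst in destinations:
        if is_reserved_nat64_destination(dst):
            flagged.append((dst, str(embedded_ipv4(dst))))
    return flagged


if __name__ == "__main__":
    # Constructed sample destinations under a constructed NAT64 prefix.
    sample_prefix = "64:ff9b::/96"
    samples = [
        "64:ff9b::c000:221",   # 192.0.2.33, ordinary destination
        "64:ff9b::f000:1",     # 240.0.0.1, reserved
        "64:ff9b::ffff:ffff",  # 255.255.255.255, reserved
    ]
    print("deny range:", deny_range_for_prefix(sample_prefix))
    for v6, v4 in triage(samples):
        print("flagged:", v6, "->", v4)
```

The resulting /100 network can be used as the destination match of the deny rule, and the same check can be run over flow or packet logs to see whether such destinations are already arriving.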
You might observe high CPU usage on a Citrix ADC appliance when it sends fragmented IPv6 packets.
[ NSHELP-22699 ]
A packet with an invalid virtual MAC address as the destination address is wrongly classified as a packet having the Citrix ADC owned MAC address.
[ NSHELP-22697 ]
Platform
On the Citrix ADC SDX 24000 platform, a critical alert on logical drives is generated after you upgrade the appliance to software version 13.0. This is a false positive.
cp /opt/Citrix/system_config/NSSDX-22000 /opt/Citrix/system_config/NSSDX-22000T
[ NSHELP-23505 ]
In some cases on a Citrix ADC SDX appliance, configuring some virtual instances with 50G and 100G Mellanox interfaces exhausts the memory.
[ NSHELP-23394 ]
You need to reboot a Citrix ADC SDX appliance to reset and initialize an SSL card when the card returns an error. With this fix, reboot is not required.
[ NSHELP-22725 ]
Policies
A Citrix ADC might crash when evaluating a large number of embedded expressions in an HTML page.
[ NSPOLICY-1462 ]
SSL
The Citrix ADC appliance might crash if the following conditions are met:
- TLS 1.3 early data processing is enabled in an SSL profile of a non-default admin partition.
- TLS 1.3 early data processing is disabled in all the SSL profiles of the default admin partition.
[ NSHELP-23607 ]
A Citrix ADC appliance might crash if the following conditions are met:
- A certificate-key pair is added with the expiry monitor option enabled.
- The certificate date is earlier than 01/01/1970.
[ NSHELP-22934 ]
In a cluster setup, a NITRO API query to fetch SSL policy bindings is a success from the CLIP address, but the query fails if it is run from a cluster node.
[ NSHELP-22853 ]
A Citrix ADC appliance might crash if there are a large number of OCSP cached entries and you run the clear config command.
[ NSHELP-22695 ]
Configuring empty CRLs for frequent updates exhausts the shared allocated memory on the Citrix ADC appliance.
[ NSHELP-22166 ]
Feature: SSL
A partitioned Citrix ADC appliance might not respond as expected if you perform the following actions:
1) Create two OCSP responders in different partitions.
2) Clear the config in one partition.
3) Remove the OCSP responder in the other partition.
[ NSHELP-20861 ]
System
A Citrix ADC appliance might not optimize and compress large objects such as Javascript or CSS if front end optimization is enabled.
[ NSHELP-24041 ]
In the case of TLS v1.2 session reuse protocol, the following behavior is observed in the Citrix ADC appliance:
- The categorization information is saved in the server PCB, and the domain information is saved in the client PCB.
- Data is sent to AppFlow only from the client PCB, hence for session reuse cases, categorization information is sent as null.
[ NSHELP-23542 ]
If a service, representing an inline device, is down when traffic is being inspected, a resource is not freed properly. The Citrix ADC appliance crashes when this freed resource is accessed again.
[ NSHELP-23145 ]
Feature: System
For synflood trap generation, if you do not reset the varbinding values, the appliance uses the old trap varbinding values instead of the current and threshold values.
[ NSHELP-20653 ]
Feature: System
In Multi-path TCP (MPTCP) the si_cur_Clients and si_cur_clnt_ConnOpenEst counters are incremented twice.
[ NSHELP-19896 ]
Feature: Analytics
Sometimes, analytics data is not populated in ADM service.
[ NSBASE-11508 ]
User Interface
Multi-Factor(nFactor) login does not work using the Citrix ADC GUI. After the first factor login, the next factor login input does not work.
[ NSHELP-24078 ]
A Citrix ADC appliance might crash when an internal process restarts for a maximum number of times.
[ NSHELP-23378 ]
Only the last three digits of the year are displayed in "Up since (Local)" line of the "stat system" command.
[ NSHELP-22960 ]
Adding a service group member directly is successful. However, the operation fails if you perform the following steps:
1. Navigate to Traffic Management > Load Balancing > Service Groups.
2. Select a service group and click Service Group Members.
3. Right click one of the entries and select Add.
4. In the Create Service Group Member, change the IP address and click Create.
[ NSHELP-21925 ]
NITRO API (routerdynamicrouting) for fetching the ZebOS running configuration does not fetch the complete output for large configurations (more than 25 lines).
[ NSCONFIG-3535 ]
After you upgrade the Citrix ADC appliance to release 13.0 build 64.x, the Secure option for all the RPC nodes is turned ON by default. This option secures the communication between the ADC nodes in the high availability, cluster, and GSLB deployments, which use the port number 3008. If the firewall between the ADC nodes blocks the port number 3008, unblock it and proceed. Otherwise, configuration synchronization and configuration propagation might fail. You can change this option anytime using the CLI or the GUI.
[ NSCONFIG-2702 ]
Known Issues
Authentication, authorization, and auditing
Feature: Authentication, authorization, and auditing-TM
A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
[ NSHELP-563 ]
Feature: Authentication, authorization, and auditing
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
[ NSAUTH-6106 ]
Feature: Authentication, authorization, and auditing
ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
"show adfsproxyprofile <profile name>"
Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It would display the proxy profile status.
[ NSAUTH-5916 ]
Feature: Authentication, authorization, and auditing
You might see a "No such policy exists" message on the nFactor Flow page in nFactor Visualizer when you try to unbind a policy from a factor. The unbind option works as expected.
[ NSAUTH-5821 ]
Caching
A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.
[ NSHELP-22942 ]
Citrix Gateway
EPA plug-in for Windows does not use local machine's configured proxy and connects directly to the gateway server.
[ NSHELP-24848 ]
The Gateway Insight does not display accurate information on the VPN users.
[ NSHELP-23937 ]
You might face issues when editing documents using the web based office apps linked in SharePoint when these apps are accessed through the advanced clientless VPN.
[ NSHELP-23364 ]
Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.
[ NSHELP-21897 ]
Transfer Logon does not work if the following two conditions are met:
- nFactor authentication is configured.
- Citrix ADC theme is set to Default.
[ CGOP-14092 ]
Feature: Citrix Gateway
The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.
[ CGOP-13584 ]
Feature: Citrix Gateway
In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
[ CGOP-13511 ]
While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.
[ CGOP-13050 ]
The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.
[ CGOP-13049 ]
Feature: Citrix Gateway
An error message appears when you add or edit a session policy from the Citrix ADC GUI.
[ CGOP-11830 ]
In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
[ CGOP-7269 ]
Load Balancing
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.
[ NSLB-7679 ]
The generation of SNMP alarms might be delayed if the synchronization of configuration from the master site to subordinate sites fails.
[ NSHELP-23391 ]
Networking
When you push configurations to the cluster instances using a StyleBook, the commands fail with the "Command propagation failed" error message.
On successive failures, the cluster retains the partial configuration.
1. Identify the failed commands from the log.
2. Manually apply the recovery commands to the failed commands.
[ NSHELP-24910 ]
Policies
Feature: System
Connections might hang if the size of processing data is more than the configured default TCP buffer size. Set the TCP buffer size to the maximum size of data that needs to be processed.
[ NSPOLICY-1267 ]
SSL
Feature: SSL
The update command is not available for the following add commands:
- add azure application
- add azure keyvault
- add ssl certkey with hsmkey option
[ NSSSL-6484 ]
Feature: SSL
You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.
[ NSSSL-6478 ]
Feature: SSL
You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.
[ NSSSL-6213 ]
Feature: SSL
The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
ERROR: crl refresh disabled
[ NSSSL-6106 ]
Feature: SSL
Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
[ NSSSL-4427 ]
Feature: SSL
An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
[ NSSSL-4001 ]
If strong password option is enabled on a Citrix ADC appliance, password protected certificate-key pairs might not be added. With this fix, the password protected certificate-key pairs are always added successfully. However, downgrading to an earlier build causes the certificate-key configuration to be lost.
Also, in the NITRO API response for certificate-key pairs, the passplain variable is sent instead of the passcrypt variable.
[ NSHELP-25675 ]
In a cluster setup, certificate configuration changes are not allowed if any certificate or key files are removed.
[ NSHELP-24913 ]
User Interface
Feature: Cloudbridge connector
The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a cloudbridge connector.
Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.
[ NSUI-13024 ]
The Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.
[ NSHELP-24195 ]
Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.
[ NSHELP-20988 ]
Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.
[ NSCONFIG-4330 ]
If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.
1. Upgrade the Citrix ADC appliance to one of the builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration, and
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of these system users by using the CLI:
At the command prompt, type: "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance is not yet downgraded (step 3 in the steps above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for other system users.
- If none of the above options work, a system administrator can reset the system user passwords.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
[ NSCONFIG-3188 ]