Release Notes for Citrix ADC 13.0-71.44 Release

This release notes document describes the enhancements and changes, and the fixed and known issues, for Citrix ADC release Build 13.0-71.44.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 13.0-71.44 replaces Build 13.0-71.40.
  • This build adds an enhancement to eliminate the susceptibility to a DDoS-style attack against DTLS, as described in https://support.citrix.com/article/CTX289674.
  • This build also includes fixes for the following issues that existed in the previous Citrix ADC 13.0 release build: NSAUTH-9475.

What's New

The enhancements and changes that are available in Build 13.0-71.44.

Authentication, authorization, and auditing

  • Azure Government support for token authentication in Microsoft Intune integration

    In the Citrix Gateway and Microsoft Intune integration scenario, Citrix Gateway now supports the Microsoft Azure Government infrastructure for Microsoft Active Directory Libraries (ADAL) token authentication. Previously, only the Microsoft Azure commercial infrastructure was supported.

    [ NSAUTH-8246 ]

Citrix ADC SDX Appliance

  • After deleting an interface or a channel from an ADC instance, the instance might be unreachable from the Management Service. With this change, if your Citrix ADC SDX appliance is running release 13.0 build 71.x and later or release 12.1 build 60.x and later, you cannot delete the interface or channel on an ADC instance from the Management Service.

    [ NSSVM-3442 ]

Citrix Gateway

  • Support for dynamic secure DNS update on Windows plug-in

    VPN plug-in for Windows now supports Secure DNS update. This feature is disabled by default. To enable it, create HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\secureDNSUpdate value of type REG_DWORD and set it to 1.

    • When you set the value to 1, the VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in tries the secure DNS update.
    • To try only the secure DNS update, you can set the value to 2.
    [ CGOP-13788 ]

Citrix Web App Firewall

  • Device fingerprinting bot detection technique for mobile (Android) applications using Bot Mobile SDK

    The device fingerprinting bot detection mechanism is now enhanced to secure mobile (Android) applications from bot attacks. To detect bots in a mobile application, the device fingerprinting detection technique uses a bot mobile SDK. The SDK is integrated with the mobile application to intercept the mobile traffic, collect client and device details, and send the data to the appliance. On the appliance side, the device fingerprinting bot detection technique examines the data and determines whether the connection is from a bot or a human.

    [ NSWAF-5983 ]

Load Balancing

  • Configurable MEP timer support to avoid MEP flaps on GSLB sites

    A new parameter, MEPKeepAliveTimeout, is now added to configure the MEP timer. By default, the timer value is set to 10 seconds. Previously, the timer had a fixed value of 4 seconds.

    If the local GSLB site does not receive any new packets (retransmitted packets and duplicate acknowledgment packets are excluded) from a remote GSLB site on the site-metric MEP connection within the time specified by the MEP timer, the Citrix ADC appliance marks the connection as DOWN and waits 15 more seconds without terminating the connection. If it receives a new packet within that time, the MEP connection is retained and the status is marked as UP.

    [ NSLB-7342 ]
  • Support for file-based pattern sets

    The Citrix ADC appliance now supports file-based pattern sets.

    You can import a new pattern set file into the Citrix ADC appliance using the following command:
    "import patsetfile <src> <name> -overwrite -delimiter <char> -charset <ASCII | UTF_8>"

    You can update an existing pattern set file on the Citrix ADC appliance using the following command:
    "update patsetfile <patset filename>"

    You can add a pattern set file to the packet engine using the following command:
    "add patsetfile <patset filename>"

    You can bind patterns to the pattern set file using the following command:
    "add patset <name> -patsetfile <patset filename>"

    [ NSLB-5823 ]
  • MQTT protocol support on Citrix ADC appliances

    Citrix ADC appliances now natively support the Message Queuing Telemetry Transport (MQTT) protocol. MQTT is an OASIS standard messaging protocol for the Internet of Things (IoT). With this support, the Citrix ADC appliance can be used in IoT deployments to load balance MQTT traffic.

    Previously, you could configure MQTT on the Citrix ADC appliance by using protocol extensions. Users had to write their own extension code and import the extension file to the Citrix ADC appliance, either from a web server (using HTTP) or from a local workstation.

    [ NSLB-5822 ]

Networking

  • Support added in Citrix ADC CPX for Cilium CNI in a Kubernetes environment

    Citrix ADC CPX now supports Cilium CNI in a Kubernetes environment. Cilium is an open-source CNI that uses the extended version of the Berkeley Packet Filter (BPF) to improve the visibility, performance, and scalability of applications on Kubernetes.

    [ NSNET-17264 ]
  • Configure the Citrix ADC appliance to source Citrix ADC FreeBSD data traffic from a SNIP address

    Some Citrix ADC data features run on the underlying FreeBSD OS instead of on the Citrix ADC OS. As a result, these features send traffic sourced from the Citrix ADC IP (NSIP) address instead of from a SNIP address. Sourcing data traffic from the NSIP address is not desirable if your setup is configured to separate all management and data traffic.

    The following Citrix ADC data features run on the underlying FreeBSD OS and send traffic sourced from the Citrix ADC IP (NSIP) address:

    • Load balancing scriptable monitors
    • GSLB autosync

    To resolve this issue, a global Layer-2 parameter "useNetprofileBSDtraffic" has been introduced. When this parameter is enabled, the Citrix ADC features send traffic sourced from one of the SNIP addresses in a netprofile associated with the feature.

    Currently, the global Layer-2 parameter "useNetprofileBSDtraffic" is supported only for load balancing scriptable monitors.

    For configuring the Citrix ADC appliance to source GSLB autosync traffic from a SNIP address, you can use extended ACL and RNAT rules as a workaround.

    [ NSNET-16274 ]
  • Dataset based extended ACLs

    Enterprises typically require a large number of ACLs. Configuring and managing that many ACLs is difficult and cumbersome when they require frequent changes.

    A Citrix ADC appliance now supports datasets in extended ACLs. Datasets are an existing feature of the Citrix ADC appliance. A dataset is an array of indexed patterns of one type: number (integer), IPv4 address, or IPv6 address.

    Dataset support in extended ACLs is useful for creating multiple ACL rules that share common ACL parameters. When creating an ACL rule, instead of specifying the common parameters, you can specify a dataset that includes them.

    Any changes made in the dataset are automatically reflected in the ACL rules that are using this dataset. ACLs with datasets are easier to configure and manage. They are also smaller and easier to read than the conventional ACLs.

    Currently, the Citrix ADC appliance supports only the IPv4 address type dataset for extended ACLs.

    [ NSNET-8252 ]

Platform

  • VMware ESX 7.0 support on Citrix ADC VPX instance

    The Citrix ADC VPX instance now supports the VMware ESX hypervisor 7.0 build 1632494.

    [ NSPLAT-16902 ]
  • AWS Top Secret (C2S) region support extended for all the Citrix ADC editions

    The AWS Top Secret (C2S) region now supports all the following Citrix ADC editions along with Bring Your Own License (BYOL):

    • Standard Edition
    • Advanced Edition
    • Premium Edition

    Previously, the AWS Top Secret region supported only the BYOL subscription.
    The AWS Top Secret region is readily available through the Commercial Cloud Services (C2S) contract with AWS.

    [ NSPLAT-9195 ]

Policies

  • Support for dynamic expressions in the CONTAINS function for optimizing advanced policy usage.

    The argument for the following methods is static:

    • contains()
    • after_str()
    • before_str()
    • substr()
    • strip_end_chars()
    • strip_chars()
    • strip_start_chars()
    [ NSPOLICY-3545 ]

SSL

  • Support to offload crypto operations to Intel Coleto crypto chips in TLS 1.3 connections

    In TLS 1.3 connections, support is now added to offload crypto operations to Intel Coleto crypto chips on specific Citrix ADC MPX platforms.

    The following appliances that ship with Intel Coleto chips are supported:

    • MPX 5900
    • MPX/SDX 8900
    • MPX/SDX 15000
    • MPX/SDX 15000-50G
    • MPX/SDX 26000
    • MPX/SDX 26000-50S
    • MPX/SDX 26000-100G

    Software-only support for the TLSv1.3 protocol is available on all other Citrix ADC MPX and SDX appliances except Citrix ADC FIPS appliances.

    [ NSSSL-7453 ]
  • All subject alternate name (SAN) values are now displayed in a certificate

    A Citrix ADC appliance now displays all the SAN values when the details of a certificate are displayed.

    [ NSSSL-5978 ]
  • Policy support for TLSv1.3 protocol

    When the TLSv1.3 protocol is negotiated for a connection, policy rules that inspect TLS data received from the client now trigger the configured action.
    For example, if the following policy rule returns true, the traffic is forwarded to the virtual server defined in the action.
    "add ssl action action1 -forward vserver2"
    "add ssl policy pol1 -rule client.ssl.client_hello.sni.contains(xyz) -action action1"

    [ NSSSL-869 ]

System

  • Display CPU usage (in parts per thousand) for a load balancing virtual server

    A new counter, "CPU-PM", now displays CPU usage in per mille (parts per thousand). For example, a value of 500 must be read as 500/1000, which is equal to 50 percent.

    In the GUI, navigate to Traffic Management > Virtual Servers > Load Balancing > Statistics.

    [ NSBASE-11304 ]
  • Support for request retry on timeout

    Request retry is now available for one more scenario: if a back-end server takes too long to respond to a request, the appliance performs re-load balancing upon timeout and forwards the request to the next available server. Previously, the appliance kept waiting for the server response, which led to an increased RTT.
    To configure the timeout, a new parameter, retryOnTimeout, is available in the AppQoE action.
    Minimum value: 30 milliseconds
    Maximum value: 2000 milliseconds

    To configure request retry on timeout by using the CLI:
    "add appqoe action <name> -retryOnTimeout <msecs>"

    Example
    "add appqoe action appact1 -retryOnTimeout 35"

    [ NSBASE-10914 ]
  • Process local and retain connections support for MPTCP cluster deployments

    MPTCP connections now support "Process Local" and "Retain Connections" features in the cloud and on-premises Citrix ADC cluster deployments.

    [ NSBASE-10734 ]
  • Responder response-related information in AppFlow records

    The AppFlow records generated by the Citrix ADC appliance now include the responder response-related information.

    [ NSBASE-10634 ]
  • Support for larger HTTP header size

    The Citrix ADC appliance can now handle HTTP requests with large headers to accommodate L7 application requests. The maximum header size of an HTTP request is increased to 128 KB.

    [ NSBASE-7957 ]

Fixed Issues

The issues that are addressed in Build 13.0-71.44.

Authentication, authorization, and auditing

  • In some cases, after the user password is changed, the following error message appears: "Cannot complete your request."

    The error occurs because the modified password is corrupted after encryption.

    [ NSHELP-25437 ]
  • In some cases, a Citrix ADC appliance might crash if the client closes the TCP connection before finishing the Email OTP authentication.

    [ NSHELP-25154 ]
  • In some cases, a Citrix ADC appliance crashes during the Citrix ADC Authentication, authorization, and auditing session removal on the secondary node.

    [ NSHELP-25075 ]
  • In some cases, when Citrix ADC is used as an IdP to Citrix Cloud, the Authentication, authorization, and auditing daemon (AAAD) crashes while performing nested group extraction in AD because of a memory buffer overflow.

    [ NSHELP-24884 ]
  • LDAP authentication fails in a Citrix ADC appliance when a user's group length exceeds the defined limit.

    [ NSHELP-24373 ]
  • When trying to log on to the Citrix Gateway appliance, a user does not see a response if the logon attempt fails.

    [ NSHELP-23155 ]
  • A Citrix ADC appliance responds with a 400 error code when the header size of a Citrix Gateway user interface related request exceeds 1024 characters.

    [ NSAUTH-9475 ]
  • The configuration of the non-addressable authentication virtual server is not restored after a reboot if the following conditions are met:

    • The Citrix ADC appliance has a Standard edition license
    • The appliance is configured for nFactor authentication using Citrix Gateway
    [ NSAUTH-9263 ]

Bot Management

  • A bot request that a bot signature identifies as a bad bot is reset if the following condition is observed:

    • The bot terminal action (drop, redirect, or reset) for the corresponding signature is set to "False".
    [ NSBOT-222 ]

Caching

  • A Citrix ADC appliance might randomly crash if the following conditions are observed:

    • Integrated caching feature is enabled.
    • 100 GB or more memory is allocated for integrated caching.
    [ NSHELP-20854 ]

CallHome

  • On the Citrix ADC MPX 22000 platform, the show techsupport command incorrectly shows that the hard drive is not mounted.

    [ NSHELP-24223 ]

Citrix ADC SDX Appliance

  • The Citrix ADC SDX appliance upgrade fails if the Citrix Hypervisor consumes more than 90% of the disk space.

    [ NSHELP-24873 ]
  • On the Citrix ADC SDX 8900, SDX 15000, and SDX 15000-50G platforms, high CPU usage might be observed on ADC instances after upgrading the SDX appliance from release 11.1 to release 12.1, or from release 11.1 to release 13.0.

    [ NSHELP-24031 ]

Citrix Gateway

  • In rare cases, the Citrix Gateway appliance might crash during session synchronization with the secondary appliance or during Intranet IP assignment.

    [ NSHELP-25221 ]
  • The UrlName parameter is appended to the session and other policy bindings when a classic VPN URL is also bound, leading to extra configuration being added on save and reboot.

    [ NSHELP-25072 ]
  • The Citrix Gateway IIP registration fails if Split DNS is set to "Both" or "Local".

    [ NSHELP-24928 ]
  • If the ICA smart policy is enabled and there is some residual AppFlow configuration, you might observe high connection latency.

    [ NSHELP-24908 ]
  • The Citrix ADC appliance might crash when UDP audio is enabled and the internal malloc system call returns an error.

    [ NSHELP-24890 ]
  • In rare cases, a Citrix Gateway appliance crashes because of memory corruption when the syslog transport type is modified.

    [ NSHELP-24794 ]
  • The Citrix Gateway appliance does not extract the common-name from UTF8String encoded device certificates.

    [ NSHELP-24741 ]
  • The Citrix Gateway appliance crashes on removal of an intranet app whose hostName value exceeds 160 characters.

    [ NSHELP-24524 ]
  • If location detection is enabled, the Always On VPN's machine level tunnel takes a long time to get established after the client machine is restarted.

    [ NSHELP-24508 ]
  • The Citrix ADC appliance might crash when configured for clientless VPN.

    [ NSHELP-24430 ]
  • The Citrix Gateway appliance might reboot if the RDP server profile bound to the VPN virtual server does not have the RDP IP address configured and the same port is used by the RDP server profile and the VPN virtual server.

    [ NSHELP-24199 ]
  • A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.

    [ NSHELP-24085 ]
  • The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.

    [ NSHELP-23882 ]
  • The Windows plug-in displays the "Gateway not reachable" message if the client machine has multiple instances of the Hyper-V and WiFi direct access virtual adapters.

    [ NSHELP-23794 ]
  • A Citrix Gateway appliance might crash when trying to parse an incoming packet.

    [ NSHELP-23747 ]
  • The Citrix Gateway appliance crashes when using UDP audio while accessing the Virtual Desktop.

    [ NSHELP-23514 ]
  • The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.

    [ NSHELP-23410 ]
  • The Citrix ADC appliance might crash during failover if UDP audio is enabled.

    [ NSHELP-22850 ]

Citrix Web App Firewall

  • Communication errors are observed in aslearn when you reset the Citrix Web App Firewall learning data in a cluster configuration.

    [ NSWAF-6768 ]
  • In a cluster configuration, a Web Services Interoperability (WSI) Check value containing a space is considered invalid input, although it is valid on a Citrix ADC core appliance.

    [ NSWAF-6745 ]
  • The default credit card name configuration details for basic or advanced Web App Firewall profiles are missing in a cluster deployment.

    [ NSWAF-6675 ]
  • The default XML DOS binding for default Web App Firewall advanced profile is missing in a cluster deployment.

    [ NSWAF-6672 ]
  • In a cluster configuration, you cannot bind a "safeobject" rule whose "safeobject" expression is longer than 255 characters.

    [ NSWAF-6670 ]
  • The default value for "FileUploadTypesAction" configuration for basic or advanced Web App Firewall profile is missing in a cluster deployment.

    [ NSWAF-6669 ]
  • Incorrect default "CMDInjectionAction" configuration is observed for Web App Firewall basic or advanced profile in a cluster deployment.

    [ NSWAF-6668 ]
  • A Citrix ADC cluster setup might crash if there are DHT transport errors between the cluster nodes, and the field consistency protection feature is enabled.

    [ NSWAF-6560 ]
  • The Citrix Web App Firewall cookie consistency check removes the SameSite cookie attribute in the response sent by the back-end server.

    [ NSHELP-24313 ]

Load Balancing

  • When a GSLB deployment uses the round trip time (RTT) method for load balancing, the Citrix ADC appliance might fail if you delete or unbind a GSLB service while traffic is flowing.

    [ NSHELP-24425 ]
  • The Citrix ADC appliance might crash if the association between Distributed Hash Table (DHT) entry and persistence session is deleted while freeing up the persistence session.

    [ NSHELP-24213 ]
  • If a service group member is assigned a wildcard port (port *), the monitor details for that service group member can be viewed from the Monitor Details page.

    [ NSHELP-9409 ]

Networking

  • In a Citrix ADC BLX or Citrix ADC CPX appliance, installing OSPF or BGP routes to the appliance's routing table might fail.

    [ NSNET-18707 ]
  • RNAT with "useproxyport" disabled might not work as expected for source ports numbered lower than 1024.

    [ NSHELP-25162 ]
  • In a high availability setup with INC mode, any RNAT rule that has a VIP address set as the NAT IP address is removed during HA synchronization.

    [ NSHELP-24893 ]
  • Loading the Citrix ADC SNMP MIB to an SNMP manager might fail because of the presence of a duplicate object name "urlfiltDbUpdateStatus" in the SNMP MIB. The same object name "urlfiltDbUpdateStatus" is used for an SNMP trap and an SNMP trap variable binding.

    With the fix, the "urlfiltDbUpdateStatus" SNMP trap variable binding is changed to "urlFilterDbUpdateStatus".

    [ NSHELP-24778 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

    [ NSHELP-24623 ]
  • The following link load balancing route added in a non-default traffic domain is moved to the default traffic domain after you save and restart the appliance.

    • add lb route 0.0.0.0 -td 1
    [ NSHELP-24067 ]
  • IPv6 policy based routes (PBR6) on a Citrix ADC appliance might not work as expected.

    [ NSHELP-23161 ]
  • In a high availability setup, one of the Citrix ADC appliances might crash if you perform an In Service Software Upgrade (ISSU) from Citrix ADC software version 13.0 build 47.24 or earlier to a later version.

    [ NSHELP-21701 ]

Platform

  • The Citrix ADC MPX 8000-1G platform supports pooled licensing.

    [ NSPLAT-17354 ]
  • A Citrix ADC VPX instance, on which NSVLAN and two link aggregation (LA) channels are configured, is not reachable when the following conditions are met:

    • First LA channel is disabled.
    • The VPX instance is rebooted.
    [ NSPLAT-16082 ]
  • If a Citrix ADC instance uses ADM-based licensing, Citrix ADC licensing might not work when the ADM version is lower than the ADC version. Therefore, when you upgrade the ADC version, ensure that the corresponding ADM version is the same as or higher than the current ADC version.

    [ NSPLAT-15184 ]
  • While upgrading a Citrix ADC SDX appliance, if an SSD fails during one of the many reboots, the corresponding RAID pair volume becomes inactive after the appliance reboots. You can observe the following:

    • The volume appears as "not created" in the GUI.
    • The failed SSD slot is reported as "not present."
    • The corresponding VPX-SR also shows up as degraded.

    As a result, ADC instances residing on the VPX-SR might not boot or might remain in a halted state.

    [ NSHELP-24751 ]
  • When multiple LA channels are configured on an SDX appliance without any management interfaces (0/1, 0/2) and the first LA channel is disabled through the VPX CLI, the VPX appliance might be unreachable.

    [ NSHELP-21889 ]
  • On the ADC SDX 14000 and 15000 appliances, traffic loss of up to 9 seconds is observed if the following conditions are met:

    • 10G ports are connected using the LA channel to two Cisco switches that are configured in a VPC setup as active or passive.
    • The link to the active or primary Cisco switch bounces.
    [ NSHELP-21875 ]

Policies

  • A Citrix ADC appliance might crash if the following conditions are met:

    • Use of nstrace with a filter expression.
    • Authentication, authorization, and auditing authentication functionality enabled.
    [ NSPOLICY-3844 ]
  • A Citrix ADC appliance might crash if global scope variables are used in invalid HTTP requests.

    [ NSHELP-25369 ]

SSL

  • On the following Citrix ADC SDX platforms, the SSL card might go down if the external client uses ECDSA P224/521 curve for signature during SSL handshake for client authentication:

    • SDX 11515/11520/11530/11540/11542
    • SDX 22040/22060/22080/22100/22120
    • SDX 24100/24150
    • SDX 14000
    • SDX 14000-40S
    • SDX 14000-40G
    • SDX 14000 FIPS
    • SDX 25000
    • SDX 25000A
    [ NSSSL-9324 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:

    • The default profile is disabled.
    • A secure monitor is bound to a non-SSL service.
    [ NSHELP-24706 ]
  • The SSL handshake at the back end fails when the back-end server sends a single SSL record containing the following messages: 'Server Hello', 'Server Certificate', 'Server Key Exchange' and 'Server Hello Done'.

    [ NSHELP-24615 ]
  • A Citrix ADC appliance closes a DTLS session by sending an alert if the maximum retry timeout value is reached.

    [ NSHELP-24560 ]
  • A Citrix ADC MPX/SDX 11542, MPX/SDX 14000, MPX 22000/24000/25000, or MPX/SDX 14000 FIPS appliance might crash if the following conditions are met:

    • ECDHE/ECDSA hybrid model is enabled.
    • DTLS traffic is received when the CPU utilization is already high.
    [ NSHELP-24405 ]
  • A Citrix ADC appliance might not propose ECDHE ciphers in the client hello message if the following conditions are met:

    • HA synchronization is in progress.
    • Monitor probes are sent before the synchronization is complete.
    [ NSHELP-24355 ]
  • The Citrix ADC appliance crashes if NULL or RC2 ciphers are used by the SSL back-end service on the following platforms:

    • MPX 5900
    • MPX 8900
    • MPX 15000
    • MPX 15000-50G
    • MPX 26000
    • MPX 26000-50S
    • MPX 26000-100G
    [ NSHELP-24308 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.

    [ NSHELP-24201 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:

    • The default profile is enabled.
    • A secure monitor is bound to a non-SSL service.
    [ NSHELP-24037 ]
  • In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.

    [ NSHELP-23963 ]

System

  • A lightweight CPX instance might crash if you use an analytics profile without setting the collector.

    [ NSHELP-25239 ]
  • Configure HTTP/2 Initial Connection Window Size

    As per RFC 7540, the flow-control window for an HTTP/2 stream and for the connection must be initialized to 64K (65535) octets, and any change to this value must be communicated to the peer. The ADC appliance communicates the change in flow-control window size as follows:

    • Using the SETTINGS frame for the stream level flow-control window.
    • Using the WINDOW_UPDATE frame for the connection level flow-control window.

    In an HTTP profile, you can configure the http2InitialWindowSize parameter to set the initial window size at the stream level.

    Because of an internal system error, the ADC appliance also initializes the flow-control window for the connection with the value configured for "http2InitialWindowSize". When the configured flow-control window for the stream changes, the ADC appliance communicates the change to the peer using the SETTINGS frame. However, the ADC appliance fails to communicate the change in the connection-level flow-control window using the WINDOW_UPDATE frame, so the peer keeps the default 65535-octet connection window. This leads to a connection freeze.

    To overcome the issue, the http2InitialConnWindowSize parameter (in bytes) is now added to control the connection level flow-control window. By using separate configurable parameters namely "http2InitialWindowSize" and "http2InitialConnWindowSize", you can now configure the flow-control window size at both stream and connection levels.

    Configure HTTP/2 initial connection-level flow-control window size parameter by using the CLI

    At the command prompt, type:

    "set httpprofile p1 -http2InitialConnWindowSize <window-size>"

    where http2InitialConnWindowSize is the initial window size for connection-level flow control, in bytes.
    Default value: 65535
    Minimum value: 65535
    Maximum value: 67108864

    [ NSHELP-25155 ]
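The two announcements described above, as an added example that is not Citrix code: SETTINGS_INITIAL_WINDOW_SIZE only resizes stream windows, so a connection window larger than 65535 must be announced with a WINDOW_UPDATE on stream 0; the `window_mismatch` function models the defect (connection window changed locally but never announced) beside the fixed behaviour. Frame layouts follow RFC 7540; the 1 MiB window values are constructed sample input.

```python
"""Added example: HTTP/2 stream vs. connection flow-control window announcements."""
import struct

DEFAULT_WINDOW = 65535               # RFC 7540 initial window for every stream and for the connection
MAX_CONN_WINDOW = 67108864           # http2InitialConnWindowSize maximum from the release note
FRAME_SETTINGS = 0x4
FRAME_WINDOW_UPDATE = 0x8
SETTINGS_INITIAL_WINDOW_SIZE = 0x4   # SETTINGS identifier for the stream-level window


def encode_frame(ftype, flags, stream_id, payload):
    """Build a frame with the 9-octet header: 24-bit length, type, flags, 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for the 24-bit length field")
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def settings_frame(stream_window):
    """SETTINGS carrying SETTINGS_INITIAL_WINDOW_SIZE; this applies to streams, never to the connection."""
    payload = struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, stream_window)
    return encode_frame(FRAME_SETTINGS, 0, 0, payload)


def connection_window_update(conn_window):
    """WINDOW_UPDATE on stream 0 raising the peer's connection window from 65535 to conn_window."""
    if not DEFAULT_WINDOW <= conn_window <= MAX_CONN_WINDOW:
        raise ValueError("connection window must be between 65535 and 67108864 bytes")
    increment = conn_window - DEFAULT_WINDOW
    if increment == 0:
        return b""   # nothing to announce: the peer already assumes 65535
    return encode_frame(FRAME_WINDOW_UPDATE, 0, 0, struct.pack("!I", increment))


def announce_windows(stream_window, conn_window, send_window_update):
    """Frames sent after the connection preface. send_window_update=False models the defect:
    the connection window is changed locally but never announced to the peer."""
    frames = settings_frame(stream_window)
    if send_window_update:
        frames += connection_window_update(conn_window)
    return frames


def parse_frames(data):
    """Split a byte string into (type, stream_id, payload) tuples, rejecting truncated frames."""
    frames, pos = [], 0
    while pos < len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype = data[pos + 3]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((ftype, stream_id, payload))
        pos += 9 + length
    return frames


def peer_connection_window(data):
    """The connection-level window the receiving peer believes it has: per RFC 7540 only a
    WINDOW_UPDATE on stream 0 changes it, SETTINGS_INITIAL_WINDOW_SIZE does not."""
    window = DEFAULT_WINDOW
    for ftype, stream_id, payload in parse_frames(data):
        if ftype == FRAME_WINDOW_UPDATE and stream_id == 0:
            window += struct.unpack("!I", payload)[0] & 0x7FFFFFFF
    return window


def window_mismatch(stream_window, conn_window, send_window_update):
    """Bytes the local side expects to receive beyond what the peer will send before it blocks on
    the connection window. A non-zero result is the stalled connection described in the note."""
    wire = announce_windows(stream_window, conn_window, send_window_update)
    return conn_window - peer_connection_window(wire)


if __name__ == "__main__":
    # Constructed sample: stream and connection window both configured to 1 MiB.
    print("defect:", window_mismatch(1 << 20, 1 << 20, send_window_update=False))  # 983041
    print("fixed :", window_mismatch(1 << 20, 1 << 20, send_window_update=True))   # 0
```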
  • A Citrix ADC appliance might crash because of memory corruption when the HTTP/2 feature is enabled.

    [ NSHELP-25005 ]
  • In a cluster setup, the validation of default values in surge protection is handled differently on the database and packet engine.

    [ NSHELP-24455 ]
  • The analytics records are not sent to Citrix ADM if the following conditions are observed:

    • An IPFIX collector is configured in the admin partition of the Citrix ADC appliance.
    • The collector is in a subnet other than that of the SNIP address.
    [ NSHELP-24283 ]
  • High CPU usage is observed in the Citrix ADC web logging (NSWL) client running on a Linux platform if the polling interval is not set properly.

    [ NSHELP-24266 ]
  • When you enable AppFlow on an ADC instance, ADM does not display HDX Insight for that instance. This issue occurs because ADM fails to process the Logstream data received from the instance.

    [ NSHELP-24227 ]
  • Deleting a TCP profile bound to a content switching virtual server leads to a configuration inconsistency in the cluster database.

    [ NSHELP-24004 ]
  • A Citrix ADC appliance might crash while clearing the configuration when it tries to access the ICAP server details. The server details information is not removed from the monitor list when the ICAP content inspection configuration is cleared.

    [ NSHELP-23945 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:

    • HTTP/2 is enabled in the HTTP profile bound to a load balancing virtual server of type HTTP/SSL, or to a service.
    • The connection multiplexing option is disabled in the HTTP profile bound to the load balancing virtual server or service.
    [ NSHELP-21202 ]
  • A Citrix ADC appliance with connection chaining and SSL enabled might send data exceeding the MTU.

    [ NSHELP-9411 ]
  • After an upgrade to Citrix ADC version 12.1 build 61.x, the appliance might crash if registered on the ADM server.

    [ NSBASE-13031 ]
  • Enabling metrics collector in the default partition might fail if it is already enabled in the admin partition setup.

    [ NSBASE-12623 ]
  • In a cluster setup, enabling process local support for MPTCP connections reduces the inter-node steering.

    [ NSBASE-10587 ]

User Interface

  • The diff ns config command displays the error message "ERROR: Failed to get UID for command: apply ns pbr6". This happens when the apply ns pbr6 command is saved in the ns.conf or running-config files.

    [ NSHELP-25373 ]
  • In a cluster setup, unwanted extra binding configuration gets saved in the ns.conf file.

    [ NSHELP-24636 ]
  • The following error conditions are observed in the Citrix Gateway GUI:

    • When a policy is bound to primary authentication in the VPN virtual server, the GUI incorrectly shows that the policy is bound to the secondary authentication and the group authentication.
    • When the VPN virtual server is bound to a server certificate, the GUI incorrectly shows that the VPN virtual server is bound to a CA certificate as well.
    [ NSHELP-24494 ]
  • On a Citrix ADC SDX platform, the following error message appears while loading the GUI:
    Operation not supported by device [Pooled licensing not supported on this platform]

    [ NSHELP-24474 ]
  • On the Citrix ADC GUI, you are unable to view the "Custom Reports" created for a specific partition.

    [ NSHELP-24370 ]
  • The following temporary files in the /var/tmp folder of a Citrix ADC appliance cause a memory-full state:

    • sh.runn.audit.<pid> file created by nsconfigaudit tool.
    • tmp_ns.conf.<pid> file created by show run command for partition.
    [ NSHELP-24092 ]
  • For a "routerdynamicrouting" NITRO API request, the Citrix ADC appliance might return JSON data with formatting errors if the response size is large.

    [ NSHELP-19913 ]
  • A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in the diffnsconfig command, because the diffnsconfig output is large enough to completely fill the root disk.

    [ NSHELP-19345 ]

Known Issues

The issues that exist in release 13.0-71.44.

Authentication, authorization, and auditing

  • A Citrix ADC appliance might crash if the following conditions are met:

    • The appliance is under memory pressure.
    • SAML is configured as one of the authentication methods.
    [ NSHELP-28855 ]
  • In a rare scenario, the secondary node in a high availability setup might crash if the following condition is met:

    • The "aaa groups" and/or "aaa users" are configured on the Citrix ADC appliance.
    [ NSHELP-26732 ]
  • In certain scenarios, the bind authentication, authorization, and auditing group command might fail if the policy name is longer than the intranet application name.

    [ NSHELP-25971 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml login schema does not appear properly in the login schema editor screen of the Citrix ADC GUI.

    [ NSAUTH-6106 ]
  • An ADFS proxy profile can be configured in a cluster deployment. The status of the proxy profile is incorrectly displayed as blank when you issue the following command:
    "show adfsproxyprofile <profile name>"

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. This displays the proxy profile status.

    [ NSAUTH-5916 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

    [ NSHELP-22942 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

    [ NSSVM-4333 ]

Citrix Gateway

  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

    [ NSHELP-28551 ]
  • Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

    [ NSHELP-28404 ]
  • The Citrix Gateway appliance might crash while processing server-initiated UDP traffic.

    [ NSHELP-27611 ]
  • The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.

    [ NSHELP-27570 ]
  • The Citrix Gateway appliance might crash if an unknown VPN client option is set in the session policy.

    [ NSHELP-27380 ]
  • When you enter the FQDN as the proxy in the Create Citrix Gateway Traffic Profile page, the message "Invalid Proxy Value" appears.

    [ NSHELP-26613 ]
  • The Citrix ADC appliance crashes if either of the following conditions occurs:

    • The syslog action is configured with the domain name and you clear the configuration by using the GUI or the CLI.
    • High availability synchronization happens on the secondary node.

    Workaround:

    Create the syslog action with the syslog server's IP address instead of its domain name.

    [ NSHELP-25944 ]
  • While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

    • A default pre-shared key (PSK) is configured.
    • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
    [ NSHELP-25694 ]
  • The EPA plug-in for Windows does not use the local machine's configured proxy and connects directly to the gateway server.

    [ NSHELP-24848 ]
  • Gateway Insight does not display accurate information about VPN users.

    [ NSHELP-23937 ]
  • The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.

    Example:

    New output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0

    Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
    Priority: 1
    Global bindpoint: REQ_DEFAULT

    Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
    Priority: 100
    Global bindpoint: RES_DEFAULT
    Done
    >

    Previous output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

    Advanced Policies:

    Global bindpoint: REQ_DEFAULT
    Number of bound policies: 1

    Done

    [ NSHELP-23496 ]
  • Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.

    [ NSHELP-21897 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

    [ CGOP-13621 ]
  • The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.

    [ CGOP-13584 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]
  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays its content in English irrespective of the selected language.

    [ CGOP-13050 ]
  • The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]
  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830 ]
  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]

Networking

  • A Citrix ADC BLX appliance in DPDK mode might crash if a Web Application Firewall profile is configured with advanced security protection checks.

    Workaround: Remove the Advanced security protection configuration for WAF.

    [ NSNET-22654 ]
  • In a Citrix ADC BLX appliance, an NSVLAN bound to tagged non-DPDK interfaces might not work as expected. An NSVLAN bound to untagged non-DPDK interfaces works as expected.

    [ NSNET-18586 ]
  • After upgrading a Citrix ADC BLX appliance from a 13.0 61.x build to a 13.0 64.x build, the settings in the BLX configuration file are lost and the file is reset to its defaults.

    [ NSNET-17625 ]
  • The following interface operations are not supported for Intel `X710 10G (i40e)` interfaces on a Citrix ADC BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset
    [ NSNET-16559 ]
  • On a Debian-based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file ("/etc/blx/blx.conf") settings. This issue occurs because "mawk", which is present by default on Debian-based Linux systems, does not run some of the awk commands present in the "blx.conf" file.

    Workaround: Install "gawk" before installing a Citrix ADC BLX appliance. Run the following command in the Linux host CLI to install "gawk":

    • apt-get install gawk
    [ NSNET-14603 ]
  • Installation of a Citrix ADC BLX appliance might fail on a Debian-based Linux host (Ubuntu version 18 and later) with the following dependency error:

    "The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable"

    Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

    • dpkg --add-architecture i386
    • apt-get update
    • apt-get dist-upgrade
    • apt-get install libc6:i386
    [ NSNET-14602 ]
  • In a high availability setup, VPN user sessions get disconnected if the following condition is met:

    • Two or more successive manual HA failover operations are performed while HA synchronization is in progress.

    Workaround: Perform successive manual HA failover operations only after the HA synchronization is completed (both nodes are in the Sync success state).

    [ NSHELP-25598 ]
  • In a high availability setup, a dynamic routing enabled SNIP address is not exposed to vtysh on reboot if the following condition is met:

    • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

    As part of the fix, the Citrix ADC appliance no longer allows binding a dynamic routing enabled SNIP address to the shared VLAN in a non-default partition.

    [ NSHELP-24000 ]

Platform

  • When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build, or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some Python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

    • 13.1-4.x
    • 13.0-82.31 and later
    • 12.1-62.21 and later

    The Python packages are not installed when you downgrade the Citrix ADC version from 13.1-4.x to any of the following versions:

    • Any 11.1 build
    • 12.1-62.21 and earlier
    • 13.0-81.x and earlier
    [ NSPLAT-21691 ]

Policies

  • Connections might hang if the size of the data being processed exceeds the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.

    [ NSPOLICY-1267 ]

SSL

  • On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, the configuration of SSL entities is lost if the SDX 26000 appliance is restarted.

    Workaround:

    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
    2. Save the configuration.
    [ NSSSL-9572 ]
  • An update command is not available for the following add commands:

    • add azure application
    • add azure keyvault
    • add ssl certkey with hsmkey option
    [ NSSSL-6484 ]
  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]
  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]
  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]
  • A Citrix ADC appliance crashes while processing an HTTP request if the policy action is set to "Forward" for a policy that is already bound at the request bind point.

    [ NSHELP-29115 ]
  • In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.

    [ NSHELP-28058 ]
  • In a high availability setup, CRL auto refresh fails intermittently if both of the following conditions are met:

    • Files are syncing from the primary node to the secondary node.
    • CRL file is downloading from the CRL server at the same time.
    [ NSHELP-27435 ]
  • The CA certificate name that issued the CRL is truncated to 32 characters, even though a certificate-key name can be up to 64 characters. This issue occurs because the CRL field has a limit of 32 characters.

    [ NSHELP-26986 ]

System

  • The connection chaining TCP option gets added to the Citrix ADC RPC connections. This causes an interoperability issue with GSLB site communication.

    [ NSHELP-27417 ]
  • Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

    [ NSHELP-27410 ]
  • A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

    [ NSHELP-27179 ]
  • A mismatch in Logstream records is observed between the Citrix ADC appliance and the dataloader.

    [ NSHELP-25796 ]
  • In a rare case, a Citrix ADC appliance might send incorrect TCP SACK sequence numbers to the client when forwarding them from the back-end server. The issue occurs if the TCP Selective ACK (SACK) option is enabled in a TCP profile.

    [ NSHELP-24875 ]
  • In a cluster setup, the "set ratecontrol" command works only after restarting the Citrix ADC appliance.

    Workaround: Use the "nsapimgr_wr.sh -ys icmp_rate_threshold=<new value>" command.

    [ NSHELP-21811 ]
  • When processing large streams of gRPC traffic, the TCP advertised window increases exponentially, leading to high memory usage.

    [ NSBASE-15447 ]

User Interface

  • In the Compression Policy Manager GUI, you cannot bind a compression policy to the HTTP protocol by specifying a relevant bind point and connection type.

    [ NSUI-17682 ]
  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.

    Workaround: Configure CloudBridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]
  • After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail for the following reason:

    • The "ssh_host_rsa_key" private and public keys do not form a matching pair.

    Workaround: Regenerate "ssh_host_rsa_key". For more information, see https://support.citrix.com/article/CTX322863.

    [ NSHELP-27834 ]
  • You cannot bind a service or a service group to a priority load balancing virtual server using the Citrix ADC GUI.

    [ NSHELP-27252 ]
  • In a Citrix ADC VPX appliance, a set capacity operation might fail after adding a license server. The issue occurs because the Flexera-related components take longer to initialize because of the large number of supported check-in and check-out (CICO) licenses.

    [ NSHELP-23310 ]
  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]
  • When you downgrade a Citrix ADC appliance from version 13.0-71.x to an earlier build, some NITRO APIs might not work because of file permission changes.

    Workaround: Change permission for "/nsconfig/ns.conf" to 644.

    [ NSCONFIG-4628 ]
  • Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.

    [ NSCONFIG-4330 ]
  • If you (the system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the following builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration.
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI, at the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords of the other system users.
    • If neither of the above options works, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]