Release Notes for Citrix ADC 13.0-79.64 Release
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Citrix ADC classic policies are deprecated and will be removed in a future release. Citrix recommends using advanced policies. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/introduction-to-policies-and-exp/classic-policy-deprecation-faq.html.
What's New
Authentication, authorization, and auditing
Polling support during authentication
Citrix ADC appliance can now be configured for Polling during multifactor authentication.
The Polling mechanism enables a Citrix ADC appliance to resume an ongoing authentication with the endpoint without having to restart the authentication process in a rare case of a TCP connection reset at the endpoint.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/polling-for-nfactor.html
[ NSAUTH-9043 ]
Bot Management
Bot detection based on mouse and keyboard dynamics
The Citrix bot management system can now detect bots based on keyboard and mouse movements. Unlike conventional bot techniques that require direct human interaction (for example, CAPTCHA validation), the new bot detection technique passively monitors mouse and keyboard dynamics. The Citrix ADC appliance then collects the real-time user data and sends the data to the Citrix ADM server for bot analysis.
The bot detection technique using keyboard and mouse dynamics has the following benefits:
- Enables monitoring throughout the user session and eliminates the single checkpoint.
- Requires no human interaction and it is completely transparent to users.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html
[ NSBOT-402 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, an ADC instance state currently shows "Out of Service" when the following conditions are met:
- The password of the ADC instance is changed directly using the instance CLI.
- The password doesn't match the instance admin profile password stored in the Management Service.
- The previous session is lost after you reboot the instance for the first time.
Now, whenever the instance goes out of service due to authentication failure, the instance state color changes to grey. To recover the instance, do one of the following:
- From the instance CLI, modify the password of the instance to match the password in the admin profile of the instance. Then rediscover the instance from the Management Service.
- Create an admin profile with the same password as the current password of the ADC instance. Then, update the ADC instance with the new admin profile.
[ NSSVM-4193 ]
Citrix Web App Firewall
Relaxation and enforcement modes for handling HTML SQL injection attacks
Web Application Firewall is now enhanced to operate in relaxation mode and enforcement mode for higher security protection. Depending on how you want the appliance to handle HTML SQL injection attacks, you can configure the security check either in enforcement or relaxation mode.
In enforcement mode, the security check allows HTML SQL injection attacks to bypass unless you have explicitly configured the profile to block the violations by binding enforcement rules.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/top-level-protections/relaxtion-and-deny-rules-for-html-sql-injection-attack.html
[ NSWAF-6435 ]
Load Balancing
Improved GSLB configuration synchronization performance and reduced synchronization time
The Citrix ADC appliance now supports incremental synchronization of GSLB configuration. In incremental synchronization, only the configuration that has changed on the main site between the last synchronization and the subsequent sync interval (10 seconds) is synchronized across all the subordinate sites. Pushing only the incremental configuration considerably reduces the configuration file size and thus the overall time taken for synchronization. This also improves the GSLB configuration synchronization performance. If an incremental synchronization fails, the Citrix ADC appliance automatically performs a full configuration synchronization.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/global-server-load-balancing/synchronizing-configuration-in-gslb-setup/real-time-synchronization.html
[ NSLB-7384 ]
New algorithms for consistent hashing
The Prime Re-Shuffled Assisted CARP (PRAC) and Jump table Assisted Ring Hash (JARH) algorithms are now supported to perform consistent hashing. These algorithms provide consistency and uniform distribution of the traffic.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-customizing-algorithms/hashing-methods.html
[ NSLB-7028 ]
In rare cases, an LDAP monitor incorrectly shows the LDAP server status as down because the monitor does not send the correct password in the server probe.
[ NSHELP-24967 ]
Networking
BGP MD5 authentication support for Citrix ADC BLX appliances
The Citrix ADC BLX appliance now supports MD5 authentication for Border Gateway Protocol (BGP) with IPv4 peers.
When authentication is enabled, any BGP TCP segment exchanged between the BGP IPv4 peers is verified and accepted only if authentication is successful. For successful authentication, the peers must be configured with the same MD5 password. If authentication fails, the BGP neighbor relationship is not established.
MD5 authentication support for BGP in the Citrix ADC BLX appliance is compliant with RFC 2385.
[ NSNET-19089 ]
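As an added illustration of the RFC 2385 mechanism described above (example code, not Citrix's own), the Python below signs a BGP segment with the TCP MD5 signature option and verifies it, rejecting a segment signed with a different password, an unsigned segment, or a tampered one; the peer addresses, password and KEEPALIVE payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
MD5SIG_KIND = 19   # TCP option kind for the MD5 signature (RFC 2385)
MD5SIG_LEN = 18    # kind (1) + length (1) + 16-byte digest
BGP_PORT = 179

# Constructed sample values: documentation addresses, a shared password and a
# BGP KEEPALIVE message (16-byte marker, length 19, type 4).
PEER_A = "192.0.2.1"
PEER_B = "192.0.2.2"
SHARED_KEY = b"example-bgp-password"
BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"


def tcp_md5_digest(saddr, daddr, tcp_hdr, options_len, payload, key):
    """RFC 2385 digest over: IPv4 pseudo-header, the 20-byte TCP header with
    checksum zeroed (options excluded), the segment data, then the key.
    options_len only feeds the TCP length field of the pseudo-header."""
    seg_len = len(tcp_hdr) + options_len + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(saddr),
                         socket.inet_aton(daddr), 0, TCP_PROTO, seg_len)
    hdr_no_csum = tcp_hdr[:16] + b"\x00\x00" + tcp_hdr[18:20]
    return hashlib.md5(pseudo + hdr_no_csum + payload + key).digest()


def _tcp_header(sport, dport, seq, ack, options_len, flags):
    data_offset = (20 + options_len) // 4        # header length in 32-bit words
    # src port, dst port, seq, ack, offset/reserved, flags, window, csum, urgent
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset << 4, flags, 65535, 0, 0)


def build_signed_segment(saddr, daddr, sport, dport, seq, ack, payload, key):
    """Build a TCP segment (PSH+ACK) carrying the MD5 signature option."""
    options_len = MD5SIG_LEN + 2                 # option padded with two NOPs
    hdr = _tcp_header(sport, dport, seq, ack, options_len, 0x18)
    digest = tcp_md5_digest(saddr, daddr, hdr, options_len, payload, key)
    options = struct.pack("!BB16s", MD5SIG_KIND, MD5SIG_LEN, digest) + b"\x01\x01"
    return hdr + options + payload


def build_plain_segment(sport, dport, seq, ack, payload):
    """The same segment without options: what an unauthenticated peer sends."""
    return _tcp_header(sport, dport, seq, ack, 0, 0x18) + payload


def _find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                            # End of option list
            return None
        if kind == 1:                            # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                          # malformed option list
        if kind == MD5SIG_KIND and length == MD5SIG_LEN:
            return bytes(options[i + 2:i + 18])
        i += length
    return None


def verify_segment(saddr, daddr, segment, key):
    """True only if the segment carries a signature matching `key`.
    Unsigned, malformed or tampered segments are rejected, which is what a
    peer configured for RFC 2385 authentication must do."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    hdr, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    received = _find_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(saddr, daddr, hdr, len(options), payload, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    seg = build_signed_segment(PEER_A, PEER_B, 40000, BGP_PORT, 1000, 2000,
                               BGP_KEEPALIVE, SHARED_KEY)
    print("same key :", verify_segment(PEER_A, PEER_B, seg, SHARED_KEY))  # True
    print("wrong key:", verify_segment(PEER_A, PEER_B, seg, b"other"))    # False
```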
Platform
VMware ESX 7.0 update 1c support on Citrix ADC VPX instance
The Citrix ADC VPX instance now supports the VMware ESX version 7.0 Update 1c (Build 1732555).
[ NSHELP-26444 ]
SSL
Support for 4096-bit RSA client certificate
On a Citrix ADC VPX appliance, client authentication with a 4096-bit RSA client certificate is now supported during an SSL handshake.
[ NSSSL-8194 ]
System
Monitor support for proxy protocol
A Citrix ADC appliance configured with the proxy protocol now supports monitor checks. The monitor check ensures that the backend server also supports the proxy protocol, and it is used to monitor the health status of the backend server.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-builtin-monitors/monitor-proxy-protocol-services.html
[ NSBASE-13489 ]
Monitor support for HTTP/2 protocol
Citrix ADC appliance now supports HTTP/2 monitors for monitoring the health of HTTP/2 services.
For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-builtin-monitors/monitor-http2-services.html
[ NSBASE-11299 ]
Fixed Issues
Authentication, authorization, and auditing
Error message customization on the portal page for end users fails when the "enableEnhancedAuthFeedback" parameter is enabled using the "set aaa parameter" command.
[ NSHELP-26814 ]
You cannot unset the group attribute from "memberof" in the LDAP server when configuring via the Citrix ADC GUI.
[ NSHELP-26199 ]
The Citrix Gateway plug-in fails to launch if the following conditions are met:
- Citrix Gateway appliance is configured as Full VPN only.
- Authentication method is OAuth RP.
[ NSHELP-26020 ]
In a Citrix ADC BLX appliance, LDAP authentication might not work as expected with the SSL, TLS, and plaintext security types.
[ NSHELP-25809 ]
The following issues are observed when the Citrix ADC appliance is configured as the Relying Party (RP).
- The appliance fails to process the authentication request from OAuth IdP if the IdP uses signature algorithm for JWT as RS512.
- The appliance sends "anonymous" value for "login_hint" parameter to OAuth IdP.
[ NSHELP-25794 ]
When you log off from Citrix Gateway and if RADIUS accounting is configured on the gateway, the logout information is not sent to the RADIUS accounting server.
[ NSHELP-25765 ]
Authentication fails during dialogue mode when the RADIUS server sends multiple duplicate responses.
[ NSHELP-25758 ]
The Citrix Gateway plug-in fails to launch if the following conditions are met:
- Citrix Gateway appliance is configured as Full VPN only.
- SSPR registration is configured as the last factor.
[ NSHELP-25691 ]
While configuring an authentication policy using the Citrix ADC GUI, "NO AUTH" action cannot be selected.
[ NSHELP-25466 ]
In some cases, the Citrix ADC appliance might crash when a user tries to authenticate and if the appliance is configured as follows.
- The appliance is configured for 401 authentication
- Authentication policy has NoAuth in first factor and Certificate authentication in the second factor
[ NSHELP-25051 ]
Bot Management
You cannot bind multiple rate limit session cookies to a bot profile.
[ NSBOT-390 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, the Management Service does not send syslog messages to the configured syslog servers.
[ NSHELP-27000 ]
After you restart the Management Service, first time checkout of instances or bandwidth from a pooled licensing server might fail.
[ NSHELP-26878 ]
On a Citrix ADC SDX appliance running software version 13.0, the ADC instances can be unreachable from the Management Service even though the instances are reachable directly using the instance IP address.
[ NSHELP-26679 ]
When you restart the Management Service and if some VPX instances are provisioned, the following error message appears if you try to edit the session timeout for the default group from the System > User Administration > Groups page.
Authorized scope for default group cannot be changed.
[ NSHELP-26556 ]
Inventory does not happen as per the inventory cycle for instances where the IP address used during instance provisioning is changed later from the instance directly.
[ NSHELP-26407 ]
Citrix Gateway
The Citrix ADC appliance might crash in an SSO flow if Citrix Secure Web Gateway and AppFlow are configured.
[ NSHELP-26781 ]
The Override Global option for the Local LAN Access parameter in the Citrix Gateway Session Profile > Client Experience > Advanced is disabled. It is enabled by default in the previous builds.
[ NSHELP-26689 ]
The Citrix Gateway appliance crashes if IDENT port (113) is accessed from a user to another user's client using Intranet IP (plugin-to-plugin traffic) over a full VPN tunnel.
[ NSHELP-26631 ]
EPA libraries for macOS are updated to version 1.3.4.7 (Opswat version: 4.3.1566.0).
[ NSHELP-26538 ]
The Citrix Gateway appliance crashes when a server initiated connection sends data packets after the connection is closed.
[ NSHELP-26431 ]
The Citrix Gateway login page displays an error stating that the login has failed if the following sequence of conditions is met. The error appears even if the user has not tried to log on again.
- Log on to the Citrix Gateway fails.
- Log on to the Citrix Gateway succeeds.
- The user logs out.
[ NSHELP-25157 ]
False launch failures of applications are reported in Gateway Insight. The launch failures are reported when there are no app or desktop launches.
[ NSHELP-23047 ]
While adding an authentication virtual server using the XenApp and XenDesktop wizard, test connectivity for that authentication server fails.
[ CGOP-16792 ]
Citrix Web App Firewall
In a cluster configuration, the Web App Firewall learning engine learns the same data multiple times if the SQL wildcard matches a percentile (%) character.
[ NSWAF-7489 ]
A Citrix ADC appliance might crash if startURL closure is enabled and there is a memory allocation failure.
[ NSHELP-27155 ]
An issue is observed if cookie values are separated by a comma (a non-RFC standard) after cookie samesite support is added to the Citrix Web App Firewall profile.
[ NSHELP-26846 ]
A Citrix ADC appliance might crash if bot management fails to insert JavaScript in the HTTP response.
[ NSHELP-26730 ]
A memory leak might be observed when some message buffers used for XSS logging are not freed for specific payloads.
[ NSHELP-26430 ]
In a high availability setup, if dynamic profiling is configured along with SNMP alerts enabled, a spike in memory usage might be observed on the secondary node.
[ NSHELP-25580 ]
The Citrix ADC appliance might crash because of a timeout issue when adding a violation record to a long list of records.
[ NSHELP-25507 ]
Load Balancing
In a cluster-GSLB deployment, the effective state of the local GSLB services is not updated on non-owner nodes because the GSLB owner node is unable to send service state updates to the non-owner nodes.
[ NSHELP-26260 ]
A Citrix ADC appliance might crash while processing an invalid session initiation protocol (SIP) packet.
[ NSHELP-26202 ]
When a content switching virtual server receives an HTTPS request, the largest cookie in the HTTPS request leads to a buffer overflow and stack corruption when the following conditions are met:
- The cookie format is incorrect.
- The cookie length is greater than 32 bytes.
[ NSHELP-25932 ]
When you modify the backend-server IP address for a server whose name is not the same as its IP address, you might not be able to save the complete configuration. This is a rare case and might occur if the Citrix ADC appliance memory is low.
[ NSHELP-24329 ]
In an Autoscale high availability or cluster deployment, a Citrix ADC appliance might crash when a service member is created and the following condition is met:
- The service member is bound to a service group on a non-owner node or a secondary node with the health monitoring option disabled.
[ NSHELP-24029 ]
Miscellaneous
In a cluster setup, command propagation might fail because the connection with the CCO is lost. The issue is observed if both of the following conditions are met:
- You perform a command propagation operation in the setup.
- The setup is in an idle state for more than two hours. A cluster setup is said to be in an idle state if there is no exchange of any CLI commands between nodes.
[ NSHELP-26350 ]
Networking
In a cluster setup with maximum connection (maxConn) global parameter set to a non-zero value, CLIP connections might fail if any of the following conditions is met:
- Upgrading the setup from Citrix ADC 13.0 76.x build to Citrix ADC 13.0 79.x build.
- Restarting the CCO node in a cluster setup running Citrix ADC 13.0 76.x build.
[ NSNET-21173 ]
As the number of newnslog backup files increases, a running Citrix ADC CPX instance might run short of disk space over a period of time. Using the NEWNSLOG_MAX_FILENUM environment variable, you can control the number of backup files. For example, setting the environment variable value to 10 limits the maximum number of newnslog backup files to 10.
[ NSNET-20261 ]
A Citrix ADC BLX appliance now supports the Citrix ADC IPv6 OSPF (OSPFv3) dynamic routing protocol feature. For more information, see https://docs.citrix.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-dynamic-routes/configuring-ipv6-ospf.html.
[ NSNET-19567 ]
A Citrix ADC appliance might crash when all of the following conditions are met:
- MAC mode is enabled on a non-addressable load balancing virtual server.
- The same virtual server is part of a link load balancing configuration or a policy-based routing configuration.
As part of the fix, the Citrix ADC appliance now displays the following warning message when the above conditions are met:
- Warning: MAC mode redirection should not be enabled with LLB config.
[ NSNET-19485 ]
A Citrix ADC appliance might crash, if the following conditions are present:
- IPv6 link load balancing (LLB6) configuration has persistency option enabled.
- Some IPv6 dummy connections are created for this LLB6 configuration
[ NSHELP-25695 ]
In a cluster AWS cloud setup, the node with a higher priority value might become the CCO. It happens when eight or more nodes with all different priority values are rebooted together.
[ NSHELP-25244 ]
Platform
In some cases, a VPX instance on a Citrix SDX appliance does not come up if a large number of interfaces are added to the VPX instance.
[ NSHELP-26861 ]
On a Citrix ADC SDX 15000-50G appliance, in cases of a brief surge of data traffic not directed to any of the ADC VPX instances, the following issue might happen:
- The LACP link on 10G ports might flap intermittently or go down permanently.
[ NSHELP-25561 ]
On a Citrix ADC SDX appliance, during a warm reboot of a VPX instance configured as a cluster node, the backplane LA channel might go into a PARTIAL-UP state because of a set interface command failure.
[ NSHELP-23353 ]
By default, high availability monitor (HAMON) and HA heartbeat are disabled on a management interface that is configured as an internal management interface. Also, HAMON and HA heartbeat cannot be enabled on this interface.
Later, if the same interface is configured back as a management interface and the VPX instance is rebooted, HAMON and HA heartbeat options are still disabled.
However, you can now enable these options manually to avoid any issues with the HA configuration.
[ NSHELP-21803 ]
Policies
Unable to use variables in the assignment if the variable length is greater than 31 characters.
[ NSHELP-26362 ]
A failover might occur in a high availability setup if many non-HTTP, non-TCP packets are queued waiting to be handled after their processing has been blocked.
[ NSHELP-23506 ]
SSL
On a Citrix ADC appliance, a memory leak is seen if the SSL "sessionTicket" parameter is enabled.
[ NSHELP-26207 ]
A Citrix ADC appliance might crash while handling requests from TLS 1.3 clients if the following conditions are met:
- The TLS 1.3 protocol is enabled on the front-end virtual server.
- The underlying hardware platform uses Intel Coleto Creek crypto acceleration cards (select MPX and SDX models use these chips.)
- On SDX platforms, Intel Coleto Creek crypto card resources are assigned to the ADC instance.
[ NSHELP-26089 ]
Connection failures due to low memory might be seen on a Citrix ADC appliance when admin partition is enabled. The issue happens when the SSL crypto hardware chips are full.
[ NSHELP-25981 ]
In a cluster setup, you might observe the following issues:
- Missing command for the default certificate-key pair binding to the SSL internal services on the CLIP. However, if you upgrade from an older build you might have to bind the default certificate-key pair to the affected SSL internal services on the CLIP.
- Configuration discrepancy between the CLIP and the nodes for the default set command to the internal services.
- Missing default cipher bind command to the SSL entities in the output of the show running config command run on a node. The omission is only a display issue and has no functional impact. The binding can be viewed using the show ssl <entity> <name> command.
[ NSHELP-25764 ]
The Citrix ADC appliance becomes unresponsive if the following conditions are met:
- DTLS is enabled.
- UDP multiplexing uses a DTLS channel and pumps traffic at a high rate.
[ NSHELP-22987 ]
System
In a high availability setup, the secondary node might crash if metrics is enabled on the Citrix ADC appliance from Citrix ADM.
[ NSHELP-26969 ]
When a Citrix ADC appliance processes a duplicate TCP packet, the following issues are observed on the appliance:
- The appliance generates a duplicate ACK with DSACK and the packet is dropped.
- If the incoming packet has any window update, the appliance makes a copy of it and simulates a window update ACK.
- The appliance creates the window update ACK with an incorrect timestamp.
[ NSHELP-26893 ]
In HTTP/2 front-end and HTTP/1.1 back-end scenarios, the user is unable to see back-end server connections if the Vserver IP filter and -link enabled parameters are configured in nstrace command.
[ NSHELP-26717 ]
For a client connection, a Citrix ADC appliance might incorrectly send a connection keep-alive header in response to the client's connection-close header. This incorrect connection keep-alive header leads to a delay in closing the connection on the client.
[ NSHELP-26474 ]
Once enabled, the "clientSideMeasurements" parameter cannot be disabled in the AppFlow action command.
[ NSHELP-26464 ]
A Citrix ADC appliance might crash if the following conditions are observed:
- If a client request comes from a resource (with the same IP address and port) for which a resource on the previous Intrusion Prevention System (IPS) connection structure is not freed.
- The Intrusion Prevention System (IPS) module tries to access the non-freed resource from the freed structure.
[ NSHELP-26450 ]
A Citrix ADC appliance might crash when a reset is sent on a request which is being cached.
[ NSHELP-26410 ]
The patch HTTP method gets blocked when the markHTTPHeaderExtraWSError parameter is enabled in the set httpProfile command.
[ NSHELP-26398 ]
A Citrix ADC appliance might crash in an AppFlow module when the appliance is under memory stress.
[ NSHELP-26367 ]
During clear configuration, when there is no URL set in use, an error log entry corresponding to the URL set is seen in the ns.log.
[ NSHELP-26242 ]
After an upgrade from Citrix ADC 12.1 build 50.31 to Citrix ADC 13.0 build 58.32, the appliance does not retry after receiving a bad ACK for TCP SYN packet in the case of monitors. As a result, the appliance resets the monitor TCP connection and marks the service as DOWN state.
[ NSHELP-25813 ]
RNAT configuration does not work with HTTP/2 connections if the appliance uses the RNAT IP address for server-side (both http2 and http1.1) connections.
[ NSHELP-23783 ]
The CAPTCHA validation does not work as expected if a high TTL value (255) is set for all packets.
[ NSBASE-13966 ]
An error in the HTTP/2 and TCP window management logic might cause the server connection to run into an HTTP/2 and TCP window problem. It prevents the object from being cached completely. The issue is observed if the following conditions are met:
- The integrated caching feature is enabled and the response is being cached.
- During the preceding condition, the HTTP/2 client abruptly sends a reset stream packet or the HTTP/1.1 client sends a TCP RST on the connection.
[ NSBASE-13878 ]
A Citrix ADC appliance might fail while generating AppFlow records for certain HTTP responses generated by VPN. The issue happens when Gateway Insight is enabled.
[ NSBASE-13698 ]
The TCP advertised window (ADV_WND) update is not as per expectation on receiving data packet if the dynamic receive buffering (DRB) feature is enabled. As a result, uploads are slower compared to the rate when the DRB feature is disabled.
[ NSBASE-13100 ]
User Interface
The Citrix ADC GUI displays an incorrect VIP when you edit the content switching virtual server after it is bound to a policy.
[ NSHELP-26853 ]
In a Citrix ADC BLX appliance, expiry time for a local license might not decrement as expected.
As a fix, the expiry time for a local license now decrements by 1 every 24 hours.
[ NSHELP-26554 ]
In a high availability setup of Citrix ADC BLX appliances, config synchronization might fail sometimes.
[ NSHELP-26495 ]
After a Citrix ADC appliance is restarted, the license state of the appliance goes into the grace state if the license server is not reachable from the appliance. The license state remains in the grace state even after the license server becomes reachable.
[ NSHELP-26468 ]
The switch partition command supports a forceful execution option ("f" or "force"). This option lets users switch to a new partition without being prompted to save the configuration, and the configuration is not saved. When you also use the -save flag, the forceful switch happens without a prompt and the configuration is saved.
[ NSHELP-26222 ]
A load balancing virtual server persistence view fails to display all parameters when you edit an existing virtual server persistence configuration.
[ NSHELP-25965 ]
The show partition command might cause the "nsconfigd" daemon to crash if the following conditions are met:
- API session token is short-lived.
- Session token is expired before the show partition command is completed.
[ NSHELP-25880 ]
In a cluster setup, when you access the Citrix ADC GUI from CLIP, you might observe the audit Syslog policies are not globally bound. The same issue is not observed when you access Citrix ADC GUI from the NSIP.
[ NSHELP-24631 ]
Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.
[ NSHELP-24195 ]
A Citrix ADC appliance does not support addition of CRL files greater than 2 MB using NITRO APIs.
[ NSHELP-20821 ]
In a Citrix ADC BLX appliance, the "Reporting" tab in the GUI might not work as expected.
[ NSCONFIG-4877 ]
The connection between the ADC instance and ADM service is lost when the following conditions are met:
- The instance is added to ADM service using a built-in agent.
- The instance is upgraded using the -Y option or from the ADM GUI. In both cases, the built-in agent doesn't restart. The -Y option provides Yes as an answer to all upgrade-related questions that appear on the CLI or GUI.
[ NSCONFIG-4368 ]
Video Optimization
A Citrix ADC appliance might crash if an incoming request is not in compliance with the FQDN grammar rules for policy evaluation. Some examples of invalid FQDNs are SNI and hostname starting with a period ('.').
[ NSHELP-25564 ]
Known Issues
Authentication, authorization, and auditing
In some cases, an HTTP POST request to an AAA-TM virtual server is processed incorrectly if the request does not have an authentication cookie. The POST body gets lost during processing.
[ NSHELP-27227 ]
The Citrix ADC appliance crashes frequently while processing AAA-TM and 401 LB-based traffic.
[ NSHELP-27094 ]
In some cases, a Citrix ADC appliance crashes while performing user authentication for a Citrix Gateway and AAA-TM (traffic managed) deployment.
[ NSHELP-26555 ]
Incorrect SSO domain name is populated for the logged in user if AAA.USER.DOMAIN is used in the expression.
[ NSHELP-26443 ]
Upon entering an incorrect OTP, an error message "Email Auth failed. No further action to continue" is displayed.
[ NSHELP-26400 ]
In certain scenarios, the bind aaa group command might fail if the policy name is longer than the intranet application name.
[ NSHELP-25971 ]
A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
[ NSHELP-563 ]
Network connectivity test check fails because of a password decryption issue. However, the authentication functionality works fine.
[ NSAUTH-10216 ]
The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
[ NSAUTH-6106 ]
ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command:
"show adfsproxyprofile <profile name>"
Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It displays the proxy profile status.
[ NSAUTH-5916 ]
Caching
A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.
[ NSHELP-22942 ]
Citrix ADC SDX Appliance
The Management Service command line is broken and the following error appears:
ERROR: Invalid property field
[ NSSVM-4551 ]
On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.
[ NSSVM-4333 ]
On a Citrix ADC SDX appliance, the IP address (NSIP) of an ADC instance might not be displayed if burst throughput is configured on that instance.
[ NSHELP-27133 ]
Citrix Gateway
The Citrix Gateway appliance crashes when a syslog policy is bound to a virtual server, and the corresponding syslog action is modified.
[ NSHELP-27171 ]
The Citrix Gateway appliance reboots unexpectedly because of flooding of SSL VPN log messages in the local ns.log file when Gateway Insight is enabled.
[ NSHELP-27040 ]
The Citrix Gateway appliance might crash if forwardSession is configured for a back-end subnet and a server in the same subnet is accessed over the VPN tunnel.
[ NSHELP-27037 ]
Some Citrix Gateway related log files are not rotated, resulting in an increased log size.
[ NSHELP-26767 ]
The Citrix ADC logs might be flooded with the log message "GwInsight: Func=ns_sslvpn_send_app_launch_fail_record Appflow policy evaluation has failed" when Gateway Insight is enabled.
[ NSHELP-26750 ]
When you enter the FQDN as the proxy in the Create Citrix Gateway Traffic Profile page, the message "Invalid Proxy Value" appears.
[ NSHELP-26613 ]
The Citrix Gateway appliance displays corrupt session policy names in the SSLVPN NONHTTP_RESOURCEACCESS_DENIED logs.
[ NSHELP-26610 ]
If the application name is longer than 20 characters, then the application name appears truncated when connecting over Citrix Gateway.
[ NSHELP-26604 ]
The VPN plug-in for Windows displays incorrect information on the Windows credential screen when the network changes.
[ NSHELP-26562 ]
The RfWebUI client detection page displays the Install button instead of the Detect button if a content switching virtual server is configured.
[ NSHELP-26138 ]
The Citrix ADC appliance crashes if either of the following conditions occurs:
- The syslog action is configured with the domain name and you clear the configuration by using the GUI or the CLI.
- High availability synchronization happens on the secondary node.
Workaround:
Create syslog action with syslog server's IP address instead of syslog server's domain name.
[ NSHELP-25944 ]
You might notice a discrepancy in the total number of established TCP connections if Enlightened Data Transport (EDT) is enabled.
[ NSHELP-25841 ]
While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:
- A default pre-shared key (PSK) is configured.
- You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
[ NSHELP-25694 ]
The Windows VPN gateway plug-in fails to drop IPv6 DNS packets, resulting in issues with DNS resolution.
[ NSHELP-25684 ]
The Citrix Gateway login page does not load on deleting an admin partition, if configured.
[ NSHELP-25538 ]
The Citrix ADC appliance crashes when multiple VPN plug-in clients use X.509 certificates of size 1800 bytes or more to set up a tunnel.
[ NSHELP-25195 ]
EPA plug-in for Windows does not use local machine's configured proxy and connects directly to the gateway server.
[ NSHELP-24848 ]
The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.
Example:
New output:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0
Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
Priority: 1
Global bindpoint: REQ_DEFAULT
Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
Priority: 100
Global bindpoint: RES_DEFAULT
Done
>
Previous output:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0 Disabled
Advanced Policies:
Global bindpoint: REQ_DEFAULT
Number of bound policies: 1
Done
[ NSHELP-23496 ]
The ICA latency of a session is recorded incorrectly as 64,000 ms in the Citrix Director when L7 latency is enabled. L7 latency is enabled when the "nsapimgr" knob "enable_ica_l7_latency" is set to 1.
Workaround: Set the L7 latency frequency to 5 by using the CLI or the GUI.
[ NSHELP-23459 ]
Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.
[ NSHELP-21897 ]
Application launch failure due to an invalid STA ticket is not reported in Gateway Insight.
[ CGOP-13621 ]
The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.
[ CGOP-13584 ]
In a high availability setup, during Citrix ADC failover, the SR count increments instead of the failover count in Citrix ADM.
[ CGOP-13511 ]
While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.
[ CGOP-13050 ]
The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.
[ CGOP-13049 ]
An error message appears when you add or edit a session policy from the Citrix ADC GUI.
[ CGOP-11830 ]
In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.
[ CGOP-7269 ]
Citrix Web App Firewall
The aslearn process does not skip learned application firewall data that contains special characters.
[ NSWAF-7584 ]
The cookie hijacking feature has limited support for the Internet Explorer (IE) browser because IE does not reuse SSL connections. Because of this limitation, multiple redirects are sent for a request, eventually leading to a "MAX REDIRECTS EXCEEDED" error in the IE browser.
[ NSHELP-27193 ]
After an upgrade to Citrix ADC version 13.0 build 76.29 and with the File Upload feature enabled on the appliance, the following issue is observed:
- SQL and XSS protection checks block the file upload process for all web applications.
[ NSHELP-27140 ]
In the Citrix Web App Firewall module, the Distributed Hash Table (DHT) entries are not freed up on the primary node. This issue occurs if application firewall sessions have a shorter timeout and are created at a higher rate.
[ NSHELP-26570 ]
Some requests with security violations are not blocked by the HTML cross-site scripting security check.
[ NSHELP-24762 ]
Configure Proxy Settings for Signature Auto-update
If outbound traffic goes through a proxy device (such as Blue Coat or Squid), you can now configure proxy settings for the signature auto-updates.
CLI command:
set appfw settings -proxyServer <IP> -proxyPort <port>
Example:
set appfw settings -proxyServer 10.10.10.10 -proxyPort 8080
[ NSHELP-17494 ]
Load Balancing
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.
[ NSLB-7679 ]
The GSLB configuration might be partially lost if both of the following conditions are met:
- The Citrix ADC appliance is rebooted.
- The ADNS service is configured with the same IP address as the remote GSLB site.
[ NSHELP-26816 ]
In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
[ NSHELP-20406 ]
Miscellaneous
When you push configurations to the cluster instances using a StyleBook, the commands fail with the "Command propagation failed" error message.
On successive failures, the cluster retains the partial configuration.
Workaround:
- Identify the failed commands from the log.
- Manually apply the recovery commands to the failed commands.
[ NSHELP-24910 ]
Networking
In a Citrix ADC BLX appliance, an NSVLAN bound with tagged non-DPDK interfaces might not work as expected. An NSVLAN bound with untagged non-DPDK interfaces works fine.
[ NSNET-18586 ]
After an upgrade of a Citrix ADC BLX appliance from a 13.0 61.x build to a 13.0 64.x build, settings in the BLX configuration file are lost. The BLX configuration file is then reset to default.
[ NSNET-17625 ]
The following interface operations are not supported for Intel X710 10G (i40e) interfaces on a Citrix ADC BLX appliance with DPDK:
- Disable
- Enable
- Reset
[ NSNET-16559 ]
On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file ("/etc/blx/blx.conf") settings. This issue occurs because "mawk", which is present by default on Debian based Linux systems, does not run some of the awk commands present in the "blx.conf" file.
Workaround: Install "gawk" before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install "gawk":
- apt-get install gawk
[ NSNET-14603 ]
Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:
"The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable"
Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:
- dpkg --add-architecture i386
- apt-get update
- apt-get dist-upgrade
- apt-get install libc6:i386
[ NSNET-14602 ]
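The two Debian host issues above (mawk silently breaking the awk commands in "blx.conf", and the missing i386 architecture behind the libc6:i386 dependency error) are both easy to check for before the BLX package is installed. The following POSIX shell pre-install check is an added example for this page and is not Citrix tooling. It assumes that awk and dpkg are on PATH when blx_preflight runs, and that the version banners matched are the ones gawk ("GNU Awk ...") and mawk ("mawk ...") print; the helpers take their input as arguments so they can be exercised with constructed strings.

```shell
#!/bin/sh
# blx-preflight.sh: checks a Debian-based host before installing a Citrix ADC
# BLX appliance. Added example, not Citrix tooling. Assumes awk and dpkg are
# on PATH when blx_preflight runs; the helpers below take their input as
# arguments so they can be tested with constructed strings.

# Classify an awk implementation from its version banner.
# gawk prints "GNU Awk 5.1.0, ..." for `awk --version`;
# mawk prints "mawk 1.3.4 ..." for `awk -W version`.
classify_awk() {
    case "$1" in
        *"GNU Awk"*) echo gawk ;;
        mawk*)       echo mawk ;;
        *)           echo unknown ;;
    esac
}

# Obtain the banner of the awk on PATH. gawk accepts --version; older mawk
# rejects it with a non-zero exit, so fall back to -W version. Errors are
# discarded so an unrecognised awk yields an empty banner rather than noise.
awk_version_banner() {
    awk --version 2>/dev/null || awk -W version 2>/dev/null || true
}

# Given the output of `dpkg --print-foreign-architectures` (one architecture
# per line), succeed if i386 is enabled. blx-core-libs:i386 pre-depends on
# libc6:i386, which apt cannot resolve until the architecture is added.
has_i386_arch() {
    printf '%s\n' "$1" | grep -qx 'i386'
}

# Run both checks and print the remediation from the release notes for each
# failure. Returns non-zero if anything needs fixing.
blx_preflight() {
    rc=0
    case "$(classify_awk "$(awk_version_banner)")" in
        gawk)
            echo "ok: awk is gawk" ;;
        *)
            # Installing gawk also makes it the default awk through the Debian
            # alternatives system, which is why the documented fix is enough.
            echo "fix: apt-get install gawk  (mawk cannot run the awk in /etc/blx/blx.conf; NSNET-14603)"
            rc=1 ;;
    esac
    if has_i386_arch "$(dpkg --print-foreign-architectures 2>/dev/null)"; then
        echo "ok: i386 foreign architecture is enabled"
    else
        echo "fix: dpkg --add-architecture i386 && apt-get update && apt-get dist-upgrade && apt-get install libc6:i386  (NSNET-14602)"
        rc=1
    fi
    return "$rc"
}
```

Source the file and run `blx_preflight` as root before `apt-get install` of the BLX package; a non-zero exit means at least one of the two workarounds above still has to be applied.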
In a Citrix ADC appliance, the BGP "neighbor <IPv6 neighbor> shutdown" command is not effective if the neighbor is part of a peer group.
Because of this issue, any IPv6 BGP neighbor that was shut down using the "neighbor <IPv6 neighbor> shutdown" command is in the UP state after the appliance is restarted or upgraded.
[ NSHELP-26957 ]
In a high availability setup, VPN user sessions get disconnected if the following condition is met:
- If two or more successive manual HA failover operations are performed when HA synchronization is in progress.
Workaround: Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).
[ NSHELP-25598 ]
For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
[ NSHELP-24034 ]
Platform
On the Citrix ADC SDX 8900 platform, the LOM version is upgraded from 4.5x to 4.61. On the Citrix ADC SDX 15000 and SDX 26000 platforms, the LOM version is upgraded from 5.03 to 5.56. After the upgrade, on newly manufactured platforms the default LOM password is set to the serial number of the appliance. This upgrade addresses the vulnerability described in CVE-2013-4786. For more information, see https://support.citrix.com/article/CTX234367.
[ NSPLAT-19327 ]
If you have added static routes to DNS servers using a gateway other than the default gateway, the following events occur when the Citrix ADC VPX instance for AWS is rebooted:
- The static routes added to DNS servers are removed.
- New static routes are added using the default gateway.
[ NSHELP-27116 ]
Cluster node yield settings behave as follows, so any yield=YES setting must be applied on the CCO after the cluster is formed:
- When a cluster is formed, all the nodes come up with yield=DEFAULT.
- If a cluster is formed from nodes that were already set to yield=YES, the nodes are added to the cluster with yield=DEFAULT.
Note: To set the cluster nodes to yield=YES, perform the configuration only after the cluster is formed, not before.
[ NSHELP-27091 ]
On the Citrix ADC SDX platform, the cluster state might flap when a node joins a cluster. The flapping happens when an implicit reset of an interface is triggered, which impacts the cluster's health.
[ NSHELP-27081 ]
Policies
Connections might hang if the data to be processed is larger than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.
[ NSPOLICY-1267 ]
The NS variable with global scope does not work for HTTP/2 traffic.
[ NSHELP-27095 ]
The Citrix Gateway appliance might crash if all of the following conditions are met.
- nstrace is enabled with a filter expression
- Debug audit logging to an external ADC audit server is enabled
- An authentication policy with an advanced rule expression is configured
[ NSHELP-26045 ]
The following issue is observed if two policy variables are configured with different expiration time:
- Deletion of the expired value for the variable with the shorter expiration time might be delayed until the deletion of the expired value with the longer expiration time.
[ NSHELP-25786 ]
SSL
If multiple SSL policies are bound at the Client hello bind point to a single virtual server, and an ALPN or SNI policy is the first policy bound, the following error condition might occur:
If the client does not send an ALPN or SNI request, the other policies bound to the virtual server are not evaluated.
[ NSSSL-9865 ]
On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.
Workaround:
- On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
- Save the configuration.
[ NSSSL-9572 ]
The update command is not available for the following add commands:
- add azure application
- add azure keyvault
- add ssl certkey with hsmkey option
[ NSSSL-6484 ]
You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.
[ NSSSL-6478 ]
You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.
[ NSSSL-6213 ]
The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:
ERROR: crl refresh disabled
[ NSSSL-6106 ]
Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
[ NSSSL-4427 ]
An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
[ NSSSL-4001 ]
The CA certificate name that issued the CRL is truncated to 32 characters, even though a certificate-key name can be up to 64 characters. This issue occurs because the CRL field has a limit of 32 characters.
[ NSHELP-26986 ]
The Citrix ADC appliance crashes during reboot if you change the name of the built-in certificate ("ns-server-certificate") in the configuration file.
[ NSHELP-26858 ]
System
A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.
[ NSHELP-27179 ]
A mismatch in Logstream records is observed in the Citrix ADC appliance and the dataloader.
[ NSHELP-25796 ]
A Citrix ADC appliance might fail during clear configuration if the following conditions are met:
- IP address of a service is changed when the service is bound to a virtual server.
- Same virtual server is used as a collector in an analytics profile.
[ NSBASE-11511 ]
User Interface
The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.
Workaround: Configure CloudBridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.
[ NSUI-13024 ]
Importing a certificate in an admin partition might incorrectly fail with the following message:
ERROR: User doesnt have permission for given Destination path
[ NSHELP-26918 ]
In a Citrix ADC VPX appliance, a set capacity operation might fail after adding a license server. The issue occurs because the Flexera related components take a longer time to initialize because of the large number of supported licenses of type check-in and check-out (CICO).
[ NSHELP-23310 ]
Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.
[ NSHELP-20988 ]
In a Citrix ADC BLX cluster setup, "sync cluster files" command might fail because of an internal error.
Workaround: Restart the "nsclfsyncd" process.
[ NSCONFIG-4968 ]
If a Citrix ADC BLX appliance is licensed using Citrix ADM, licensing might fail after upgrading the appliance to release 13.0 build 83.x.
Workaround: First upgrade Citrix ADM to release 13.0 build 83.x or later before upgrading the Citrix ADC BLX appliance.
[ NSCONFIG-4834 ]
When you downgrade a Citrix ADC appliance version 13.0-71.x to an earlier build, some Nitro APIs might not work because of the file permission changes.
Workaround: Change permission for "/nsconfig/ns.conf" to 644.
[ NSCONFIG-4628 ]
Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.
[ NSCONFIG-4330 ]
If you (system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance.
1. Upgrade the Citrix ADC appliance to one of the following builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration.
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of the affected system users by using the CLI, at the command prompt, type:
query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]
Workaround:
To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade it using a previously backed up configuration file (ns.conf) from the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords of the other system users.
- If neither of the above options works, a system administrator can reset the system user passwords.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
[ NSCONFIG-3188 ]