Release Notes for Citrix ADC 13.0-83.29 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.0-83.29.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Citrix Secure Access agent (formerly known as Citrix Gateway plug-in for Windows) build 21.9.1.2 and later contains the fix for https://support.citrix.com/article/CTX341455. The Citrix Gateway plug-in for Windows build 21.9.1.2 is included in the Citrix ADC build 13.0-83.29.
  • Build 13.0-83.27 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX330728.
  • Build 83.29 replaces Build 83.27.
  • This build also includes fix for the following issue: NSHELP-29519.

What's New

The enhancements and changes that are available in Build 13.0-83.29.

Networking

  • New bandwidth and subscription-based local licenses for Citrix ADC BLX appliances

    The following bandwidth-based subscription-based local licenses are now available for Citrix ADC BLX appliances.

    • Citrix ADC VPX/BLX Subscription 10 Mbps Standard, Advanced, Premium Edition
    • Citrix ADC VPX/BLX Subscription 100 Gbps Standard, Advanced, Premium Edition

    For more information, see https://docs.citrix.com/en-us/citrix-adc-blx/current-release/licensing-blx.html

    [ NSNET-21527 ]

  • RHI support for a VIP address bound to an IPset

    A Citrix ADC appliance advertizes a VIP address bound to an IPset as a kernel route if all of the following conditions are met:

    • The VIP address has the "host route" option enabled.
    • The IPset is bound to a configuration, for example, multi-IP load balancing virtual servers.
    [ NSNET-20209 ]

Platform

System

User Interface

  • Citrix ADC BLX check-in and check-out licensing

    You can allocate licenses to Citrix ADC BLX appliances on-demand from Citrix Application Delivery Management (ADM). The ADM software stores and manages the licenses, which have a licensing framework that provides scalable and automated license provisioning.

    A Citrix ADC BLX appliance can check out the license from the Citrix ADM when a Citrix ADC BLX appliance is deployed. When a Citrix ADC BLX appliance is removed or destroyed, the appliance checks back its license to the Citrix ADM software.

    For more information, see https://docs.citrix.com/en-us/citrix-adc-blx/current-release/licensing-blx.html

    [ NSCONFIG-5777 ]

Fixed Issues

The issues that are addressed in Build 13.0-83.29.

Authentication, authorization, and auditing

  • If form SSO is enabled, the Citrix ADC appliance responds to a credential request from the back-end server by adding a form along with the content-type header. This addition leads to duplicate headers if one is already present.

    [ NSHELP-28405 ]

  • The Citrix ADC appliance throws a server validation error if DualAuthOrPush.xml login schema is used.

    [ NSHELP-28063 ]

  • When you bind an LDAP monitor to a service, the monitor goes down because the Citrix ADC appliance sends an incorrect password to the active directory.

    [ NSHELP-27961 ]

  • In a multiple cascade AD, an account for a user does not get locked, if a user is not found in the last cascade.

    [ NSHELP-27948 ]

  • When a Citrix ADC appliance is configured for SAML authentication, the appliance dumps core upon using a certificate other than RSA.

    [ NSHELP-27813 ]

  • In some cases, a Citrix ADC appliance might crash while handling certain user's authentication request when role-based access is configured.

    [ NSHELP-27655 ]

  • Users are unable to log in through Citrix Workspace App if Azure AD is configured as an OAuth IdP at Citrix ADC authentication virtual server.

    [ NSHELP-27462 ]

  • Web App Firewall profile does not work as expected because of SQLite dependency failure in Citrix ADC version 13.0 build 67.x and later.

    [ NSHELP-27458 ]

  • In some cases, SAML authentication fails with Workspace app if the app is accessed using StoreFront.

    [ NSHELP-27338 ]

  • The Citrix ADC appliance crashes frequently while processing Authentication, authorization, and auditing-TM and 401 LB-based traffic.

    [ NSHELP-27094 ]

  • In some cases, a Citrix ADC appliance crashes while performing user authentication for Citrix Gateway and Authentication, authorization, and auditing - traffic managed deployment.

    [ NSHELP-26555 ]

  • Incorrect SSO domain name is populated for logged in user if Authentication, authorization, and auditing.USER.DOMAIN is used in the expression.

    [ NSHELP-26443 ]

  • Upon entering an incorrect OTP, an error message "Email Auth failed. No further action to continue" is displayed.

    [ NSHELP-26400 ]

  • In some cases, NSB leak is observed in Citrix ADC appliance when the SSO functionality is used with a proxy server.

    [ NSHELP-25492, NSHELP-28073 ]

  • Network connectivity test check fails because of a password decryption issue. However, the authentication functionality works fine.

    [ NSAUTH-10216 ]

Bot Management

  • In the Transaction Per Second (TPS) bot detection mechanism, the back-end application server returns a 304 response during response retrieval post CAPTCHA challenge.

    [ NSBOT-626 ]

Caching

  • In a high availability setup, HA synchronization fails for the "memLimit" cache parameter setting during an HA failover.

    [ NSHELP-28428 ]

  • An extra header information is sent in the cache response if the `insertAge` parameter is enabled in the `set cache contentGroup` command.

    [ NSHELP-27772 ]

  • A Citrix ADC appliance might crash if the "Max_age" and "s_maxage" parameter values are not set dynamic in the cache control block.

    [ NSHELP-27758 ]

  • In a high availability setup, the primary node crashes after it accesses a NULL pointer instead of a cached object.

    [ NSHELP-26967, NSHELP-20089 ]

  • A Citrix ADC appliance might crash if the following conditions are met:

    • Appliance is serving content from its integrated cache.
    • Cached content is revalidated.
    • New request comes to ADC from different client for same cached object.
    [ NSHELP-22596 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance, the System is not under grace alarm is continuously generated instead of only once when the SDX license is not under the grace period.

    [ NSHELP-28740 ]

  • The Management Service on a Citrix ADC SDX appliance displays the interface speed for SNMP managers in Kbps/Mbps instead of bits per second.

    [ NSHELP-28724 ]

  • Community strings of SNMP v2 trap destinations are masked on a Citrix ADC SDX appliance.

    [ NSHELP-28625 ]

  • On a Citrix ADC SDX appliance, you can modify the throughput of a VPX instance even after the pooled license grace period (30 days).

    [ NSHELP-28553 ]

  • On a Citrix ADC SDX appliance, instance restore might fail if the instance was created with software version 13.0-76.x or earlier.

    [ NSHELP-28429 ]

  • On a Citrix ADC SDX appliance, creating an ADC instance using software version 12.0 XVA image fails. As a result, the instance is unreachable.

    [ NSHELP-28408 ]

  • In a Citrix ADC SDX appliance, the Management Service reports incorrect data usage of ADC instances.

    [ NSHELP-28208 ]

  • On a Citrix ADC SDX appliance, you cannot change the CLI prompt in the Management Service console.

    [ NSHELP-28030 ]

  • Due to an upgrade in the Python version, loading Python SDK of the Management Service might fail due to syntax errors.

    [ NSHELP-27897 ]

  • On a Citrix ADC SDX appliance, the default value for raising the alarm on "Hypervisor Disk Usage High" is increased to 98%.

    [ NSHELP-27854 ]

  • On a Citrix ADC SDX appliance, the Management Service might report a high memory usage of around 80% due to increased jobs and schedulers running in inventory.

    [ NSHELP-27805 ]

  • On a Citrix ADC SDX appliance, upgrade might fail if the system files (snmpd.conf and ntp.conf) contain carriage return characters.

    [ NSHELP-27713 ]

  • On a Citrix ADC SDX appliance, an interface that is part of a management channel is displayed along with the management channel if the following sequence of conditions is met:

    1. The VPX instance is part of a cluster.
    2. The management channel is created.
    [ NSHELP-27487 ]

  • On a Citrix ADC SDX appliance, the ADC instances do not burst to maximum capacity when you configure burst throughput allocation mode.

    [ NSHELP-27477 ]

  • On a Citrix ADC SDX appliance, the Management Service might report a high memory usage of around 80% due to increased jobs and schedulers running in inventory.

    [ NSHELP-27396 ]

Citrix Gateway

  • Users may observe RDP session launch failure when there is an upgrade to the latest version.

    [ NSHELP-29519 ]

  • A Citrix ADC appliance might crash while processing the UDP traffic.

    [ NSHELP-28802 ]

  • An error message appears when you try to edit the CSS attributes in a custom theme.

    [ NSHELP-28648 ]

  • In a rare case, the Citrix Gateway appliance might crash during transfer login when a freed session is accessed.

    [ NSHELP-28022 ]

  • The Citrix ADC appliance crashes while processing the incoming Encapsulating Security Payload (ESP) traffic and the security association (SA) is not found.

    [ NSHELP-27991 ]

  • The Citrix ADC appliance might crash if both of the following conditions are met.

    • The appliance is deployed for ICA Proxy mode.
    • Gateway Insight feature for ICA flow is enabled.
    [ NSHELP-27982, NSHELP-28179 ]

  • The logon to Citrix Workspace fails if responder policies that can get into a blocked state during evaluation are bound to the virtual server.

    [ NSHELP-27819 ]

  • Users can see the mailboxes of other users when they log in to Microsoft Outlook. As a workaround, disable multiplexing.

    [ NSHELP-27538 ]

  • A Citrix ADC appliance might crash while processing the UDP traffic.

    [ NSHELP-27536 ]

  • A Citrix ADC appliance might crash if the EDT related commands, such as "clearconfig", "kill ica connection", or "stop dtls listener" are processed by the appliance.

    [ NSHELP-27398 ]

  • The personal bookmarks file of users cannot be copied from one Citrix Gateway appliance to another appliance.

    [ NSHELP-27389 ]

  • Sometimes, the Citrix Gateway appliance might crash when accessing an invalid memory location.

    [ NSHELP-27343 ]

  • The Citrix Gateway appliance might crash while processing UDP traffic.

    [ NSHELP-27317 ]

  • The Citrix Gateway appliance crashes when a syslog policy is bound to a virtual server, and the corresponding syslog action is modified.

    [ NSHELP-27171 ]

  • The Citrix Gateway appliance reboots unexpectedly because of flooding of SSL VPN log messages in the local ns.log file when Gateway Insight is enabled.

    [ NSHELP-27040, NSHELP-30723 ]

  • The Citrix ADC logs might be flooded with the log message "GwInsight: Func=ns_sslvpn_send_app_launch_fail_record Appflow policy evaluation has failed" when Gateway Insight is enabled.

    [ NSHELP-26750 ]

  • The Citrix Gateway appliance crashes when you try to clear the configuration if both of the following conditions are met:

    • An SSL profile and certificate-key pair is bound to the default TCP monitor.
    • The same default TCP monitor is bound to a syslog action.
    [ NSHELP-26685 ]

  • The SNMP OID sends incorrect set of current connections to the VPN virtual server.

    [ NSHELP-25596 ]

  • The Citric ADC appliance crashes when multiple VPN plug-in clients use X.509 certificates of size 1800 bytes or more to setup a tunnel.

    [ NSHELP-25195 ]

  • If you rename a VPN virtual server that is bound to an STA server, the status of the STA server appears DOWN when you run the show command.

    [ NSHELP-24714 ]

  • The ICA latency of a session is recorded incorrectly as 64,000 ms in the Citrix Director when L7 latency is enabled. L7 latency is enabled when the "nsapimgr" knob "enable_ica_l7_latency" is set to 1.

    [ NSHELP-23459 ]

  • If you have configured RADIUS accounting for ICA start/stop event, the session ID in the RADIUS accounting request for ICA start is displayed as all zeroes.

    [ NSHELP-22576 ]

  • The "show audit messages" output does not display the latest logs if you modify the syslog server in the global syslog parameters.

    [ NSHELP-19430 ]

Citrix Web App Firewall

  • In a Citrix ADC cluster setup, one of the nodes crashes if one or more nodes are upgraded from Citrix ADC version 12.0, 12.1, or 13.0 build 52.x or earlier builds. The crash occurs because of an incompatibility in the Web App Firewall cookie format and size.

    [ NSWAF-7689 ]

  • In Web App Firewall, the "Cookie-transformation" parameter splits the response-side cookie values if it has a comma as the delimiter.

    [ NSHELP-28411 ]

  • A Citrix ADC appliance might crash if command injection violations are observed in a specific order and if the following conditions are met:

    • Multiple cookies are present in the request
    • "URLDecodeRequestCookies" feature is turned off
    [ NSHELP-28365 ]

  • A Citrix ADC appliance might crash if the following conditions are met:

    • Web App Firewall cookie proxy is enabled.
    • The session cookie and persistent cookie have the same name.
    [ NSHELP-28181 ]

  • A Citrix ADC appliance might show high memory usage when parsing HTTP responses having Samesite attribute and Web Application Firewall feature enabled.

    [ NSHELP-27722, NSHELP-27922, NSHELP-28136, NSHELP-28265 ]

  • The cookie hijacking feature has limited support for the Internet Explorer (IE) browser because IE browsers do not reuse the SSL connections. Because of the limitation, multiple redirects are sent for a request eventually leading to a "MAX REDIRECTS EXCEEDED" error in the IE browser.

    [ NSHELP-27193 ]

  • After an upgrade to Citrix ADC version 13.0 build 76.29 and with the File Upload feature enabled on the appliance, the following issue is observed:

    • SQL and XSS protection checks block the file upload process for all web applications.
    [ NSHELP-27140 ]

Load Balancing

  • In a GSLB setup, the status of the remote services are not updated after the stats are cleared on the GSLB site. As a workaround, clear the stats again on the same GSLB site. The status of the remote services are then updated.

    [ NSHELP-28169 ]

  • In some cases, a Citrix ADC appliance might crash when the show running configuration command is issued.

    [ NSHELP-27815 ]

  • A Citrix ADC appliance might not insert an appropriate packet identifier in the responses, when pipelined radius requests are received. Due to this issue, the client receives an invalid response.

    [ NSHELP-27391 ]

  • The GSLB configuration might be partially lost if the following conditions are met:

    • The Citrix ADC appliance is rebooted.
    • The ADNS service is configured with the same IP address as of the remote GSLB site.
    [ NSHELP-26816 ]

Miscellaneous

  • The "add URLF categorization" command fails to update the database resulting in an internal error.

    [ NSSWG-1315 ]

  • The Citrix ADC appliance might crash after resuming processing if the following conditions are met:

    • SSL forward proxy feature is used.
    • Protocol information for an SSL forward proxy request is received in multiple asynchronous packets. The appliance pauses the packet processing and resumes it after receiving all the protocol details for the request.
    [ NSHELP-28447 ]

  • A Citrix ADC appliance adds extra L2 information when a tunnel or Type of Service (TOS) virtual servers are created.

    [ NSHELP-27825 ]

  • When an inline device sends a custom message followed by a reset, the Citrix ADC appliance resets the connection before forwarding the inline-device response to the client.

    [ NSHELP-27676 ]

Networking

  • After a Citrix ADC BLX appliance (version 13.0 build 82.x) running on a Debian based Linux host is upgraded, SSH does not work as intended in the shared mode.

    [ NSNET-23020 ]

  • After a Citrix ADC BLX appliance is upgraded to release 13.1 build 4.x, the web application firewall might incorrectly blocks a request that has no content type header.

    [ NSNET-21415 ]

  • In a Citrix ADC appliance, the internal driver layer might use an incorrect data buffer resulting in data corruption, which in turn causes the appliance to crash.

    [ NSHELP-27858 ]

  • The Citrix ADC VPX instance might crash when the following conditions are met:

    • A high number of FTP data connections are present.
    • A failover happens on the Citrix ADC appliance.
    • A client or server side NATPCB connection is cleared out.
    [ NSHELP-27816 ]

  • Fixed Issue:

    Citrix ADC CPX deployed as a sidecar and connected with multiple networks was not able to choose the correct source IP address for the destination subnet.

    [ NSHELP-27810 ]

  • In a high availability setup, HA synchronization might fail for WAF profile and location file configurations.

    [ NSHELP-27546 ]

  • In a Citrix ADC appliance, passive FTP data connections might be lost after a memory allocation failure.

    [ NSHELP-26522 ]

  • Packet loops are observed in a load balancing configuration if all of the following conditions are met:

    • The virtual server is configured to listen on port 80 and the connection failover ("connfailover") parameter is set to stateless.
    • The virtual server receives two request packets that have:
      • Source port = 80
      • Destination port = number other than 80
      • Destination IP address = IP address (VIP) of the virtual server
    [ NSHELP-22431 ]

Platform

  • "Failed to create target instance" error message is seen on the GCP console even when you do not create any target instances. This issue occurs when you do not have the "compute.targetInstances.get" IAM permission in your GCP service account. From this release, the Citrix ADC VPX creates target instances only for VMs that use the VIP Scaling feature.

    [ NSPLAT-20952 ]

  • On the Citrix ADC VPX instance on Azure cloud and on Microsoft Hyper-V server, in certain situations, congestion packet drops can occur on transmit side of Hyper-V virtual interface. These packet drops can stall the transmits from the Citrix ADC appliance.

    [ NSHELP-28375, NSHELP-26728, NSHELP-27671, NSHELP-27761 ]

  • On the Citrix ADC MPX 5900 and MPX 8900 platforms, an incorrect platform number appears on the LCD screen.

    [ NSHELP-28207 ]

  • On Citrix ADC MPX appliances using the Fortville NICs, the link does not come up properly when AUTO is set in the fiber transceiver.

    [ NSHELP-26518 ]
  • The status of SDX platform appears as UNKNOWN in the LOM console. This is only a display issue and has no functional impact.

    [ NSHELP-20009 ]

Policies

  • A Citrix ADC might crash if the FIX service type is used in Layer 2 and Layer 3 mode.

    [ NSHELP-28468 ]

  • The NS variable with global scope does not work for HTTP/2 traffic.

    [ NSHELP-27095 ]

  • A Citrix ADC appliance might crash if you configure the MATCHES_LOCATION() function in a policy expression and you start nstrace using a filter expression.

    [ NSHELP-22687 ]

SSL

  • SSL handshake renegotiation might fail on Citrix ADC MPX platforms, if asynchronous policies are configured on the SSL virtual server.

    [ NSHELP-27870 ]

  • On a Citrix ADC appliance, a false certificate expiry notification is logged the next day when a certificate-key pair is added with -expiryMonitor enabled.

    [ NSHELP-27348 ]

  • In a cluster database, the binding is not updated properly if you bind an SSL policy to a virtual server at the client hello bind point multiple times and with different priorities. As a result, an error appears when you remove the policy even after unbinding it from the virtual server.

    [ NSHELP-27301 ]

  • The Citrix ADC appliance does not accept an OCSP response if it does not have the content length HTTP header.

    [ NSHELP-27039 ]

  • On a Citrix ADC MPX/SDX 14000 FIPS appliance, you might see memory leaks when using EDT configuration with EDT datagram size > 1K.

    [ NSHELP-25375, NSHELP-25915, NSHELP-26016 ]

System

  • When a Citrix ADC instance is registered on Citrix ADM, port allocation errors are seen in the ADC counters.

    [ NSHELP-28779 ]

  • After an upgrade to Citrix ADC version 13.0 build 64-x and later, too many warning logs with a message, "Unexpected data received from the server on probe connection for SSL_BRIDGE service type - Server." is received.

    [ NSHELP-28656 ]

  • A Citrix ADC appliance running release 13.0 build 82.x and later might crash, if "ns mode pmtud" is enabled and partitions are used.

    [ NSHELP-28068 ]

  • If the header size received is greater than the maximum header table size, the appliance resets the table size as zero. As a result, HTTP2 requests fail after a few requests.

    [ NSHELP-27977 ]

  • The AppFlow collector pointer referenced by the analytics profile is corrupted.

    [ NSHELP-27924 ]

  • If ADM has pending transactions in the queue, it reports randomly a critical alert for high memory usage.

    [ NSHELP-27913 ]

  • A Citrix ADC appliance might crash with an ICAP OPTIONS response. The issue happens when the allowed header value contains a value other than 204.

    [ NSHELP-27879 ]

  • TCP zombie timeout flushes active server or client connections because of the half-close timeout on the faster side of the connection.

    [ NSHELP-27502, NSBASE-14650 ]

  • In the AppFlow, the layer 4 byte count for flow records is not matching the HTTP virtual server transactions. The count value is lower than the layer 7 virtual server byte count value.

    [ NSHELP-27495 ]

  • The tcpCurClientConn counter shows a large value if the Citrix ADC appliance is registered on the Citrix ADM.

    [ NSHELP-27463 ]

  • A Citrix ADC appliance might crash when the AppFlow feature is disabled and enabled back.

    [ NSHELP-27236 ]

  • The NSWL client occasionally logs data multiple times from the packet engine (PE-0), whereas, logs from other packet engines are skipped.

    [ NSHELP-27138 ]

  • A Citrix ADC appliance might crash if the following conditions are met:

    • When handling Logstream metadata records.
    • Appflow feature is enabled.
    [ NSHELP-26942 ]

  • A Citrix ADC appliance might crash when a policy with the "HTTP.REQ.*" expression is bound to the RESPONSE bind point of the HTTP_QUIC virtual server. The issue does not occur if you bind the same policy to an HTTP or SSL type virtual server along with HTTP_QUIC virtual server.

    [ NSBASE-14612 ]

User Interface

  • Unable to select a protocol other than "HTTPQUIC" when associating a policy to a global bind point in the Citrix Web App Firewall Policy Manager GUI page.

    [ NSHELP-29071 ]

  • When you deselect the secure option for RPC node in the ADC GUI, the following error message appears:

    Argument pre-requisite missing [validateCert, secure==YES]

    [ NSHELP-28239 ]

  • When you fetch content of any file from an ADC instance by using the command "show systemfile", a download failure error message appears on the ADC Console. The issue occurs if the file content starts with NULL bytes.

    [ NSHELP-28227 ]

  • The admautoregd SYSLOG flood leads to Customer Resource Definition
    (CRD) misclassification and misdiagnosis because of an internal system issue (Python binary file missing).

    Fix: To stop monitoring the admautoregd process after 30 min if the python binary is still missing.

    [ NSHELP-28185 ]

  • In a cluster setup, singleton or global entities with two or more passwords might fail on a node during a config synchronization process because of the following reason:

    • If the first password in the sequence is skipped, the subsequent password decryption fails on the synching node. The decryption fails because it looks for the CCOs local key, which is not present on the synching node.
    [ NSHELP-28035 ]

  • There might be a loss in configuration if a VPX instance on AWS, configured with KEK is upgraded to Citrix ADC release 13.0 build 76.x or later. All sensitive data encrypted using KEK fails if the configuration is loaded after a reboot.

    [ NSHELP-28010 ]

  • An additional backslash character is incorrectly introduced if special characters are used within arguments in some SSL commands, such as "create ssl rsakey" and "create ssl cert".

    [ NSHELP-27378, NSHELP-28861 ]

  • In a high availability setup, HA synchronization or HA propagation might fail if any of the following conditions is met:

    • The RPC node password has special characters.
    • The RPC node password has 127 characters (maximum characters allowed).
    [ NSHELP-27375 ]

  • The 'nsconfigaudit' tool might crash if the size of the input configuration file is very large.

    [ NSHELP-27263 ]

  • In a high availability setup, a Citrix ADC appliance might crash during a system user authentication process, if the following condition is met:

    • The password hash computation takes more time to miss five heartbeats.

    [ NSHELP-27066 ]

  • The reporting functionality might stop working if the system clock gets updated on a Citrix ADC appliance.

    [ NSHELP-25435 ]

  • The "botprofile_logexpression_binding" Nitro API GET call returns no response if the log expression is bound to a bot profile.

    [ NSCONFIG-5490 ]

  • In a cluster configuration, when you bind a Web App Firewall profile with fine-grained rules and then with non-fine-graned rules to the same URL, fine-grained rules get removed in the database. As a result, only the non-fine-grained rules are displayed on the Cluster IP address.

    [ NSCONFIG-5389 ]

  • If a Citrix ADC BLX appliance is licensed using Citrix ADM, licensing might fail after upgrading the appliance to release 13.0 build 83.x.

    [ NSCONFIG-4834 ]

Video Optimization

  • A Citrix ADC appliance might crash because of memory allocation failure with the video optimization feature enabled.

    [ NSHELP-28752 ]

Known Issues

The issues that exist in release 13.0-83.29.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • A Citrix ADC appliance may crash if the following conditions are met.

    1. The appliance is under memory pressure.
    2. Audit logging is enabled and set as INFO level.
    3. User authentication is in progress.
    [ NSHELP-29053 ]

  • A Citrix ADC appliance configured to authenticate using OAuth Service Provider, cannot be configured with 'client-secrete_post" to authenticate with IDP tokenEndPoint.

    With this fix, the authentication method "client_secret_basic" is added to the OAuth service provider feature of ADC when it communicates with the token endpoint of the IDP.

    [ NSHELP-28945 ]

  • A Citrix ADC appliance may crash if the following conditions are met.

    1. The appliance is under memory pressure.
    2. SAML is configured as one of the authentication methods.
    [ NSHELP-28855 ]

  • An incorrect logout ("/cgi/tmlogout") URL is returned when a VPN virtual server is configured as SAML SP. The issue happens because the incorrect logout URL is generated in the SAML metadata.

    [ NSHELP-28726 ]

  • A Citrix ADC appliance might fail to respond when SAML authentication is in progress and X.509 certificates of size 1800 bytes or more are used in the SAML authentication.

    [ NSHELP-28608, NSHELP-29913 ]

  • In a Citrix ADC high availability setup, some authentications commands are displayed during CLI configuration as a result of syncing issue.

    [ NSHELP-28448 ]

  • The Citrix ADC appliance, when configured as an OAuth Relying Party, does not add the extracted 'email' and 'username' field information from the ID token to the hash attribute of the authentication, authorization, and auditing session.

    [ NSHELP-28262 ]

  • Sometimes, authentication might fail when Authentication, authorization, and auditing.LOGIN.PASSWORD is used.

    [ NSHELP-28101 ]

  • Single sign-on fails during an authentication session when the password change event is triggered. This issues occurs only if the persistentLogin attempts parameter is enabled.

    [ NSHELP-28085 ]

  • When SAML metadata is configured, memory leak is observed with SSL certificates.

    Workaround: Set the "metadataRefreshInterval" parameter to 3600 minutes.

    [ NSHELP-27846, NSHELP-25020 ]

  • The Citrix ADC appliance might go into an SSO loop with the backend server and result in memory build up if both the following conditions are met.

    • The ADC appliance performs a negotiate and NTLM SSO authentications with the backend server.
    • The backend server fails to perform both the authentications.
    [ NSHELP-27757 ]

  • When a user performs a SAML logout, the log out does not happen immediately and the following error message is displayed:

    "Unsupported mechanisms found in Assertion; Please contact your administrator."

    This error is seen because the IDP that the customer configured uses a different URL encoding technique to encode the signature algorithm parameter in the response. This fix now supports encoding the signature algorithm parameter in a SAML response using multiple URL encoding techniques.

    [ NSHELP-27621 ]

  • In some cases, "invalid credentials" error message is displayed during the RADIUS authentication process. The error is seen when the Citrix ADC appliance is accessed from a client device using the Google Chrome browser.

    [ NSHELP-27113 ]

  • Access to a service is denied if the following conditions are met:

    • The service is bound to an authentication virtual server.
    • 401 authentication is configured on the service and the virtual server that the service is bound to.
    [ NSHELP-26903 ]

  • The Citrix ADC appliance might crash during active directory group extraction if the distinguished name of an extracted group is NULL.

    [ NSHELP-26899 ]

  • The Citrix ADC appliance might crash when the synchronization of the session and key configuration happens between the primary to the secondary controller card.

    [ NSHELP-26891 ]

  • In a rare scenario, the secondary node in a high availability setup might crash if the following condition is met.

    • The "aaa groups" and/or "aaa users" are configured on the Citrix ADC appliance.
    [ NSHELP-26732, NSHELP-28558, NSHELP-29056 ]

  • When a Citrix ADC appliance performs a nested LDAP group search, some of the groups information from the active directory is missed because of an invalid behavior of the Citrix ADC appliance. The ADC appliance takes an incorrect value even when the `groupSearchSubAttribute` parameter is configured appropriately.

    [ NSHELP-26316 ]

  • The Citrix ADC appliance crashes if both of the following conditions are met.

    • Email OTP is configured
    • Email server does not respond or there is a network issue with the email server

    [ NSHELP-26137, NSHELP-27824 ]

  • In certain scenarios, the Bind Authentication, authorization, and auditing group command might fail if policy name is longer than intranet application name.

    [ NSHELP-25971 ]

  • If the admin password for LDAP, RADIUS or TACACS services contains the double quotes (") character, the Citrix ADC appliance strips it during the "Test Connectivity" check, resulting in connection failure.

    [ NSHELP-23630 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]

  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [ NSAUTH-6106 ]

  • ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    "show adfsproxyprofile <profile name>"

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It would display the proxy profile status.

    [ NSAUTH-5916 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:

    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

    [ NSHELP-22942 ]

CallHome

  • CallHome registration might fail for Citrix ADC MPX appliances using pooled licensing. The registration fails because CallHome uses an incorrect serial number for registering the appliances with the Citrix Support Server.

    [ NSHELP-28667 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

    [ NSSVM-4333 ]

  • The data in ADC events table can now be sorted across pages if the total number of data records is less than 5000.

    [ NSHELP-29170 ]

  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

    • Throughput allocation mode is burst.
    • There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]

Citrix Gateway

  • Memory leak is observed in a Citrix ADC appliance when an outbound proxy is configured.

    [ NSHELP-29234 ]

  • Sometimes, the Citrix SSO app crashes while handling large DNS packets.

    [ NSHELP-29133 ]

  • Citrix Secure Access for macOS takes a longer time than expected to run the post-authentication EPA check.

    [ NSHELP-29118 ]

  • In the Citrix Gateway portal page, RDP proxy link icon does not change with RfWebUI portal theme.

    [ NSHELP-28974 ]

  • In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.

    [ NSHELP-28856 ]

  • Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection.

    [ NSHELP-28848 ]

  • The Citrix Gateway VPN full tunnel does not work as expected if binary response is enabled. As a result, the NSAAC cookie is corrupted. With this fix, the binary response works in the earlier VPN plug-ins. However, Citrix recommends that you use the latest VPN plug-in which works with the JSON response.

    [ NSHELP-28729 ]

  • The Citrix ADC appliance might crash during the VPN logon if an AppFlow policy with the HTTP rule is bound to a Citrix Gateway.

    [ NSHELP-28705 ]

  • After you upgrade the Citrix Gateway appliance to version 13.0, the proxy configuration in session profile does not work as intended. The Proxy connection is bypassed for non-HTTP NS proxy configured.

    Example:
    add vpn sessionAction -proxy NS -httpProxy 192.0.2.0:24 -sslProxy 192.0.2.0:24

    In this example, -httpProxy works as intended but -sslProxy does not work.

    [ NSHELP-28640 ]

  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

    [ NSHELP-28551 ]

  • The Citrix Gateway appliance crashes while processing STA in DTLS Audio because the allocated memory is not reset.

    [ NSHELP-28432, NSHELP-29796 ]

  • Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

    [ NSHELP-28404 ]

  • The Windows plug-in might crash during authentication.

    [ NSHELP-28394 ]

  • The Citrix Gateway logon page might fail to load for 3G/tethered users.

    [ NSHELP-28367 ]

  • The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.

    [ NSHELP-28329 ]

  • You might see an extra line for NS_AUDITLOG_STR* logs in the ns_aaa_json.c file.

    [ NSHELP-28160 ]

  • Access to StoreFront through a VPN virtual server fails if StoreFront is accessed through a backup load balancing virtual server.

    [ NSHELP-27852 ]

  • When accessing the Citrix Gateway appliance using the clientless VPN, core dump might be generated.

    [ NSHELP-27653 ]

  • The Citrix Gateway appliance might crash while processing server-initiated UDP traffic.

    [ NSHELP-27611 ]

  • The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.

    [ NSHELP-27570 ]

  • The Citrix Gateway appliance might crash when reconnecting to an existing ICA session.

    [ NSHELP-27441 ]

  • The Citrix Gateway appliance might crash if an unknown VPN client option is set in the session policy.

    [ NSHELP-27380 ]

  • You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

    With this fix, you can now unbind the authorization policy by using the GUI.

    [ NSHELP-27064 ]

  • Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.

    [ NSHELP-26904 ]

  • The Citrix Gateway portal localization does not work with the Internet Explorer browser.

    [ NSHELP-26822, NSHELP-27604 ]

  • The Citrix Gateway GUI displays the message "Invalid IP or Port" when editing a VPN session profile.

    [ NSHELP-26722 ]

  • When you enter the FQDN as the proxy in the Create Citrix Gateway Traffic Profile page, the message "Invalid Proxy Value" appears.

    [ NSHELP-26613 ]

  • While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

    • A default pre-shared key (PSK) is configured.
    • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
    [ NSHELP-25694 ]

  • In a high availability setup, VPN user sessions get disconnected if the following condition is met:

    • If two or more successive manual HA failover operations are performed when HA synchronization is in progress.

    Workaround: Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).

    [ NSHELP-25598 ]

  • EPA plug-in for Windows does not use local machine's configured proxy and connects directly to the gateway server.

    [ NSHELP-24848 ]

  • The Gateway Insight does not display accurate information on the VPN users.

    [ NSHELP-23937 ]

  • VPN plug-in doesn't establish tunnel after Windows logon, if the following conditions are met:

    • Citrix Gateway appliance is configured for Always On feature
    • The appliance is configured for certificate based authentication with two factor authentication "off"
    [ NSHELP-23584 ]

  • The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.

    Example:

    New output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0

    Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
    Priority: 1
    Global bindpoint: REQ_DEFAULT

    Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
    Priority: 100
    Global bindpoint: RES_DEFAULT
    Done
    >

    Previous output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

    Advanced Policies:

    Global bindpoint: REQ_DEFAULT
    Number of bound policies: 1

    Done

    [ NSHELP-23496 ]

  • Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.

    [ NSHELP-21897 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

    [ CGOP-13621 ]
  • The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.

    [ CGOP-13584 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]

  • When an ICA connection is launched from a MAC receiver version 19.6.0.32 or Citrix Virtual Apps and Desktops version 7.18, HDX Insight feature is disabled.

    [ CGOP-13494 ]

  • When EDT Insight feature is enabled, sometimes audio channels might fail during network discrepancy.

    [ CGOP-13493 ]

  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

    [ CGOP-13050 ]

  • The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]
  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830 ]

  • In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Citrix Web App Firewall

  • The Web App Firewall signature ID 1048 blocks the Citrix Gateway page from loading.

    [ NSHELP-29113 ]

  • A Citrix ADC appliance might crash if the following modules are enabled:

    • Web App Firewall with advanced security checks.
    • Appqoe.
    [ NSHELP-28251 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]

  • The GSLB service group is unable to handle monitor updates due to a missing ENUM value in failed commands.

    [ NSHELP-29050 ]

  • The Citrix ADC appliance crashes while trying to free up memory allocated in a different partition from the one it is being freed from.

    [ NSHELP-29038 ]

  • The Monitor response time shown when you run the show service command is sometimes incorrect.

    [ NSHELP-28994 ]

  • Some service group members are not removed from the Autoscale service group list when there is a conflict between statically bound member and dynamically resolved DNS records. This issue leads to memory corruption.

    [ NSHELP-28949 ]

  • The state of the service group displayed in the show and stat commands is inconsistent.

    [ NSHELP-28931 ]

  • If a ZONE type DNS record is available for the parent domain, query for the child domain with an existing NS record results in parent domain SOA record instead of child domain NS record.

    [ NSHELP-28793 ]

  • The Citrix ADC appliance might fail to respond to a GSLB domain query with an expected GSLB service IP address, if the GSLB virtual server is configured as follows:
    Persistence type: Source IP address
    Load balancing algorithm: Static proximity
    Backup load balancing method: Round trip time (RTT)

    [ NSHELP-28668 ]

  • In rare cases, the location database configuration might be missing from the configuration (ns.conf) file.

    [ NSHELP-28570 ]

  • The load balancing or GSLB domain-based Autoscale servicegroup state remains DOWN if you use a wildcard port.

    [ NSHELP-28548 ]

  • The VPX primary and secondary sites crashed after configuring the GSLB service group with Autoscale enabled.

    "Workaround":
    Do not add the dummy virtual servers, such as the content switching virtual server when you add a GSLB service or bind an IP port to a GSLB service group.

    [ NSHELP-28530 ]

  • SQL or Oracle type monitors crash when the peer sends a request to reset the existing connection.

    [ NSHELP-28478 ]

  • A Citrix ADC appliance in an HA setup loses connectivity because the NSB memory isn't freed after sending the HTTP response during the HTTP probe monitoring.

    [ NSHELP-28466 ]

  • In a persistence-enabled deployment, an incorrect virtual server is stored during context save.

    [ NSHELP-28342 ]

  • The SMPP retry messages are sent to all nodes in a cluster even when the request is successful. This scenario leads to high memory consumption on the Citrix ADC appliance.

    [ NSHELP-28332 ]

  • Persistence configuration for an LB group is lost after an HA failover or when the Citrix ADC appliance is rebooted.

    [ NSHELP-28071 ]

  • The cookieTimeout value is incorrectly set during the GET operation, resulting in failure of CS virtual server update operation.

    [ NSHELP-27979 ]

  • Sometimes in a multi-PE system, the domain-based groups doesn't recover to UP state after a few failures in the system. This issue is due to a race condition between the CLI and internal monitors.

    [ NSHELP-27965 ]

  • A Citrix ADC appliance might fail when handling monitor probe for mysql type of monitor, which eventually leads to a system reboot.

    [ NSHELP-27953 ]

  • The configured state of the default monitor shows as disabled even when the default monitor is bound to a service.

    [ NSHELP-27669 ]

  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.

    [ NSSWG-849 ]

  • Citrix ADC CPX instance, running on a Linux system with 64-bit architecture and 1 TB of file storage, can load certificate and key files now.

    [ NSHELP-28986 ]

  • The URL set pattern matching fails for IDNA2008 standard domains.

    [ NSHELP-28902 ]

Networking

  • A Citrix ADC BLX appliance in DPDK mode might crash if a Web Application Firewall profile is configured with advanced security protection checks.

    Workaround: Remove the Advanced security protection configuration for WAF.

    [ NSNET-22654 ]

  • In a Citrix ADC BLX appliance, NSVLAN bound with tagged non-dpdk interfaces might not work as expected. NSVLAN bound with untagged non-dpdk interfaces works fine.

    [ NSNET-18586 ]

  • The following interface operations are not supported for Intel `X710 10G (i40e)` interfaces on a Citrix ADC BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset
    [ NSNET-16559 ]

  • On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file ("/etc/blx/blx.conf") settings. This issue occurs because "mawk", which is present by default on Debian based Linux systems, does not run some of the awk commands present in the "blx.conf" file.

    Workaround: Install "gawk" before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install "gawk":

    • apt-get install gawk
    [ NSNET-14603 ]

  • Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:

    "The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable"

    Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

    • dpkg --add-architecture i386
    • apt-get update
    • apt-get dist-upgrade
    • apt-get install libc6:i386
    [ NSNET-14602 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

    [ NSNET-5233 ]

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • The LSN module does not find the service while decrementing the reference count or deleting the service.
    [ NSHELP-29134 ]

  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • Filtering and mapping reference counts are non-zero for the LSN module in the appliance.
    [ NSHELP-28842 ]

  • In a Large scale NAT44 deployment, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • The LSN module accessed the memory location of an already deleted service.
    [ NSHELP-28815 ]

  • In a Citrix ADC appliance with even number of packet engines (PE), the appliance incorrectly displays the status of active interfaces as inactive of a redundant interface set (LR channels). This issue does not impact any functionality of the Citrix ADC appliance.

    [ NSHELP-28099 ]

  • The Citrix ADC appliance might not generate "coldStart" SNMP trap messages after a cold restart.

    [ NSHELP-27917 ]

  • In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

    • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

    As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in non-default partition

    [ NSHELP-24000 ]

  • When an admin partition memory limit is changed in Citrix ADC appliance, the TCP buffering memory limit gets automatically set to admin partition new memory limit.

    [ NSHELP-21082 ]

Platform

  • When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

    • 13.1-4.x
    • 13.0-82.31 and later
    • 12.1-62.21 and later

    The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:

    • Any 11.1 build
    • 12.1-62.21 and earlier
    • 13.0-81.x and earlier
    [ NSPLAT-21691 ]
  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.

    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.

    [ NSPLAT-4451 ]

  • The HA failover for Citrix ADC VPX instance on the GCP and AWS cloud fails when the password of an RPC node contains a special character.

    [ NSHELP-28600 ]

  • The Citrix ADC appliance generates false packets per second (PPS) rate-limit alerts even before the Citrix ADC appliance reaches its PPS limit for the license.

    [ NSHELP-26935 ]

Policies

  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.

    [ NSPOLICY-1267 ]

  • A Citrix ADC appliance might crash with the following conditions:

    • An audit message action is configured with the string builder expression with one or more REGEX functions applied to the body of a request.
    • An Application Firewall profile configured with the Streaming option enabled.

    For example, HTTP.REQ.BODY(10000000).REGEX_SELECT(re/name=[^\r\n]*[\r\n]+/).

    Workaround: Reconfigure the message action string builder expression without REGEX functions.

    For example, HTTP.REQ.BODY(10000000).AFTER_STR("name=").BEFORE_STR("\r")).

    [ NSHELP-27895 ]

SSL

  • On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.

    Workaround:

    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
    2. Save the configuration.
    [ NSSSL-9572 ]
  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]
  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]
  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

    [ NSSSL-3184, NSSSL-1379, NSSSL-1394 ]

  • A Citrix ADC appliance crashes while processing an HTTP request if the policy action is set to "Forward" for a policy that is already bound at the request bind point.

    [ NSHELP-29115 ]

  • In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.

    [ NSHELP-28058 ]

  • In a high availability setup, the certificate type is not synchronised correctly between the primary and secondary nodes.

    [ NSHELP-27589 ]

  • In a VPN deployment, the Citrix ADC appliance picks up an SSL session for session reuse from cache to communicate to the proxy or back-end server. It does this without matching the SNI received from the client to the SNI present in the cached session.

    As a result, either the SNI is not sent or a different SNI is sent depending on the cached data.

    [ NSHELP-27439 ]

  • In a high availability setup, CRL auto refresh fails intermittently if both of the following conditions are met:

    • Files are syncing from the primary node to the secondary node.
    • CRL file is downloading from the CRL server at the same time.
    [ NSHELP-27435 ]

  • All the IP addresses in a SAN certificate are now displayed. Earlier only the last SAN IP address of all the IP addresses in the SAN certificate were displayed.

    [ NSHELP-27336 ]

  • The CA certificate name that issued the CRL is truncated to 32 characters, even though a certificate-key name can be up to 64 characters. This issue occurs because the CRL field has a limit of 32 characters.

    [ NSHELP-26986 ]

  • SSL handshake fails if you use DH ciphers with an external HSM.

    [ NSHELP-25307 ]

System

  • The Citrix ADC appliance crashes if either of the following conditions occur:

    • The syslog action is configured with the domain name and you clear the configuration by using the GUI or the CLI.
    • High availability synchronization happens on the secondary node.

    "Workaround:"

    Create syslog action with syslog server's IP address instead of syslog server's domain name.

    [ NSHELP-30987, NSHELP-28121, NSHELP-29843 ]

  • The X-Forwarder header is not added to some requests sent from the Citrix ADC appliance to the back-end server.

    [ NSHELP-29142, NSHELP-29583 ]

  • A Citrix ADC appliance crashes if the following conditions are met:

    • The client-side measurements option is enabled on the AppFlow action.
    • The chunk headers fall on the packet boundary.
    [ NSHELP-29049 ]

  • A Citrix ADC appliance resets a connection if the HTTP pipeline (one or multiple requests) size exceeds 128 KB. The issue occurs because the pipeline size is hard limited to 128 KB.

    [ NSHELP-28846 ]

  • A Citrix ADC appliance might crash when replaying a chunked response from the ICAP-module to the client.

    [ NSHELP-28788 ]

  • A Citrix ADC Intrusion Prevention System (IPS) observes an issue with the rewrite policy when inserting or modifying data if the following condition is met:

    • The Citrix ADC appliance sends data packets to the IPS server before the backend server connection opens.
    [ NSHELP-28496 ]

  • TCP window leak is observed when a Citrix ADC appliance processes HTTP/2 header frames.

    [ NSHELP-28475 ]

  • In a high availability setup, HA synchronization of admin partition configurations fails on the secondary node because of the following reason:

    • Low memory issues caused because of huge config loads on the secondary node
    [ NSHELP-28409 ]

  • The Citrix ADC appliance crashes when all of the following conditions are met:

    • A content inspection action, with a server IP address, uses the internal data of a service if already configured.
    • As a result, the internal data of the service is also removed when the CI action is removed.
    • When the actual service is removed, the Citrix ADC appliance makes an attempt access and delete the already removed internal data.
    [ NSHELP-28293 ]

  • When a client resets a connection with multiple TCP streams, the server-side transaction record is not sent which results in L4 records missing for those data streams.

    [ NSHELP-28281 ]

  • The connection chaining TCP option gets added to the Citrix ADC RPC connections. The issue causes an interoperability issue with GSLB sites communication.

    [ NSHELP-27417 ]

  • Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

    [ NSHELP-27410 ]

  • In a TCP connection, the Citrix ADC appliance might drop a FIN packet, received from a server, instead of forwarding it to the client if all of the following conditions are met:

    • TCP buffering is enabled.
    • The server sends the FIN packet and the data packet separately.
    [ NSHELP-27274 ]

  • A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

    [ NSHELP-27179 ]

  • Pitboss failure occurs when looping a large number of packets in the retransmission queue.

    [ NSHELP-26071 ]

  • A mismatch in Logstream records is observed in the Citrix ADC appliance and the dataloader.

    [ NSHELP-25796 ]

  • In a rare case, a Citrix ADC appliance might send incorrect TCP SACK sequence numbers to the client when forwarding it from the backend server. The issue occurs if the TCP Selective ACK (SACK) option is enabled in a TCP Profile.

    [ NSHELP-24875 ]

  • Some SYSLOG messages are dropped when logging on to an external SYSLOG server using TCP protocol.

    [ NSHELP-24522 ]

  • In certain scenarios, the nstrace packet capture misses all packets if you apply the IP address based filter.

    [ NSHELP-23483 ]

  • In a cluster setup, the "set ratecontrol" command works only after restarting the Citrix ADC appliance.

    Workaround: Use the "nsapimgr_wr.sh -ys icmp_rate_threshold=<new value>" command.

    [ NSHELP-21811 ]
  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

    [ NSHELP-21240 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.

    [ NSHELP-10972 ]
  • In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.

    [ NSBASE-16304, NSGI-1293 ]
  • Client IP and Server IP is inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.

    [ NSBASE-8506 ]

  • ICAP support for Citrix ADC

    A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

    For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html

    [ NSBASE-825 ]

User Interface

  • In the Compression Policy Manager GUI, unable to bind a compression policy to an HTTP protocol by specifying a relevant bind point and connection type.

    [ NSUI-17682 ]

  • In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.

    [ NSUI-14752 ]

  • Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.

    Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.

    [ NSUI-6838 ]

  • ADC instances in a cluster mode configured with pooled capacity go down. This issue happens when a hostname is configured in the cluster nodes and if the nodes take more time in connecting to the ADM license server on bootup.

    [ NSHELP-28613 ]

  • Citrix ADC GUI might incorrectly generate a cluster technical support bundle of only one node instead of all the cluster nodes.

    [ NSHELP-28606 ]

  • The API response for a NITRO GET request with filter might contain additional information even if it is not mentioned in the filter.

    [ NSHELP-28598 ]

  • While configuring or checking SSL certificates using the Citrix ADC GUI, the error "Directory doesn't exist" might appear. This issue occurs when a filename with two consecutive dots ("..") exists in the SSL folder "/nsconfig/ssl".

    Workaround: Delete or move these files from the "/nsconfig/ssl" folder.

    [ NSHELP-28589 ]

  • Generating a cluster technical support bundle by using Citrix ADC GUI might fail with an error.

    [ NSHELP-28586 ]

  • In a high availability setup, HA synchronization might fail for a built-in policy pattern set binding, if the built-in policy pattern set was modified on the primary node.

    [ NSHELP-28460 ]

  • The following issue is observed if any operation is performed that reads the `ns.conf` file. For example, `show ns saved config`.

    • The HTTPD process might freeze causing the GUI and NITRO API to become inaccessible.
    [ NSHELP-28249 ]

  • When the user tries to change the page size of a list in the side panel views, the page gets distorted.

    [ NSHELP-28220 ]

  • After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail because of the following reason:

    • Both "ssh_host_rsa_key" private and public keys are an incorrect pair.

    Workaround: Regenerate "ssh_host_rsa_key". For more information, see https://support.citrix.com/article/CTX322863.

    [ NSHELP-27834 ]

  • You cannot bind a service or a service group to a priority load balancing virtual server using the Citrix ADC GUI.

    [ NSHELP-27252 ]

  • ping or ping6 command with interface (-I) option might fail with the following error:

    • "interface option not supported"
    [ NSHELP-26962 ]

  • In a Citrix ADC VPX appliance, a set capacity operation might fail after adding a license server. The issue occurs because the Flexera related components take a longer time to initialize because of the large number of supported licenses of type check-in and check-out (CICO)

    [ NSHELP-23310 ]

  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]

  • Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.

    [ NSCONFIG-4330 ]

  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]

Top