Release Notes for Citrix ADC 13.0-84.11 Release

This release notes document describes the enhancements and changes, and the fixed and known issues, for Citrix ADC release Build 13.0-84.11.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 13.0-84.11 replaces Build 13.0-84.10.
  • This build also includes a fix for the following issue: NSWAF-8668.

What's New

The enhancements and changes that are available in Build 13.0-84.11.

Authentication, authorization, and auditing

  • Support for latest versions of Intune NAC APIs

    Citrix Gateway support for Intune Network Access Control (NAC) is now enhanced for the latest versions of Intune NAC APIs.

    [ NSAUTH-9722 ]

Platform

  • Support for Intel Ethernet Controller X710 and XL710 series on Citrix Hypervisor

    You can now configure a Citrix ADC VPX instance running on Citrix Hypervisor using single root I/O virtualization (SR-IOV) with the following NICs:

    • Intel X710 10G
    • Intel XL710 40G
    [ NSPLAT-21410 ]

Fixed Issues

The issues that are addressed in Build 13.0-84.11.

Authentication, authorization, and auditing

  • The Citrix ADC appliance crashes if email OTP is configured.

    [ NSHELP-29312 ]
  • A Citrix ADC appliance may crash if the following conditions are met:

    1. The appliance is under memory pressure.
    2. Audit logging is enabled and set to INFO level.
    3. User authentication is in progress.
    [ NSHELP-29053 ]
  • If a Citrix ADC appliance is configured with both the SameSite cookie attribute and the Domain attribute for authentication, authentication fails. This happens because the SameSite attribute value and the Domain attribute are not separated by a semicolon in the cookie.

    [ NSHELP-28971 ]
  • A Citrix ADC appliance may crash if the following conditions are met:

    1. The appliance is under memory pressure.
    2. SAML is configured as one of the authentication methods.
    [ NSHELP-28855 ]
  • The native OTP encryption tool does not allow special characters in the device name.

    [ NSHELP-28795 ]
  • An incorrect logout ("/cgi/tmlogout") URL is returned when a VPN virtual server is configured as SAML SP. The issue happens because the incorrect logout URL is generated in the SAML metadata.

    [ NSHELP-28726 ]
  • In some cases, in a multicore environment, a client browser fails to access the resources behind an Authentication, authorization, and auditing-TM virtual server.

    [ NSHELP-28474 ]
  • When you log in to the Citrix ADC appliance, a blank password field appears when both of the following conditions are met:

    • Duo two-factor authentication is configured
    • RfWebUI portal theme is used
    [ NSHELP-27868 ]
  • SameSite cookie attributes are not added to the authentication cookies if a Citrix ADC appliance is configured for 401-based authentication.

    [ NSHELP-27764 ]
  • When a user performs a SAML logout, the logout does not happen immediately and the following error message is displayed:

    "Unsupported mechanisms found in Assertion; Please contact your administrator."

    This error is seen because the IdP that the customer configured uses a different URL encoding technique to encode the signature algorithm parameter in the response. With this fix, the signature algorithm parameter in a SAML response is accepted when encoded with any of several URL encoding techniques.

    [ NSHELP-27621 ]
  • In some cases, an HTTP POST request to an Authentication, authorization, and auditing-TM virtual server is processed incorrectly if the request does not have an authentication cookie. The POST body is lost during processing.

    [ NSHELP-27227 ]
  • In a rare scenario, the secondary node in a high availability setup might crash if the following condition is met:

    • "aaa groups" or "aaa users" (or both) are configured on the Citrix ADC appliance.
    [ NSHELP-26732 ]

Bot Management

  • A Citrix ADC appliance might crash when using the autogenerated bot trap URL functionality.

    [ NSBOT-780 ]
  • The response for a "botprofile_captcha_binding" NITRO API request does not contain the default CAPTCHA configuration values.

    [ NSBOT-748 ]
  • The bot trap URL check is triggered for whitelisted clients.

    [ NSBOT-581 ]
  • The bot device fingerprint detection technique fails if the user-agent header field value contains the "Android" keyword.

    [ NSBOT-577 ]

Citrix ADC SDX Appliance

  • When the interface speed is more than 4 Gbps, a wrong value is returned because of an integer overflow.

    [ NSHELP-29658 ]
  • On a Citrix ADC SDX appliance, the Management Service does not send syslog or email notifications if the power supply, voltage, or disk failures occur more than once.

    [ NSHELP-29443 ]
  • On the Citrix ADC SDX 14000-40G, 15000, and 15000-50G platforms, setting the interface speed using the CLI fails.

    [ NSHELP-29388 ]
  • When you change the profile on an ADC instance hosted on the Citrix ADC SDX platform, you might notice some extra entries for the "save config" command in the log file.

    [ NSHELP-29343 ]
  • On a Citrix ADC SDX appliance, an SNMP agent running in the Management Service returns an incorrect error code for non-existing OIDs.

    [ NSHELP-29209 ]

Citrix Gateway

  • The Citrix ADC appliance might crash during VPN logon if an AppFlow policy with an HTTP rule is bound to a Citrix Gateway.

    [ NSHELP-28705 ]
  • The Citrix Gateway logon page might fail to load for 3G/tethered users.

    [ NSHELP-28367 ]
  • The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.

    [ NSHELP-28329 ]
  • You might see an extra line for NS_AUDITLOG_STR* logs in the ns_aaa_json.c file.

    [ NSHELP-28160 ]
  • In rare cases, the Citrix Gateway portal page does not display the Download button for EPA plug-in on the Internet Explorer browser.

    [ NSHELP-27849 ]
  • DNS registration does not work after the VPN connection is established.

    To fix this issue, you must enable the nsapimgr knob by running `nsapimgr_wr.sh -ys call=toggle_vpn_configured_dns_disable_override`.

    [ NSHELP-27760 ]
  • When accessing the Citrix Gateway appliance using the clientless VPN, a core dump might be generated.

    [ NSHELP-27653 ]
  • The Citrix Gateway appliance might crash while processing server-initiated UDP traffic.

    [ NSHELP-27611 ]
  • The Citrix Gateway portal localization does not work with the Internet Explorer browser.

    [ NSHELP-26822 ]
  • The Citrix Gateway portal enterprise bookmark feature supports only the following protocols: http://, https://, rdp://, and ftp://. All other bookmarks are blocked.

    [ CGOP-19543 ]

Citrix Web App Firewall

  • If you are using WAF signatures, after upgrading the build you must update all the WAF signatures, including the default signatures, to the latest version. Then, re-enable the required signature rules.

    [ NSWAF-8668 ]
  • In some cases, a Citrix ADC appliance might crash when trap URLs are auto-generated in the bot management system.

    [ NSHELP-29339 ]
  • The Web App Firewall signature ID 1048 blocks the Citrix Gateway page from loading.

    [ NSHELP-29113 ]

Load Balancing

  • Incremental synchronization fails for the "add dns action" and "add location" commands with policy expressions that contain wildcards.

    [ NSHELP-29301 ]
  • The GSLB service group is unable to handle monitor updates due to a missing ENUM value in failed commands.

    [ NSHELP-29050 ]
  • If a ZONE type DNS record is available for the parent domain, a query for a child domain that has an existing NS record returns the parent domain's SOA record instead of the child domain's NS record.

    [ NSHELP-28793 ]
  • The Citrix ADC appliance might fail to respond to a GSLB domain query with the expected GSLB service IP address if the GSLB virtual server is configured as follows:

    • Persistence type: Source IP address
    • Load balancing algorithm: Static proximity
    • Backup load balancing method: Round trip time (RTT)

    [ NSHELP-28668 ]
  • The VPX primary and secondary sites crash after a GSLB service group is configured with Autoscale enabled.

    [ NSHELP-28530 ]
  • A Citrix ADC appliance in an HA setup loses connectivity because the NSB memory is not freed after the HTTP response is sent during HTTP probe monitoring.

    [ NSHELP-28466 ]
  • The last response message is displayed incorrectly for monitors bound to GSLB service groups.

    [ NSHELP-28393 ]
  • Persistence configuration for an LB group is lost after an HA failover or when the Citrix ADC appliance is rebooted.

    [ NSHELP-28071 ]
  • The cookieTimeout value is incorrectly set during the GET operation, resulting in failure of CS virtual server update operation.

    [ NSHELP-27979 ]
  • Sometimes, in a multi-PE system, domain-based service groups do not recover to the UP state after a few failures in the system. This issue is caused by a race condition between the CLI and the internal monitors.

    [ NSHELP-27965 ]
  • The configured state of the default monitor shows as disabled even when the default monitor is bound to a service.

    [ NSHELP-27669 ]
  • In a cluster setup, when one or more nodes go to "DOWN" state, the backup node might fail to join the cluster node group. This failure causes some Citrix ADC features to fail.

    [ NSHELP-27664 ]
  • When a large number of GSLB services are configured on multiple GSLB sites that have high network latency, GSLB services status might fail to get updated on the remote GSLB site.

    [ NSHELP-23799 ]

Miscellaneous

  • The URL set pattern matching fails for IDNA2008 standard domains.

    [ NSHELP-28902 ]
  • When MAC-based forwarding (MBF) is enabled for VXLAN, the stateful TCP session is not established.

    [ NSHELP-27125 ]

Networking

  • Upgrading a Citrix ADC appliance that has admin partitions might cause some configuration loss if the following condition is met:

    • The entire available system memory is allocated to admin partitions.
    [ NSNET-23031 ]
  • The Citrix ADC appliance might crash while creating a monitor probe for the related service if the following conditions are met:

    • A net profile with an IP set that has at least one IPv4 address and no IPv6 address. The net profile is bound to a monitor, which is set to an IPv6 service.
    • A net profile with an IP set that has at least one IPv6 address and no IPv4 address. The net profile is bound to a monitor, which is set to an IPv4 service.
    [ NSHELP-29382 ]
  • In a high availability setup, if there is an HA version mismatch between the two nodes, dynamic routes are not synchronized to the secondary node. The secondary node is not reachable if its accessibility depends on the dynamic routes.

    As a fix, dynamic routes are synchronized to the secondary node even in case of HA version mismatch.

    [ NSHELP-28326 ]

Platform

  • The Citrix ADC appliance generates false packets per second (PPS) rate-limit alerts even before the Citrix ADC appliance reaches its PPS limit for the license.

    [ NSHELP-26935 ]

Policies

  • A Citrix ADC appliance might crash if the following conditions are met:

    • An audit message action is configured with a string builder expression that applies one or more REGEX functions to the body of a request.
    • An Application Firewall profile is configured with the Streaming option enabled.

    For example, HTTP.REQ.BODY(10000000).REGEX_SELECT(re/name=[^\r\n]*[\r\n]+/).

    [ NSHELP-27895 ]

SSL

  • A Citrix ADC appliance crashes while processing an HTTP request if the policy action is set to "Forward" for a policy that is already bound at the request bind point.

    [ NSHELP-29115 ]
  • Adding a certificate-key pair might fail due to a memory allocation failure. As a result, the CA certificate-key pair lookup fails and the appliance crashes.

    [ NSHELP-28197 ]
  • All the IP addresses in a SAN certificate are now displayed. Earlier, only the last of the IP addresses in the SAN certificate was displayed.

    [ NSHELP-27336 ]
  • The Citrix ADC appliance crashes during reboot if you change the name of the built-in certificate ("ns-server-certificate") in the configuration file.

    [ NSHELP-26858 ]

System

  • When a Citrix ADC appliance receives an HTTP/2 GOAWAY frame from a client, it incorrectly resets all streams with a stream ID greater than the promised ID (the last peer-initiated stream identifier carried in the frame), instead of only the streams that the GOAWAY applies to.

    [ NSHELP-29328 ]
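The RFC 7540 rule behind this issue, as an added example that is not Citrix code: the last-stream-id in a GOAWAY frame covers only streams initiated by the frame's receiver, so a server that receives GOAWAY from a client aborts only its own even-numbered streams above that ID while client-initiated streams keep running. The payload, the stream set and the helper names are constructed for the example.

```python
"""Added example, not Citrix code: GOAWAY last-stream-id semantics (RFC 7540 section 6.8).

The last-stream-id in a GOAWAY frame refers only to streams initiated by the
frame's receiver. A server that receives GOAWAY from a client must therefore
treat only its own (even-numbered) streams above that ID as unprocessed;
client-initiated (odd-numbered) streams keep running. The buggy variant below
mirrors the behaviour described for NSHELP-29328.
"""
import struct

# Constructed sample: a client GOAWAY with last-stream-id 4 and error code
# NO_ERROR (0), followed by opaque debug data. The high bit of the first word
# is the reserved R bit, set here to show that a parser must mask it off.
SAMPLE_GOAWAY_PAYLOAD = struct.pack("!II", 0x80000004, 0) + b"constructed-debug-data"

# Constructed set of streams open on the server side when the frame arrives.
OPEN_STREAMS = {1, 2, 3, 4, 5, 6, 7, 8}


def parse_goaway_payload(payload: bytes):
    """Return (last_stream_id, error_code, debug_data) from a GOAWAY payload."""
    if len(payload) < 8:
        raise ValueError("GOAWAY payload is at least 8 octets")
    raw_last_id, error_code = struct.unpack("!II", payload[:8])
    last_stream_id = raw_last_id & 0x7FFFFFFF  # strip the reserved R bit
    return last_stream_id, error_code, payload[8:]


def initiated_by_client(stream_id: int) -> bool:
    # RFC 7540 section 5.1.1: odd IDs are client-initiated, even IDs server-initiated.
    return stream_id % 2 == 1


def streams_to_reset_buggy(open_streams, last_stream_id):
    """Behaviour described in the issue: every stream above the ID is reset."""
    return sorted(s for s in open_streams if s > last_stream_id)


def streams_to_reset(open_streams, last_stream_id, goaway_from_client=True):
    """Streams the receiver must treat as unprocessed after a GOAWAY.

    goaway_from_client=True is the server's view (frame came from the client);
    False is the client's view (frame came from the server).
    """
    if goaway_from_client:
        # Only the receiver's own (server-initiated, even) streams are affected.
        return sorted(s for s in open_streams
                      if not initiated_by_client(s) and s > last_stream_id)
    return sorted(s for s in open_streams
                  if initiated_by_client(s) and s > last_stream_id)


def handle_client_goaway(open_streams, payload):
    """Server-side handling: parse the frame and return the streams to abort."""
    last_stream_id, _error_code, _debug = parse_goaway_payload(payload)
    return streams_to_reset(open_streams, last_stream_id, goaway_from_client=True)


if __name__ == "__main__":
    last_id, _, _ = parse_goaway_payload(SAMPLE_GOAWAY_PAYLOAD)
    print("last-stream-id:", last_id)  # 4
    print("buggy reset set:", streams_to_reset_buggy(OPEN_STREAMS, last_id))  # [5, 6, 7, 8]
    print("correct reset set:", handle_client_goaway(OPEN_STREAMS, SAMPLE_GOAWAY_PAYLOAD))  # [6, 8]
```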
  • On Citrix ADM, the ADM agent might report high memory usage because of an issue in the ADM agent.

    [ NSHELP-29285 ]
  • The X-Forwarder header is not added to some requests sent from the Citrix ADC appliance to the back-end server.

    [ NSHELP-29142 ]
  • A Citrix ADC Intrusion Prevention System (IPS) observes an issue with the rewrite policy when inserting or modifying data if the following condition is met:

    • The Citrix ADC appliance sends data packets to the IPS server before the backend server connection opens.
    [ NSHELP-28496 ]
  • In a high availability setup, HA synchronization of admin partition configurations fails on the secondary node because of the following reason:

    • Low memory conditions caused by large configuration loads on the secondary node
    [ NSHELP-28409 ]
  • The Citrix ADC appliance crashes when all of the following conditions are met:

    • A content inspection action with a server IP address uses the internal data of a service if that service is already configured.
    • As a result, the internal data of the service is also removed when the CI action is removed.
    • When the actual service is removed, the Citrix ADC appliance attempts to access and delete the already removed internal data.
    [ NSHELP-28293 ]
  • When a client resets a connection with multiple TCP streams, the server-side transaction record is not sent, which results in missing L4 records for those data streams.

    [ NSHELP-28281 ]
  • The connection chaining TCP option is added to the Citrix ADC RPC connections. This causes an interoperability issue with communication between GSLB sites.

    [ NSHELP-27417 ]
  • In a rare case, a Citrix ADC appliance might send incorrect TCP SACK sequence numbers to the client when forwarding them from the back-end server. The issue occurs if the TCP Selective ACK (SACK) option is enabled in a TCP profile.

    [ NSHELP-24875 ]
  • When a Citrix ADC appliance receives an out-of-order TCP packet with the FIN flag set, the following issues might be observed:

    • The Citrix ADC appliance sends an incorrect SACK, which indicates that the appliance received a 2-byte instead of a 1-byte out-of-order TCP packet.
    • The Citrix ADC appliance does not acknowledge the TCP FIN packet on receiving the in-order TCP packets.
    [ NSBASE-15735 ]
  • In case of a reset connection, the TCP simulate function in the Cache module might not yield the CPU in time for responding to the "pitboss" heartbeats.

    [ NSBASE-15367 ]

User Interface

  • Modifying an ACL-based RNAT rule that already has connection failover enabled, by using the Citrix ADC GUI, might fail with the following error:

    • "Invalid argument value [connfailover]"
    [ NSHELP-29243 ]
  • ADC instances in cluster mode configured with pooled capacity go down. This issue happens when a hostname is configured on the cluster nodes and the nodes take longer to connect to the ADM license server at boot.

    [ NSHELP-28613 ]
  • The following issue is observed if any operation is performed that reads the `ns.conf` file. For example, `show ns saved config`.

    • The HTTPD process might freeze causing the GUI and NITRO API to become inaccessible.
    [ NSHELP-28249 ]
  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]
  • In the Citrix ADC CLI, the options for bind commands are not auto-populated if you press the <Tab> key while typing the command at the command prompt.

    For example, type the following command; when you press the <Tab> key, the objects are not auto-populated.

    "bind authentication vserver <authvservername> -policy <Tab>".

    Here, the authentication virtual server can be bound to multiple object types such as RADIUS policy, LDAP policy, cert policy, TACACS policy, advanced authentication policy, and so on.

    [ NSCONFIG-6340 ]
  • Unbinding rate-limiting URL from a bot profile results in an internal database error.

    [ NSCONFIG-6231 ]

Known Issues

The issues that exist in release 13.0-84.11.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.

    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • In some cases, a memory leak is observed in a Citrix ADC appliance if the SSO functionality is used with a proxy server.

    [ NSHELP-27744 ]
  • In some cases, the "invalid credentials" error message is displayed during the RADIUS authentication process. The error is seen when the Citrix ADC appliance is accessed from a client device using the Google Chrome browser.

    [ NSHELP-27113 ]
  • Access to a service is denied if the following conditions are met:

    • The service is bound to an authentication virtual server.
    • 401 authentication is configured on the service and the virtual server that the service is bound to.
    [ NSHELP-26903 ]
  • The Citrix ADC appliance crashes if both of the following conditions are met:

    • Email OTP is configured
    • Email server does not respond or there is a network issue with the email server

    [ NSHELP-26137 ]
  • In certain scenarios, the bind Authentication, authorization, and auditing group command might fail if the policy name is longer than the intranet application name.

    [ NSHELP-25971 ]
  • If the admin password for LDAP, RADIUS, or TACACS services contains the double quote (") character, the Citrix ADC appliance strips it during the "Test Connectivity" check, resulting in a connection failure.

    [ NSHELP-23630 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml LoginSchema does not appear properly in the login schema editor screen of the Citrix ADC GUI.

    [ NSAUTH-6106 ]
  • An ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank when you run the following command:
    "show adfsproxyprofile <profile name>"

    Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. This displays the proxy profile status.

    [ NSAUTH-5916 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:

    • The Test LDAP Reachability option is opened.
    • Invalid login credentials are populated and submitted.
    • Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.

    [ NSAUTH-2147 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

    [ NSHELP-22942 ]

Citrix ADC SDX Appliance

  • On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.

    [ NSSVM-4333 ]
  • The data in the ADC events table can now be sorted across pages if the total number of data records is less than 5000.

    [ NSHELP-29170 ]
  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:

    • Throughput allocation mode is burst.
    • There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]

Citrix Gateway

  • In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.

    [ NSHELP-28856 ]
  • Sometimes, after disconnecting the VPN, the DNS resolver fails to resolve the host names, because the DNS suffixes are removed during VPN disconnection.

    [ NSHELP-28848 ]
  • Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.

    [ NSHELP-28551 ]
  • Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.

    [ NSHELP-28404 ]
  • The Windows plug-in might crash during authentication.

    [ NSHELP-28394 ]
  • The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.

    [ NSHELP-27570 ]
  • The Citrix Gateway appliance might crash if an unknown VPN client option is set in the session policy.

    [ NSHELP-27380 ]
  • You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.

    With this fix, you can now unbind the authorization policy by using the GUI.

    [ NSHELP-27064 ]
  • Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.

    [ NSHELP-26904 ]
  • The Citrix Gateway GUI displays the message "Invalid IP or Port" when editing a VPN session profile.

    [ NSHELP-26722 ]
  • The Citrix ADC appliance crashes if either of the following conditions occurs:

    • The syslog action is configured with the domain name and you clear the configuration by using the GUI or the CLI.
    • High availability synchronization happens on the secondary node.

    Workaround:

    Create the syslog action with the syslog server's IP address instead of the syslog server's domain name.

    [ NSHELP-25944 ]
  • While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:

    • A default pre-shared key (PSK) is configured.
    • You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
    [ NSHELP-25694 ]
  • In a high availability setup, VPN user sessions get disconnected if the following condition is met:

    • Two or more successive manual HA failover operations are performed while HA synchronization is in progress.

    Workaround: Perform successive manual HA failovers only after the HA synchronization is completed (both nodes are in the Sync success state).

    [ NSHELP-25598 ]
  • The EPA plug-in for Windows does not use the local machine's configured proxy and connects directly to the gateway server.

    [ NSHELP-24848 ]
  • Gateway Insight does not display accurate information about VPN users.

    [ NSHELP-23937 ]
  • The VPN plug-in does not establish a tunnel after Windows logon if the following conditions are met:

    • The Citrix Gateway appliance is configured for the Always On feature.
    • The appliance is configured for certificate-based authentication with two-factor authentication set to "off".
    [ NSHELP-23584 ]
  • The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.

    Example:

    New output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0

    Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
    Priority: 1
    Global bindpoint: REQ_DEFAULT

    Policy Name: ns_adv_tunnel_msdocs Type: Advanced policy
    Priority: 100
    Global bindpoint: RES_DEFAULT
    Done
    >

    Previous output:

    > show tunnel global
    Policy Name: ns_tunnel_nocmp Priority: 0 Disabled

    Advanced Policies:

    Global bindpoint: REQ_DEFAULT
    Number of bound policies: 1

    Done

    [ NSHELP-23496 ]
  • Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.

    [ NSHELP-21897 ]
  • If you would like to use Always On VPN before Windows Logon functionality, it is recommended to upgrade to Citrix Gateway 13.0 or later. This enables you to leverage the additional enhancements introduced in release 13.0 that are not available in the 12.1 release.

    [ CGOP-19355 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.

    [ CGOP-13621 ]
  • The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.

    [ CGOP-13584 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]
  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

    [ CGOP-13050 ]
  • The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]
  • An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830 ]
  • In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]
  • In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.

    [ CGOP-6794 ]

Citrix Web App Firewall

  • A Citrix ADC appliance might crash if the following modules are enabled:

    • Web App Firewall with advanced security checks.
    • AppQoE.
    [ NSHELP-28251 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]
  • The state of the service group displayed in the show and stat commands is inconsistent.

    [ NSHELP-28931 ]
  • The load balancing or GSLB domain-based Autoscale service group state remains DOWN if you use a wildcard port.

    [ NSHELP-28548 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.

    [ NSHELP-20406 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.

    [ NSSWG-849 ]
  • A Citrix ADC CPX instance running on a 64-bit Linux system with 1 TB of file storage can now load certificate and key files.

    [ NSHELP-28986 ]
  • A Citrix ADC appliance might restart because of management CPU stagnation if a connectivity issue occurs with the URL Filtering third-party vendor.

    [ NSHELP-22409 ]

Networking

  • A Citrix ADC appliance might crash if all of the following conditions are met:

    • A load balancing route is configured in a traffic domain on the appliance.
    • A clear config operation is performed on the appliance.
    [ NSNET-23847 ]
  • A Citrix ADC BLX appliance in DPDK mode might crash if a Web Application Firewall profile is configured with advanced security protection checks.

    Workaround: Remove the Advanced security protection configuration for WAF.

    [ NSNET-22654 ]
  • In a Citrix ADC BLX appliance, an NSVLAN bound with tagged non-DPDK interfaces might not work as expected. An NSVLAN bound with untagged non-DPDK interfaces works fine.

    [ NSNET-18586 ]
  • After an upgrade from Citrix ADC BLX appliance 13.0 61.x build to 13.0 64.x build, settings on the BLX configuration file are lost. The BLX configuration file is then reset to default.

    [ NSNET-17625 ]
  • The following interface operations are not supported for Intel `X710 10G (i40e)` interfaces on a Citrix ADC BLX appliance with DPDK:

    • Disable
    • Enable
    • Reset
    [ NSNET-16559 ]
  • On a Debian-based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file ("/etc/blx/blx.conf") settings. This issue occurs because "mawk", which is present by default on Debian-based Linux systems, does not run some of the awk commands present in the "blx.conf" file.

    Workaround: Install "gawk" before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install "gawk":

    • apt-get install gawk
    [ NSNET-14603 ]
  • Installation of a Citrix ADC BLX appliance might fail on a Debian-based Linux host (Ubuntu version 18 and later) with the following dependency error:

    "The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable"

    Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:

    • dpkg --add-architecture i386
    • apt-get update
    • apt-get dist-upgrade
    • apt-get install libc6:i386
    [ NSNET-14602 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only the NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.

    [ NSNET-5233 ]
  • In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • The LSN module does not find the service while decrementing the reference count or deleting the service.
    [ NSHELP-29134 ]
  • In a large scale NAT44 deployment, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:

    • The LSN module accessed the memory location of an already deleted service.
    [ NSHELP-28815 ]
  • In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:

    • A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.

    As part of the fix, the Citrix ADC appliance no longer allows binding a dynamic routing enabled SNIP address to the shared VLAN in a non-default partition.

    [ NSHELP-24000 ]
  • When an admin partition memory limit is changed on a Citrix ADC appliance, the TCP buffering memory limit is automatically set to the new admin partition memory limit.

    [ NSHELP-21082 ]

Platform

  • The high availability failover does not work in AWS and GCP clouds. The management CPU might reach 100% capacity in AWS and GCP clouds, and on Citrix ADC VPX on-premises. Both of these issues occur when the following conditions are met:

    1. During the first boot of the Citrix ADC appliance, you do not save the prompted password.
    2. Subsequently, you reboot the Citrix ADC appliance.
    [ NSPLAT-22013 ]
  • When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some Python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:

    • 13.1-4.x
    • 13.0-82.31 and later
    • 12.1-62.21 and later

    The Python packages are not installed when you downgrade the Citrix ADC version from 13.1-4.x to any of the following versions:

    • Any 11.1 build
    • 12.1-62.21 and earlier
    • 13.0-81.x and earlier
    [ NSPLAT-21691 ]
  • In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:

    • The CLAG is created on a Mellanox NIC.
    • You add another VPX instance to the cluster and CLAG setup.

    As a result, traffic to the VPX instance stops.

    [ NSPLAT-21049 ]
  • In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch between the CLIP and the MAC table, if the following conditions are met:

    • The CLAG is created on a Mellanox NIC.
    • You remove the second node from the cluster.
    [ NSPLAT-21042 ]
  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.

    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, when you log on to the secondary node through the GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.

    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile must always be configured on the primary node.

    [ NSPLAT-4451 ]

Policies

  • Connections might hang if the size of the data being processed exceeds the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.

    [ NSPOLICY-1267 ]

SSL

  • On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, the configuration of SSL entities is lost if the SDX 26000 appliance is restarted.

    Workaround:

    1. On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
    2. Save the configuration.
    [ NSSSL-9572 ]
  • You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]
  • You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]
  • The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.

    [ NSSSL-3184 ]
  • In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.

    [ NSHELP-28058 ]
  • In a VPN deployment, the Citrix ADC appliance picks up an SSL session from the cache for session reuse when communicating with the proxy or back-end server, without matching the SNI received from the client against the SNI present in the cached session.

    As a result, either no SNI is sent or a different SNI is sent, depending on the cached data.

    [ NSHELP-27439 ]
  • The CA certificate name that issued the CRL is truncated to 32 characters, even though a certificate-key name can be up to 64 characters. This issue occurs because the CRL field has a limit of 32 characters.

    [ NSHELP-26986 ]

System

  • Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.

    [ NSHELP-27410 ]
  • A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.

    [ NSHELP-27179 ]
  • Pitboss failure occurs when looping a large number of packets in the retransmission queue.

    [ NSHELP-26071 ]
  • A mismatch in Logstream records is observed in the Citrix ADC appliance and the dataloader.

    [ NSHELP-25796 ]
  • In a cluster setup, the "set ratecontrol" command works only after restarting the Citrix ADC appliance.

    Workaround: Use the "nsapimgr_wr.sh -ys icmp_rate_threshold=<new value>" command.

    [ NSHELP-21811 ]
  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.

    [ NSHELP-21240 ]
  • The mptcp_cur_session_without_subflow counter incorrectly decrements to a negative value instead of stopping at zero.

    [ NSHELP-10972 ]
  • When processing large streams of gRPC traffic, the TCP advertised window increases exponentially leading to high memory usage.

    [ NSBASE-15447 ]
  • In a cluster configuration, a node with CCO priority gets disconnected from Open vSwitch (OVS) because of network issues. After the node rejoins the cluster, it does not receive the latest SYN cookie.

    [ NSBASE-14419 ]
  • The client IP and server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.

    [ NSBASE-8506 ]
  • ICAP support for Citrix ADC

    A Citrix ADC appliance now supports the Internet Content Adaptation Protocol (ICAP) for content transformation of HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP) servers. The ICAP servers perform content transformation on the HTTP and HTTPS messages and return the modified messages to the appliance. The adapted message is either an HTTP or HTTPS request or response.

    For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html

    [ NSBASE-825 ]
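
    The following is an added example of the REQMOD exchange that an ICAP client such as the appliance performs with a content-inspection server, written for this note; it is not Citrix code and not a capture from any ICAP product. The client wraps its HTTP request in an ICAP REQMOD message with the Encapsulated offsets that RFC 3507 requires, and the server answers either 204 (forward the request unchanged) or 200 with an adapted message. The DLP server, the icap://dlp.example:1344/reqmod URI and the card-number rule are constructed for the demonstration; the 200 case shows a server that replaces the request with an HTTP 403 the client must hand back to the user.

```python
"""Worked ICAP/1.0 REQMOD exchange (RFC 3507) between an ICAP client and a
content-inspection server. The server here is a constructed toy DLP service
run in-process; nothing below is Citrix code or a capture from a real product."""
import re

CRLF = b"\r\n"


def chunked(body: bytes) -> bytes:
    """Encapsulated bodies are HTTP/1.1 chunked: one chunk plus the terminator."""
    chunk = b"%x" % len(body) + CRLF + body + CRLF if body else b""
    return chunk + b"0" + CRLF + CRLF


def dechunk(data: bytes) -> bytes:
    """Decode a chunked body (chunk extensions after ';' are ignored)."""
    out, pos = b"", 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2          # skip chunk data and its trailing CRLF


def encapsulate(start_line, icap_headers, http_headers, body=None):
    """Build an ICAP message. Encapsulated offsets are byte offsets into the
    encapsulated section, so the body entity must begin just past the headers."""
    kind = "res" if http_headers.startswith(b"HTTP/") else "req"
    http_headers = http_headers.rstrip(b"\r\n") + CRLF + CRLF
    if body is None:
        encap, payload = f"{kind}-hdr=0, null-body={len(http_headers)}", http_headers
    else:
        encap = f"{kind}-hdr=0, {kind}-body={len(http_headers)}"
        payload = http_headers + chunked(body)
    head = [start_line] + [f"{k}: {v}" for k, v in icap_headers.items()]
    head += [f"Encapsulated: {encap}", "", ""]
    return CRLF.join(h.encode() for h in head) + payload


def parse_icap(data: bytes) -> dict:
    """Parse an ICAP request or response: start line, ICAP headers, and the
    encapsulated HTTP headers and (de-chunked) body, if any."""
    head, _, rest = data.partition(CRLF + CRLF)
    lines = head.decode().split("\r\n")
    headers = {}
    for ln in lines[1:]:
        k, _, v = ln.partition(":")
        headers[k.strip().lower()] = v.strip()
    encap = {}
    for item in filter(None, headers.get("encapsulated", "").split(",")):
        k, v = item.split("=")
        encap[k.strip()] = int(v)
    hdr = next((k for k in ("req-hdr", "res-hdr") if k in encap), None)
    body = next((k for k in ("req-body", "res-body", "null-body") if k in encap), None)
    msg = {"start": lines[0], "headers": headers, "http_headers": None, "body": None}
    if hdr is not None:
        msg["http_headers"] = rest[encap[hdr]:encap[body] if body else len(rest)]
    if body and body != "null-body":
        msg["body"] = dechunk(rest[encap[body]:])
    return msg


CARD_RE = re.compile(rb"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")   # toy DLP rule


def toy_dlp_server(reqmod_msg: bytes) -> bytes:
    """Constructed ICAP server: 204 for a clean request; otherwise 200 whose
    encapsulated message is an HTTP 403 that the client must return to the user."""
    req = parse_icap(reqmod_msg)
    if req["body"] and CARD_RE.search(req["body"]):
        return encapsulate("ICAP/1.0 200 OK", {"ISTag": '"dlp-1"'},
                           b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain",
                           b"Blocked by DLP policy\n")
    return (b"ICAP/1.0 204 No modifications needed" + CRLF + b'ISTag: "dlp-1"' + CRLF
            + b"Encapsulated: null-body=0" + CRLF + CRLF)


def reqmod(icap_uri: str, http_headers: bytes, body: bytes, send=toy_dlp_server):
    """Client side: wrap the HTTP request, submit it, and act on the verdict.
    `send` is the transport; a real client would write to TCP port 1344."""
    host = re.match(r"icap://([^/]+)", icap_uri).group(1)
    request = encapsulate(f"REQMOD {icap_uri} ICAP/1.0",
                          {"Host": host, "Allow": "204"}, http_headers, body)
    resp = parse_icap(send(request))
    status = int(resp["start"].split()[1])
    if status == 204:
        return ("forward", http_headers, body)             # send the original upstream
    if status != 200:
        raise RuntimeError("ICAP error: " + resp["start"])
    kind = "blocked" if resp["http_headers"].startswith(b"HTTP/") else "modified"
    return (kind, resp["http_headers"], resp["body"])       # 403 to client, or adapted request


if __name__ == "__main__":
    hdrs = b"POST /upload HTTP/1.1\r\nHost: intranet.example\r\nContent-Type: text/plain"
    for payload in (b"quarterly notes", b"card 4111 1111 1111 1111 exp 12/29"):
        print(reqmod("icap://dlp.example:1344/reqmod", hdrs, payload)[0])
```

    The "Allow: 204" header is what lets the server skip echoing the whole request back when nothing needs changing, which is the common case and the one to watch for performance. A client that treats every 200 as an adapted request would forward the server's 403 to the origin instead of to the user, so the response is distinguished by whether the encapsulated message starts with an HTTP status line.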

User Interface

  • In the Compression Policy Manager GUI, you cannot bind a compression policy to the HTTP protocol by specifying a relevant bind point and connection type.

    [ NSUI-17682 ]
  • In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.

    [ NSUI-14752 ]
  • The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.

    Workaround: Configure CloudBridge connectors by adding IPsec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.

    [ NSUI-6838 ]
  • Citrix ADC GUI might incorrectly generate a cluster technical support bundle of only one node instead of all the cluster nodes.

    [ NSHELP-28606 ]
  • Generating a cluster technical support bundle by using Citrix ADC GUI might fail with an error.

    [ NSHELP-28586 ]
  • After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail for the following reason:

    • The "ssh_host_rsa_key" private key and its public key are not a matching pair.

    Workaround: Regenerate "ssh_host_rsa_key". For more information, see https://support.citrix.com/article/CTX322863.

    [ NSHELP-27834 ]
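
    The following is an added check for the mismatched host key pair described above, written for this note and not Citrix code. It derives the public key from the private key with OpenSSH's ssh-keygen -y and compares the key type and key blob with the stored .pub file, so a mismatch is caught before it breaks HA or cluster synchronization. It assumes ssh-keygen is on PATH; the directory /nsconfig/ssh is assumed to be where the appliance keeps its host keys, and can be overridden.

```python
"""Verify that an OpenSSH host key pair matches, the condition whose failure
NSHELP-27834 describes as breaking HA and cluster config synchronization.
Assumes OpenSSH's ssh-keygen is on PATH; /nsconfig/ssh is assumed to be the
host-key directory on the appliance. Added example, not Citrix code."""
import os
import shutil
import subprocess
import tempfile


def public_key_fields(line: str):
    """(key type, base64 blob) from an OpenSSH public-key line; the comment
    is ignored because ssh-keygen -y does not always reproduce it."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line: %r" % line)
    return parts[0], parts[1]


def keypair_matches(private_path: str, public_path: str) -> bool:
    """Derive the public key from the private key (ssh-keygen -y) and compare
    it with the stored .pub file field by field."""
    derived = subprocess.run(["ssh-keygen", "-y", "-f", private_path],
                             capture_output=True, text=True, check=True).stdout
    with open(public_path) as f:
        stored = f.read()
    return public_key_fields(derived) == public_key_fields(stored)


def check_host_keys(ssh_dir="/nsconfig/ssh", names=("ssh_host_rsa_key",)):
    """Map each host key name to True (pair matches), False (mismatch: regenerate
    it), or None when either file is missing."""
    results = {}
    for name in names:
        priv, pub = os.path.join(ssh_dir, name), os.path.join(ssh_dir, name + ".pub")
        if not (os.path.exists(priv) and os.path.exists(pub)):
            results[name] = None
        else:
            results[name] = keypair_matches(priv, pub)
    return results


def ssh_keygen_available() -> bool:
    return shutil.which("ssh-keygen") is not None


def demo() -> tuple:
    """Generate two throwaway RSA pairs and compare a matching pair with a
    private key paired against the wrong .pub file: returns (True, False)."""
    d = tempfile.mkdtemp()
    paths = []
    for name in ("a", "b"):
        priv = os.path.join(d, name)
        subprocess.run(["ssh-keygen", "-q", "-t", "rsa", "-b", "2048", "-N", "", "-f", priv],
                       check=True)
        paths.append(priv)
    good = keypair_matches(paths[0], paths[0] + ".pub")
    crossed = keypair_matches(paths[0], paths[1] + ".pub")
    shutil.rmtree(d)
    return good, crossed


if __name__ == "__main__":
    for name, ok in check_host_keys().items():
        print(name, {True: "pair matches", False: "MISMATCH: regenerate", None: "missing"}[ok])
```

    Run it on every node of the HA pair or cluster; a False for ssh_host_rsa_key on any node is the condition the workaround above addresses, and the fix is to regenerate the key as described in CTX322863 rather than to copy a .pub file around.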
  • You cannot bind a service or a service group to a priority load balancing virtual server using the Citrix ADC GUI.

    [ NSHELP-27252 ]
  • On a Citrix ADC VPX appliance, a set capacity operation might fail after a license server is added. The issue occurs because the Flexera related components take longer to initialize owing to the large number of supported licenses of type check-in and check-out (CICO).

    [ NSHELP-23310 ]
  • When you downgrade a Citrix ADC appliance from version 13.0-71.x to an earlier build, some Nitro APIs might not work because of file permission changes.

    Workaround: Change permission for "/nsconfig/ns.conf" to 644.

    [ NSCONFIG-4628 ]
  • Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.

    [ NSCONFIG-4330 ]
  • If you (the system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the following builds:

    • 13.0 build 52.24
    • 12.1 build 57.18
    • 11.1 build 65.10

    2. Add a system user, or change the password of an existing system user, and save the configuration.
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of affected system users by using the CLI, at the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    Use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade it by using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords of the other system users.
    • If neither of the above options works, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]

Known Issues