Release Notes for Citrix ADC 13.0-86.17 Release
Notes
- This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.
- Build 13.0-86.17 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX457836.
What's New
Platform
On the Citrix ADC SDX 8015 platform, the lights out management (LOM) version is upgraded from 3.21 to 3.56.
On the Citrix ADC SDX 14000, SDX 14000-40G, SDX 14000-40S and SDX 14000-FIPS platforms, the LOM version is upgraded from 4.08 to 4.14.
[ NSPLAT-23416 ]
System
Enhancements related to sending client details in TCP option header
- The Citrix ADC appliance now inserts the client IP address in the final ACK packet of the three-way handshake in addition to the first data packet. Previously, the appliance sent the client IP address only in the first data packet.
- The Citrix ADC appliance now supports sending client port in the TCP option for insert mode configuration. A parameter "Send Client Port in Tcp Option (sendClientPortInTcpOption)" has been introduced in the TCP profile for enabling or disabling this feature.
[ NSBASE-15635 ]
Fixed Issues
Authentication, authorization, and auditing
In a unified gateway setup, in rare cases you might be presented with a re-login page when accessing services behind the unified gateway even after the authentication is successful.
[ NSHELP-31148, NSHELP-27994 ]
Form-based SSO fails for the backend servers that send key-value parameters in the URL query.
[ NSHELP-30975 ]
The Citrix ADC appliance might crash due to large memory allocation because of a missing target URL in the OAuth configuration.
[ NSHELP-30963 ]
There might be an intermittent failure in connecting to the Outlook Exchange server via the Outlook app due to an incorrect header added by the Citrix ADC appliance.
[ NSHELP-30555 ]
The Citrix ADC appliance might crash due to memory corruption in case of core to core communication failure.
[ NSHELP-30275 ]
While sending an AS_REQ request for a delegated user as part of KCD SSO, the Citrix ADC appliance selects an encryption type with the following priority when the domain controller (DC) publishes all encryption types:
- ETYPE_ARCFOUR_HMAC_MD5
- ETYPE_AES128_CTS_HMAC_SHA1_96
- ETYPE_AES256_CTS_HMAC_SHA1_96
instead of the expected priority:
- ETYPE_AES256_CTS_HMAC_SHA1_96
- ETYPE_AES128_CTS_HMAC_SHA1_96
- ETYPE_ARCFOUR_HMAC_MD5
[ NSHELP-28681 ]
Single sign-on fails during an authentication session when the password change event is triggered. This issue occurs only if the persistentLoginAttempts parameter is enabled.
[ NSHELP-28085 ]
When a Citrix ADC appliance performs a nested LDAP group search, some of the group information from Active Directory is missed because of invalid behavior of the Citrix ADC appliance. The ADC appliance takes an incorrect value even when the `groupSearchSubAttribute` parameter is configured appropriately.
[ NSHELP-26316 ]
The Citrix ADC appliance crashes if both of the following conditions are met.
- Email OTP is configured
- Email server does not respond or there is a network issue with the email server
[ NSHELP-26137, NSHELP-27824 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance with Mellanox NICs, modifying the throughput of a VPX instance having Mellanox NICs reboots the VPX instance.
[ NSHELP-31305 ]
On a Citrix ADC SDX appliance, higher memory usage is detected due to the high volume of SNMP data processing.
[ NSHELP-31205 ]
In a Citrix ADC SDX appliance, higher memory usage is detected due to high volume of SNMP data processing.
[ NSHELP-30222 ]
The SNMP walk application running on the Citrix ADC SDX appliance for the SDX-ROOT-MIB::xenTable takes more time than expected.
[ NSHELP-30085 ]
Citrix Gateway
In rare cases, the Citrix ADC appliance configured with VPN virtual server might crash after successful login to Citrix Gateway.
[ NSHELP-31481 ]
Users are unable to enumerate the apps from Citrix Unified Gateway after upgrading the Chrome or Edge browsers to versions 100 and later.
[ NSHELP-31294 ]
In an ICA DTLS setup, the Citrix Gateway appliance crashes when processing the STA ticket.
[ NSHELP-31211 ]
Sometimes, users cannot access the bookmarks in advanced clientless VPN mode.
[ NSHELP-30939 ]
The Citrix Gateway appliance configured in ICA Proxy mode for UDP Audio connection might crash due to memory corruption.
[ NSHELP-30919 ]
VPN client users cannot log out successfully if SAML and EPA are configured as the successive factors in an nFactor authentication. With this fix, users can log out without any issues.
[ NSHELP-30193 ]
The PCoIP Apps and Desktops launch fails when launched from a browser and the error message "VMware client missing" is displayed. This issue occurs because the "vmware-view" protocol is not added to the list of allowed protocols.
[ NSHELP-30062 ]
The Citrix Gateway appliance might crash during channel parsing when HDX Insight is enabled and NSAP is disabled.
[ NSHELP-30029 ]
The Citrix ADC appliance incorrectly logs the "UDPFLOWSTAT" message that indicates traffic as "Allowed" for UDP traffic denied by an authorization policy.
[ NSHELP-29542 ]
Gateway Insight reports a false authentication failure even before the user submits the credentials for login when the authentication rule is configured to match one of the requests in the login flow.
[ NSHELP-29313 ]
The Active User Sessions page does not display all the active user sessions unless the number of entries per page is changed to 2000.
With this fix, a new link "All user session" (Citrix Gateway > Monitor Connections > All user session) is added in the admin UI that lists all the user sessions and connections.
[ NSHELP-29151 ]
The Citrix ADC appliance logs stale messages related to the VPND process that is deprecated.
[ NSHELP-28163 ]
Sometimes, during transfer login, Intranet IP subnets are incorrectly displayed on the client side.
[ NSHELP-26904 ]
The "show vpn icaConnection" command output does not display the serial numbers of the ICA connections correctly. This issue occurs because the serial number is reset arbitrarily when the "show vpn icaConnection" command is run.
[ NSHELP-25646 ]
Citrix Web App Firewall
For a WAF SQL injection pattern containing a quote (single quote, double quote, or back tick), both the opening and the closing quote must be present for the pattern to be marked as an attack. However, when a comment is present in the pattern, the closing quote is not required.
[ NSHELP-30379 ]
Load Balancing
The scope prefix is not set correctly when ECS is enabled on the ADC appliance and the location is not found. This results in an incorrect persistence entry: for the non-static proximity-based GSLB method, the entry is created based on the LDNS IP address instead of the ECS IP address received in the request.
[ NSHELP-30846 ]
A partitioned Citrix ADC appliance might dump core while processing a DNS request packet with an additional header (EDNS).
[ NSHELP-30796 ]
In a rare race-condition scenario, the packet engine might crash with a core dump when the following configuration is present on the Citrix ADC appliance:
- The GSLB virtual server is configured with the source IP address-based persistence and DNS logging is enabled on the DNS profile bound to the ADNS service.
- The DNS load balancing server is configured without DNS logging enabled on the DNS profile.
[ NSHELP-29791 ]
The state of the service group displayed in the show and stat commands is inconsistent.
[ NSHELP-28931 ]
SQL or Oracle type monitors crash when the peer sends a request to reset the existing connection.
[ NSHELP-28478 ]
Miscellaneous
The Citrix ADC SWG appliance might crash when the memory allocated to a resource is not freed, resulting in high memory usage even when there is no traffic.
[ NSHELP-31290 ]
Networking
From Citrix ADC release 13.0 onwards, the "set rnat" command has been deprecated and replaced by the "add rnat" and "bind rnat" commands.
Upon upgrading a Citrix ADC appliance to release 13.0, the conversion of "set rnat" commands to "add rnat" and "bind rnat" commands fails if all of the following conditions are met:
- The "set rnat" command is present on a non-default traffic domain.
- A default route is present on the same non-default traffic domain.
[ NSNET-26304 ]
A Citrix ADC BLX appliance in DPDK mode might crash if a Web Application Firewall profile is configured with advanced security protection checks.
[ NSNET-22654 ]
Modifying a private IP address in an INAT rule by using the GUI fails if the following condition is met:
- Connection failover is enabled on the INAT rule.
[ NSHELP-30792 ]
In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:
- LSN filtering and mapping entries are not present in the appliance.
[ NSHELP-30225 ]
The Citrix ADC appliance might crash if you unbind a dataset from an ACL rule when some packets matched the ACL rule.
[ NSHELP-30221 ]
Modifying a net profile that already has an IP set bound to it might fail with the following error:
- "IP set is already bound to the network profile"
[ NSHELP-29363 ]
In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:
- Session reference count is not zero while deleting a filtering entry.
[ NSHELP-29348 ]
In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:
- Filtering and mapping reference counts are non-zero for the LSN module in the appliance.
[ NSHELP-28842 ]
Policies
In some scenarios, a Citrix ADC appliance might crash when an assignment action is used with the clear operation for an AppExpert variable.
[ NSHELP-29766 ]
SSL
The Citrix ADC SDX appliance crashes when crypto units are assigned to a VPX instance and jumbo config is enabled.
[ NSHELP-30950 ]
The Citrix ADC appliance crashes when SSL interception is enabled and there are multiple parallel requests to access a backend server with an expired certificate.
[ NSHELP-29520 ]
In some cases, a wrong certificate is returned when there are multiple SNI wildcard certificates attached to the same virtual server, and two certificates are similar, such as example.com and example.com.tr.
[ NSHELP-29494 ]
In a cluster setup, when two installed certificates are issuers of one server certificate that has the OCSP AIA extension, the appliance becomes unreachable if you remove the server certificate.
[ NSHELP-28058 ]
System
The Citrix ADC appliance crashes when the managing Citrix ADM appliance has a network MTU greater than 1500.
[ NSHELP-30835 ]
The REST collector is down even when the AppFlow parameter "TimeSeriesOverNSIP" is enabled.
[ NSHELP-30759 ]
Data packets forwarded by a Citrix ADC appliance do not carry the configured TTL value; instead, they carry the TTL value sent by the client or the server.
[ NSHELP-30683 ]
A Citrix ADC appliance with the client-side measurement configuration might corrupt a variable resulting in the page load failure under the following condition:
- The HTTP response contains a javascript variable that is greater than 2000 bytes.
[ NSHELP-30026 ]
In a Citrix ADC appliance, a latency issue is observed in HTTP/2 transactions if the following conditions are met:
- HTTP/2 SSL configuration is enabled on the back-end service
- Service does not support HTTP/2 protocol.
[ NSHELP-30020 ]
Pitboss failure occurs when looping a large number of packets in the retransmission queue.
[ NSHELP-26071 ]
In a cluster setup, the "set ratecontrol" command works only after restarting the Citrix ADC appliance.
[ NSHELP-21811 ]
User Interface
The System > Diagnostics page in the Citrix ADC GUI does not display the page details for customers with an Advanced license.
[ NSHELP-31330 ]
If a Citrix ADC appliance configured with pooled licensing is upgraded, the appliance might restart with a partial configuration.
[ NSHELP-30926 ]
Reconnection to the Citrix ADC appliance fails with the following error when "CTRL+C" is entered while running the "show run" command in the CLI interface:
- "Invalid username or password"
This issue happens if the characters in the key and password are the same.
[ NSHELP-30817 ]
When a Citrix ADC appliance is configured to use an external authentication server, there might be a delay in running the stat commands even when the RBAOnResponse parameter is disabled globally. The parameter can be disabled from the GUI or the CLI.
[ NSHELP-30289 ]
The search filter is not available for the 'Name' key in the Citrix ADC GUI Manage Certificates > CSR page.
[ NSHELP-30274 ]
Known Issues
Authentication, authorization, and auditing
The Citrix ADC appliance might crash if the SAML metadata URL in the configuration does not end with or contain a backslash (/).
[ NSHELP-31937 ]
A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
[ NSHELP-563 ]
The DualAuthPushOrOTP.xml login schema does not appear properly in the login schema editor screen of the Citrix ADC GUI.
[ NSAUTH-6106 ]
An ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command:
"show adfsproxyprofile <profile name>"
Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It displays the proxy profile status.
[ NSAUTH-5916 ]
Caching
A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.
[ NSHELP-22942 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.
[ NSSVM-4333 ]
In a Citrix ADC SDX appliance, the VLAN whitelist is not updated with the correct value for the Mellanox interfaces assigned to a Citrix ADC VPX instance.
[ NSHELP-31849 ]
Installing an SSL certificate on a Citrix ADC SDX appliance fails if the certificate name or key name contains any space.
[ NSHELP-31711 ]
Citrix Gateway
In some cases, a Citrix ADC appliance might crash while assigning an Intranet IP address to a client.
[ NSHELP-31712 ]
Sometimes, the Windows auto logon does not work when a user logs into the Windows machine in Always-On service mode. The machine tunnel does not transition to the user tunnel, and the message "Connecting..." is displayed in the VPN plug-in UI.
[ NSHELP-31357, CGOP-21192 ]
When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.
[ NSHELP-30662 ]
Users cannot connect to the Citrix Gateway appliance after changing the 'networkAccessOnVPNFailure' Always-On profile parameter from 'fullAccess' to 'onlyToGateway'.
[ NSHELP-30236 ]
The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced:
\HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds
Type: DWORD
By default, this registry value is not set or added. When the value of "SecureChannelResetTimeoutSeconds" is 0 or the value is not added, the fix to handle the delay is not active, which is the default behavior. The admin must set this registry value on the client to enable the fix (that is, to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).
[ NSHELP-30189 ]
The Windows VPN client does not honor the 'SSL close notify' alert from the server and sends the transfer login request on the same connection.
[ NSHELP-29675 ]
Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.
[ NSHELP-28551 ]
Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.
[ NSHELP-28404 ]
You cannot unbind a classic authorization policy by using the GUI. However, you can use the CLI to unbind the Authentication, authorization, and auditing authorization policy.
With this fix, you can now unbind the authorization policy by using the GUI.
[ NSHELP-27064 ]
The EPA plug-in for Windows does not use the local machine's configured proxy and connects directly to the gateway server.
[ NSHELP-24848 ]
The Gateway Insight does not display accurate information on the VPN users.
[ NSHELP-23937 ]
Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.
[ NSHELP-21897 ]
Application launch failure due to an invalid STA ticket is not reported in Gateway Insight.
[ CGOP-13621 ]
The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.
[ CGOP-13584 ]
In a high availability setup, during Citrix ADC failover, the SR count increments instead of the failover count in Citrix ADM.
[ CGOP-13511 ]
While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.
[ CGOP-13050 ]
The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.
[ CGOP-13049 ]
An error message appears when you add or edit a session policy from the Citrix ADC GUI.
[ CGOP-11830 ]
In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.
[ CGOP-7269 ]
Load Balancing
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.
[ NSLB-7679 ]
In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.
[ NSHELP-21196 ]
Miscellaneous
The AlwaysOnAllow list registry value does not work as expected if the value is greater than 2000 bytes.
[ NSHELP-31836 ]
Networking
The following interface operations are not supported for Intel `X710 10G (i40e)` interfaces on a Citrix ADC BLX appliance with DPDK:
- Disable
- Enable
- Reset
[ NSNET-16559 ]
Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:
"The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable"
Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:
- dpkg --add-architecture i386
- apt-get update
- apt-get dist-upgrade
- apt-get install libc6:i386
[ NSNET-14602 ]
Platform
High availability failover does not work in AWS and GCP clouds. The management CPU might reach 100% capacity in AWS and GCP clouds, and on Citrix ADC VPX on-premises. Both issues occur when the following conditions are met:
- During the first boot of the Citrix ADC appliance, you do not save the prompted password.
- Subsequently, you reboot the Citrix ADC appliance.
[ NSPLAT-22013 ]
When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:
- 13.1-4.x
- 13.0-82.31 and later
- 12.1-62.21 and later
The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:
- Any 11.1 build
- 12.1-62.21 and earlier
- 13.0-81.x and earlier
[ NSPLAT-21691 ]
In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:
- The CLAG is created on a Mellanox NIC.
- You add another VPX instance to the cluster and CLAG setup.
As a result, traffic to the VPX instance stops.
[ NSPLAT-21049 ]
In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch on CLIP and MAC table, if the following conditions are met:
- The CLAG is created on a Mellanox NIC.
- You remove the second node from the cluster.
[ NSPLAT-21042 ]
Policies
Connections might hang if the size of the data being processed is more than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.
[ NSPOLICY-1267 ]
SSL
On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, the configuration of SSL entities is lost if the SDX 26000 appliance is restarted.
Workaround:
- On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, "set ssl vserver <name> -SSL3 DISABLED".
- Save the configuration.
[ NSSSL-9572 ]
You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.
[ NSSSL-6478 ]
You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.
[ NSSSL-6213 ]
The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type:
"ERROR: crl refresh disabled"
[ NSSSL-6106 ]
Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
[ NSSSL-4427 ]
An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
[ NSSSL-4001 ]
An SSL handshake might fail if the following sequence of conditions is met:
- Hello Verify Request (HVR) is enabled on DTLS.
- The Citrix ADC appliance sends an HVR to the client.
- The client does not receive the HVR.
- The client tries to retransmit the first client hello instead of responding to the HVR with a session cookie.
Note: In response to the retransmitted client hello message, the ADC appliance sends the HVR to the client a maximum of three times. If a proper response is not received, the appliance fails the handshake.
[ NSHELP-31808 ]
System
When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.
Workaround: Reboot the Management pod.
[ NSBASE-15556 ]
User Interface
The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge connector.
Workaround: Configure CloudBridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.
[ NSUI-13024 ]
In a high availability setup, VPN user sessions get disconnected if the following condition is met:
- Two or more successive manual HA failover operations are performed while HA synchronization is in progress.
Workaround: Perform successive manual HA failover operations only after HA synchronization is completed (both nodes are in the Sync success state).
[ NSHELP-25598 ]
If you (the system administrator) perform all of the following steps on a Citrix ADC appliance, system users might fail to log in to the downgraded Citrix ADC appliance:
1. Upgrade the Citrix ADC appliance to one of the builds:
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
2. Add a system user, or change the password of an existing system user, and save the configuration.
3. Downgrade the Citrix ADC appliance to any older build.
To display the list of these system users by using the CLI, at the command prompt, type:
"query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"
Workaround:
To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for the other system users.
- If none of the above options work, a system administrator can reset the system user passwords.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
[ NSCONFIG-3188 ]