Release Notes for Citrix ADC 13.0-88.16 Release
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Build 13.0-88.12 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX463706.
- Build 88.16 replaces build 88.14 and build 88.12.
- Build 88.16 includes fixes for the following issues: NSHELP-33250, NSHELP-33345, and NSHELP-33063.
- Build 88.14 included a fix for the following issue that existed in the previous Citrix ADC 13.0 build: NSHELP-32907.
What's New
System
New parameter added in HTTP profile
A new parameter passProtocolUpgrade is added to the HTTP profile to prevent attacks on the back-end servers. Depending on the state of this parameter, the upgrade header is passed in the request sent to the back-end server or deleted before sending the request.
- If the passProtocolUpgrade parameter is enabled, then the upgrade header is passed to the back end. The server accepts the upgrade request and notifies it in its response.
- If this parameter is disabled, then the upgrade header is deleted and the remaining request is sent to the back end.
The passProtocolUpgrade parameter is added to the following profiles:
- nshttp_default_profile ENABLED by default
- nshttp_default_strict_validation DISABLED by default
- nshttp_default_internal_apps DISABLED by default
- nshttp_default_http_quic_profile ENABLED by default
Citrix recommends that this parameter be disabled by default. For more details, see the Citrix ADC Secure Deployment Guide.
[ NSBASE-17423 ]
User Interface
Support for Self Managed Pool license
The Citrix ADC appliance now supports the Self Managed Pool license, which simplifies and automates license file uploads to license server after the purchase. You can use Citrix ADM to create a licensing framework that comprises of a common bandwidth or vCPU and the instance pool.
[ NSCONFIG-6592 ]
Fixed Issues
Authentication, authorization, and auditing
The Citrix ADC appliance stops processing requests because of a memory leak in the MEM_SSLVPN module.
[ NSHELP-32646 ]
The NO_AUTHN authentication action does not persist after a Citrix ADC appliance is rebooted if the appliance has the Standard Edition license.
[ NSHELP-32522 ]
The Citrix Gateway Duo authentication logon page does not load with nonRfWebUI themes.
[ NSHELP-32463 ]
While registering your device with the Citrix Gateway appliance, the "Push registration failed" message appears for the Citrix Secure Access (Citrix SSO).
[ NSHELP-32461 ]
Sometimes, authentication to gateway using the Citrix Workspace app does not succeed.
[ NSHELP-32333 ]
SAML authentication fails if the Content Security Policy (CSP) feature is enabled on the Citrix ADC appliance.
[ NSHELP-32203 ]
The Citrix ADC appliance drops the charset suffix in Content-Type header and sends `Content-Type: application/x-www-form-urlencoded` if you have configured both of the following.
- SSO form based authentication
- `nsapimgr knob - nsapimgr_wr.sh -ys call=ns_formsso_use_ctype_simple_enable knob`
[ NSHELP-31977 ]
The Citrix ADC appliance crashes if the ADFSPIP URL is set to type "http://". ADFSPIP only supports "https://" URL types.
[ NSHELP-29838 ]
The Citrix ADC appliance crashes if both of the following conditions are met.
- Email OTP is configured
- Email server does not respond or there is a network issue with the email server
[ NSHELP-26137, NSHELP-27824 ]
Caching
A Citrix ADC appliance crashes when the cached content is served to the clients.
[ NSHELP-31760 ]
A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.
[ NSHELP-22942 ]
Citrix ADC SDX Appliance
A few redundant Hardware Security Module (HSM) config files are also backed up when Citrix ADC VPX instances are backed up using SDX and ADM.
[ NSHELP-32539 ]
The Citrix ADC SDX appliance does not send SNMP traps for hypervisor disk usage to Citrix ADM.
[ NSHELP-32323 ]
In a Citrix ADC SDX appliance, the VLAN whitelist is not updated with the correct value for the Mellanox interfaces assigned to a Citrix ADC VPX instance.
[ NSHELP-31849 ]
When you upgrade a Citrix SDX appliance, even though the hypervisor version is same for both the current and the upgraded SDX versions, the following incorrect event is notified in the Management Service GUI:
SVM and Hypervisor version mismatch
[ NSHELP-31769 ]
Installing an SSL certificate on a Citrix ADC SDX appliance fails if the certificate name or key name contains any space.
[ NSHELP-31711 ]
Sometimes, upload of the post-install script file (postinst.sh) to Citrix hypervisor fails during platform upgrade, when you upgrade the Citrix ADC SDX appliance from 13.0 to 13.1 firmware.
[ NSHELP-31125 ]
Citrix Gateway
The Citrix ADC appliance crashes if either or both Gateway Insight and Web Insight features are enabled.
[ NSHELP-33345 ]
Sometimes, RDP proxy does not work in the presence of a connection broker.
[ NSHELP-33063 ]
The Citrix Gateway appliance might crash if HDX Insight is enabled and a user logs in to StoreFront immediately after logging out.
[ NSHELP-32907, NSHELP-33079, NSHELP-33289 ]
Patset based MAC address EPA scan does not work along with device certificate scan in the same factor.
[ NSHELP-32760 ]
The "Transfer Login" dialog box does not display Transfer button.
[ NSHELP-32614 ]
The Citrix ADC appliance crashes while handling the logout request POST /CitrixAuthService/AuthService.asmx from StoreFront server when callback URL is configured on StoreFront.
[ NSHELP-32207 ]
In a cluster setup, the Citrix ADC appliance crashes while sending the CGP_FINISH_REQUEST request to the client.
[ NSHELP-32029 ]
When UDP sessions are launched, stale connections appear to exist even after closing the sessions. However, these are not actual stale connections but an issue with the counter.
[ NSHELP-32009 ]
When a user logs on to the Citrix ADC appliance and if Citrix Workspace is not installed, the link to download Citrix Workspace incorrectly points to Citrix Receiver.
[ NSHELP-31877 ]
In a Citrix Gateway appliance, the global VPN parameters do not take effect if the VPN parameters are not set at the session action level.
Before you upgrade your high availability setup, ensure that you manually disable HA sync on the secondary appliance. For details, see https://docs.citrix.com/en-us/citrix-adc/current-release/upgrade-downgrade-citrix-adc-appliance/upgrade-downgrade-ha-pair.html
[ NSHELP-31478, CGOP-21737 ]
The policy-based routing (PBR) policies do not take effect for DNS traffic over VPN.
[ NSHELP-31123 ]
ICA app launch fails in the following conditions:
- Content Security Policy (CSP) feature is enabled.
- The user logs in from a browser but uses the Citrix Workspace app to launch the app.
[ NSHELP-30534 ]
The Citrix Gateway logon page title and the portal themes are not displayed correctly.
[ NSHELP-29202 ]
While configuring the IIP pool (IP address and mask), if the IP address doesn't match the first IP address in the range, the Citrix ADC CLI and GUI displays only one block and not all.
Example:
bind vpn vserver vpn_ssl -intranetIP 172.168.1.1 255.255.255.0
bind vpn vserver vpn_ssl -intranetIP 172.168.2.1 255.255.255.0In this case, the CLI or the GUI while showing vpn vserver vpn_ssl only displays 172.168.2.1 pool and not 172.168.2.2.
[ NSHELP-29084 ]
The Citrix ADC appliance might crash if EPA is configured and sufficient memory is not available.
[ NSHELP-28329 ]
The Gateway Insight does not display accurate information on the VPN users.
[ NSHELP-23937 ]
Citrix Web App Firewall
A standalone Citrix ADC appliance or the secondary mode in an HA setup might crash if you configure a signature object for Citrix Web App Firewall on the following software versions:
- 13.0 build 88.5 and later
- 13.1 build 33.41 and later
[ NSHELP-33250 ]
In Citrix Web App Firewall, when you provide the content-type header with a protocol (application/pkcs7-signature), it incorrectly parses the header. As a result, the firewall blocks the valid requests.
[ NSHELP-32844 ]
Some of the relaxation rules are not imported while restoring a WAF profile.
[ NSHELP-32729 ]
A WAF signature update fails when a proxy server and a proxy port are configured. During the signature auto-update process hourly run, the ADC appliance contacts the auto-update host for downloading the updated files instead of going through the configured proxy server and proxy port. As a result, an update failure is seen when the auto-update host is not reachable.
[ NSHELP-32613 ]
The Citrix ADC appliance might crash if the following conditions are met:
- There is a high load on the appliance.
- Configuration changes are being done.
- Signature deletion takes a long time.
[ NSHELP-32454 ]
Legitimate cookies are placed in the log while displaying duplicate cookie violation logs.
[ NSHELP-32369 ]
Load Balancing
In rare cases, a Citrix ADC appliance might crash and generate a core dump when SSL session ID based persistence and SSL session ticket based processing are enabled on a content switching virtual server.
[ NSHELP-32228 ]
Miscellaneous
Lua math.random() function might not return a random number.
[ NSHELP-32447 ]
A cluster node goes into a packet loop when the following conditions are met:
- A UDP packet with a destination IP address as CLIP is sent to a cluster node.
- The CCO has changed from one node to another during the lifespan of the cluster instance.
[ NSHELP-30804 ]
Networking
With ECMP configured on a Citrix ADC appliance, the following issue might be observed for an SSH load balancing connection:
- The Citrix ADC appliance sends the first packet through a different route than for the rest of the packets of the same flow.
[ NSHELP-32089 ]
The Citrix ADC appliance might crash in some scenarios when the following conditions are met:
- The Citrix ADC appliance receives multiple first fragments with different offsets.
- The Citrix ADC appliance does not reassemble the fragments.
[ NSHELP-32084 ]
In a load balancing configuration with "sessionless" option enabled on the virtual server and ECMP on the server side, the following issue might be observed:
- The Citrix ADC appliance sends the packets to a server always through the same route.
[ NSHELP-32061 ]
Platform
On a Citrix ADC SDX appliance, the ring size is increased from 1024 to 2048 entries for the Mellanox interfaces.
[ NSPLAT-24539 ]
A Citrix ADC VPX instance crashes when you downgrade from software version 13.1 to version 13.0 build 88.x and earlier builds, if the following conditions are met:
- AWS Instance Metadata Service (IMDS) isn't reachable from the VM.
- Elastic Network Adapter (ENA) based instances are used in AWS.
[ NSHELP-32906 ]
Policies
A Citrix ADC appliance might crash during policy addition with patset when the following condition is met:
- The flag associated with NSB is set in the wrong order for Rewrite TCP scenario.
[ NSHELP-31064 ]
SSL
A Citrix ADC appliance crashes if the following conditions are met:
- A client sends another client hello before the handshake is complete.
- The request contains some special set of ciphers in the first client hello.
[ NSHELP-32422 ]
On Citrix ADC MPX and SDX platforms with Intel QAT-enabled crypto acceleration hardware, the SOURCEIP persistence type is applied inconsistently to requests sent to virtual servers over TLS 1.3 connections. That is, requests sent from a single source IP address might be distributed to multiple different back-end servers.
[ NSHELP-32410, NSHELP-32895, NSHELP-32572, NSHELP-32688 ]
A Citrix ADC appliance containing a Cavium SSL card might crash while sending a DTLS ALERT message to the client.
[ NSHELP-32031 ]
An SSL handshake might fail if the following sequence of conditions is met:
- Hello Verify Request (HVR) is enabled on DTLS.
- The Citrix ADC appliance sends an HVR to the client.
- The client does not receive the HVR.
- The client tries to retransmit the first client hello instead of responding to the HVR with a session cookie.
Note: In response to the retransmitted client hello message, the ADC appliance sends the HVR to the client a maximum of three times. If a proper response is not received, the appliance fails the handshake.
[ NSHELP-31808 ]
A Citrix ADC appliance might crash if the certificate authentication rule is evaluated and triggered twice on the same request.
[ NSHELP-31785 ]
If the SSL interception is enabled, and the DNS servers do not return a valid DNS response, then the website access is blocked.
[ NSHELP-30201 ]
A Citrix ADC appliance might crash when processing SSL traffic in software mode.
[ NSHELP-29996 ]
System
When a Citrix ADM server receives large HTTP traffic with unique URLs, it consumes high memory. As a result, the Citrix ADM server becomes inaccessible.
[ NSHELP-32922 ]
In a Citrix ADC appliance, the header modification framework results in memory corruption. This condition occurs when the cookies that are to be consumed by the Citrix ADC appliance are deleted in a particular sequence before it is forwarded.
.
[ NSHELP-32799 ]
You can enable AppFlow feature in the admin partition only after enabling ULFD mode in the default partition.
[ NSHELP-32670 ]
The Citrix ADC appliance might treat an HTTP request as an invalid request when a partial HTTP request method is present in an incoming TCP segment.
[ NSHELP-32462 ]
A Citrix ADC appliance might crash if the following condition is met:
- During high memory usage combinations of HTTP2 and SSL, the Citrix ADC appliance fails to allocate memory.
[ NSHELP-32255 ]
A Citrix ADC appliance crashes in the syslog action configuration flow. This crash is observed during High Availability synchronization on the secondary node.
[ NSHELP-32254, NSHELP-32397 ]
A gRPC client fails to parse the gRPC status header, when the following condition is met:
- The gRPC status header is added both in the leading header and the trailing header instead of adding only in the trailing header.
[ NSHELP-31640 ]
When using the content inspection feature, the Rewrite header insertion with payload might not work correctly.
[ NSHELP-30088 ]
With SACK enabled, the Citrix ADC appliance does not retransmit the last one byte TCP segment in the retransmission list because of the following reason: the appliance uses the last one byte TCP segment as a dummy segment to mark the end of the retransmission list.
[ NSHELP-28778 ]
User Interface
You cannot bind a GSLB service to a GSLB virtual server using the Citrix ADC GUI as the GSLB services list under GSLB Service Group Binding> GSLB Service Binding > GSLB Services shows empty.
[ NSHELP-32236 ]
In Citrix ADC release 13.0, the OK button on the Configure Priority Load Balancing Virtual Server Service page is grayed out.
[ NSHELP-32007 ]
The Citrix ADC appliance GUI does not display the correct count of the configured SAML and OAuth IDP policies.
[ NSHELP-31480 ]
In a Citrix ADC appliance, while using the GUI interface, the following issue is seen on the responder policy page:
- The custom created responder policies might be displayed under the built-in responder policies.
[ NSHELP-31428 ]
In a Citrix ADC HA setup, the following issue is observed in the Citrix ADC GUI after saving a configuration and clicking the refresh button:
- The GUI incorrectly shows the orange dot on the Save button even when no unsaved configuration changes are present on the appliance.
[ NSHELP-30031 ]
A Citrix ADC appliance that has checked out licenses from Citrix ADM goes to grace period when the appliance disconnects from ADM. The appliance appears unlicensed in ADM and continues in the grace period even after it reconnects to ADM.
[ NSCONFIG-7098 ]
Known Issues
Authentication, authorization, and auditing
You might experience issues during logout if SAML authentication is configured.
[ NSHELP-31962 ]
Single sign-on (SSO) fails if SSO is enabled for the traffic that does not have the required bearer token to handle SSO.
[ NSHELP-31362 ]
Non-ASCII characters are recorded in nsvpn.log when LDAP action is configured to an FQDN instead of an IP address.
[ NSHELP-27281 ]
In some cases, "invalid credentials" error message is displayed during the RADIUS authentication process. The error is seen when the Citrix ADC appliance is accessed from a client device using the Google Chrome browser.
[ NSHELP-27113 ]
In certain scenarios, the Bind Authentication, authorization, and auditing group command might fail if policy name is longer than intranet application name.
[ NSHELP-25971 ]
The Citrix ADC appliance dumps core when NOAUTH is configured as the first factor and Negotiate as the subsequent factor in the 401 based authentication flow.
[ NSHELP-25203 ]
If the admin password for LDAP, RADIUS or TACACS services contains the double quotes (") character, the Citrix ADC appliance strips it during the "Test Connectivity" check, resulting in connection failure.
[ NSHELP-23630 ]
- A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.[ NSHELP-563 ]
DUO authentication fails if the Content Security Policy (CSP) feature is enabled on the Citrix ADC appliance.
[ NSAUTH-12687 ]
ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
"show adfsproxyprofile <profile name>"Workaround: Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. It would display the proxy profile status.
[ NSAUTH-5916 ]
Citrix ADC SDX Appliance
On a Citrix ADC SDX appliance, if the CLAG is created on a Mellanox NIC, the CLAG MAC is changed when the VPX instance is restarted. Traffic to the VPX instance stops after restart because the MAC table has the old CLAG MAC entry.
[ NSSVM-4333 ]
On a Citrix ADC SDX GUI, displaying the NTP servers can freeze the user interface if the NTP configuration file (ntp.conf) has only spaces in any of the lines.
[ NSHELP-31530 ]
Citrix Gateway
Windows Update check-based EPA scan does not work on Windows 11 22H2 version.
[ NSHELP-33068 ]
The Citrix Secure Access client, version 21.7.1.2 and later, fails to upgrade to later versions for users with no administrative privileges.
This is applicable only if the Citrix Secure Access client upgrade is done from a Citrix ADC appliance.
[ NSHELP-32793 ]
When users click the Home Page tab on the Citrix Secure Access screen for Windows, the page displays the connection refused error.
[ NSHELP-32510 ]
On a Mac device using Chrome, the VPN extension crashes while accessing two FQDNs.
[ NSHELP-32144 ]
Debug logging control for Citrix Secure Access client is now independent of Citrix Gateway and it can be enabled or disabled from the plug-in UI for both machine and user tunnel.
[ NSHELP-31968 ]
Sometimes, the Windows auto logon does not work when a user logs into the windows machine in an Always-On service mode. The machine tunnel does not transition to the user tunnel and the message "Connecting..." is displayed in the VPN plug-in UI.
[ NSHELP-31357, CGOP-21192 ]
When Always on is configured, the user tunnel fails because of the incorrect version number (1.1.1.1) in the aoservice.exe file.
[ NSHELP-30662 ]
Users cannot connect to the Citrix Gateway appliance after changing the 'networkAccessOnVPNFailure' always on profile parameter from 'fullAccess' to 'onlyToGateway`.
[ NSHELP-30236 ]
The gateway home page is not displayed immediately after the gateway plug-in establishes the VPN tunnel successfully. To fix this issue, the following registry value is introduced.
\HKLM\Software\Citrix\Secure Access Client\SecureChannelResetTimeoutSeconds
Type: DWORDBy default, this registry value is not set or added. When the value of "SecureChannelResetTimeoutSeconds" is 0 or not added, the fix to handle the delay does not work, which is the default behavior. Admin has to set this registry on the client to enable the fix (that is to display the home page immediately after the gateway plug-in establishes the VPN tunnel successfully).
[ NSHELP-30189 ]
The Windows VPN client does not honor the 'SSL close notify' alert from the server and sends the transfer login request on the same connection.
[ NSHELP-29675 ]
Client certificate authentication fails for Citrix SSO for macOS if there are no client certificates in the macOS Keychain.
[ NSHELP-28551 ]
Sometimes, a user is logged out of Citrix Gateway within a few seconds when the client idle timeout is set.
[ NSHELP-28404 ]
The Citrix Gateway appliance might crash while processing server-initiated UDP traffic.
[ NSHELP-27611 ]
The Citrix Gateway appliance might crash if async is blocked and you modify the content switching policy configuration.
[ NSHELP-27570 ]
The Citrix Gateway appliance might crash if an unknown VPN client option is set in the session policy.
[ NSHELP-27380 ]
While creating an RDP client profile using the Citrix ADC GUI, an error message appears when the following conditions are met:
- A default pre-shared key (PSK) is configured.
- You try to modify the RDP cookie validity timer in the RDP Cookie Validity (seconds) field.
[ NSHELP-25694 ]
EPA plug-in for Windows does not use local machine's configured proxy and connects directly to the gateway server.
[ NSHELP-24848 ]
The "show tunnel global" command output includes advanced policy names. Previously, the output did not display the advanced policy names.
Example:
New output:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0Policy Name: ns_adv_tunnel_nocmp Type: Advanced policy
Priority: 1
Global bindpoint: REQ_DEFAULTPolicy Name: ns_adv_tunnel_msdocs Type: Advanced policy
Priority: 100
Global bindpoint: RES_DEFAULT
Done
>Previous output:
> show tunnel global
Policy Name: ns_tunnel_nocmp Priority: 0 DisabledAdvanced Policies:
Global bindpoint: REQ_DEFAULT
Number of bound policies: 1Done
[ NSHELP-23496 ]
Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.
[ NSHELP-21897 ]
- Application launch failure due to invalid STA ticket is not reported in Gateway Insight.[ CGOP-13621 ]
- The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML error failures.[ CGOP-13584 ]
- In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.[ CGOP-13511 ]
While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.
[ CGOP-13050 ]
The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.
[ CGOP-13049 ]
- An error message appears when you add or edit a session policy from the Citrix ADC GUI.[ CGOP-11830 ]
In Outlook Web App (OWA) 2013, clicking Options under the Setting menu displays a Critical error dialog box. Also, the page becomes unresponsive.
[ CGOP-7269 ]
Load Balancing
In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.
[ NSLB-7679 ]
In certain scenarios, servers bound to a service group display an invalid cookie value. You can see the correct cookie value in the trace logs.
[ NSHELP-21196 ]
In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
[ NSHELP-20406 ]
Miscellaneous
The Citrix ADC appliance sets the buffer size for the web server logging feature to an incorrect default value of 3MB instead of 16MB.
[ NSHELP-32429 ]
AlwaysOnAllow list registry does not work as expected if the registry value is greater than 2000 bytes.
[ NSHELP-31836 ]
Citrix ADC CPX instance, running on a Linux system with 64-bit architecture and 1 TB of file storage, can load certificate and key files now.
[ NSHELP-28986 ]
Networking
In a Citrix ADC BLX appliance, NSVLAN bound with tagged non-dpdk interfaces might not work as expected. NSVLAN bound with untagged non-dpdk interfaces works fine.
[ NSNET-18586 ]
The following interface operations are not supported for Intel `X710 10G (i40e)` interfaces on a Citrix ADC BLX appliance with DPDK:
- Disable
- Enable
- Reset
[ NSNET-16559 ]
On a Debian based Linux host (Ubuntu version 18 and later), a Citrix ADC BLX appliance is always deployed in shared mode irrespective of the BLX configuration file ("/etc/blx/blx.conf") settings. This issue occurs because "mawk", which is present by default on Debian based Linux systems, does not run some of the awk commands present in the "blx.conf" file.
Workaround: Install "gawk" before installing a Citrix ADC BLX appliance. You can run the following command in the Linux host CLI to install "gawk":
- apt-get install gawk
[ NSNET-14603 ]
Installation of a Citrix ADC BLX appliance might fail on a Debian based Linux host (Ubuntu version 18 and later) with the following dependency error:
"The following packages have unmet dependencies: blx-core-libs:i386 : PreDepends: libc6:i386 (>= 2.19) but it is not installable"
Workaround: Run the following commands in the Linux host CLI before installing a Citrix ADC BLX appliance:
- dpkg --add-architecture i386
- apt-get update
- apt-get dist-upgrade
- apt-get install libc6:i386
[ NSNET-14602 ]
When you remove a virtual server, the Citrix ADC appliance incorrectly sets the related VIP RHI state to DOWN if the following conditions are met:
- The virtual server has backup virtual servers.
- The virtual server is in DOWN state and at least one backup virtual server is in UP state.
[ NSHELP-29972 ]
In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:
- The LSN module does not find the service while decrementing the reference count or deleting the service.
[ NSHELP-29134 ]
In a large scale NAT44 setup, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:
- Because of stale filtering entry.
[ NSHELP-28895 ]
In a Large scale NAT44 deployment, the Citrix ADC appliance might crash while receiving SIP traffic because of the following reason:
- The LSN module accessed the memory location of an already deleted service.
[ NSHELP-28815 ]
In a high availability setup, dynamic routing enabled SNIP address is not exposed to VTYSH on reboot if the following condition is met:
- A dynamic routing enabled SNIP address is bound to the shared VLAN in non-default partition.
As part of the fix, the Citrix ADC appliance now does not allow binding a dynamic routing enabled SNIP address to the shared VLAN in non-default partition
[ NSHELP-24000 ]
Platform
The high availability failover does not work in AWS and GCP clouds. The management CPU might reach its 100% capacity in AWS and GCP clouds, and Citrix ADC VPX on-premises. Both of these issues are caused when the following conditions are met:
- During the first boot of the Citrix ADC appliance, you do not save the prompted password.
- Subsequently, you reboot the Citrix ADC appliance.
[ NSPLAT-22013 ]
When you upgrade from 13.0/12.1/11.1 builds to a 13.1 build or downgrade from a 13.1 build to 13.0/12.1/11.1 builds, some python packages are not installed on the Citrix ADC appliances. This issue is fixed for the following Citrix ADC versions:
- 13.1-4.x
- 13.0-82.31 and later
- 12.1-62.21 and later
The python packages are not installed, when you downgrade the Citrix ADC versions from 13.1-4.x to any of the following versions:
- Any 11.1 build
- 12.1-62.21 and earlier
- 13.0-81.x and earlier
[ NSPLAT-21691 ]
In a cluster setup on a Citrix ADC SDX appliance, there is a CLAG MAC mismatch on the second node and CLIP if the following conditions are met:
- The CLAG is created on a Mellanox NIC.
- You add another VPX instance to the cluster and CLAG setup.
As a result, traffic to the VPX instance stops.
[ NSPLAT-21049 ]
In a cluster setup on a Citrix ADC SDX appliance, the first node goes DOWN because of a MAC address mismatch on CLIP and MAC table, if the following conditions are met:
- The CLAG is created on a Mellanox NIC.
- You remove the second node from the cluster.
[ NSPLAT-21042 ]
On the Citrix ADC SDX 8015/8400/8600 platform, you might see increased memory consumption on Xen Server.
Workaround: Run the following command on Xen Server, and then reboot the appliance.
/opt/xensource/libexec/xen-cmdline --set-xen "dom0_mem=1024M,max:1024M"[ NSHELP-32260 ]
During the Citrix ADC VPX HA failover, the Elastic IP address movement in the AWS cloud fails if you configure an IPset without binding the IPset to any IP address.
[ NSHELP-29425 ]
The HA failover for Citrix ADC VPX instance on the GCP and AWS cloud fails when the password of an RPC node contains a special character.
[ NSHELP-28600 ]
Policies
- Connections might hang if the size of processing data is more than the configured default TCP buffer size.
Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
[ NSPOLICY-1267 ]
In a Citrix ADC appliance, the content switching policies that are migrated from classic policies to advanced policies using the NSPEPI tool might not work when the following conditions are met:
- The policies are bound to the content switching vserver.
- The "caseSensitive" parameter is set to OFF.
[ NSHELP-31951 ]
SSL
When a virtual server receives a TLS 1.3 record with invalid padding, it sends a fatal "decode_error" alert instead of an "unexpected_message" alert.
[ NSSSL-11890 ]
On a heterogeneous cluster of Citrix ADC SDX 22000 and Citrix ADC SDX 26000 appliances, there is a config loss of SSL entities if the SDX 26000 appliance is restarted.
Workaround:
- On the CLIP, disable SSLv3 on all the existing and new SSL entities, such as virtual server, service, service group, and internal services. For example, `set ssl vserver <name> -SSL3 DISABLED`.
- Save the configuration.
[ NSSSL-9572 ]
- You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.[ NSSSL-6478 ]
- You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.[ NSSSL-6213 ]
- The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
ERROR: crl refresh disabled[ NSSSL-6106 ]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[ NSSSL-4427 ]
- An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[ NSSSL-4001 ]
System
In a Citrix ADC appliance, the default value of the "maxHeaderFieldLen" parameter in the HTTP profile causes the following issue.
- Traffic failure after upgrading to 13.0 build.
[ NSHELP-32079 ]
The Citrix ADC appliance with the virtual server service type SSL configuration crashes when the Citrix ADC appliance receives the TCP FIN control packet followed by the TCP RESET control packet.
[ NSHELP-31656 ]
High RTT is observed for a TCP connection if the following condition is met:
- a high maximum congestion window (>4 MB) is set
- TCP NILE algorithm is enabled
For a Citrix ADC appliance to use the NILE algorithm for congestion control, the conditions must exceed the slow start threshold, which is coupled with the maximum congestion window
So, until the maximum configured congestion window is reached, the Citrix ADC continues to accept data and ends up with high RTT.
[ NSHELP-31548 ]
A Citrix ADC appliance might crash when the following condition is met:
- Both analytics profile and AppFlow policy are bound, and the profile has the "httpAllHdrs" option enabled.
[ NSHELP-30628 ]
The Citrix ADC appliance reports a false SNMP alarm on the service SYN flood counters.
[ NSHELP-28710, NSHELP-28713 ]
Increased packet retransmissions are seen in public cloud MPTCP cluster deployments if linkset is disabled.
[ NSHELP-27410 ]
A Citrix ADC appliance might send an invalid TCP packet along with TCP options such as SACK blocks, timestamp, and MPTCP Data ACK on MPTCP connections.
[ NSHELP-27179 ]
A mismatch in Logstream records is observed in the Citrix ADC appliance and the dataloader.
[ NSHELP-25796 ]
Some SYSLOG messages are dropped when logging on to an external SYSLOG server using TCP protocol.
[ NSHELP-24522 ]
In certain scenarios, the nstrace packet capture misses all packets if you apply the IP address based filter.
[ NSHELP-23483 ]
When you install Citrix ADM on a Kubernetes cluster, it does not work as expected because the required processes might not come up.
Workaround : Reboot the Management pod.
[ NSBASE-15556 ]
In a cluster configuration, a node with CCO priority gets disconnected from Open vSwitch (OVS) because of network issues. After the node rejoins to the cluster configuration, it does not receive the latest SYN cookie.
[ NSBASE-14419 ]
User Interface
Create/Monitor CloudBridge Connector wizard might become unresponsive or fails to configure a cloudbridge connector.
Workaround: Configure cloudbridge connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.
[ NSUI-13024 ]
After you create a profile for Citrix Web App Firewall and try to generate the configuration report of the application firewall in System > Reports, the following error appears:
"Failed to load PDF document."
[ NSHELP-32469 ]
Modifying a static route by using the Citrix ADC GUI (system > network > routes) might incorrectly fail with the following error message:
- "Required argument missing [gateway]"
[ NSHELP-32024 ]
In an HA / Cluster setup, configuration synchronization fails if you have configured SSH keys other than RSA. For example, ECDSA or DSA keys.
[ NSHELP-31675 ]
In a Citrix ADC appliance, binding the cache policy to override global or default global using the GUI interface fails with the following error:
- Required argument missing.
This error is not seen while binding the cache policy using the CLI interface.
[ NSHELP-30826 ]
Due to an incorrect upgrade installation sequence, the following issue occurs in the Citrix ADC appliance.
- The kernel image is updated first and after a few steps, encryption keys are copied. In between these steps some failure happens and the ADC appliance comes up with a new image. The missing encryption keys in the new image lead to decryption failure and missing configuration.
[ NSHELP-30755 ]
Citrix ADC GUI might incorrectly generate a cluster technical support bundle of only one node instead of all the cluster nodes.
[ NSHELP-28606 ]
Generating a cluster technical support bundle by using Citrix ADC GUI might fail with an error.
[ NSHELP-28586 ]
After upgrading a high availability setup or a cluster setup to release 13.0 build 74.14 or later, config synchronization might fail because of the following reason:
- Both "ssh_host_rsa_key" private and public keys are an incorrect pair.
Workaround: Regenerate "ssh_host_rsa_key". For more information, see https://support.citrix.com/article/CTX322863.
[ NSHELP-27834 ]
You cannot bind a service or a service group to a priority load balancing virtual server using the Citrix ADC GUI.
[ NSHELP-27252 ]
In a high availability setup, VPN user sessions get disconnected if the following condition is met:
- If two or more successive manual HA failover operations are performed when HA synchronization is in progress.
Workaround: Perform successive manual HA failover only after the HA synchronization is completed (Both the nodes are in Sync success state).
[ NSHELP-25598 ]
Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.
[ NSCONFIG-4330 ]
If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.
- Upgrade the Citrix ADC appliance to one of the builds
- 13.0 52.24 build
- 12.1 57.18 build
- 11.1 65.10 build
- Add a system user, or change the password of an existing system user, and save the configuration, and
- Downgrade the Citrix ADC appliance to any older build.
To display the list of these system users by using the CLI:
At the command prompt, type:`query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]`
Workaround: To fix this issue, use one of the following independent options:
- If the Citrix ADC appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
- Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
- If none of the above options work, a system administrator can reset the system user passwords.
For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html.
[ NSCONFIG-3188 ]- Upgrade the Citrix ADC appliance to one of the builds