Release Notes for NetScaler 13.1-37.262 FIPS Build
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- Build 13.1-37.262 replaces Build 13.1-37.259.
- Build 13.1-37.262 and later builds address the security vulnerabilities described in https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300.
- Build 13.1-37.262 includes the following fixes, along with the enhancements and fixes available in Build 13.1-37.259: NSHELP-41834, NSHELP-42252.
- Build 13.1-37.259 replaces Build 13.1-37.255.
- Build 13.1-37.259 includes the following enhancement along with the enhancements and fixes available in Build 13.1-37.255: CTXENG-71023.
- Build 13.1-37.255 includes the following enhancements and fixes, along with the enhancements and fixes available in Build 13.1-37.250: NSAUTH-14566, NSHELP-39964, NSHELP-39989, NSHELP-40036, NSHELP-40806, NSHELP-41210, and CTXENG-69644.
- Build 13.1-37.250 replaces Build 13.1-37.247.
- Build 13.1-37.250 and later builds address the security vulnerabilities described in https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX695486.
- Build 13.1-37.247 replaces Build 13.1-37.246.
- Build 13.1-37.247 includes the following enhancements along with the enhancements and fixes available in Build 13.1-37.246: CTXENG-69948.
- Build 13.1-37.246 includes the following enhancements and fixes, along with the enhancements and fixes available in Build 13.1-37.241: NSPLAT-33590, NSHELP-39662, NSHELP-39536, NSHELP-39448, NSHELP-39432, NSHELP-39368, NSHELP-39034, NSHELP-38754, NSHELP-38693, NSHELP-35980, GOPHDX-5014, NSCONFIG-9601, NSCONFIG-8059, NSCONFIG-9607, CTXENG-68283, CTXENG-69332.
What's New
Analytics Infrastructure
Export management logs to Syslog servers or Splunk HEC
NetScaler now supports exporting management and host logs to external syslog servers or to HEC on Splunk. For more information, see Logs.
[ NSANINFRA-5470 ]
Authentication, authorization, and auditing
Support to validate client IP address
NetScaler now validates the client IP address after verifying the details in the NSC_TMAS cookie and ensuring that the requests are generated from the same client IP address.
[ NSAUTH-14417 ]
Load Balancing
Password update on all GSLB sites
A new parameter `sitePassword` is added to the `set gslb site` command that replaces the RPC node password. If the GSLB synchronization is enabled, the password is updated in all GSLB sites.
For more information, see Configure a basic GSLB site.
[ NSLB-9994 ]
Miscellaneous
Support for Secure Private Access for on-premises solution on FIPS
The Secure Private Access on-premises solution is now supported on NetScaler platforms that comply with Federal Information Processing Standards (FIPS) and are running the 13.1-37.219 and later FIPS builds. For more information about FIPS, see Federal Information Processing Standards. For more information about Secure Private Access for on-premises, see Secure Private Access for on-premises.
[ SPAOP-6363 ]
Platform
Support for OpenSSH version 9.x
The OpenSSH version on NetScaler is now upgraded from 8.x to 9.x.
[ NSPLAT-29640 ]
LOM version 3.11.0
LOM version 3.11.0 is now available for the following platforms. This version addresses multiple functional issues.
- MPX 9100
- MPX 9100 FIPS
- MPX 16000
For more information, see Upgrade the LOM firmware on a NetScaler MPX appliance.
[ NSPLAT-29596 ]
Synchronize timer behavior in FreeBSD 11.4 and FreeBSD 8.4
The kernel clock and timer events in FreeBSD 11.4 are made similar to those of FreeBSD 8.4 to achieve stability on the NetScaler VPX platform.
[ NSPLAT-26973 ]
Improved SSL performance for encryption algorithms
SSL performance of the following encryption algorithms is enhanced for NetScaler running on Intel processors that support Intel AVX-512:
- RSA 2048/4096
- ChaCha20-Poly1305
- AES-GCM
[ NSPLAT-26379 ]
FIPS is displayed in the output
The output of the `show version` command on an MPX appliance now shows FIPS if the underlying appliance is using a FIPS build.
For example,
>show version
NetScaler NS13.1: Build 37.106.nc, Date: Jan 23 2023, 01:34:26 (64-bit) (NS13.1-FIPS)
Done
[ NSPLAT-25763 ]
Support for AWS EC2 instance IMDSv2 mode
The Instance Metadata Service Version 2 (IMDSv2) mode for AWS EC2 instance is now supported in the NetScaler appliance. IMDSv1 and IMDSv2 are two modes available for accessing instance metadata from a running AWS EC2 instance and IMDSv2 is more secure than IMDSv1. Earlier, IMDSv2 was not supported by NetScaler. Hence, when the AWS EC2 instance was using the IMDSv2 mode, the NetScaler appliance was overwriting the static default route after a cold reboot.
[ NSPLAT-21205 ]
SSL
Changes to command output
The output of the "show fipsStatus" command on a VPX FIPS appliance shows additional information, such as the control plane and data plane cryptographic library version.
> sh fipsstatus
FipsStatus: System is operating in FIPS mode
NetScaler Cryptographic Module v1.0
NetScaler Control Plane Cryptographic Library v1.0
NetScaler Data Plane Cryptographic Library v1.0
Done
[ NSSSL-12374 ]
Validating the Basic Constraint during certificate verification
During certificate verification, the appliance now validates that the Basic Constraint field is set to CA:TRUE for CA certificates if the "ndcppComplianceCertCheck" is set to YES in the "set ssl parameter" command.
[ NSSSL-12107 ]
Validating the X.509 extension during certificate verification
The following validations now happen during certificate verification if the "ndcppComplianceCertCheck" is set to YES in the "set ssl parameter" command:
- When the NetScaler appliance acts as a client, the Extended Key Usage X.509 extension in the server certificate contains the server extension.
- When the NetScaler appliance acts as a server, the Extended Key Usage X.509 extension in the client certificate contains the client extension.
[ NSSSL-12092 ]
Support for Dynamic Client Certificate Generation
The Dynamic Client Certificate Generation feature allows NetScaler to facilitate end-to-end mutual Transport Layer Security communication. NetScaler achieves this by generating a new client certificate for the backend server-side handshake, using the information extracted from the client certificate provided during the client-side SSL handshake.
Traditional certificate-based authentication protocols, such as smart card authentication, require a complete end-to-end TLS handshake for client verification. The Dynamic Client Certificate Generation feature overcomes this restriction, allowing security teams to inspect encrypted traffic (through decryption and re-encryption) while still satisfying smart card or certificate-based authentication requirements.
The following are the benefits:
- Customers can manage application availability using NetScaler while maintaining strong mutual TLS communication.
- NetScaler decrypts, inspects the content, and then re-encrypts the TLS communication, even when Smart Card or certificate-based authentication is used.
- By operating as a middleman, NetScaler enables content inspection combined with NetScaler Console SSL insights or any other third-party tool for enhanced observability.
Enable the Dynamic Client Certificate Generation feature using the CLI:
- Enable the feature on the SSL profile bound to the backend service.
At the command prompt, type:
set ssl profile <backend_profile_name> -dynamicClientCert ENABLED
- Create a certificate key for the CA used to sign the generated dynamic client certificate.
add ssl certkey <certkey_name> -cert <cert_file> -key <key_file>
- Bind the certificate key to the backend profile where the Dynamic Client Certificate Generation feature is enabled.
bind ssl profile <backend_profile_name> -certkeyName <certkey_name> -forgingCACertkey
Limitations:
The Dynamic Client Certificate Generation feature is not supported in the following scenarios:
- DTLS
- Admin Partition environments
For more information, see Dynamic Client Certificate Generation.
[ CTXENG-69644 ]
System
Limit the number of HTTP/2 RESET frames received on a connection in a minute
You can now limit the number of HTTP/2 RESET frames received on an HTTP/2 connection in a minute. If the number of RESET frames exceeds the configured limit, NetScaler silently drops the packets on that connection.
With this enhancement, you can mitigate the HTTP/2 DoS attack when an attacker opens several HTTP/2 streams and immediately cancels these streams by sending RESET STREAM frames.
For more information, see HTTP/2 DoS mitigation.
[ NSBASE-18564 ]
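The limit described above can be pictured as a per-connection counter of RST_STREAM frames over a one-minute window. The following is an added example, not NetScaler code: the sliding-window choice, the class and function names, and the constructed sample frames are assumptions made for illustration.

```python
import struct
from collections import deque

RST_STREAM = 0x3       # HTTP/2 frame type for RST_STREAM (RFC 9113, section 6.4)
HEADERS = 0x1          # HTTP/2 frame type for HEADERS
FRAME_HEADER_LEN = 9   # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id


def parse_frames(buf):
    """Yield (frame_type, stream_id, payload) for each complete frame in buf."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(buf):
        len_hi, len_lo, ftype, _flags, stream = struct.unpack_from(">BHBBI", buf, offset)
        length = (len_hi << 16) | len_lo
        end = offset + FRAME_HEADER_LEN + length
        if end > len(buf):
            break  # truncated frame: a real receiver would wait for more bytes
        yield ftype, stream & 0x7FFFFFFF, buf[offset + FRAME_HEADER_LEN:end]
        offset = end


class ResetFrameLimiter:
    """Hypothetical per-connection limiter: at most N RST_STREAM frames per window."""

    def __init__(self, max_resets_per_minute, window_seconds=60.0):
        self.limit = max_resets_per_minute
        self.window = window_seconds
        self._resets = {}     # conn_id -> deque of RST_STREAM arrival times
        self.blocked = set()  # connections whose traffic is now dropped

    def observe(self, conn_id, data, now):
        """Return the (type, stream_id) frames accepted from data.

        Once a connection exceeds the limit, the frame that crossed it and
        everything after it on that connection is silently dropped.
        """
        if conn_id in self.blocked:
            return []
        stamps = self._resets.setdefault(conn_id, deque())
        accepted = []
        for ftype, stream_id, _payload in parse_frames(data):
            if ftype == RST_STREAM:
                # Forget resets that fell out of the window (assumed sliding).
                while stamps and now - stamps[0] >= self.window:
                    stamps.popleft()
                stamps.append(now)
                if len(stamps) > self.limit:
                    self.blocked.add(conn_id)
                    break
            accepted.append((ftype, stream_id))
        return accepted


def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialize one HTTP/2 frame (used only to construct sample input)."""
    length = len(payload)
    header = struct.pack(">BHBBI", length >> 16, length & 0xFFFF, ftype, flags, stream_id)
    return header + payload


def rapid_reset_burst(n, first_stream=1):
    """Constructed sample: n streams, each opened and cancelled immediately."""
    out = b""
    for i in range(n):
        sid = first_stream + 2 * i  # client-initiated stream ids are odd
        out += build_frame(HEADERS, sid, b"\x82", flags=0x4)             # END_HEADERS set
        out += build_frame(RST_STREAM, sid, b"\x00\x00\x00\x08")         # error code CANCEL
    return out


if __name__ == "__main__":
    limiter = ResetFrameLimiter(max_resets_per_minute=5)
    accepted = limiter.observe("conn-A", rapid_reset_burst(8), now=0.0)
    print("conn-A accepted frames:", len(accepted), "blocked:", "conn-A" in limiter.blocked)
    # A client that resets a few streams, then a few more over a minute later, stays under the limit.
    limiter.observe("conn-B", rapid_reset_burst(3), now=0.0)
    limiter.observe("conn-B", rapid_reset_burst(3, first_stream=7), now=61.0)
    print("conn-B blocked:", "conn-B" in limiter.blocked)
```

The counter is kept per connection, so a limit set too low drops a legitimate client that cancels many requests in a short time; baseline normal reset rates before choosing a value.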
User Interface
View FIPS status for VPX FIPS and MPX FIPS platforms on the NetScaler GUI
You can now view FIPS status for VPX FIPS and MPX FIPS platforms in the NetScaler GUI, similar to the CLI.
[ NSUI-20100 ]
The download of any core files that are present on the "Diagnostic" page ("System > Diagnostic") of the NetScaler GUI might fail with an error.
[ NSHELP-33644 ]
Flexed/Pooled license expiry notifications
On the *System > Licenses > ADC License > Manage Licenses* page of the NetScaler GUI, you can now see the *Days to Expiration* field that specifies the number of days remaining until the license expires.
You must review the "Days to Expiration" information and then configure NetScaler to display an alert in the GUI upon login and periodically trigger SNMP alerts when the license is nearing expiration or has already expired. For more information, see Configure NetScaler license expiry alerts.
[ NSCONFIG-9601 ]
Enhancements to NetScaler CPX Express license
The following enhancements are made to the NetScaler CPX Express license:
- Bandwidth limit is increased from 20 Mbps to 100 Mbps.
- All the NetScaler CPX features are available with the NetScaler CPX Express license.
[ NSCONFIG-8059 ]
Smart card-based authentication for system users
NetScaler supports smart card-based authentication for NetScaler management GUI, where a user can be authenticated using the client certificate stored in the smart card. This feature simplifies the login process for smart card users, granting them access to the NetScaler management GUI without the need for entering their credentials (user name and password).
For more information, see Smart card-based authentication for management GUI access.
[ NSCONFIG-8034 ]
Two-Factor Authentication Support
Two-factor authentication (2FA) is now supported through the NetScaler management access console.
For more information, see Two-Factor Authentication for System Users and External Users.
[ NSCONFIG-7845 ]
Update to LAS activation identifier
Starting from NetScaler 14.1-60.57, NetScaler 13.1-61.26, and NetScaler FIPS 13.1-37.259, the LAS-based licensing workflow for NetScaler deployments no longer uses the IP address and host name. Instead, a system identifier (lsguid) is used by LAS to uniquely identify the NetScaler deployment.
If you want to use the host name instead of the system identifier (lsguid), manually select the Use hostname for LAS activation blob workflow option from the NetScaler GUI.
To activate the host name for LAS activation:
- Navigate to System > Licenses > LAS Activation.
- Turn the Use hostname for LAS activation blob workflow toggle ON.
For information related to LAS, see License Activation Service.
[ CTXENG-71023 ]
Support for additional NetScaler Fixed-term Bandwidth license codes to enable transition to LAS-based licensing
NetScaler now supports additional NetScaler Fixed-term Bandwidth license entitlements (license codes). This allows customers with a NetScaler Perpetual license to transition from file-based licensing to LAS-based licensing using a NetScaler Fixed-term Bandwidth license. It also enables existing NetScaler Fixed-term Bandwidth license customers to transition from file-based licensing to LAS-based licensing.
To use LAS, your NetScaler must be running one of the following minimum versions or later:
- NetScaler ADC: 14.1 build 51.80, 13.1 build 60.29, 13.1 build 37.247 (FIPS)
- NetScaler SVM: 14.1 build 51.83, 13.1 build 60.30
[ CTXENG-69948 ]
LAS support for NetScaler deployments for NetScaler Fixed-term Bandwidth license
NetScaler now supports the License Activation Service (LAS) licensing mechanism. LAS is a new cloud-based licensing solution that offers a modern alternative to traditional file-based licensing. LAS introduces new modules for the activation of Citrix and NetScaler products, ensuring a seamless and modern approach to license management.
Starting from this release, LAS is supported on the following NetScaler deployments:
- NetScaler ADC: 14.1 build 51.80, 13.1 build 60.29, 13.1 build 37.247 (FIPS) or later
- NetScaler SVM: 14.1 build 51.83, 13.1 build 60.30 or later
Note:
LAS for NetScaler deployments supports NetScaler Fixed-term Bandwidth licenses. All other forms of legacy NetScaler licenses, such as perpetual licenses, are not supported with LAS.
For more information, see License Activation Service.
[ CTXENG-69332 ]
LAS Enforcement on NetScaler, NetScaler Console on-prem, and NetScaler Console Service
The file-based licensing system (also referred to as manually managed entitlements), traditionally used for activating various on-premises components, will be End of Life (EOL) on April 15, 2026. License Activation Service (LAS) is the next generation technology for product activations across the suite of Citrix products. LAS will be the only way to activate and license NetScaler instances after April 15, 2026, supporting NetScaler Flexed licenses (CPL/UHMC), legacy NetScaler Pooled licenses, and NetScaler Fixed-term Bandwidth licenses. To remain supported, your NetScaler and NetScaler Console deployments must be on a LAS compatible version. The minimum required NetScaler versions that are LAS compatible are:
- NetScaler ADCs: 14.1-51.80, 13.1-60.29, 13.1-37.247 (FIPS)
- NetScaler SVM: 14.1-51.83, 13.1-60.30
- NetScaler Console Service: Supported from early September 2025.
- NetScaler Console on-prem: 14.1-51.83
Note: LAS support for Console on-prem is from release 14.1-51.x onwards. However, file-based licensing deprecation/EOL is from Console on-prem release 14.1-51.83 onwards and Console on-prem release 13.1-60.26 onwards.
All the other forms of legacy NetScaler licenses, such as Pooled vCPU, CICO, and perpetual, will not be supported with LAS. NetScaler instances leveraging perpetual licenses without active maintenance will become unlicensed upon upgrade to the above mentioned software versions.
LAS based licenses may not be available to customers where prohibited by law or regulations.
Should you have questions or concerns, contact Customer Care. Citrix may limit or suspend your Citrix Maintenance for non-compliance with these requirements without liability in addition to any other remedies Citrix may have at law or equity. These requirements don't apply where prohibited by law or regulation.
[ CTXENG-68622 ]
Perpetual Licensing changes - SA Date enforcement and NetScaler build-specific Burn-In Date
Starting from this release, there are some changes related to Perpetual licensing that include SA Date enforcement and NetScaler build-specific Burn-In Date.
Terminology description:
- Subscription Advantage (SA) date: A date present in perpetual license files, introduced to limit upgrades to NetScaler versions released only up to a certain date.
- Burn-In Date (BID): A date associated with every NetScaler version and build.
The following changes are introduced in Perpetual licensing:
Change 1: SA Date check and enforcement:
This check and enforcement is introduced to block NetScaler customers who are running their NetScaler instances on perpetual licenses with expired maintenance, resulting in unsupported deployments.
If the Burn-In Date of the NetScaler build you are trying to upgrade to is later than the SA date in the perpetual license file used on your NetScaler instance, your NetScaler instance becomes unlicensed after the upgrade. Some NetScaler VPX versions already had this check and enforcement. It is now introduced for NetScaler form-factors: VPX, MPX, and SDX starting from the following NetScaler releases:
- NetScaler ADCs: 14.1-51.x, 13.1-60.x, 13.1-37.x (FIPS)
- NetScaler SVM: 14.1-51.x, 13.1-60.x
This check occurs during boot up after a NetScaler upgrade. To avoid your NetScaler instance becoming unlicensed, obtain a supported NetScaler license with active maintenance.
Note: If you are using a perpetual license on your NetScaler instance and have active maintenance, you must use the latest file that you received during your most recent maintenance renewal. Otherwise, your NetScaler becomes unlicensed after upgrading to the above mentioned NetScaler builds.
Change 2: Burn-In Date specific to each build:
Earlier, the Burn-In Date for all builds across a major NetScaler version used to be the same. Now, each unique NetScaler build has its own Burn-In Date (approximately based on its release date) starting from the following NetScaler releases:
- NetScaler ADCs: 14.1-51.x, 13.1-60.x, 13.1-37.x (FIPS)
- NetScaler SVM: 14.1-51.x, 13.1-60.x
[ CTXENG-68283 ]
Fixed Issues
Analytics Infrastructure
When an advanced syslog policy is bound to Syslog Global, some messages related to the SSLVPN do not appear in the ns.log file:
- SSLVPN LOGIN
- SSLVPN LOGOUT
[ NSHELP-37051 ]
The `show syslogAction` command displays an unresolved IP address in the output when both of the following conditions are met:
- SYSLOG action with a domain name on transport mode UDP is used.
- ICMP is disabled on the server.
This issue occurs because the ping-default monitor marks the service as DOWN since the server is not reachable through ICMP. Therefore, the IP address is not displayed in the output even if it is resolved.
[ NSHELP-32886, NSHELP-33392 ]
The `ns.log` file generates the debug logs even when the audit log level is set to none and therefore exceeds the configured file size limit. The issue occurs because the advanced policy is bound to local logging even though it is not necessary.
[ NSHELP-32404, NSHELP-32641 ]
On NetScaler ADC 14.1-29.x release, adding a syslog action in an admin partition throws an "Operation not permitted" error.
[ NSANINFRA-5997 ]
AppFlow
The metrics collector in the NetScaler instance stops responding intermittently. As a result, whenever the metrics collector stops responding, one interval (30 seconds) of analytics data might not get exported.
[ NSHELP-34048 ]
Authentication, authorization, and auditing
When you click Resend Notification, the error message "Failed Validate TOTP or resend Notification" appears on the screen. This issue occurs because the resend push functionality fails after the push timeout period due to the absence of an OTP value. As a result, the authentication fails.
[ NSHELP-40806 ]
SAML authentications might fail if NetScaler is configured as a SAML on MPX/SDX 14000 FIPS. This issue occurs when the context is not saved across the asynchronous code path while signing a SAML request.
[ NSHELP-38211 ]
In an HA setup, when the secondary NetScaler is configured as an OAuth IdP, a memory leak is observed if one of the following conditions is met:
- Session times out.
- Session is killed during the HA synchronization.
[ NSHELP-37585 ]
NetScaler crashes when users attempt to re-login before the stale entries are cleared (prior to DHT timeout) after being logged out due to an expired Kerberos ticket.
[ NSHELP-37528 ]
NetScaler might reboot due to invalid memory access. This issue occurs when you enable the Appflow feature to collect metrics and access the metric collection authentication sessions even if the session is unavailable.
[ NSHELP-37143 ]
After an upgrade, the message "AAA DHT : VPN entry resume notification failed due to invalid subtype 1" appears repeatedly in the NetScaler log file.
[ NSHELP-35649 ]
Kerberos SSO might fail when there is a large number of incoming requests at the same time.
[ NSHELP-34177 ]
When NetScaler is configured as a SAML service provider, the SAML assertion validation might fail because of a parsing issue in the saml:statusCode tag.
[ NSHELP-33574 ]
When NetScaler is used as an OpenID provider (OAuth IdP) and GSLB is configured with it, OAuth authentication with the relying party (RP) fails during token validation, which might result in an authentication failure at the OAuth relying party (RP).
[ NSHELP-33455 ]
The NetScaler appliance might crash when it is configured as a SAML service provider and the SSL certificates are updated.
[ NSHELP-33243, NSHELP-33242, NSHELP-32966 ]
Kerberos SSO impersonation with advanced encryption types might fail when an incorrect user principal name is used in the SSO credentials.
[ NSHELP-32890 ]
NetScaler might crash if one of the following authentication methods is used as a second factor and there are subsequent factors that are configured and require user interaction in an nFactor flow.
- SAML
- OAuth
- Client certificate
[ NSHELP-29573, NSHELP-32631, NSHELP-32765 ]
In an HA setup, users frequently reboot the secondary NetScaler instances due to memory leaks.
[ NSHELP-28659 ]
In an HA deployment, users must re-login to the Advanced Authentication and Authorization - Traffic Management (AAA-TM) virtual server or the NetScaler Gateway virtual server after both nodes are upgraded to the latest version.
In a cluster deployment, users might encounter authentication failures or repeated re-authentication prompts until all nodes are upgraded to the latest version.
[ NSAUTH-16503 ]
In a SAML SP setup, SAML authentication fails if the authentication virtual server name (authnVsName) parameter is configured in a load balancing virtual server.
[ NSAUTH-14566 ]
Bot Management
In rare cases, a memory leak might occur on the device when the bot trap feature is enabled on a bot profile.
[ NSHELP-39662 ]
Load Balancing
NetScaler might crash when traffic reaches a GSLB virtual server and the following conditions are met:
- The GSLB virtual server is initially bound to a GSLB service group without a priority order.
- Later a priority order is configured by using the set command.
[ NSHELP-40036 ]
NetScaler might crash when multiple partitions are added, deleted, and re-added.
[ NSHELP-38252 ]
In rare cases, an active NetScaler CLI session is aborted when you run the `add dns key` command.
[ NSHELP-36938 ]
In an HA setup, the DNS server might send an empty response for a GSLB domain query intermittently when the following conditions are met:
- Persistence is configured on the GSLB virtual server.
- A large number of load balancing deployments are configured.
- HA failover occurs.
[ NSHELP-35981 ]
The NTLM monitor does not support the following options:
- Concurrent probing by monitors of both NTLM version 1 and version 2 configurations.
- Directing the probe to the IP address of the server when the URL in "scriptArg" parameter resolves to a different IP address.
- NTLM version 2.
[ NSHELP-35185 ]
The probes to the StoreFront user monitor might fail due to an incorrect timeout calculation. This issue occurs when the timeout value is set to 1 or 2 seconds when configuring the StoreFront user monitor.
[ NSHELP-34418 ]
The "show server name" command displays the service status as unknown even though the service is bound to the server.
[ NSHELP-33668 ]
NetScaler might crash when the following conditions are met:
- A load balancing virtual server is configured with a redirect URL in multiple partitions.
- A memory recovery is triggered.
[ NSHELP-33638 ]
The secondary node might crash if you use the same GSLB virtual server as the backup for multiple GSLB virtual servers.
[ NSHELP-33400 ]
NetScaler might crash when the monitor probe fails for a few internal virtual servers.
[ NSHELP-30985 ]
The NetScaler VPX appliance crashes when the following conditions are met:
- The autosync option is used to synchronize the configuration with other GSLB sites.
- The incarnation number that is used to fetch the GSLB cache is a multiple of 1024.
[ NSHELP-30075 ]
In a GSLB setup, the SSL certificate is missing from the subordinate sites. This issue occurs when the auto-sync option is enabled, and the subordinate sites have SSL certificates that are not available on the master site.
[ NSHELP-29309 ]
NetScaler Content Inspection
A NetScaler appliance might crash when it tries to access resources on the freed ICAP. This condition happens when the ICAP is in response modification (RESPMOD) mode.
[ NSHELP-33403 ]
NetScaler Gateway
After an upgrade, the NetScaler Gateway portal fails to display the customized login schema and the RfWebUI theme settings. Instead, it shows the default settings. This issue occurs when the default CSP header is enabled on NetScaler Gateway.
[ NSHELP-38000 ]
In an HA mode, the secondary NetScaler instance crashes when processing the ICA packets.
[ NSHELP-37256 ]
The Traffic Management > SSL > SSL Files option is missing in the GUI if the following conditions are met:
- A NetScaler Gateway license is used.
- The software is upgraded to NetScaler release 13.0 build 91.x.
[ NSHELP-36186 ]
After an upgrade, NetScaler Gateway proxy settings fail to work in a full VPN mode.
[ NSHELP-35853 ]
The NetScaler Gateway home page might fail to enumerate the apps when you try to access it on clientless VPN mode using a mobile browser.
[ NSHELP-35541 ]
NetScaler configured with HDX Insight might reboot when the secondary node receives the packets for processing.
[ NSHELP-34152 ]
A NetScaler Gateway appliance crashes when evaluating a policy for a VPN URL.
[ NSHELP-33683, NSHELP-34100, NSHELP-34077, NSHELP-34180, NSHELP-34076 ]
After upgrading a NetScaler appliance, the RDP proxy URLs do not work with the X1 portal theme and the message "Http/1.1 Object Not Found" appears.
[ NSHELP-33676, NSHELP-33921, NSHELP-33845 ]
When a NetScaler appliance is upgraded, the appliance might crash while processing the UDP traffic.
[ NSHELP-33417 ]
Some of the VPN sessions might get cleared or removed from the secondary ADC appliance after a failover.
[ NSHELP-33125 ]
After upgrading a NetScaler Gateway appliance, the Configuration > Integrate with Citrix Products section is not displayed in the NetScaler GUI.
[ NSHELP-32335 ]
NetScaler log files contain gateway insight logs even if NetScaler Gateway insights are disabled.
[ GOPHDX-5091 ]
NetScaler crashes when an EDT ICA connection is launched. This issue occurs when the AppFlow analytics profile for HDX insight is bound to a VPN virtual server.
[ GOPHDX-5014 ]
When clearing the configurations by using the GUI or CLI, a NetScaler appliance might crash when the Secure Token Authority (STA) related entities are cleared.
[ GOPHDX-1743 ]
NetScaler Web App Firewall
The load balancing virtual server might not be accessible after a high availability failover. This issue occurs when the URL transform action is performed on the request or response based on the order of adding the configuration, instead of the priority.
[ NSHELP-36761 ]
NetScaler might crash when Web App Firewall takes longer to perform the command injection protection check than the expected time.
[ NSHELP-36343, NSHELP-37692 ]
The NetScaler might crash when "VerboseLogLevel" is set to "patternPayloadHeader" in the Web App Firewall profile.
[ NSHELP-35915 ]
The NetScaler appliance might crash due to invalid HTTP header information. This issue occurs when the following conditions are met:
- SQL/XSS violation occurs in the HTTP request body.
- The verbose logging is set to "patternPayloadHeader".
[ NSHELP-35297 ]
The cookie hijacking redirect drops the query parameters from the request URL. As a result, the redirected request might fail.
[ NSHELP-33633 ]
Networking
In an HA setup, the NetScaler VPX secondary node crashes after upgrading to release 13.1 build 53.17.
[ NSHELP-37950 ]
The NetScaler appliance might crash when you configure a dataset based ACL.
[ NSHELP-35744 ]
NetScaler sends VOLTAGE-LOW traps immediately after reboot before the system stabilises.
[ NSHELP-35672 ]
When a NetScaler appliance that contains a large integrated cache or a large-scale NAT configuration is upgraded from release 12.1 or 13.0 to release 13.1 or 14.1, the recovery time from a packet engine crash is relatively longer than in the pre-upgrade version.
[ NSHELP-33797 ]
For internal SSL services on a non-default HTTPS port, even if you change the default SSL certificate binding and restart the appliance, the default certificate continues to be bound to internal services.
[ NSHELP-24034 ]
Platform
NetScaler VPX instances running on Microsoft Azure might experience SSH and TCP session failures. This issue can occur randomly after a VPX reboot or upgrade and is caused by changes in the Azure hypervisor layer.
[ NSPLAT-33590 ]
The updated time log is not captured under /var/log/ns.log and /var/log/notice.log after a user updates the date by using the "date" command.
[ NSPLAT-30021 ]
When the interface configuration is disabled, the Tx Laser might not be OFF after the appliance is restarted.
[ NSPLAT-28484 ]
The NetScaler appliance crashes if VRID is bound to an LA channel that does not have member interfaces configured.
[ NSPLAT-26707 ]
After you upgrade the ADC appliance to release 13.1 build 42.47, on some public cloud VPX deployments, you might observe the HTTP and TCP services flap between UP and DOWN states.
[ NSPLAT-26310 ]
For a NetScaler VPX release 13.1 build 37.38 on VMware ESX hypervisor with VMXNET3 interfaces, you see the following behaviour in the HA setup:
The NetScaler VPX HA pair is not configured because the communication between the HA nodes is not established. As a result, the peer node status is displayed as UNKNOWN.
[ NSPLAT-25677 ]
NetScaler VPX instances using AWS Elastic Network Adapter (ENA) interfaces are incorrectly reporting Cyclic Redundancy Check (CRC) errors for certain rare packet types, resulting in legitimate packets being dropped.
[ NSHELP-39964 ]
The rc.netscaler file fails to run due to an internal error.
[ NSHELP-39034, NSHELP-40113 ]
In some cases, nic_err_rx_crc errors might occur on NetScaler MPX. However, the "show interface" command output does not display these RX errors.
[ NSHELP-38817 ]
The jumbo packet transfer might not work without an additional reset after rebooting a NetScaler MPX containing Fortville NICs (10G, 25G, 40G).
[ NSHELP-38646 ]
The NetScaler VPX instance drops packets from a client if both of the following conditions are met:
- The VPX instance is hosted on VMware Cloud on AWS using a VMXNET3 adapter.
- The VMXNET3 adapter fails to generate the RSS hash for the packet.
[ NSHELP-33150 ]
SSL
When you run the 'show fipsstatus' command from the NetScaler CLI, the output displays the details about NetScaler Crypto Library on MPX FIPS and VPX FIPS.
[ NSSSL-14391 ]
On NetScaler MPX FIPS and VPX FIPS, any unbound ECC curves are rebound to the SSL service after a reboot.
[ NSSSL-14369 ]
When a corrupt encrypted finish message is received from the back-end server, the SSL handshake fails on NetScaler MPX but the SSL audit log is not updated.
[ NSSSL-14368 ]
A virtual server crashes due to a failed TLS1.3 connection, because the NetScaler appliance runs out of memory and a memory allocation request fails during the start of a TLS 1.3 handshake.
With this fix, the TLS 1.3 connection fails but the appliance does not crash.
[ NSSSL-12200 ]
The NetScaler GUI, when accessed through a Cluster IP (CLIP) address, does not display the server certificate bindings to an SSL service, service group, and internal services.
[ NSSSL-12191 ]
On NetScaler MPX and NetScaler SDX platforms containing Intel SSL chips, cards might fail to come up after the first reboot or after a warm reboot.
[ NSHELP-36506 ]
NetScaler might crash after repeated login attempts if the following conditions are met:
- Client authentication is enabled.
- The client tries to authenticate with the root certificate.
[ NSHELP-36094 ]
Cross-signed certificate validation fails when there is a long chain and one of the intermediate certificates in the chain is a cross-signed root certificate.
[ NSHELP-34615 ]
A virtual server may incorrectly terminate a TLS 1.3 handshake with a `decrypt_error` alert if the following conditions are met:
- The client is authenticating with a certificate.
- The virtual server is configured to perform a certificate status check using OCSP or a CRL.
- The client sends both Certificate and CertificateVerify messages in the same TLS record.
[ NSHELP-33355 ]
System
NetScaler might stop the data transfer if the following conditions are met:
- Multiple features are enabled.
- More than one feature tries to delete the same part of the TCP or HTTP payload.
[ NSHELP-33793 ]
In some cases, a NetScaler appliance might crash while processing a corrective acknowledgment sent by a server connection that is in the TIME_WAIT state.
[ NSHELP-33469 ]
NetScaler might stall the data transfer on an HTTP/2 connection when an HTTP-based feature tries to buffer a large amount of application data.
[ NSHELP-32612, NSHELP-36243 ]
The NetScaler appliance might crash if it processes a corrective ACK packet related to a server-side TCP connection.
[ NSHELP-32290 ]
The NetScaler appliance configured with an SSL service crashes when the appliance receives a TCP FIN control packet followed by a TCP RESET control packet.
[ NSHELP-31656 ]
A memory leak might occur in the NetScaler appliance if both of the following conditions are met:
- The HTTP compression feature is enabled.
- The connection is reset in the middle of the transaction.
[ NSHELP-30631 ]
NetScaler Weblog and Auditserver components might crash after completing any addns parameter operation that adds the details of NetScaler to the log configuration file.
[ NSBASE-19384 ]
User Interface
WebSocket connections might fail when the `sshd_config` file is modified to remove RSA keys from the supported hash algorithms. This issue affects the user interface by preventing access to essential features such as Generate Tech Support, Ping, and other diagnostic tools.
[ NSUI-20210 ]
NetScaler upgrade might fail when pooled licensing is configured, but the license server is unreachable. When the license server is unreachable, the system displays a warning about the risk of NetScaler becoming unlicensed. You can ignore this warning and continue with the upgrade.
[ NSHELP-42252 ]
The `apply laslicense` command might time out if the management CPU usage or disk I/O wait is high.
[ NSHELP-41834 ]
When there is a high availability (HA) version mismatch between the primary and secondary nodes, the FileSync daemon (nsfsyncd) continuously writes to ns.log. This leads to the /var disk filling up, ultimately disabling access to the GUI.
[ NSHELP-41210 ]
SSH login to the NetScaler might fail when multiple streams or channels attempt to authenticate using the same SSH connection concurrently.
[ NSHELP-39989 ]
The NetScaler storage drive fills up rapidly due to daily PHP log files created for logging class initialization.
[ NSHELP-39536 ]
You might encounter the following issues when using the NetScaler GUI:
- Downloading PFX files might fail.
- The SSL Files tab might not display details as intended.
[ NSHELP-39448 ]
When using the NetScaler GUI, downloading SSL keys and PFX files from the SSL Files tab might fail.
[ NSHELP-39432 ]
Web applications might crash or be vulnerable to attacks due to using moment.js version 2.29.4. To resolve this issue, moment.js is upgraded to the latest version 2.30.1.
[ NSHELP-39368 ]
The NetScaler GUI is inaccessible with an IPv6 address.
[ NSHELP-38811 ]
The reporting functionality in the NetScaler GUI fails when upgrading PHP- and CodeIgniter-based web applications.
[ NSHELP-38754 ]
The following error message appears when you try to modify an extended ACL by using the GUI:
"Invalid argument [network_range_src]"
[ NSHELP-38693 ]
SSL keys might not appear in the GUI, but appear in the CLI.
[ NSHELP-38530 ]
If the number of services configured on NetScaler exceeds 500, NetScaler processes might be unable to write data to the disk. This issue results in missing data in the `newnslog` file.
[ NSHELP-37597 ]
You cannot unbind a Log Action from the NetScaler GUI, but the operation works using the NetScaler CLI.
[ NSHELP-36973 ]
In an HA setup, even though you have unique SSL certificates for the NSIP address of the primary and secondary node, the secondary node certificate is overwritten by the primary node certificate.
[ NSHELP-35938 ]
When you configure a responder policy or a rewrite policy on the NetScaler GUI without adding any values in the Log Action and AppFlow Action fields, which are not mandatory, the following error is displayed:
"Invalid name; names must begin with an alphanumeric character or underscore and must contain only alphanumerics, '_', '%23', '.', ' ', ':', '@', '=' or '-' [logAction, ]"
[ NSHELP-35726 ]
A user login to a non-default partition might fail when the GUI or the NITRO API is used.
[ NSHELP-34849 ]
You might observe high management CPU usage in a NetScaler appliance when both of the following conditions are met:
- Admin partitions are configured on the appliance.
- The appliance is managed by NetScaler ADM.
[ NSHELP-34825 ]
When binding the AppFW profile to the log expression, the state parameter is set to enabled by default. However, when the system is upgraded, the parameter is reset to disabled.
[ NSHELP-34187 ]
A few built-in configurations are not available when a NetScaler ADC instance is created.
[ NSHELP-33451, NSHELP-39684 ]
In a high-availability setup configured with a large number (thousands) of SSL certificates, configuration synchronization might take longer than usual. As a result, you might see the synchronization state in progress for a long time.
[ NSHELP-32959, NSHELP-35003 ]
The following error appears on the NetScaler UI when there is a huge difference between the saved and the running configuration:
"Error in fetching the configuration"
[ NSHELP-32752 ]
On the NetScaler GUI, the System Log Files page (Configuration > System > Auditing > Syslog messages) and the Logs page (Configuration > Authentication > Logs) fail to load the log files.
[ NSHELP-30868 ]
The /var/log/notice.log file does not capture the log details when a user initiates the upgrade by using the "install" command.
[ NSCONFIG-9823 ]
Known Issues
Authentication, authorization, and auditing
Web logging authentication on NetScaler might fail if the username is truncated during external authentication.
[ NSHELP-38864, NSHELP-39282 ]
Miscellaneous
Weblog client binaries fail to install on Linux hosts with GLIBC versions earlier than 2.38 due to a recent build infrastructure change.
[ NSHELP-40566 ]
NetScaler Gateway
On Windows machines, the Audit server file crashes when the log level is set to INFO on NetScaler.
[ NSHELP-25692 ]
User Interface
NetScaler might crash in scenarios of high memory consumption.
[ NSCONFIG-7972, NSCONFIG-7716 ]