Release Notes for NetScaler 13.1-37.268 FIPS Build
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
What's New
Authentication, authorization, and auditing
Client IP address validation using X-Forwarded-For (XFF) in AAA sessions
In Gateway and AAA deployments, stolen session cookies can be reused by attackers to hijack authenticated sessions. This risk increases in proxy or NAT environments where the direct source IP address seen by NetScaler does not represent the real client IP address. NetScaler tries to capture the client's real IP address and associates it with the authenticated AAA session. Earlier, this capability was based on the client source IP address. NetScaler now associates the IP address in the X-Forwarded-For header as a user attribute, along with the client IP address seen in the IP address header, to optimize proxy and NAT-based deployments. By validating the client IP address using XFF instead of only the source IP address, NetScaler enforces stronger session integrity even when traffic passes through intermediate devices. This significantly reduces the attack surface for session hijacking in complex network topologies.
For more information related to client IP address validation, see Client IP address validation using X-Forwarded-For (XFF) in AAA sessions.
[ CTXENG-69689 ]
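The following is a conceptual sketch of the session binding described above, added here as an illustration; it is not NetScaler code or configuration. The trusted-proxy range, the function names, and the sample addresses are assumptions. It shows why a source-IP-only check cannot tell apart two clients behind the same proxy, while a check on the XFF-derived address can.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Assumption: address ranges of the proxies/NAT gateways allowed to set XFF.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

@dataclass(frozen=True)
class Session:
    cookie: str
    source_ip: str  # peer address from the IP header at login
    client_ip: str  # address derived from X-Forwarded-For at login

def is_trusted_proxy(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)

def effective_client_ip(source_ip, xff):
    """Walk XFF right to left past trusted proxies and return the first
    untrusted hop. XFF is ignored when the peer is not a trusted proxy,
    because the header is then fully client-controlled."""
    if not xff or not is_trusted_proxy(source_ip):
        return source_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:  # malformed entry: fall back to the peer address
            return source_ip
    return source_ip

def login(cookie, source_ip, xff=None):
    return Session(cookie, source_ip, effective_client_ip(source_ip, xff))

def validate(session, cookie, source_ip, xff=None, use_xff=True):
    """Accept a request only if the cookie and the bound address both match."""
    if not hmac.compare_digest(cookie, session.cookie):
        return False
    if not use_xff:  # earlier behaviour: source IP only
        return source_ip == session.source_ip
    return effective_client_ip(source_ip, xff) == session.client_ip

# Constructed sample: two clients share the proxy 10.0.0.5.
PROXY, USER, OTHER = "10.0.0.5", "198.51.100.10", "203.0.113.7"
session = login("constructed-cookie", PROXY, USER)
replay_source_only = validate(session, "constructed-cookie", PROXY, OTHER, use_xff=False)
replay_with_xff = validate(session, "constructed-cookie", PROXY, OTHER)
```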
Platform
Support for an extra Management CPU core on NetScaler VPX
NetScaler VPX appliances typically use a single CPU core for management tasks, such as configuration, monitoring and control operations. In environments with significant management demands, this default configuration may lead to performance bottlenecks, resulting in slower response times and potential delays in management operations.
This feature allows administrators to allocate an additional CPU core specifically for management functions. This enhancement enables a more efficient allocation of resources, leading to improved management operations without compromising data traffic processing capability. Users benefit from increased responsiveness and better management performance, particularly in environments with high management workload requirements.
Important considerations:
- This feature is supported only on NetScaler VPX instances with at least 4 vCPUs and more than two packet engines.
- Activating this feature decreases the CPU cores allocated for data traffic processing.
- Schedule this configuration change during a maintenance window, as the appliance must be rebooted for the changes to take effect.
Configure an extra Management CPU core by using the CLI
To enable the extra Management CPU core, use the following command:
enable extramgmtcpu
To disable the extra Management CPU core, use the following command:
disable extramgmtcpu
Note: A reboot is required for the configuration changes to take effect.
To verify whether the extra management CPU core feature is enabled or disabled, use the following command:
show extramgmtcpu
ConfiguredState: DISABLED, EffectiveState: DISABLED
This command returns the configured and effective states of the extra management CPU core. This command helps administrators to quickly assess its operational status and determine if any further actions are needed to enable or disable it.
Configure an extra Management CPU core by using the GUI
1. Navigate to Configuration > System > Settings.
2. Select the Configure Extra Management CPU option.
3. In the Configured State drop-down menu, select ENABLED, and then click OK.
4. To apply the changes, go back to Configuration > System and click Reboot. Confirm the action by clicking OK.
Note: To disable the feature, select DISABLED in the Configured State drop-down menu.
For more information, see https://docs.netscaler.com/en-us/vpx/current-release/configure-extra-management-cpu.
[ CTXENG-68452 ]
Support for extra management CPU on NetScaler MPX 9100 and MPX 8900 platforms
NetScaler MPX 9100 and MPX 8900 platforms now support an extra management CPU.
[ NSPLAT-33479 ]
User Interface
LAS Enforcement on NetScaler, NetScaler Console on-prem, and NetScaler Console Service
File-based licensing system (also referred to as manually managed entitlements), traditionally used for activating various on-premises components, will be End of Life (EOL) on April 15, 2026. License Activation Service (LAS) is the next generation technology for product activations across the suite of Citrix products. LAS will be the only way to activate and license NetScaler instances after April 15, 2026, supporting NetScaler Flexed licenses (CPL/UHMC), legacy NetScaler Pooled licenses, and NetScaler Fixed term Bandwidth licenses. To remain supported, your NetScaler and NetScaler Console deployments must be on a LAS compatible version. The minimum required NetScaler versions that are LAS compatible are:
- NetScaler ADCs: 14.1-51.80, 13.1-60.29, 13.1-37.247 (FIPS)
- NetScaler SVM: 14.1-51.83, 13.1-60.30
- NetScaler Console Service: Supported from early September 2025.
- NetScaler Console on-prem: 14.1-51.83
Note: LAS support for Console on-prem is from release 14.1-51.x onwards. However, file-based licensing deprecation/EOL is from Console on-prem release 14.1-51.83 onwards and Console on-prem release 13.1-60.26 onwards.
All other forms of legacy NetScaler licenses, such as Pooled vCPU, CICO, and perpetual, will not be supported with LAS. NetScaler instances leveraging perpetual licenses without an active maintenance will become unlicensed upon upgrade to the above-mentioned software versions.
LAS based licenses may not be available to customers where prohibited by law or regulations.
Should you have questions or concerns, contact Customer Care. Citrix may limit or suspend your Citrix Maintenance for non-compliance with these requirements without liability in addition to any other remedies Citrix may have at law or equity. These requirements don't apply where prohibited by law or regulation.
[ CTXENG-68622 ]
Fixed Issues
Analytics Infrastructure
The following log files might consume more disk space if the management log export feature is configured:
- /var/log/export_mgmtlog_status.log
- /var/log/export_mgmtlog_cron.log
[ NSHELP-39206 ]
Authentication, authorization, and auditing
In an HA deployment, NetScaler might crash while updating SSL certificates. This issue occurs when NetScaler is configured as either a SAML Service Provider (SP) or as a SAML Identity Provider (IdP).
[ NSHELP-40758 ]
Infrastructure
NetScaler FIPS appliances might not be able to connect to NetScaler Console service in Government Cloud using the built-in agent.
[ NSADM-127655 ]
NetScaler Gateway
NetScaler crashes approximately every 3 minutes when accessing a VPN virtual server with a full VPN configuration and an analytics profile bound to it.
[ NSHELP-39929 ]
Platform
In rare scenarios, the data transfer over a TCP connection might stall completely if the following parameters or settings are configured:
- SSL record length
- TCP MSS settings
- Mellanox Interface Jumbo MTU (more than 1500)
[ NSHELP-42209 ]
User Interface
The command apply laslicense might time out if the management CPU or disk IO wait is high.
[ NSHELP-41834 ]
NetScaler upgrade might fail when pooled licensing is configured, but the license server is unreachable. When the license server is unreachable, the system displays a warning about the risk of NetScaler becoming unlicensed. You can ignore this warning and continue with the upgrade.
[ NSHELP-42252 ]
Known Issues
NetScaler Gateway
The Audit server file, in Windows machines, crashes when the log level is set to INFO on NetScaler.
[ NSHELP-25692 ]
User Interface
NetScaler might crash in scenarios of high memory consumption.
[ NSCONFIG-7972, NSCONFIG-7716 ]