Release Notes for Citrix ADM 13.0-64.35 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the Citrix ADM release Build 13.0-64.35.

Notes

  • This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.

What's New

The enhancements and changes that are available in Build 13.0-64.35.

Analytics

  • View Ingress details for troubleshooting issues
    In service graph, you can now view:
    * Ingress metrics
    * Ingress details (drill down)
    * The type of ingress used
    ** *Tier 1 ingress* – Citrix Ingress Controller inside the Kubernetes cluster configures a Citrix ADC instance (VPX/MPX/SDX/BLX) outside the Kubernetes cluster.
    ** *Tier 2 ingress* – Citrix Ingress Controller running as a sidecar along with Citrix ADC CPX instance inside the Kubernetes cluster.

    *Note*: You can view Tier 1 ingress and Tier 2 ingress only if you have configured two-tier architecture (tier 1 ADC as MPX/VPX/SDX/BLX and tier 2 ADC as CPX) in the Kubernetes cluster. For any other configuration, you can view only a single ingress.

    For more information, see https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/application-analytics-and-management/ingress-details.html
    [ NSADM-53755 ]
  • View Post Body violation report in Security Insight
    In *Security Insight*, you can now view the Post Body Limit violation report. If the POST body of a particular request exceeds the limit that is configured in the ADC Appfw profile, Citrix ADM generates a report.
    [ NSADM-52943 ]
  • Active sessions, terminated sessions, and logout reasons information in Gateway Insight
    In Gateway Insight, you can now view the following enhancements for the gateway users. As an administrator, these enhancements enable you to get complete user information when you export the report. Navigate to *Analytics > Gateway Insight > Users* and select a user to view:
    * The user *Active Sessions* and *Terminated Sessions*.
    * The gateway domain name and gateway IP address in *Active Sessions*.
    * The user login duration.
    * The reason for the user logout session. The logout reasons can be:
    ** Session timed out
    ** Logged out because of internal error
    ** Logged out because of inactive session timed out
    ** User has logged out
    ** Administrator has stopped the session
    [ NSADM-52764 ]
  • View metrics in Gateway Insight
    In *Gateway Insight*, you can now view the following enhancements:
    * *User details* - You can view insights for each user associated with the ADC Gateway appliances. Navigate to *Analytics* > *Gateway Insight* > *Users* and click a user to view insights for the selected user such as Session Mode, Operating System, and Browsers.
    * *Users and applications for the selected gateway* - Navigate to *Analytics* > *Gateway Insight* > *Gateway* and click a gateway domain name to view the top 10 applications and top 10 users that are associated with the selected gateway.
    * *View more option for applications and users* – For more than 10 applications and users, you can click the more icon in Applications and Users to view all users and applications details that are associated with the selected gateway.
    * *View details by clicking the bar graph* – When you click a bar graph, you can view the relevant details. For example, navigate to *Analytics > Gateway Insight > Gateway* and click the gateway bar graph to view the gateway details.
    [ NSADM-52763 ]
  • App Security Violations - Network
    In *App Security Violations,* you can now view *Bleichenbacher Attack* under the *Network* violation category. For more information, see [https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/analytics/security/network-violations.html%23bleichenbacher-attack]
    [ NSADM-49468 ]
  • App Security Violations - Network
    In *App Security Violations,* you can now view *HTTP Desync Attack* under the *Network* violation category. For more information, see [https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/analytics/security/network-violations.html%23http-desync-attack]
    [ NSADM-46460 ]

Management and Monitoring

  • Autoscale group applications in Azure support UDP traffic
    The Autoscale group applications that are in Azure can now receive UDP traffic. When you configure an application to the Autoscale group, select the UDP protocol and port value to allow UDP traffic.

    For more information, see the following links:

    AWS - https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/hybrid-multi-cloud-deployments/autoscale-for-aws/autoscale-for-aws-configuration.html%23configure-application-using-stylebooks

    Microsoft Azure - https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/hybrid-multi-cloud-deployments/autoscale-for-azure/autoscale-for-azure-configuration.html%23step-5-configure-an-application-for-the-autoscale-group
    [ NSADM-53288 ]
  • Support for Authentication, authorization, and auditing polling and network reports
    Citrix ADM now polls authentication, authorization, and auditing event counters from an ADC instance and allows you to visualize their trend on the Network Reporting dashboard. The ADM GUI includes the following Authentication, authorization, and auditing network reports to create the dashboard:
    - HTTP Authentication Success vs Failures
    - Non-HTTP Authentication Success vs Failures
    - Authentication, authorization, and auditing Sessions
    - Current Authentication, authorization, and auditing Sessions
    - Current ICAOnly Sessions
    - Current ICAOnly Connections
    - Current ICA(SmartAccess) Connection
    - Authentication Success and Failures

    Select the required reports in the Select Reports tab when you create a network dashboard.
    [ NSADM-52769 ]

Orchestration

  • Support for OpenStack Rocky
    Citrix ADM now supports OpenStack version Rocky.
    [ NSADM-34232 ]

StyleBooks

  • Associate StyleBook tags with their configuration pack
    In StyleBooks, labels are now called tags and they come with added functionalities. You can associate the tags with their configuration pack and search the configuration pack using the tags.
    When you create a configuration pack, use one of the following options in the Tag Association section:
    - Associate all present and future StyleBook tags with the configuration: this option associates all the StyleBook tags to a configuration pack. It also associates the new tags that you might add to the StyleBook in the future.
    - Select tags: this option displays the tags of a selected StyleBook. You can select the required StyleBook tags and associate them with a configuration pack.

    For more information, see [https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/stylebooks/how-to-view-stylebooks.html%23create-a-tag-for-the-stylebook]
    [ NSADM-53600 ]
  • View users who created or updated a StyleBook configuration
    In StyleBooks > Configurations, a new column is added that displays the user who created or last updated the configuration pack. If you want to filter configuration packs by users, select the Created By option from the properties list.
    [ NSADM-52336 ]
  • StyleBooks support conditional parameters
    You can now dynamically control a parameter’s appearance or its initial value in the StyleBook configuration form based on the value specified in another parameter. To do so, use the *dependent-parameters* attribute in the parameter definition. This attribute is a new *gui* sub-attribute. Specify this attribute on the source parameter that controls the dependent parameter’s behavior on the form. You can include multiple conditions. For example, a source parameter _protocol_ can have a dependent-parameter _certificate_, which only appears if the _protocol_ parameter value is _SSL_.

    Each condition can have the following attributes:
    * *target-parameter*: Specify the target parameter to which this condition applies.
    * *matching-values*: Specify the list of values of the source parameter that trigger the action.
    * *action*: Specify one of the following actions on the targeted parameter:
    ** ‘read-only’: The parameter is made read-only.
    ** ‘show’: The parameter appears in the form if it is hidden.
    ** ‘hide’: The parameter is removed from the form.
    ** ‘set-value’: The parameter value is set to the value specified in the value attribute.
    * *value*: The value of the target parameter if action is ‘set-value’.

    When a user input matches the specified values on the source parameter, the target parameter’s appearance or value changes according to the specified action.

    For more information, see https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/stylebooks/stylebooks-grammar/parameters-section.html%23dependent-parameters
    [ NSADM-52329 ]
  • Select multiple target instances at one time
    When you create a configuration pack, you can select multiple target instances at one time. Earlier, you could select only one instance at one time.
    [ NSADM-50115 ]

User Interface

  • Export ADM reports in a tabular format
    You can now export ADM reports in a tabular format or a snapshot. You can also choose how many data records to export in a tabular format. Earlier, you could export reports only as a snapshot.

    For more information, see [https://docs.citrix.com/en-us/citrix-application-delivery-management-service/setting-up/export-or-schedule-export-reports.html]
    [ NSADM-52461 ]
  • Generate network reports for load-balancing service groups
    You can now create a network-reporting dashboard for both load-balancing service groups and services. Earlier, you were able to create a dashboard for load-balancing services only.
    This dashboard can display the following reports for the selected service groups:
    - Connections: for the client and server connections counters.
    - Throughput: for request and response bytes counters.
    - Time to First Byte (TTFB): for the average time taken to send a request packet to a service group and receive the first packet from the service group. This response time is called TTFB.

    For more information, see https://docs.citrix.com/en-us/citrix-application-delivery-management-software/13/networks/network-reporting.html
    [ NSADM-51596 ]
  • View ADC FIPS instance pool under the Pooled Capacity page
    The ADC FIPS instances can now check out licenses from the FIPS instance pool. Therefore, the ADM GUI displays the pooled licenses allocated to FIPS instances on the Networks > Licenses > Bandwidth Licenses > Pooled Capacity page.
    [ NSADM-51207 ]
  • View the instance distribution by their minor versions
    The Instance Dashboard now displays the managed instances’ distribution by their minor versions. The Version graph helps you visualize the device count for every minor version.
    [ NSADM-42183 ]

Fixed Issues

The issues that are addressed in Build 13.0-64.35.

Analytics

  • The ADM consumes high CPU when the following conditions are met:

    -  HDX and Gateway insights are enabled on ADC instances.
    -  The ADM server receives high traffic.

    With this fix, logs causing high CPU consumption are disabled by default.
    [ NSHELP-23736 ]
  • In HDX Insight, sometimes, you might not be able to see the required data. This issue occurs when user details have fields with UTF-8 characters, which causes data insertion into the database to fail.
    [ NSHELP-23568 ]
  • In HDX Insight > Instances, the host name sometimes displays the secondary ADC node host name instead of primary ADC node.
    [ NSHELP-23211 ]

Management and Monitoring

  • In a multi-tenant environment, when a tenant adds an ADC instance, the ADM GUI displays services, servers, and service groups that belong to other tenants.
    [ NSHELP-24238 ]
  • The SDX backup file is corrupted when you repack it. This issue occurs only if the backup file has no password.
    [ NSHELP-24168 ]
  • When you poll one of the bound members in the service group, ADM updates the port numbers of the other bound members, and those port numbers become the same as the port number of the member that you've polled. For example, if you poll server1 with port 22, the port numbers of the other members also change to port 22 after polling.

    As a result, duplicate data appears on the ADM GUI.
    [ NSHELP-24039 ]
  • When you restore the ADM high-availability deployment, the ADM database fails to restore.
    [ NSHELP-23773 ]

StyleBooks

  • The ADM GUI fails to display StyleBooks for the users who meet the following conditions:
    -  The user logs in using external authentication.
    -  The user is associated with more than 100 user groups.
    [ NSHELP-24242 ]
  • In a configuration pack, you cannot specify a CIDR value along with an IP address. This issue occurs for the instance configuration that accepts a CIDR value.

    Example: The "trustedlearningclients" parameter of the "appfwprofile_trustedlearningclients_binding" component cannot accept a CIDR value while creating a configuration pack.
    [ NSADM-59295 ]
  • The update operation on a configuration pack fails if the following conditions are met:
    * The instance used to deploy the configuration pack is removed.
    * The instance is re-added with the same IP address.
    [ NSADM-54909 ]
  • When you upload a new signature file to a configuration pack, the update operation fails.
    [ NSADM-54588 ]

User Interface

  • When you poll multiple entities, the ADM GUI incorrectly displays the following message:

    "Entity polling initiated successfully."

    With this fix, the message is replaced as follows:

    "Entity polling completed successfully."
    [ NSHELP-24448 ]
  • In System > User Administration > Groups, after selecting an existing group and clicking the Add option, the same parameters available for the existing group are not loaded.
    [ NSHELP-24323 ]
  • An Onboarding page to add instances to ADM was presented to new users even if the user was not authorized to manage ADC instances. The user always had to skip the flow to move forward and use ADM. This behavior has now been changed to skip the default landing page if the user is not authorized for any instances.
    [ NSHELP-24322 ]

Known Issues

The issues that exist in release 13.0-64.35.

Analytics

  • The CPU usage is high when Citrix ADM triggers app score calculation.
    [ NSADM-61404 ]

High Availability

  • Database streaming between the ADM HA nodes breaks when the SSL certificate expires, and the "join_streaming_replication.sh" command does not restore the streaming.

    Workaround:

    1.  Check "/var/mps/db_pgsql/data/pg_hba.conf" on the ADM primary node to verify that the following entries are present.

              hostssl replication masrepuser <ADM Primary IP address>/32 cert clientcert=1

              hostssl replication masrepuser <ADM Secondary IP address>/32 cert clientcert=1

    2.  If any of these entries is missing, run "su -l mpspostgres /mps/scripts/pgsql/reloadpgsql.sh" to add these entries with a valid IP address.

    3.  Verify whether the SSL certificate has expired or is valid for fewer than 30 days. You can check the certificate expiry date using:

        openssl x509 -enddate -noout -in /var/mps/pg_certs/client/masrepuser/pg_masrepuser.crt

    If the certificate has already expired, log on to the Citrix ADM primary node using an SSH client and perform the following steps:

    1.  printf "[ req ] \n distinguished_name = req_distinguished_name \n prompt = no \n\n [ req_distinguished_name ] \n C = US \n ST = California \n L = San Jose \n O = Citrix ADC SDX \n OU = Internal \n CN = masrepuser \n" > /var/mps/pg_certs/client/masrepuser/pg_masrepuser_csr.config ;

    2.  openssl genrsa -out /var/mps/pg_certs/client/masrepuser/pg_masrepuser.key 2048 ;

    3.  openssl req -days 1000000 -new -key /var/mps/pg_certs/client/masrepuser/pg_masrepuser.key -out /var/mps/pg_certs/client/masrepuser/pg_masrepuser.csr -config /var/mps/pg_certs/client/masrepuser/pg_masrepuser_csr.config ;

    4.  openssl x509 -req -days 1000000 -in /var/mps/pg_certs/client/masrepuser/pg_masrepuser.csr -CA /var/mps/pg_certs/server/root.crt -CAkey /var/mps/pg_certs/server/pg_server.key -out /var/mps/pg_certs/client/masrepuser/pg_masrepuser.crt -CAcreateserial ;

    5.  rm /var/mps/pg_certs/client/masrepuser/pg_masrepuser.csr;

    6.  rm /var/mps/pg_certs/client/masrepuser/pg_masrepuser_csr.config;

    7.  cp -R /var/mps/pg_certs/client /var/mps/db_pgsql/data/;

    8.  chown -R mpspostgres:nobody /var/mps/db_pgsql/data/client;

    9.  chmod 700 /var/mps/db_pgsql/data/client;

    10.  chmod 600 /var/mps/db_pgsql/data/client/masrepuser/*key;

    11.  chmod 600 /var/mps/db_pgsql/data/client/pg_rewind/*key;

    12.  touch /var/mps/adm_upgrade_pg_generate_certs;

    13.  masd restart
    [ NSADM-61363 ]
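
The verification in steps 1 and 3 of this workaround can be scripted. The following is an added example, not Citrix-supplied code: the function names are hypothetical, the 30-day threshold comes from step 3, and it relies only on `openssl x509 -checkend` and `awk`.

```shell
#!/bin/sh
# Added example: pre-checks for the replication-certificate workaround.
# cert_status and hba_missing are names chosen for this example.

# cert_status FILE [DAYS]
# Prints "invalid", "expired", "expiring" (valid for fewer than DAYS days) or "ok".
cert_status() {
    cert=$1
    days=${2:-30}
    # Reject files that openssl cannot parse as an X.509 certificate.
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo "invalid"
        return 2
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -checkend 0 -noout -in "$cert" >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null 2>&1; then
        echo "expiring"
    else
        echo "ok"
    fi
}

# hba_missing FILE IP...
# Prints every IP that has no active (uncommented) line of the form
#   hostssl replication masrepuser <IP>/32 cert clientcert=1
hba_missing() {
    hba=$1
    shift
    for ip in "$@"; do
        awk -v want="$ip/32" '
            /^[ \t]*#/ { next }
            $1 == "hostssl" && $2 == "replication" && $3 == "masrepuser" &&
            $4 == want && $5 == "cert" && $6 == "clientcert=1" { found = 1 }
            END { exit found ? 0 : 1 }
        ' "$hba" || echo "$ip"
    done
}

# Stand-alone use: sh precheck.sh <cert> <pg_hba.conf> <primary-ip> <secondary-ip>
if [ "$#" -ge 3 ]; then
    crt=$1
    conf=$2
    shift 2
    echo "certificate status: $(cert_status "$crt")"
    for m in $(hba_missing "$conf" "$@"); do
        echo "pg_hba.conf entry missing for $m/32"
    done
fi
```

A status of "expired" or "expiring" corresponds to the condition in step 3; any IP address printed by `hba_missing` corresponds to the missing-entry condition in step 2.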

Management and Monitoring

  • Memory consumption of an ADM primary node crosses 80% because of the ADM high-availability monitoring process "mas_hb_monit".
    [ NSHELP-22071 ]
  • If the database synchronization lag with the ADM disaster recovery node is more than 10 MB, ADM generates an alert every five minutes.
    [ NSADM-60545 ]
  • When you export a dashboard or schedule an export report on the Network Reporting Dashboard page, the report is generated based on the duration and not the start and end time.
    [ NSADM-20017 ]

Miscellaneous

  • After upgrading ADM to version 13.0 67.x, the ADM GUI displays the "Page not found" error.
    Workaround: Reload the ADM GUI.
    [ NSADM-61600 ]

Orchestration

  • When you create a member on OpenStack Lbaas using ADM orchestration, the member creation fails on OpenStack intermittently. This issue happens when a proxy request from ADM to orchestration services times out after 30 seconds.

    With this fix, the request timeout for orchestration APIs has increased to 120 seconds.
    [ NSHELP-21490 ]
  • If you are using OpenStack Queens for LBaas workflow, the Load Balancing virtual server is not bound to Content Switching virtual server. This issue impacts the traffic.
    Workaround:
    1. Create a pool with Load Balancing virtual server.
    2. Create a listener with the pool ID.
    If you already have a listener, update the listener with the pool ID.
    [ NSADM-36631 ]

StyleBooks

  • When you edit a configuration pack to replace a signature file on an ADC instance, the ADM fails to update the changes. This issue occurs if you manually delete the signature file from the ADC instance.  
    [ NSADM-60226 ]

User Interface

  • The Export Now option or Export Report > Scheduled Report does not generate the PDF and CSV report with the selected time duration. By default, the report contains the logs for the last 30 days.
    [ NSHELP-25019 ]
  • When you allocate licenses to unmanaged instances, license allocation percentage appears incorrectly in the donut chart.
    [ NSADM-60798 ]