Release Notes for Build 54.16 of Citrix ADC 12.1 Release
February 14, 2020 | Release notes version: 2.0
Note
Build 54.16 replaces Build 54.13
This release notes document describes the enhancements and changes, lists the issues that are fixed, and specifies the issues that exist, for the Citrix ADC release 12.1 Build 54.16. See Release history.
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- This build includes fixes for the following 13 issues that existed in the previous Citrix ADC 12.1 release build: NSHELP-19239, NSHELP-19410, NSHELP-19961, NSHELP-19095, NSSVM-135, NSHELP-19299, NSHELP-19860, NSHELP-19428, NSHELP-18707, NSHELP-19194, NSHELP-19856, NSHELP-18805, NSHELP-19824.
- The known issues section is cumulative. It includes issues newly found in this release, and issues that were not fixed in previous Citrix ADC 12.1 releases.
- The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the Citrix ADC team.
Additional Changes/Fixes Available in Versions
Version 2.0
- Enhancements: NSNET-2848
What's New?
The enhancements and changes that are available in Build 54.16.
Authentication, authorization, and auditing
- Support for encrypting OTP data and migrating existing OTP data into an encrypted form
  You can now store the OTP secret data in an encrypted format instead of plain text for enhanced security. OTP data is stored in an encrypted format automatically if the required configuration is set. However, for existing OTP data in plain text, you can use the OTP encryption tool to migrate from plain text to the encrypted format. The OTP encryption tool can also be used to update the existing certificates to new certificates. The OTP encryption tool is located in the “\var\netscaler\otptool” directory. You must download the tool from this location and run it with the required AD credentials and prerequisites.[# NSAUTH-5972]
Licensing
- New values for SDX minimum bandwidth and minimum instances
  The minimum bandwidth and minimum instances values for SDX appliances that support Citrix ADC pooled capacity have changed. For more information, see:[# NSSVM-2770]
Networking
- Assurance of a listener service for processing an FTP data connection request
  In a Citrix ADC appliance, if a packet engine receives an FTP data connection request before a listener service is added, the packet engine sends an 8212 reset code to the FTP client. The FTP client interprets this code as a "connection refused" message and closes the connection. Now, the Citrix ADC appliance ensures that a listener service is added on the packet engine before the packet engine processes the received FTP data connection request.[# NSNET-2848, NSHELP-106, NSHELP-19983]
Fixed Issues
The issues that are addressed in Build 54.16.
- The first login using NITRO API fails for a partition user. However, the subsequent login succeeds.[# NSHELP-20159, NSCONFIG-2054]
Admin Partition
- The “stat system memory” command might display an incorrect value for the “Free Memory (MB)” field whenever the Citrix ADC appliance reaches 100% memory usage in the default partition.[# NSHELP-19239]
Authentication, authorization, and auditing
- A Citrix ADC appliance might crash upon updating the user data certificate by using “update ssl certkey” command.[# NSAUTH-5554]
- When upgrading a Citrix ADC cluster setup from release 10.5 to a higher version, system login to a non-CCO node on the higher version fails.[# NSHELP-18511, NSAUTH-5561]
- A Citrix ADC appliance fails to obtain Kerberos tickets through constrained delegation if one of the following conditions is met:
  - The enterprise “realm” parameter is configured for the user.
  - The domain name in the “keytab” parameter is in lower case.[# NSHELP-18946]
- If you set "Import Metadata URL" and later edit it by providing the redirect URL from Citrix ADC GUI, the Redirect URL is set but the Import Metadata URL is not unset. Because of this, the Citrix ADC appliance uses the metadata URL.[# NSHELP-19202]
- The base64 decoding fails if a digital signature has HTML entity encoded characters.[# NSHELP-19410]
- If a dialogue cookie in the client request is processed before checking for any existing sessions, a Citrix ADC appliance sends a change password page to the client.[# NSHELP-19528]
- If the URL contains ";" special character, the TASS cookie encodes the URL redirect at the time of login.[# NSHELP-19634]
- If user group extraction is done during an administrator login, the memory usage of Citrix ADC AAA increases gradually.[# NSHELP-19671]
- A 500 error message is observed if the following conditions are met:
  - An authentication, authorization, and auditing enabled traffic management virtual server receives a POST request without the cookie.
  - The POST body contains newline characters.[# NSHELP-19852]
- A Citrix ADC appliance processes unauthenticated HTTP requests with OPTIONS method received from authentication, authorization, and auditing traffic management virtual server. At this point, the appliance responds with a corresponding HTTP 401 error message.[# NSHELP-19916]
- A Citrix ADC appliance sends a negative value if the maximum age value for HSTS header is set above 2,147,483,647.[# NSHELP-19945]
- The SAML attribute value in the SAML response includes multiple SAML AttributeValue lines, instead of one.[# NSHELP-19961]
- In an OpenID-Connect mechanism, OAuth Relying Party (RP) does not encode username or password properties while making password grant API call.[# NSHELP-19987]
- A Citrix ADC appliance configured as SAML Identity Provider (IdP) truncates relaystate from Service Provider (SP) if it contains quotes.[# NSHELP-20131]
- A Citrix Gateway appliance might fail if the following conditions are met:
  - A user logs out of a session.
  - The appliance is deployed in an HDX platform.
  - SAML authentication is used in Citrix Gateway.[# NSHELP-20206]
- A Citrix ADC appliance might crash when you use a SAML IdP on a FIPS appliance.[# NSHELP-20282]
- A Citrix Gateway appliance might occasionally fail if users try to log in when taking VPX snapshot.[# NSHELP-20292]
- A Citrix ADC appliance configured as SAML Service Provider (SP) might fail to validate assertions sent by certain IdPs if the namespace of SAML is not defined completely.[# NSHELP-20307]
- A Citrix ADC appliance configured as a SAML Service Provider (SP) on traffic management virtual server does not send post body response to the back-end server after SAML login.[# NSHELP-20348]
- The following behavior is observed in the Citrix ADC GUI:
  - You cannot edit the OAuth Policies.
  - You can edit only OAuth Actions.
  - The OAuth Policies option must only be under Advanced Policies, not under Basic Policies.[# NSHELP-2131]
Citrix ADC GUI
- In a cluster setup, if you add a cipher group from advanced settings using the GUI, the cipher group does not appear in the main page.[# NSHELP-19704]
- Due to some technical issues in the framework, all service groups are not displayed in the ADC GUI.[# NSUI-13754]
Citrix ADC SDX appliance
- In a VPX HA setup running on SDX appliances, when one of the switches in the virtual port channel (VPC) goes down, all the interfaces that are part of the LACP flap. This triggers HA failover.[# NSHELP-19095]
- SDX 8900 appliances might crash while you are applying the SSL configuration to set client certificate verification to optional with policy-based client authentication.[# NSHELP-19297]
- If the backup file name has any special character, restoring the SDX appliance to that backup fails. With the fix, an error message appears if the backup file has any special character.[# NSHELP-19951]
- On an SDX appliance, when you restore a VPX instance provisioned with burst throughput, the restore might fail.[# NSHELP-20013]
- On an SDX appliance, the “No additional MACs available for members of interface 10/1” error message appears when all the following conditions are met:
  1. You instantiate 19 VPX instances on the SDX appliance, all with the same network interface.
  2. You then add MAC addresses to the 20th VPX instance that uses the same network interface as the previous instances.
  3. The number of MAC addresses on the 20th VPX instance is twice as great as the number of MAC addresses added to the 1st VPX instance.[# NSHELP-20158]
- When configuring pooled licensing in SDX 14000 FIPS appliance, the minimum instances you could check out was 25. With this fix, the minimum instances you can check out is two.[# NSHELP-20305]
- After you have configured a VLAN from the allowed VLAN list (AVL) on a VPX instance running on an SDX appliance, the instance fails to restart automatically. As a result, communication between the VPX instance and AVL stops.[# NSSVM-135]
Citrix ADC VPX appliance
- You might not be able to access a VPX instance by using the management IP if the instance has a vCPU license. The issue is seen in all VPX instances, on-premises and cloud. If the VPX instance is running on an SDX appliance, you can access the instance from the SDX Management Service GUI.[# NSPLAT-10710]
Citrix Gateway
- With the repackaged Citrix Workspace app, if RFWebUI theme is used, the following message is displayed to the clients:"You must whitelist the ID of Citrix Receiver in Storefront."[# NSHELP-18341]
- Encapsulating Security Payload (ESP) packets in transit are dropped if LSN configuration is not enabled on the Citrix ADC appliance.[# NSHELP-18502]
- The following message incorrectly appears when Citrix Gateway is accessed from the Microsoft Edge browser, and EPA or VPN is not used."Full VPN and EPA are not supported in Edge browser. Please use different browser for a better experience."[# NSHELP-19367]
- In some cases, the Citrix Gateway appliance sets invalid cookie while processing the unauthenticated requests.[# NSHELP-19403]
- In some cases, the Citrix Gateway appliance dumps core if the appliance is accessed in the Full VPN tunnel mode.[# NSHELP-19444]
- The Citrix Gateway plug-in for macOS cannot resolve internal host names if the Local LAN Access option is enabled on a Citrix ADC appliance.[# NSHELP-19543]
- Audio clarity for Skype calls is negatively affected when multiple applications/connections are tunneled over the VPN. This happens because of an improper memory management.[# NSHELP-19630]
- A Citrix Gateway does not recognize the logon expression policy in a Windows plug-in during nFactor authentication.[# NSHELP-19640]
- The Endpoint Analysis (EPA) scan failed to validate 4096 bit key device certificate.[# NSHELP-19697]
- If an authentication factor hosted in Azure is used in Citrix MFA, logon to Citrix Gateway using the Windows plug-in fails. This happens because the MFA HTTP timeout value is less than the Citrix Gateway Windows plug-in timeout value.
  With this fix, the Citrix Gateway Windows plug-in timeout value is increased to avoid logon failure. Also, the HTTP timeout value can now be configured by setting the following registry value (in seconds):
  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\HttpTimeout[# NSHELP-19848]
- In some cases EPA scan fails on Windows machines.[# NSHELP-19865]
- Windows Intune enrollment check cannot be disabled on the client machines. The check is enabled by default.
  With this fix, the Windows Intune enrollment check can be disabled. To disable the check, set the following registry entry to 1:
  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\DisableIntuneDeviceEnrollment[# NSHELP-19942]
- In rare cases, the Citrix Gateway crashes while GSLB updates VPN services statistics.[# NSHELP-19992]
- A group of computers are unable to access internal and external resources when connected over VPN only and Intranet IP is configured.[# NSHELP-20011]
- Audio clarity for VOIP applications is negatively impacted when multiple applications or connections are tunneled over the VPN.[# NSHELP-20097]
- Finding URLs to rewrite for advanced clientless VPN processing results in high CPU usage. As a result, the system slows down.[# NSHELP-20122]
- In a high availability setup, the secondary node crashes whenever an authentication, authorization, and auditing session or a VPN session containing SAML related information is propagated to the primary node.[# NSHELP-20230]
- A client machine fails to reconnect to a Citrix Gateway appliance because the appliance sends an incorrect STA ticket upon STA refresh.[# NSHELP-20285]
- The VPN plug-in unblocks all TCP traffic until captive portal authentication if both of the following conditions are met:
  - The client machine is configured for AlwaysOn, onlyToGateway mode.
  - The client machine is connected to a captive portal network.[# NSHELP-20360]
Citrix Web App Firewall
- A Citrix ADC appliance might crash if there is high memory usage and memory values are not freed up because of an application failure.[# NSHELP-18863]
- A Citrix ADC appliance might crash when processing large form bodies and if the field consistency parameter is enabled on the Citrix Web App Firewall profile.[# NSHELP-19299]
- A Citrix ADC appliance might crash when CONNECT requests are received. The issue occurs if you set the default profile settings to any value other than APPFW_BYPASS, APPFW_RESET, APPFW_DROP, APPFW_BLOCK.[# NSHELP-19603]
- Web Requests with many query parameters might receive no response if the field consistency protection parameter is enabled.[# NSHELP-19811]
- A Citrix ADC appliance fails if the following conditions are observed:
  - Web App Firewall policies use an HTTP body based rule, for example, HTTP.REQ.BODY(..).
  - The Web App Firewall feature is disabled.[# NSHELP-19879]
- A Citrix ADC appliance might crash when processing signature file regex patterns and if bigstack is unavailable.[# NSHELP-20359]
Clustering
- In a cluster setup, the cluster propagation might fail if one of the following conditions is met:
  - Connection fails between the cluster daemon and the configuration daemon.
  - Memory usage increases in the cluster daemon.[# NSHELP-19771]
- In a cluster setup, the Citrix ADC GUI fails to upload an SSL certificate in the following conditions:
  - Commands are executed from the CLIP.
  - The “sh partition” command responds with an invalid response.[# NSHELP-19905]
- In a cluster setup, you might observe continuous failure logs that indicate connection failure between ZebOS dynamic routing IMI daemon and internal cluster daemon. This issue occurs when either the ZebOS dynamic routing IMI daemon or internal cluster daemon is restarted.[# NSNET-10655]
DNS
- A Citrix ADC VPX instance running on an SDX appliance might crash if an invalid DNS request is received on a Jumbo enabled interface.[# NSHELP-19854]
GSLB
- The GSLB site backup parent list configuration is lost if both of the following conditions are met:
  - The triggerMonitor option is set to either MEPDOWN or MEPDOWN_SVCDOWN.
  - The Citrix ADC appliance is restarted.[# NSCONFIG-1760]
Gateway Insight
- In a high availability (HA) setup, the primary node might crash if AppFlow is enabled and there is a failover.[# NSHELP-19363]
- Citrix ADC appliances deployed in a high availability (HA) setup crash if both of the following conditions are met:
  - AppFlow is enabled.
  - There is a high availability synchronization failure.[# NSHELP-19490]
High Availability
- A configuration loss occurs every time a high availability configuration synchronization happens along with a high availability failure.[# NSHELP-19210]
Licensing
- After upgrading an MPX perpetual license to Pooled Capacity license, the ADM GUI prompts to save the config and restart the instance. With this fix, the GUI prompts only to restart the instance.[# NSHELP-20137]
Load Balancing
- When LRTM is enabled on a monitor bound to a service group, response time is not shown.[# NSHELP-12689]
- You might run out of disk space on a Citrix ADC VPX appliance because the appliance generates multiple temporary files. When an rsync operation occurs for a particular location file, a temporary file is created for that location file. These files fill up the /var directory.[# NSHELP-20020]
NITRO
- The Citrix ADC appliance responds with an internal error message for show routerdynamicrouting NITRO API call.[# NSCONFIG-1325]
Networking
- The state of the Bidirectional Forwarding Detection (BFD) sessions might flap during re-establishment of the related dynamic routing protocol (for example, OSPF) adjacency.[# NSHELP-15931]
- The Citrix ADC appliance allows configuration through NITRO APIs even before the protocol modules are completely initialised. Because of this, the write memory command fails with the following error message:
  “save config denied – modules not ready”[# NSHELP-19431]
- The BGP process might fail due to memory corruption if it receives bgp updates with multiple 4-byte AS numbers in the path.[# NSHELP-19860]
- The ADC appliance might not update the ECMP routes in an optimised way when an associated interface is disabled, or an associated IP address is deleted.[# NSHELP-19891]
- The Citrix ADC appliance might crash if you add a listen policy that has a dependency for a certain internal FTP service lookup.[# NSHELP-20002]
- On restart, the Citrix ADC appliance establishes BGP session with the peer devices before assigning a subnet IP (SNIP) address on the interface resulting in next-hop validation failure. Because of this issue, the Citrix ADC appliance might not learn the routes advertised from these peer devices.[# NSHELP-20211]
Optimization
- A Citrix ADC appliance restarts by itself if the following conditions are observed:
  - The front end optimization feature is enabled.
  - Cached objects are re-optimized.[# NSHELP-19428]
Platform
- Sometimes, the LCD on the front panel of a Citrix ADC appliance might display 99% memory usage when the actual memory usage is less.[# NSHELP-18483]
- The SDX 14000 FIPS appliance might crash and restart while configuring a FIPS HSM partition.[# NSHELP-18503]
- The ifHighSpeed SNMP OID for a 50G interface shows a value of zero if the speed of the interface is set to AUTO.[# NSHELP-18707]
- On the following Citrix ADC SDX platforms, connectivity to a VPX instance might fail if it receives heavy multicast traffic when a management port is not assigned to the VPX instance and instance management is done through the data ports:
  - SDX 8900
  - SDX 14000-40G
  - SDX 14000-40S
  - SDX 15000-50G
  - SDX 25000-40G
  - SDX 25000T
  - SDX 25000T-40G[# NSHELP-19861]
Policies
- After an upgrade, the rewrite policy does not work for the CVPN homepage2.html page.[# NSHELP-19481]
- In a Citrix ADC appliance, if you unbind default advanced global policies and save the configuration, the changes are not reflected on the next reboot.[# NSHELP-19867]
SSL
- Safenet directory is missing when you install a VPX instance on Citrix XenServer, VMware ESX, or Linux-KVM platform.[# NSHELP-14582]
- The DTLS handshake might fail if DTLS records of different message types are received out of order. For example, a “Server Hello Done” message is received before a “Server Hello” message.[# NSHELP-18512]
- If the client and CA certificates have different encoding, the client certificate is incorrectly rejected when -clientAuthUseBoundCAChain is ENABLED, even though the client and server certificates are issued by the same CA.[# NSHELP-19077]
- A Citrix ADC appliance might crash intermittently if both of the following conditions are met:
  - OCSP check and SSL interception are enabled on an SSL profile.
  - The SSL profile is bound to a content switching virtual server of type PROXY.[# NSHELP-19194]
- The handshake fails on a Citrix ADC SDX appliance with N2 chips, because ECDSA ciphers are not supported on this platform. With this fix, ECDSA ciphers are not advertised on this platform.[# NSHELP-19614, NSHELP-20630]
- The ssl_tot_enc_bytes counter reports incorrect plain text bytes to be encrypted.[# NSHELP-19830]
- An error message appears when you assign a DH parameter file to an SSL profile in an admin partition setup.[# NSHELP-19838]
- The following appliances might crash if they receive the “ChangeCipherSpec” message from a client but not the “Finished” message:
  - MPX 5900/8900
  - MPX 15000-50G
  - MPX 26000-100G[# NSHELP-19856]
- If you add a certificate with an AIA extension on a cluster IP (CLIP) address, the following error message appears when you try to remove the certificate from the CLIP:'Internal Error'.[# NSHELP-19924]
- When TLS 1.3 and SNI are both enabled on a front-end virtual server, the appliance crashes during the TLS handshake if the following sequence of events occurs:
  1. A TLS 1.3 client includes the server_name extension in its initial ClientHello message.
  2. The server responds with a HelloRetryRequest message.
  3. The client responds with an illegal ClientHello message that omits the server_name extension.[# NSHELP-20245]
- The Citrix ADC appliance might crash and dump core when it tries to access the deleted default DTLS profile while configuring a new DTLS virtual server or service.[# NSSSL-6886]
System
- High memory issue occurs in partitioned Citrix ADC appliance.[# NSBASE-8780, NSBASE-8763]
- A transaction on HTTP/2 stream does not get terminated correctly if the client sends a "te: traielrs" header in the request to a virtual server with Transform policy bound to it.[# NSHELP-18805, NSHELP-19832]
- A Citrix ADC appliance crashes if the current_tcp_profile and current_adtcp_profile are not set.[# NSHELP-18889]
- Memory issue occurs in a Citrix ADC appliance if closed connections are not flushed completely.[# NSHELP-18891]
- The policy evaluation might fail if the following conditions are met:
  - 256 policy expressions reference the same custom header.
  - The custom header reference counter (an 8-bit counter) wraps to 0.[# NSHELP-19082]
- SNMP alarm on SDX device does not work for disk, memory, or temperature parameters but works only for CPU.[# NSHELP-19713]
- In some cases, you will see a delay or timeout in connecting to the backend server. This happens because the appliance has freed the connection and released the port. When the appliance reuses the same port to establish a new connection with the server there is a delay or timeout because the connection is in TIME_WAIT state on the server.[# NSHELP-19772]
- In rare cases, a cluster node might crash when a client or server sends an out-of-order packet followed by an in-sequence packet with the FIN message.[# NSHELP-19824]
- The Citrix ADC appliance might crash if a retransmitted TCP segment is received on an interface with MTU > 1500 bytes as:
  - Jumbo frames, or
  - A set of IP fragments.[# NSHELP-19920, NSHELP-20273]
- SNMPWalk gets query response from a subnet IP (SNIP) address even if SNMP feature is disabled.[# NSHELP-20254]
- A Citrix ADC appliance initiates an HTTP/1.1 connection instead of an HTTP/2 connection if the complete request body is not received for a POST request.[# NSHELP-20289]
- The SNMP manager configuration is lost when you restart a cluster node. The issue occurs when the "add snmp manager" command fails during reboot.[# NSNET-10355]
Known Issues
The issues that exist in release 12.1.
- The “An existing route relies on the presence of this subnet” error message is seen if all of the following conditions occur:
  - Two or more SNIP addresses with the first octet greater than 127 are added.
  - A route for the SNIP addresses is added on that network.
  - You try to delete any one of the added SNIP addresses.[# NSHELP-20492]
Admin Partition
- A partitioned Citrix ADC appliance might crash if you enable Video Optimization on a partition and later remove the partition on the appliance.[# NSNET-10199]
AppFlow
- Client IP and Server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.[# NSBASE-8506]
- A Citrix ADC appliance might reboot if the AppFlow collector closes in Logstream transport mode.[# NSHELP-19837]
Authentication, authorization, and auditing
- The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:
  - The Test LDAP Reachability option is opened.
  - Invalid login credentials are populated and submitted.
  - Valid login credentials are populated and submitted.
  Workaround: Close and open the Test LDAP Reachability option.[# NSAUTH-2147]
- The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.[# NSAUTH-6106]
- Protocol switching from HTTP to WebSockets fails when SSO is configured on a Citrix ADC appliance.[# NSAUTH-6354]
- A Citrix authentication, authorization, and auditing logout message occasionally display incorrect virtual server name.[# NSHELP-18751]
- Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.[# NSHELP-18844]
- Authentication might fail when a Citrix ADC appliance configured as SAML with WS-Fed protocol contains a special character “&” in the password.[# NSHELP-19740]
- A Citrix ADC appliance might crash in the OTP manage flow if the following conditions are met:
  - The OTP login schema is used as the first factor.
  - Email authentication is used as the second factor.[# NSHELP-19759]
- A memory leak is observed in a Citrix ADC appliance when the mail attribute is extracted during LDAP login.
  Workaround: Do not extract the mail attribute during LDAP login.[# NSHELP-19955]
- A Citrix ADC appliance might fail to authenticate the Microsoft Outlook 2016 users if the password contains Umlaut characters.[# NSHELP-20682]
- In rare cases, a Citrix ADC appliance might crash while serving VPN traffic.[# NSHELP-20751]
- A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.[# NSHELP-563]
- A Citrix ADC appliance configured for Citrix ADC AAA might become unresponsive if the following conditions are met:
  - The samlAction parameter is configured.
  - The back-end server is unreachable.[# NSHELP-8220]
Citrix ADC CLI
- Some Citrix ADC commands fail intermittently with an error message, "Name conflicts with an existing service or service group member name". This issue occurs when the Citrix ADC appliance restarts because of an internal error.[# NSHELP-18339]
Citrix ADC GUI
- Users with a German, Spanish, French, or Italian keyboard selected as their input method might be unable to type a forward slash while creating an IPv6 address prefix.
  Workaround: Change the keyboard input method back to English.[# NSHELP-18791]
- User authentication to Citrix ADC GUI fails if an issue is observed in VAR file rollover mechanism.[# NSHELP-20229]
Citrix ADC SDX appliance
- After upgrading an SDX appliance, the LA channel and VLAN configuration on the appliance might be lost.[# NSHELP-19392, NSHELP-19610]
- The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
  ERROR: Operation timed out
  ERROR: Communication error with the packet engine[# NSNET-4312]
- After a reset operation, the transmit rate drops.
  Workaround: Stop all traffic, reset the interface, and resume traffic.[# NSPLAT-7792]
Citrix ADC VPX appliance
- Support for VMware vMotion
  From this release, you can migrate a Citrix ADC VPX instance by using VMware vMotion. The vMotion feature does not support Citrix ADC VPX instances configured to use SR-IOV and PCI passthrough interfaces. Supported interfaces are E1000 and VMXNET3. For more information, see the Install a Citrix ADC VPX instance on VMware ESX topic: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/install-vpx-on-esx.html[# NSHELP-15343]
- After adding the vCPU license to a VPX appliance, the VPX model ID appears incorrectly in the VPX GUI under the License and CLI in “show license” command output.[# NSHELP-19613]
- In a Citrix ADC cluster, the configuration coordinator (CCO) node does not support the set ns vpxparam -cpuyield command for controlling CPU-usage behavior.
  Workaround: Set the -cpuyield parameter on individual nodes by logging on to each node and adding one of the following commands to the /nsconfig/nsbefore.sh file:
  sysctl netscaler.ns_vpx_halt
  sysctl netscaler.ns_vpx_halt_method=0
  By default, this command specifies method=1, which reserves all CPU resources for the VM to which they have been allocated. To allow allocated but unused CPU resources to be used by another VM, specify method=0.[# NSPLAT-2156]
- Error messages appear when an SR-IOV-enabled Citrix ADC VPX instance configured with Intel X710 10G and XL710 40G NICs, running on KVM hypervisor, restarts. The error messages are harmless and can be safely ignored.[# NSPLAT-3883]
- In a high availability setup on Azure, upon logon to the secondary node through the GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
  Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile must always be configured on the primary node.[# NSPLAT-4451]
- When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.[# NSPLAT-4520]
Citrix Gateway
- In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a “Critical error” dialog box. Also, the page becomes unresponsive.[# CGOP-7269]
- In some cases, in a high availability setup, the secondary appliance reboots if there is a CLI sync mismatch during the PCOIP session sync process.[# NSHELP-18740]
- In some cases, the external facing Citrix Gateway in a double-hop deployment with ICA Insight enabled, dumps core for a particular network traffic pattern.[# NSHELP-19487]
- The DTLS service on a VPN virtual server functions with a default set of ciphers that can't be altered through bind or unbind cipher commands using CLI.[# NSHELP-19561]
- If ICA Insight is enabled for EDT sessions, you might experience a frozen screen or a delay in the application screen operations.
  Workaround: Disable the EDT Insight functionality.[# NSHELP-19934]
- The SSL handshake process fails if a domain-based service is added to a VPN session action and the Citrix ADC appliance is restarted after the configuration is saved.[# NSHELP-20022]
- If split tunneling is enabled, Citrix SSO app for macOS and iOS does not resolve internal host names.[# NSHELP-20141]
- Users are incorrectly prompted to enter the user name and password when nFactor Logon form is customized to display the dynamic Logon Type menu and OAuth is selected from the list.[# NSHELP-20300]
- A Citrix ADC appliance fails to decode rewritten URLs for clientless VPN if the URLs contain "%2E" in the FQDN.[# NSHELP-20603]
- The Citrix ADC appliance might become unresponsive if HDX Insight is enabled and there is a low memory condition.[# NSHELP-20707]
- The Citrix virtual adapter remains connected even when the VPN machine is in sleep mode and a logout is triggered. Users must terminate the application or restart the VPN machine to gain access to the network.[# NSHELP-20755]
- The Citrix ADC appliance might become unresponsive if the appliance is configured for proxy EDT connections and there is a low memory condition.[# NSHELP-20761]
- An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.[# NSHELP-7872]
- SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for the Virtual Delivery Agent (VDA).
  Workaround: Use an IP address for the VDA.[# NSHELP-8549]
- Application Launch failure records are not displayed in Citrix ADM if launch failure is due to DNS lookup failure on Citrix ADC.[# NSINSIGHT-1046, NSINSIGHT-1216]
Citrix Web App Firewall
- The Citrix Web App Firewall GUI slows down when you optimize default signatures.[# NSHELP-17975]
- Citrix Web App Firewall AppFw Field Format learned data is different from the exported learned data. When learned data configured through aslearn is deployed and the number of field types reaches the limit supported by aslearn, the get learned data operation is not able to display all of the learned data.[# NSHELP-18077]
- In a high availability setup, enabling IP reputation feature might result in high availability command propagation failures.[# NSHELP-20010]
- A Citrix ADC appliance might crash if there is an internal communication error with the sqlite library.[# NSHELP-20173]
Clustering
- A high CPU usage is observed on a Citrix ADC appliance or in a cluster setup if “show ns ip” command displays many IP addresses.[# NSHELP-11193]
- A linkset-member interface or channel is added as part of a new static ND6 entry to the Citrix ADC appliance. For the Citrix ADC appliance to accept the new static ND6 entry, you must provide the linkset VLAN.[# NSHELP-19453]
- In an L3 cluster setup, the local nodegroup wrongly sends Gratuitous Address Resolution Protocol (GARP) requests for the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.[# NSHELP-20366]
- In a cluster setup, the Citrix ADC appliance might crash on a new MPTCP connection if the same 4-tuple is reused with a different MPTCP key before the original connection has timed out on the appliance.[# NSHELP-20844, NSHELP-20726]
DNS
- A Citrix ADC appliance might crash if DNS logging is enabled and the appliance receives a large DNS response.[# NSHELP-18926]
Gateway Insight
- Application launch failure due to invalid STA ticket is not reported in Gateway Insight.[# NSINSIGHT-1117]
- The ICA connection is skip-parsed during ICA parsing if users are using the Mac Receiver along with version 6.5 of Citrix Virtual Apps and Desktops (formerly Citrix XenApp and XenDesktop). Workaround: Upgrade the Receiver to the latest version of Citrix Workspace app.[# NSINSIGHT-924]
HDX Insight
- HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.[# NSINSIGHT-943]
ICA
- In an HA setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.[# NSINSIGHT-2059]
- For MSI ICA connections, HDX Insight is not available if the transport type is Logstream.[# NSINSIGHT-2198]
Licensing
- When Citrix ADC licenses hosted on Citrix ADM expire, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the appliance continues to function as usual. If not, the licenses are revoked and the appliance ceases to function.[# NSPLAT-6417]
Load Balancing
- Redirecting an HTTPS URL fails if the URL contains the % special character.[# NSHELP-19993]
Networking
- When the Citrix ADC appliance is cleaning up a large number of server connections as part of a remove command, the Pitboss process might restart. This Pitboss restart might cause the appliance to crash.[# NSHELP-136]
- On restarting the Citrix ADC appliance, the default route is originated before the IP address of the interface is populated. Because of this, the next hop of the route is set to NULL, leading to a martian error.[# NSHELP-16407]
- On the Citrix ADC GUI, when you go to Configuration > Network > Interfaces, and click Interface Statistics, the Interface Summary is not displayed and the “Invalid value [arg]” error message appears.[# NSHELP-19575, NSUI-13284]
- In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.[# NSNET-5233]
SSL
- In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.[# NSHELP-13466]
- The HTTPS-ECV monitor fails during an SSL handshake if all of the following conditions are met:
  - The monitor is bound to an SSL profile.
  - Session reuse is enabled on the SSL profile.
  - The monitor is bound to two or more back-end servers.
  - Different protocol versions (for example, TLS1.0 and TLS1.2) are running on the servers.
  [# NSHELP-18384]
- If your ADC appliance is integrated with an unsupported version of Thales HSM, the appliance crashes after generating the HSM key and certificate, installing the certificate-key pair on the appliance, and binding it to the SSL virtual server. With this fix, the appliance reports an error instead of crashing.[# NSHELP-20352]
- A Citrix ADC VPX appliance might crash if ChaChaPoly cipher is used and the client sends a truncated record to the appliance.[# NSHELP-20684]
- The DTLS handshake might fail if DTLS record fragments are received out of order.[# NSHELP-20703]
- In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.[# NSSSL-3161, NSSSL-1258, NSSSL-1264]
- An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.[# NSSSL-3184, NSSSL-1379, NSSSL-1394]
- In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.[# NSSSL-3402]
- An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[# NSSSL-4001]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[# NSSSL-4427]
- If you create an ECDSA key by using the GUI, the type of curve is not displayed.[# NSUI-6838]
SWG URL Filtering
- When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command on the secondary node. As a result, the secondary node skips any scheduled update until the next scheduled time specified in the "TimeOfDayToUpdateDB" parameter.[# NSSWG-849]
Security
- ICAP support for Citrix ADC: A Citrix ADC appliance now supports the Internet Content Adaptation Protocol (ICAP) for content transformation services on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP) servers. The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond to the appliance with the modified messages. The adapted messages are either an HTTP or an HTTPS response or request. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html[# NSBASE-825]
System
- In a cluster deployment, if you run the "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.[# CGOP-6794, NSGI-1293]
- A Citrix ADC appliance might generate a false SNMP SYN flood entity trap if some internal connections cause a mismatch between the number of TCP SYN received and the number of TCP connections established.[# NSHELP-18671]
- SYSLOG log messages get truncated after 1024 bytes.[# NSHELP-19484]
- The newnslog counter does not reset to zero after reaching the maximum threshold.[# NSHELP-19937]
- In rare cases, the Call Home process might crash, causing the appliance to restart. The issue occurs if a Call Home subprocess uses the same internal process ID (PID) as the previous subprocess.[# NSHELP-20334]
- After you specify correct login credentials, the Citrix ADM login fails and displays “Done” on the GUI.[# NSHELP-20819]
- A TCP transaction delay is observed if a Citrix ADC appliance is unable to use the TCP connection to connect to the back-end server. In this case, the appliance opens a new connection to forward the client requests to the back-end server after some waiting period. The waiting period ranges from 400 ms to 600 ms.[# NSHELP-9118]
- In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has "stayprimary" or “staysecondary” option set.[# NSNET-1646]
- The Citrix ADC appliance may display messages that are a result of file system compatibility checks that are performed when booting up. These messages are informational only, and do not have any adverse impact on the functioning of the Citrix ADC.[# NSPLAT-4384, NSPLAT-3243, NSPLAT-3417]
- Connections might hang if the size of the data being processed is more than the configured default TCP buffer size. Workaround: Set the TCP buffer size to the maximum size of data that needs to be processed.[# NSPOLICY-1267]
What's New in Previous Citrix ADC 12.1 Releases
The enhancements and changes that were available in Citrix ADC 12.1 releases prior to Build 54.16. The build number provided below the issue description indicates the build in which this enhancement or change was provided.
Admin Partition
- Save configuration of all admin partitions from the default partition: Administrators can now save the configuration of all the admin partitions at once from the default partition by using the "save ns config -all" command. Previously, administrators could not save the configuration of all the admin partitions from the default partition.[From Build 53.12][# NSUI-606]
Authentication, authorization, and auditing
- Support for validating end-to-end RADIUS authentication: A Citrix ADC appliance can now validate end-to-end RADIUS authentication through the Citrix ADC GUI. A new "test" button is introduced in the GUI for this purpose. A Citrix ADC administrator can use this feature to:
  - Consolidate the complete flow (packet engine, AAA daemon, external server) for better analysis.
  - Reduce the time spent validating and troubleshooting issues related to individual scenarios.
  [From Build 50.31][# NSAUTH-1097, ENH0713160]
- Custom attributes support on OpenID Connect: A Citrix ADC appliance configured as an IdP can now send extra attributes in the OpenID Connect id_token by using expressions. Advanced policy expressions send the custom attributes as required. The Citrix IdP evaluates the expressions corresponding to the attributes and then computes the final token with the resulting values.[From Build 51.19][# NSAUTH-22]
- ADFS Proxy Integration Protocol compliance: A Citrix ADC appliance now has a native proxy server that can use the ADFS Proxy Integration Protocol (ADFSPIP) to establish trust between the proxy server and the ADFS farm. Note: This feature is under technical preview. For more information, see https://docs.citrix.com/en-us/citrix-adc/13/aaa-tm/adfspip-compliance.html.[From Build 53.12][# NSAUTH-27]
- Hardware token support for Native OTP: A Citrix ADC appliance with Native OTP now supports hardware tokens along with third-party solutions that conform to the RFC 6238 time-based one-time password (TOTP) standard. The Citrix ADC uses a time slice of 30 seconds and the HMAC-SHA1 algorithm. For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/native-otp-authentication.html[From Build 51.19][# NSAUTH-4]
- Metadata reading and generation support for SAML SP and IdP configuration: A Citrix ADC appliance now supports metadata files as a means of configuring both SAML Service Provider (SP) and Identity Provider (IdP) entities. A metadata file is a structured XML file that describes the configuration of an entity. The metadata files for SP and IdP are separate, and depending on the deployment, one SP or IdP entity can have multiple metadata files. As an administrator, you can export and import SAML SP and IdP metadata files on Citrix ADC.[From Build 50.31][# NSAUTH-4008, NSHELP-595, ENH0689985]
- Encrypted tokens support on OpenID Connect: A Citrix ADC appliance using the OpenID Connect mechanism now supports sending encrypted tokens along with signed tokens. The appliance uses the JSON Web Encryption specification to compute the encrypted tokens and supports only compact serialization of encrypted tokens. To encrypt an OpenID token, the appliance needs the public key of the relying party (RP). The public key is obtained dynamically by polling the relying party's well-known configuration endpoint.[From Build 51.19][# NSAUTH-4167, NSAUTH-620, NSAUTH-1820]
- Support for self-service password reset: A Citrix ADC appliance now supports self-service password reset, a web-based password management solution that removes users' dependency on administrator assistance to change or reset their password. It is available both in Citrix ADC as an authentication, authorization, and auditing feature and in Citrix Gateway. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/sspr-support.html.[From Build 50.31][# NSAUTH-4204, ENH0703743]
- Support for noAuth authentication: A Citrix ADC appliance now supports the noAuth authentication capability, which lets you configure a defaultAuthenticationGroup parameter in the noAuthAction command. When a user is handled by this policy, the administrator can check for the presence of this group in the user's groups to determine that the user passed through the noAuth policy.[From Build 50.31][# NSAUTH-540, BUG0711009]
- Setting the NSC_TMAS cookie for HTTPS: A Citrix ADC appliance now sets the NSC_TMAS cookie only as a secure cookie for secure (HTTPS) traffic management servers.[From Build 50.31][# NSHELP-8493]
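The interoperability point in the Native OTP hardware token item above is the parameter set: RFC 6238 TOTP with a 30-second time step and HMAC-SHA1. The following is an added example (not Citrix code) that generates and verifies a TOTP with exactly those parameters, checked against the RFC 6238 Appendix B reference vector; the token secret and the verification window of one step on either side are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed/reference value: the ASCII seed used for the RFC 6238 test vectors.
# A real hardware token ships its own seed, usually as a base32 string.
RFC6238_TEST_SEED = b"12345678901234567890"

TIME_STEP_SECONDS = 30  # the time slice the release note says the ADC uses


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                digits: int = 6, window: int = 1) -> bool:
    """Accept a code from the current step or `window` steps on either side,
    which tolerates small clock drift between the token and the verifier.
    The comparison is constant-time so a verifier does not leak matching prefixes."""
    current = unix_time // TIME_STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA1 row for T=59: 8-digit code 94287082
    print(totp(RFC6238_TEST_SEED, 59, digits=8))
    print(verify_totp(RFC6238_TEST_SEED, "287082", 59))
```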
Citrix ADC SDX Appliance
- Support for Citrix SD-WAN VPX instance: You can deploy a Citrix SD-WAN VPX instance on Citrix ADC SDX 14XXX and SDX 115XX appliances. For more information, see https://docs.citrix.com/en-us/sdx/12-1/deploy-sd-wan-vpx.[From Build 49.37][# NSSVM-2111]
- Severity column for SNMP alarms: You can now view the severity level of SNMP alarms. To view it, log on to the Citrix ADC user interface, navigate to System Alarms, and check the levels under the Severity column.[From Build 50.31][# NSHELP-12401]
- Support for new SNMP traps: The following new SNMP traps are now supported:
  - deviceBooted
  - deviceRebooted
  - inventoryPassed
  - logicalDrivePassed
  For more information about how to configure SNMP traps, see https://docs.citrix.com/en-us/sdx/12-1/manage-monitor-appliance-network-configuration/configuring-snmp-trap-destination.html.[From Build 50.31][# NSHELP-13543]
Citrix ADC VPX Appliance
- Support for vCPU-based perpetual licensing: Virtual CPU (vCPU)-based perpetual licensing is now supported for Citrix ADC VPX instances. This licensing meets the computing power requirements of VPX on-premises and cloud customers. For each VPX model, the existing Citrix ADC licensing editions apply: Standard Edition, Enterprise Edition, and Platinum Edition. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/licensing/netscaler-licensing-overview.html.[From Build 49.37][# NSPLAT-6155]
- Support for Azure Availability Zones in a high availability deployment: You can deploy a pair of Citrix ADC VPX appliances with multiple NICs in an active-passive high availability setup across Azure Availability Zones. For more information about Azure Availability Zones and what they offer, see the Azure documentation: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview[From Build 49.37][# NSPLAT-1776, 712503]
- Support for VMware ESXi 6.7 server: Citrix ADC VPX instances now support VMware ESXi 6.7. For more information, see table 2 on this page: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/supported-hypervisors-features-limitations.html.[From Build 49.37][# NSPLAT-3716]
- Support for VMware vMotion: From this release, you can migrate a Citrix ADC VPX instance by using VMware vMotion. vMotion does not support Citrix ADC VPX instances configured to use SR-IOV and PCI passthrough interfaces; the supported interfaces are E1000 and VMXNET3. For more information, see the "Install a Citrix ADC VPX instance on VMware ESX" topic: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/install-vpx-on-esx.html[From Build 51.19][# NSHELP-15343]
- Support for Citrix ADC VPX instance on Google Cloud Platform: You can deploy a Citrix ADC VPX instance on Google Cloud Platform (GCP). A VPX instance in GCP lets you use the cloud computing capabilities of GCP together with Citrix load balancing and traffic management features. You can deploy VPX instances in GCP as standalone instances. Both single-NIC and multi-NIC configurations are supported. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-google-cloud.html.[From Build 50.31][# NSPLAT-2006, ENH0709691]
- Citrix ADC VPX support for AWS China region: Citrix ADC VPX deployment (both standalone and high availability) is now supported in the AWS China region.[From Build 50.31][# NSPLAT-2237, ENH0518744]
- Support for RHEL 7.5: RHEL version 7.5 is now supported for Citrix ADC VPX instance deployment on Linux KVM. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/supported-hypervisors-features-limitations.html.[From Build 50.31][# NSPLAT-3755, ENH0714623]
Citrix Gateway
- nFactor authentication support using the Windows VPN plug-in: nFactor authentication is now supported with the Windows VPN plug-in.[From Build 49.37][# CGOP-1163]
- Support for USB redirection in Citrix Gateway enabled PCoIP proxy: USB devices connected to the client machine can be accessed from virtual desktops and apps.[From Build 49.37][# CGOP-1950]
- GUI enhancements aiding STA server troubleshooting and seamless app launch: The following GUI enhancements are made:
  - In the XA-XD wizard, under the StoreFront settings, a Test STA Connectivity button is added to test connectivity to the STA servers.
  - In the XA-XD dashboard page, the Gateway entry list shows the STA server and StoreFront server status.
  - In the Citrix Gateway Virtual Server page, you can view the status of the STA servers bound to a VPN virtual server.
  [From Build 49.37][# NSHELP-12979]
- AlwaysON service establishes a VPN tunnel before user login: Citrix Gateway can now establish a VPN tunnel even before users log in to a Windows system. This enhanced capability enables the following:
  - The Windows machine becomes a part of the corporate intranet even before users log in, allowing IT administrators to access the client machine from the corporate network for debugging purposes.
  - The Windows machine can verify a user's login credentials against the corporate Active Directory (AD). This avoids caching Windows credentials on the machine and allows new corporate AD users to log in to the same machine.
  - The Windows machine remains connected to the corporate network even when different users log in.
  For more information, see https://docs.citrix.com/en-us/citrix-gateway/12-1/vpn-user-config/alwayson-service-for-windows.html.[From Build 51.19][# CGOP-5585]
- Device Certificate in nFactor as an EPA component: You can configure Device Certificate in nFactor as an EPA component.[From Build 50.31][# CGOP-5758, ENH0701170]
- Advanced Clientless VPN access: Outlook Web Access 2016 and SharePoint 2016 are supported for clientless access. SharePoint no longer needs to use the default folder for rewriting URLs.[From Build 50.31][# CGOP-6174, ENH0671584]
- New virtual adapter for Windows VPN plug-in: Microsoft recommends using type "Other" for a virtual network adapter. Based on this recommendation, the Citrix virtual adapter type is changed from "Ethernet" to "Other".[From Build 51.19][# CGOP-9519]
Citrix Secure Web Gateway
- Support for new SWG platforms: Citrix Secure Web Gateway (SWG) is supported on the Citrix SWG MPX 5900/8900 and Citrix SWG SDX 8900 platforms.[From Build 49.37][# NSSSL-1603]
- Integration with IPS or NGFW as inline devices: A Citrix Secure Web Gateway (SWG) appliance can now integrate with inline security devices, such as an Intrusion Prevention System (IPS) and a Next Generation Firewall (NGFW). This integration helps protect servers and users from web-borne threats hidden in encrypted traffic. The Citrix SWG appliance offloads TLS/SSL processing from the inline devices, and if there are multiple inline devices, it also load balances the traffic across them.[From Build 50.31][# NSBASE-2703, ENH0659611]
- Configuring seed database path and cloud server name: You can now manually configure the seed database path and the cloud lookup server name. To do this, two new parameters, "CloudHost" and "SeedDBPath", are added to the URL filtering parameter command. For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-categorization.html[From Build 50.31][# NSSWG-399, NSSWG-475, ENH0713975]
- Performing an explicit subdomain match: You can now perform an explicit subdomain match for an imported URL set. To do this, a new parameter, "subdomainExactMatch", is added to the "import policy URLset" command. When you enable the parameter, the URL filtering algorithm performs an explicit subdomain match. For example, if the incoming URL is "news.example.com" and the entry in the URL set is "example.com", the algorithm does not match the URLs. For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-list.html[From Build 50.31][# NSSWG-686, ENH0711662]
- Displaying imported URL sets: You can now display imported URL sets in addition to added URL sets. To do this, a new parameter, "imported", is added to the "show urlset" command. If you enable this option, the appliance displays all imported URL sets and distinguishes them from the added URL sets. For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-list.html[From Build 50.31][# NSUI-1191, ENH0714076]
- Configuring seed database path and cloud server name: You can now manually set the cloud lookup server name and the seed database path. To do this, two new parameters, "CloudHost" and "SeedDBPath", are added to the URL filtering parameter command. For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/url-filtering/url-categorization.html[From Build 50.31][# NSUI-1210, ENH0715434]
Citrix Web App Firewall
- Citrix Web App Firewall (WAF) support on CPX platform: The Citrix Web App Firewall (WAF) feature is now supported on the CPX platform. For more information, see the Citrix Web App Firewall topic.[From Build 49.37][# NSWAF-331, 622337, 622388, 625083]
- Securing web traffic with HTTP RFC compliance: You can now secure your web traffic with HTTP RFC compliance by setting the RFC profile to "Block" or "Bypass" mode. Any invalid traffic (request or response) that matches the Citrix Web App Firewall profile is then implicitly blocked or bypassed accordingly.[From Build 49.37][# NSHELP-2857]
- Rebranding Citrix ADC App Firewall to Citrix Web App Firewall: In accordance with Citrix rebranding guidelines, the Citrix ADC App Firewall feature is now renamed Citrix Web App Firewall in the Citrix ADC GUI.[From Build 50.31][# NSUI-1219, ENH0715820]
- Bypass or block non-RFC compliant HTTP requests: A new parameter, "malformedReqAction", is added to the application firewall global settings. You can configure this parameter to bypass or block non-RFC compliant requests. Previously, there was no option to block or bypass invalid HTTP requests; they were dropped. For example, if an incoming request is missing the Host header, the appliance can block or bypass it according to the "malformedReqAction" parameter. Warning: If you disable the "block" option in the "malformedReqAction" parameter, the appliance bypasses app firewall processing for all non-RFC compliant requests and forwards them to the next module.[From Build 51.19][# NSWAF-605]
Clustering
- Cluster support for ANY type of virtual server: The Citrix ADC appliance now supports the "ANY" type of virtual server while gracefully handling nodes in a cluster deployment.[From Build 49.37][# NSNET-3039]
- GRE tunnel based steering support for L2 cluster deployments: The Citrix ADC appliance now supports GRE tunnel based packet steering in an L2 cluster deployment.[From Build 49.37][# NSNET-3045]
DNS
- Jumbo frame support for DNS to handle UDP responses of large sizes: DNS now supports jumbo frames for handling UDP responses larger than 1,280 bytes. You can set the maximum UDP packet size that the appliance can handle in proxy, ADNS, and forwarder modes by configuring the Maximum UDP Packet Size parameter. The maximum UDP packet size is 16,384 bytes.[From Build 49.37][# NSHELP-12560]
- Service discovery using DNS SRV records: You can use DNS SRV records to discover service endpoints. Citrix ADC is configured to periodically query the DNS servers for the SRV record associated with a service. On receiving the SRV record, each target host published in the record is bound to the service group associated with the service, and each binding inherits the port, priority, and weight from the SRV record. For each service deployment, you configure the Citrix ADC once during bring-up, making it a single-touch deployment for applications. For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/dns/service-discovery-using-dns-srv-records.html.[From Build 51.19][# NSHELP-18130]
GSLB
- Support for generation of SNMP traps for GSLB configuration synchronization: A Citrix ADC appliance now generates SNMP traps for both local and remote sites when you synchronize the GSLB configuration. SNMP traps are generated for both manual synchronization and real-time synchronization.[From Build 49.37][# NSHELP-3963]
- Support for GSLB parent-child topology in Citrix ADC clusters: The GSLB parent-child topology is now supported in Citrix ADC clusters. For parent and child sites to exchange aggregated statistics in metric-based load balancing methods, you must add local GSLB services on the child site.[From Build 49.37][# NSHELP-11684]
- GSLB supports multi-IP virtual servers: GSLB now supports multi-IP virtual servers. In cloud deployments, for autoscaling of Citrix ADC instances, you can use an IPset if Citrix ADC is used both for GSLB and as the autoscaling load balancing endpoint. The statistics and the state of the virtual server are collected irrespective of the IP address provided to the GSLB service. Parent-child topology is supported with IPset; communication between the parent and the child sites always uses the public IP address and the public port of the GSLB service. Also, site persistence works irrespective of the IP addresses associated with the GSLB service. Only one IP address is associated with a GSLB service; you cannot associate an IPset with a GSLB service.[From Build 50.31][# NSLB-424, ENH0710454]
- Gracefully aborting the GSLB configuration synchronization when the master and slave nodes are on different Citrix ADC versions: The Citrix ADC appliance now checks the firmware version on the master and slave nodes before initiating synchronization. If the nodes run different versions, the synchronization is aborted for that remote site to avoid pushing incompatible changes across versions, and an error message displays the details of the site on which the synchronization was aborted.[From Build 50.31][# NSLB-780, BUG0711371]
HDX Insight
- View HDX Insight reports for EDT traffic: HDX Insight reports can be viewed for EDT traffic. By default, the HDX Insight and EDT features are disabled.[From Build 49.37][# NSINSIGHT-141]
Load Balancing
- Support for graceful shutdown of services in Citrix ADC clusters: Citrix ADC clusters now support graceful shutdown of services. To gracefully shut down services, perform one of the following tasks:
  - Explicitly disable the service, and set a delay (in seconds) or enable graceful shutdown.
  - Add a TROFS code or string to the monitor.
  [From Build 49.37][# NSHELP-12258]
- Detect transport failures over established Gx connections: A Citrix ADC appliance can now be configured to detect transport failures over established Gx connections by using device watchdog request (DWR) and device watchdog answer (DWA) messages.[From Build 51.19][# NSBASE-6545]
- Clear subscriber database when Gx interface fails: The purgeSDBonGxFailure parameter can now be used to clear all subscriber sessions if the Gx interface fails. Gx interface failure includes both DWR monitoring (if enabled) and network healthCheck (if enabled).[From Build 51.19][# NSBASE-6546]
- Increase in Citrix ADC system limit for unique load balancing monitors: The Citrix ADC system limit for unique load balancing monitors is now increased to 16360.[From Build 50.31][# NSHELP-18135]
- Getting location details from user IP address using geo database: A Citrix ADC appliance performs geolocation (policy-based) user authorization. When a user request arrives from a particular location, the appliance uses the IP address to retrieve the user's location details from a geo database, evaluates the location details using geolocation (responder and rewrite) policies, and optionally logs the location details through the audit logging mechanism. After policy evaluation, based on the Citrix ADC configuration, the appliance or the back-end server sends a suitable response.[From Build 50.31][# NSLB-325, NSHELP-3740, ENH0688198]
- Creating negative sessions when PCRF is down: If the PCRF server is down, the Citrix ADC appliance creates negative sessions for the pending or incoming Gx subscriber requests. When the PCRF server is back up, the appliance prevents a storm of requests by waiting for the negative sessions to expire before performing the specific subscriber requests.[From Build 50.31][# NSLB-519, BUG0713709]
NITRO
- Retrieving LOM port firmware version: The nshardware NITRO API resource now supports retrieving the firmware version of the LOM port of a Citrix ADC appliance.[From Build 50.31][# NSHELP-4797, ENH0695712]
Networking
- USIP support on a v4-to-v6 load balancing configurationEarlier, in a v4-to-v6 load balancing configuration, the Citrix ADC used to include one of the configured IPv6 SNIP address as the source IP address in the translated IPv6 requests packet to the servers. The Citrix ADC used to include an IPv6 SNIP address even when the USIP option is enabled for the related load balancing services.Now, USIP NAT prefix parameter has been introduced for making the servers aware of the client’s IP address of the request packets. USIP NAT prefix is a global IPv6 prefix of length 96 bits (128-32=96) configured on Citrix ADC.For a load balancing service that has USIP enabled, the ADC translates the IPv4 request packet to an IPv6 packet and sets the source IP address of the translated IPv6 packet to a concatenation of the USIP NAT prefix [32/40/48/56/64/96 bits] and the IPv4 source address [32 bits] that was received in the request packet.On receiving an IPv6 response packet from the server, the ADC translates the IPv6 packet to an IPv4 packet and sets the destination IP address of the translated IPv4 packet to the last 32 bits of the destination IP address of the IPv6 packet.Note: This feature is not supported for gateway configuration and, content switching and cache redirection load balancing configurations.[From Build 49.37][# NSHELP-15478]
- Clear traps for HA-LICENSE-MISMATCH and HA-STICKY-PRIMARY SNMP alarms
  The Citrix ADC now sends SNMP clear traps to the configured trap destinations for the HA-LICENSE-MISMATCH and HA-STICKY-PRIMARY SNMP alarms.
  [From Build 51.19][# NSHELP-286]
- Dynamic routing support on shared VLANs
  In a partitioned Citrix ADC appliance, dynamic routing now supports both dedicated and shared VLAN configurations. Dynamic routing is supported for both IPv4 and IPv6 addresses.
  [From Build 51.19][# NSHELP-300, NSNET-5662]
- BGP ECMP support for route paths in multiple autonomous systems
  The BGP protocol in a Citrix ADC appliance now supports load balancing route traffic across equal-cost BGP neighbors in different autonomous systems.
  [From Build 50.31][# NSHELP-329, ENH0710330]
- Support to configure HTTP and HTTPS management ports
  In a single-IP mode deployment of a Citrix ADC appliance, a single IP address is used as the NSIP, SNIP, and VIP address, with different port numbers serving the NSIP, SNIP, and VIP functions.
  Port numbers 80 and 443 are the well-known ports for HTTP and HTTPS services. Earlier, ports 80 and 443 of the Citrix ADC IP address (NSIP) were dedicated to the internal HTTP and HTTPS management services. Because these ports were reserved for internal services, you could not use them to provide HTTP and HTTPS data services from a VIP address that has the same address as the NSIP address in a single-IP mode deployment.
  To address this requirement, you can now configure ports other than 80 and 443 for the internal HTTP and HTTPS management services of the NSIP address.
  The default port numbers for the internal HTTP and HTTPS management services on Citrix ADC MPX, VPX, and CPX appliances are:
  - Citrix ADC MPX and VPX appliances: 80 (HTTP) and 443 (HTTPS)
  - Citrix ADC CPX appliances: 9080 (HTTP) and 9443 (HTTPS)
  [From Build 50.31][# NSNET-1630, BUG0708735]
- Display reason for high availability sync failure
  In a high availability setup, the Citrix ADC GUI and CLI now display the reason for an HA sync failure.
  [From Build 51.19][# NSNET-2859]
- Support for IPv4 VIP route health injection and BGP dynamic routing protocol in a Citrix ADC CPX appliance
  The Citrix ADC CPX appliance now supports route health injection of IPv4 VIP addresses into its routing table and advertisement of these VIP routes to neighbor routers and networking devices using the BGP dynamic routing protocol.
  [From Build 50.31][# NSNET-2897, ENH0709944]
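The address arithmetic described in the USIP NAT prefix item above (prefix bits followed by the 32-bit IPv4 source, and the last 32 bits of the IPv6 destination on the way back), as an added example that is not part of the release note or of Citrix's own code. The prefix 64:ff9b::/96, the client address 192.0.2.1, and the zero-filling of low-order bits for prefixes shorter than /96 are this example's own assumptions; it also adds a check a back-end server can run on a logged IPv6 source address before trusting the embedded client IP.

```python
import ipaddress
from typing import Optional

# Prefix lengths the release note lists for the USIP NAT prefix.
ALLOWED_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def usip_nat_prefix(prefix: str) -> ipaddress.IPv6Network:
    """Parse a USIP NAT prefix and reject lengths the note does not list."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen not in ALLOWED_PREFIX_LENGTHS:
        raise ValueError(f"unsupported USIP NAT prefix length /{net.prefixlen}")
    return net


def translated_v6_source(prefix: str, ipv4_src: str) -> ipaddress.IPv6Address:
    """Source address of the IPv6 request the ADC sends to the server.

    The note describes it as the NAT prefix bits followed by the 32-bit IPv4
    source address. With a /96 prefix that fills all 128 bits; for shorter
    prefixes this example leaves the remaining low-order bits zero (an
    assumption of this example, the page does not say what fills them).
    """
    net = usip_nat_prefix(prefix)
    v4 = int(ipaddress.IPv4Address(ipv4_src))
    shift = 128 - net.prefixlen - 32
    return ipaddress.IPv6Address(int(net.network_address) | (v4 << shift))


def translated_v4_destination(ipv6_dst: str) -> ipaddress.IPv4Address:
    """Destination of the IPv4 response: the last 32 bits of the IPv6 destination."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(ipv6_dst)) & 0xFFFF_FFFF)


def round_trip_preserves_client(prefix: str, ipv4_src: str) -> bool:
    """Check that a server reply to the translated source maps back to the client.

    Under this example's zero-fill assumption only a /96 prefix places the
    IPv4 address in the low 32 bits that the reverse translation reads.
    """
    v6 = translated_v6_source(prefix, ipv4_src)
    return translated_v4_destination(str(v6)) == ipaddress.IPv4Address(ipv4_src)


def client_ip_from_server_log(ipv6_src: str, prefix: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the real client IPv4 from an IPv6 source address a server logged.

    Returns None when the logged address lies outside the configured NAT
    prefix, so the server must not treat it as a USIP-translated client.
    """
    net = usip_nat_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6_src)
    if addr not in net:
        return None
    shift = 128 - net.prefixlen - 32
    return ipaddress.IPv4Address((int(addr) >> shift) & 0xFFFF_FFFF)


if __name__ == "__main__":
    # Constructed sample values, not taken from the release note.
    v6 = translated_v6_source("64:ff9b::/96", "192.0.2.1")
    print(v6, translated_v4_destination(str(v6)))
    print(round_trip_preserves_client("64:ff9b::/96", "192.0.2.1"))
    print(client_ip_from_server_log("2001:db8:c000:201::", "2001:db8::/32"))
```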
Platform
- Support for Citrix ADC MPX 15000-50G platform
  This release supports the Citrix ADC MPX 15000-50G platform. It includes the MPX 15020-50G, MPX 15030-50G, MPX 15040-50G, MPX 15060-50G, MPX 15080-50G, and MPX 15100-50G models.
  [From Build 50.31][# NSPLAT-4724]
- Support for Citrix ADC MPX 26000 platform
  This release supports the Citrix ADC MPX 26000 platform. It includes the MPX 26100, MPX 26160, and MPX 26200 models.
  [From Build 50.31][# NSPLAT-4909, NSPLAT-3127, NSPLAT-4087, TSK0637172]
- Support for Citrix ADC MPX 26000-100G platform
  This release now supports the Citrix ADC MPX 26000-100G and Citrix ADC MPX 26000T-100G platforms. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-100g-26000T-100g.html.
  [From Build 50.31][# NSPLAT-6288, NSPLAT-3076, ENH0648922]
- Support for Citrix ADC MPX 15000 platform
  This release supports the Citrix ADC MPX 15000 platform. It includes the MPX 15020, MPX 15030, MPX 15040, MPX 15060, MPX 15080, and MPX 15100 models.
  [From Build 50.31][# NSPLAT-7566, ENH0688399]
- Support for Citrix ADC MPX 26000-50S platform
  This release supports the MPX 26000-50S platform.
  [From Build 50.31][# NSPLAT-7606, NSPLAT-4122, NSPLAT-3133, NSPLAT-4047]
- Support for Citrix ADC MPX 26000-50S platform
  This release supports the Citrix ADC MPX 26000-50S platform. It includes the MPX 26100-50S, MPX 26160-50S, and MPX 26200-50S models. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-50s.html.
  [From Build 50.31][# NSSSL-1855, NSSSL-2056, ENH0682991]
Policies
- New API support for reusing a server connection for other client connections in the server context
  Citrix ADC API support is now added for reusing a server connection for other client connections in the server context. This API can be used only if an EOM event is used in the ns.send() API for sending the data in the client context.
  [From Build 49.37][# NSEXT-285]
- RSA encryption with no padding policy function
  Policy-based RSA encryption now supports the PKEY_ENCRYPT_PEM_NO_PADDING() policy function for a no-padding operation. The policy function works like the PKEY_ENCRYPT_PEM() function, except that it uses the RSA_NO_PADDING method instead of RSA_PKCS1_PADDING. The pkey parameter is a text string with a PEM-encoded RSA public key. As with PKEY_ENCRYPT_PEM(), you can use a policy expression for the key.
  [From Build 49.37][# NSPOLICY-623]
- API support to fetch TCP or SSL related info in the extension
  The Citrix ADC appliance now supports API-based protocol extensions for fetching TCP- or SSL-related data in the extension.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/api-reference.html#ssl-context.
  [From Build 50.31][# NSEXT-280, ENH0715744]
- API support for modifying traffic
  The Citrix ADC appliance now supports API-based protocol extensions for modifying TCP stream data.
  [From Build 50.31][# NSEXT-281, ENH0715180]
- API support in protocol extension to send data to the client and server
  The Citrix ADC appliance now supports an ns.send() API to send data from extension code to the client and to the origin server. To send or receive data directly with the client from the client context, you must use ctxt.client as the target. To send or receive data directly with the server from the server context, you must use ctxt.server as the target. The data in the payload can be a TCP stream or a Lua string.
  [From Build 50.31][# NSEXT-283, ENH0715743]
- API support to fetch client or server IP address in the extension
  The Citrix ADC appliance now supports API-based protocol extensions for fetching the client or server IP address in the extension.
  For more information, see https://docs.citrix.com/en-us/citrix-adc/12-1/citrix-adc-extensions/api-reference.html.
  [From Build 51.19][# NSEXT-287]
- String literals for expressions
  The 255-byte limit for string literals in Advanced policy expressions has been removed; a string literal can now be as long as the policy expression itself, which is allowed to be 1499 or 8191 bytes long. Previously, a string literal within quotes was limited to 255 bytes.
  [From Build 51.19][# NSHELP-16014]
- Adding milliseconds to system time format
  Advanced policy expressions can now provide the system time at millisecond or microsecond granularity. Previously, the time format was an unsigned long number in Nano format.
  Example: "Fri, 26 Aug 2016 12:22:01:<milliseconds>"
  [From Build 51.19][# NSHELP-16081]
- NSPEPI tool enhancement
  The NSPEPI conversion tool has been enhanced to perform the following:
  1. Convert Classic policy expressions to Advanced policy expressions.
  2. Convert certain Classic policies and their entity bindings to Advanced policies and bindings.
  3. Convert a few additional deprecated features to their corresponding non-deprecated features.
  4. Log information in an improved manner.
  [From Build 51.19][# NSPOLICY-507]
SSL
- Support for AES-based PEM encoding
  You can now use the AES256 algorithm with the PEM key format to encrypt a private key on the Citrix ADC appliance. AES with a 256-bit key is mathematically efficient and secure compared to the 56-bit key of DES. Select 'aes256' in the following CLI command:
  create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform (DER | PEM )] [-des | -des3 | -aes256] {-password }
  [From Build 49.37][# NSHELP-13341, 710620]
- Support for DTLS protocol on the Citrix ADC MPX FIPS platform
  The MPX 14000 FIPS platform now supports the DTLS protocol end-to-end. That is, the protocol is supported on both the client side and the server side. The following cipher suites are supported:
  - TLS1-AES-256-CBC-SHA
  - TLS1-AES-128-CBC-SHA
  - TLS1-ECDHE-RSA-AES256-SHA
  - TLS1-ECDHE-RSA-AES128-SHA
  - TLS1-ECDHE-RSA-DES-CBC3-SHA
  Note: Enlightened Data Transport (EDT) is supported on the FIPS platform if all of the following conditions are met:
  - The UDT MSS value set on StoreFront is 900.
  - The Windows client version is 4.12 or later.
  - The DTLS-enabled VDA version is 7.17 or later.
  - The non-DTLS VDA version is 7.15 LTSR CU3 or later.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37][# NSHELP-14588]
- Support for TLSv1.3 protocol on the front end of Citrix ADC VPX and select MPX appliances
  The Citrix ADC VPX and N3 chip based MPX appliances now support the TLSv1.3 protocol as specified in RFC 8446. For N3 chip based MPX appliances, the support is currently software only; that is, the processing is not offloaded to the hardware (SSL acceleration chip). To use TLS1.3, you must use a client that conforms to the RFC 8446 specification. The following ciphers are supported on the front end:
  - TLS1.3-AES256-GCM-SHA384 (0x1302)
  - TLS1.3_CHACHA20_POLY1305_SHA256 (0x1303)
  - TLS1.3-AES128_GCM-SHA256 (0x1301)
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/tls13-protocol-support.html.
  [From Build 49.37][# NSSSL-4241, 664161]
- Support for wildcard in the subject alternative name in a certificate signing request
  You can now use wildcards in the subject alternative name (SAN) entry of a certificate signing request. For example, *.example.com.
  [From Build 49.37][# NSHELP-14922]
- Support for client-hello based expressions and a new bind point
  A new bind point 'CLIENTHELLO_REQ' is now available to evaluate SSL policies when a client hello message is received. That is, the policy is evaluated after the client hello message is parsed. A 'FORWARD' action is added to forward the client traffic to a target load balancing virtual server. The target load balancing virtual server can be of type SSL, SSL_BRIDGE, or TCP.
  In this release, only the forward and reset actions are supported for the CLIENTHELLO_REQ bind point. The following expression prefixes are available:
  - CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE
  - CLIENT.SSL.CLIENT_HELLO.CLIENT_VERSION
  - CLIENT.SSL.CLIENT_HELLO.IS_RENEGOTIATE
  - CLIENT.SSL.CLIENT_HELLO.IS_REUSE
  - CLIENT.SSL.CLIENT_HELLO.IS_SCSV
  - CLIENT.SSL.CLIENT_HELLO.IS_SESSION_TICKET
  - CLIENT.SSL.CLIENT_HELLO.LENGTH
  - CLIENT.SSL.CLIENT_HELLO.SNI
  For more information about the new bind point, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-actions-and-policies/bind-ssl-policies-vserver.html.
  For more information about the new expression prefixes, see https://docs.citrix.com/en-us/netscaler/12-1/appexpert/policies-and-expressions/ns-pi-ae-parse-ssl-certs-wrapper-con.html#parse-ssl-client-hello.
  [From Build 49.37][# NSSSL-169]
- Increase in the OCSP cache timeout limit
  The cache timeout limit is now increased to a maximum of 43,200 minutes (30 days). Earlier, the limit was 1,440 minutes (one day). The increased limit reduces the lookups on the OCSP server and avoids SSL/TLS connection failures when the OCSP server is not reachable because of network or other problems.
  [From Build 49.37][# NSHELP-14947]
- Support for non-secure renegotiation on a DTLS service
  Non-secure renegotiation is now supported on a DTLS service (back end) on Citrix ADC MPX and VPX appliances.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37][# NSSSL-1291]
- Support for a new SSL action to forward traffic to another virtual server
  You can now forward the traffic received on an SSL virtual server to a load balancing virtual server to avoid SSL offloading or terminating the connection on the ADC appliance. For example, if the appliance does not have a certificate or does not support a specific cipher, instead of terminating the connection, admins can choose to forward the request to a load balancing virtual server for further action. This virtual server can be of type SSL, TCP, or SSL_BRIDGE.
  [From Build 49.37][# NSSSL-341]
- Support for PFS on a DTLS virtual server
  The following cipher suites are now supported on a DTLS virtual server (front end). These ciphers help achieve PFS (Perfect Forward Secrecy).
  - SSL3-EDH-RSA-DES-CBC3-SHA
  - SSL3-EDH-RSA-DES-CBC-SHA
  - TLS1-ECDHE-RSA-AES256-SHA
  - TLS1-ECDHE-RSA-AES128-SHA
  - TLS1-ECDHE-RSA-DES-CBC3-SHA
  - TLS1-DHE-RSA-AES-128-CBC-SHA
  - TLS1-DHE-RSA-AES-256-CBC-SHA
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37][# NSSSL-1347, 711810]
- Support for PFS on a DTLS service
  The following cipher suites are now supported on a DTLS service (back end). These ciphers help achieve PFS (Perfect Forward Secrecy).
  - TLS1-ECDHE-RSA-AES256-SHA
  - TLS1-ECDHE-RSA-AES128-SHA
  - TLS1-DHE-RSA-AES-128-CBC-SHA
  - TLS1-DHE-RSA-AES-256-CBC-SHA
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37][# NSSSL-1388]
- Clear the OCSP stapling cached response of server certificate
  You can now clear the cached OCSP responder response for the server certificate even before the timeout expires. Earlier, you had to wait until the configured timeout was over before the cached response was cleared.
  [From Build 49.37][# NSSSL-489]
- Support for SNI on a DTLS virtual server
  SNI (Server Name Indication) is now supported on a DTLS virtual server (front end) on Citrix ADC MPX and VPX appliances. You can bind multiple SNI certificates to a DTLS virtual server.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [From Build 49.37][# NSSSL-1457, 363547]
- Support for HSTS preload
  The Citrix ADC appliance supports adding the HSTS preload directive to the HTTP response header. To include the preload directive, you must set the "preload" parameter to YES on the SSL virtual server or in the SSL profile. The appliance then includes the preload directive in the HTTP response header sent to the client.
  [From Build 51.19][# NSHELP-13355]
- Support for KEK encryption in private key
  The password of the private key used while adding an SSL certificate-key pair is now saved using an encryption key that is unique to each Citrix ADC appliance.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/config-ssloffloading.html#add-or-update-a-certificate-key-pair.
  Important: Certificate keys are lost if you downgrade to a build earlier than release 12.1 build 50.x.
  [From Build 50.31][# NSHELP-14911]
- Support for PKCS#8 format in RSA, DSA, and ECDSA keys
  You can now create an RSA, DSA, or ECDSA key in PKCS#8 format. Earlier, the Citrix ADC appliance did not support this format, and you had to convert the key to a supported format, such as PKCS#12, before using it on the appliance. Also, you can now create certificate signing requests and add certificate-key pairs with PKCS#8 keys.
  [From Build 50.31][# NSHELP-4891, ENH0673657]
- Support for DTLSv1.0 protocol on additional Citrix ADC MPX appliances
  The DTLSv1.0 protocol is now supported on the following additional MPX appliances:
  - MPX 5900
  - MPX/SDX 8900
  - MPX/SDX 26000-100G
  - MPX/SDX 15000-50G
  Note: Enlightened Data Transport (EDT) is not supported on these platforms.
  [From Build 50.31][# NSSSL-1943, ENH0705163]
- Support for Enlightened Data Transport (EDT) on DTLSv1.0 protocol
  The DTLSv1.0 protocol is now supported with EDT on the following Citrix ADC appliances:
  - MPX 5900
  - MPX/SDX 8900
  - MPX/SDX 26000-100G
  - MPX/SDX 15000-50G
  [From Build 51.19][# NSSSL-1949]
- Software-only support for TLSv1.3 protocol on additional Citrix ADC MPX appliances
  The TLSv1.3 protocol (RFC 8446) is now supported on SSL virtual servers configured on the following additional Citrix ADC MPX appliances:
  - MPX 5900
  - MPX/SDX 8900
  - MPX/SDX 26000-100G
  - MPX/SDX 15000-50G
  This release includes a software-only implementation of TLSv1.3 and does not support hardware acceleration for cryptographic operations.
  [From Build 50.31][# NSSSL-1966, ENH0715273]
- SSL action to select the list of CAs based on SNI for client authentication
  Typically, multiple CA certificates are bound to SSL virtual servers. These CA certificates are used to verify the client certificate during client authentication. Earlier, the list of all the CAs bound to an SSL virtual server was sent in the client certificate request from the Citrix ADC appliance to the client. With this enhancement, only the CA certificates selected on the basis of the SNI (domain) are sent in the client certificate request.
  Note: This feature is not supported on TLSv1.3 and DTLS connections.
  [From Build 50.31][# NSSSL-504, ENH0709142]
- Support for optional client certificate verification with policy based client authentication
  You can set client certificate verification to optional when you have configured policy based client authentication. Previously, mandatory was the only option. Now both the optional and mandatory options are available and configurable.
  [From Build 53.12][# NSSSL-690]
- Support for optional client certificate verification with policy based client authentication
  You can set client certificate verification to optional when you have configured policy based client authentication. Previously, mandatory was the only option. Now both the optional and mandatory options are available and configurable.
  [From Build 52.15][# NSSSL-690]
Security
- ICAP support for Citrix ADC
  A Citrix ADC appliance now supports the Internet Content Adaptation Protocol (ICAP) for content transformation services on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP) servers. The ICAP servers perform a content transformation on the HTTP and HTTPS messages and send responses back to the appliance as modified messages. The adapted messages are either an HTTP or HTTPS response or request.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
  [From Build 50.31][# NSBASE-825]
System
- Telemetry Support in CallHome
  CallHome is now enhanced to send Citrix ADC usage metrics to Citrix Insight Services (CIS) periodically. Citrix collects the data to understand how the appliance works and how to improve the product. By default, CallHome sends the metrics once every 7 days.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/configuring-call-home.html
  [From Build 49.37][# NSCALLHOME-14]
- Two factor authentication for Citrix ADC management access
  The Citrix ADC appliance now supports two-factor authentication for enhanced security. An additional layer of security is added to the authentication process, so the user identity is verified at two authentication levels. Only if the passwords at both authentication levels are correct is the user allowed to access the Citrix ADC appliance. Previously, in the single-factor authentication process, the appliance authenticated the system user at only one level of authentication.
  [From Build 51.19][# NSAUTH-12]
- Inline device integration with Citrix ADC
  You can now integrate a Citrix ADC appliance with inline security devices such as an Intrusion Prevention System (IPS) and a Next Generation Firewall (NGFW). This integration prevents security threats and provides advanced security protection. The Citrix ADC appliance performs TLS/SSL processing and offloads the data to the inline device for high-volume content inspection. If there are multiple inline devices, the appliance load balances the devices for traffic distribution.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/inline-device-integration-with-citrix-adc.html
  [From Build 50.31][# NSBASE-4049, BUG0713041]
- Global control for content inspection logging
  You can now enable the audit log feature to log content inspection events on a Citrix ADC appliance at the global level.
  [From Build 52.15][# NSBASE-7470]
- Global control for content inspection logging
  You can now enable the audit log feature to log content inspection events on a Citrix ADC appliance at the global level.
  [From Build 53.12][# NSBASE-7470]
- Enabling TCP timestamp option
  In certain scenarios, transactions might be slow or incomplete if you enable the TCP timestamp option on a Citrix ADC appliance.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/TCP_Congestion_Control_and_Optimization_General.html
  [From Build 50.31][# NSBASE-843, BUG0710224]
- Maximum limit for name attribute is set to 64 characters
  In rate limiting, the maximum length of the name attribute is now increased to 64 characters.
  [From Build 50.31][# NSHELP-11115]
- View Citrix ADC time zone and NTP server IP address on FTU screen
  You can now configure the time zone and the NTP server IP address required for clock synchronization through the first-time-user (FTU) screen of the Citrix ADC GUI.
  [From Build 52.15][# NSUI-11641]
Telco
- Support for triggering negative TTL for partial success response code 2002
  You can use the following command to trigger negative TTL for the partial success response code 2002:
  set subscriber gxinterface -negativeTTLLimitedSuccess YES
  [From Build 49.37][# NSLB-576, 699466]
- IP prefix NAT support for TCP and HTTP load balancing configurations
  The IP prefix NAT feature is now supported for TCP and HTTP load balancing configurations. IP prefix NAT translates a part of the source IP address, instead of the complete address, of packets received on the Citrix ADC. IP prefix NAT changes one or more octets or bits of the source IP address.
  For more information about IP prefix NAT, see https://docs.citrix.com/en-us/netscaler/12-1/networking/ip-addressing/configuring-network-address-translation/partial-nat.html.
  [From Build 49.37][# NSBASE-1710]
- AppFlow support for Gx messages
  The Citrix ADC appliance now supports Gx message reporting, which enables the customer to maintain a log of subscriber session status. All received Credit-Control and Re-Auth Request Diameter messages are logged through the AppFlow/Logstream infrastructure. The reported records include:
  - Diameter message information, for example, type and response code.
  - Essential pre-selected Attribute-Value Pairs (AVPs), for example, session-id and MSISDN.
  - Information from up to five customer-defined AVPs.
  [From Build 50.31][# NSBASE-1752, ENH0699467]
- Support of Gx session information in subscriber awareness AppFlow records
  The Citrix ADC subscriber awareness functionality for L4 and L7 AppFlow records has been extended to include the subscriber session id along with the time stamp of the last Gx/Diameter message. This allows easier correlation of data-plane logs with the newly introduced Gx reporting records.
  [From Build 50.31][# NSBASE-2154, ENH0697881]
URL Filtering
- Display URL Categorisation result from CLI on demand (CLI implementation)
  The URL Filtering command interface enables you to enter a URL and get the categorization result (category, group, and reputation score) as returned by the NetSTAR SDK database.
  For more information, see https://docs.citrix.com/en-us/citrix-secure-web-gateway/12-1/url-filtering/url-categorization.html
  [From Build 51.19][# NSSWG-887]
Fixed Issues in Previous Citrix ADC 12.1 Releases
The issues that were addressed in Citrix ADC 12.1 releases prior to Build 54.16. The build number given below each issue description indicates the build in which the issue was addressed.
AAA-General
- Feature: Authentication, authorization, and auditing
  Support for push notification OTP
  Citrix Gateway now supports push notification OTP. You can configure Citrix Gateway so that login notifications are sent to your registered devices using push notification services. When you receive the notification OTP, you simply tap Allow on the notification to log in to Citrix Gateway. Once Citrix Gateway receives the OTP, it verifies the OTP, identifies the source of the request, and sends the response to that browser connection.
  [From Build 50.31][# NSAUTH-815, NSAUTH-32, ENH0695987]
Admin Partition
- The internal timer is not cleared properly during partition removal.[From Build 52.15][# NSHELP-18594]
- In a high availability setup with admin partition configuration, the audit logs generated from the secondary node are sent to SYSLOG or NSLOG server only when the SYSLOG or NSLOG server is reachable from the admin partition.[From Build 52.15][# NSHELP-19399]
- In a partitioned setup, the “diff ns config” CLI command displays misleading information.[From Build 53.12][# NSHELP-19530]
Analytics
- In some cases, the Citrix Gateway appliance dumps core during authentication if the following conditions are met:
  - The Citrix ADC appliance is configured for nFactor authentication.
  - The Gateway Insight feature is enabled for the appliance.
  [From Build 50.31][# NSHELP-5271, TSK0713011]
AppFlow
- The Citrix ADC appliance might crash if SSO is configured along with AppFlow, because the appliance might try to look up HTTP headers that are not present in the request or response.[From Build 51.19][# NSHELP-18128]
- In a high availability setup, the secondary appliance might keep on restarting if AppFlow is configured for Gateway Insight.[From Build 51.19][# NSHELP-18469]
- In a high availability setup, the secondary appliance might keep on restarting if AppFlow is configured for Gateway Insight.[From Build 52.15][# NSHELP-18469]
- If you configure multiple AppFlow collectors in an AppFlow action, a buffer overflow can occur, leading to an appliance failure.[From Build 52.15][# NSHELP-18562, NSHELP-18563]
- An AppFlow policy is not triggered if it is bound to a load balancing virtual server that is behind a content switching virtual server.[From Build 53.12][# NSHELP-18782]
- If an Internet Protocol Flow Information Export (IPFIX) message header is not in a correct sequence, the IPFIX collector drops the AppFlow records.[From Build 52.15][# NSHELP-18903]
- If you enable AppFlow and select logstream as the transport mode, the server processing time and the server network latency values may appear to be the same.[From Build 52.15][# NSHELP-19306]
- The Citrix ADC appliance might crash when a new user logs on. The crash happens if AppFlow logging is enabled on a VPN virtual server and memory allocation fails.[From Build 52.15][# NSHELP-19360]
- The Citrix ADC appliance crashes if you bind a user-defined analytics profile, other than the internally bound profile, to an AppFlow action.[From Build 52.15][# NSHELP-19362]
- When the AppFlow "client side measurements" feature is enabled, the Citrix ADC appliance unexpectedly parses the CSS files of an HTML page. Any error during the CSS parse can cause the HTML page to load incorrectly.[From Build 53.12][# NSHELP-19375]
- The Citrix ADC appliance might crash if AppFlow is disabled but front-end optimization (FEO) is enabled with client side measurements, in the FEO action.[From Build 53.12][# NSHELP-19531]
Authentication, authorization, and auditing
- A Citrix ADC appliance is unable to evaluate an advanced policy expression if you either bind the policy to a virtual server or to an authentication, authorization, and auditing group.[From Build 49.37][# NSHELP-968]
- A Citrix ADC appliance becomes unresponsive because of memory corruption when it handles jumbo frames.[From Build 49.37][# NSHELP-445, 712490, 711718, 698974, 714419, 712489]
- The Citrix ADC appliance might fail to establish an SSO connection to a back-end server, if the form-SSO has a hidden value containing special characters such as &, <, >, and ‘.[From Build 49.37][# NSHELP-939]
- In case of nFactor authentication, the extracted authentication, authorization, and auditing group name from certificate-factor are concatenated with the first extracted group from LDAP-factor without any delimiter.[From Build 49.37][# NSHELP-538]
- The authentication, authorization, and auditing feature does not evaluate the advanced authorization policies that are bound to authentication, authorization, and auditing user and group entities.[From Build 49.37][# NSAUTH-2218]
- The Citrix ADC appliance might become unresponsive if both of the following conditions are met:
  - A login schema policy with a reset action causes the reset function to send a reset packet and then free it later.
  - The same packet is freed again, resulting in a duplicate packet free condition.
  [From Build 49.37][# NSHELP-8346]
- The request to the back-end server fails if the following conditions are met:
  - The request URL to the back-end server is encoded before the authentication, authorization, and auditing session is established.
  - The Citrix ADC appliance decodes the URL after logon.
  [From Build 49.37][# NSHELP-963, 711806, 713423]
- If you configure "add kcdaccount xxx -keytab yyy" on release 12.1 build 49.x, the Citrix ADC appliance might become unresponsive.[From Build 49.37][# NSHELP-618, 713603, 713300]
- A Citrix ADC appliance with two-factor SAML authentication might cause an endless authentication loop.[From Build 49.37][# NSHELP-644, 714736]
- The self-service password reset knowledge-based question and answer validation might fail if the size of the certificate bound to VPN global is greater than 1024 bytes.[From Build 51.19][# NSAUTH-5342]
- You might fail to access a Citrix ADC appliance if you attempt to reach the protected resources through a POST request without a valid authentication, authorization, and auditing cookie.[From Build 51.19][# NSAUTH-81]
- A gradual memory leak is observed on a Citrix ADC appliance when both of the following hold:
  - nFactor authentication is used.
  - No default or true authentication policies are used.
  [From Build 50.31][# NSHELP-1642, TSK0717322]
- XML parsing fails if the Citrix ADC appliance adds an extra character to the SAML assertion.[From Build 51.19][# NSHELP-18158]
- A Citrix ADC appliance might crash if the clear config command is invoked while authentication, authorization, and auditing actions are being handled.[From Build 51.19][# NSHELP-18165]
- The title page from the Portal customization page of Citrix GUI does not update the title for authentication, authorization, and auditing portal.[From Build 51.19][# NSHELP-18168]
- The AAAD daemon might crash because of a memory corruption if the following conditions are met:
  - Nested group extraction is enabled on an Active Directory.
  - The extracted group length is between 52 and 56 bytes.
  [From Build 51.19][# NSHELP-18239, NSHELP-18258, NSHELP-18306]
- The AAAD daemon might crash because of a memory corruption if the following conditions are met:
  - Nested group extraction is enabled on an Active Directory.
  - The extracted group length is between 52 and 56 bytes.
  [From Build 50.31][# NSHELP-18239, NSHELP-18258, NSHELP-18306]
- The appliance sends SNMP traps even after SSH public key authentication succeeds.[From Build 53.12][# NSHELP-18303]
- The probe server command provides an appropriate message when the TACACS server closes the TCP connection with FIN or RST packets without sending an authentication response.[From Build 52.15][# NSHELP-18399]
- In a Citrix ADC appliance with two-factor authentication, the appliance prompts you to change the authentication password if the existing password has expired. During this prompt, the appliance deletes the authentication, authorization, and auditing information. The Citrix ADC appliance might crash when it attempts to access the deleted authentication, authorization, and auditing information.[From Build 52.15][# NSHELP-18474]
- A Citrix ADC appliance might fail when logging in end users to traffic management resources behind Citrix Gateway appliance.[From Build 52.15][# NSHELP-18517]
- A Citrix ADC appliance configured as a SAML SP fails if the server sends a large RelayState parameter along with the assertion.[From Build 52.15][# NSHELP-18559]
- If a Citrix ADC appliance is deployed for SAML SP solution, SAML assertions are occasionally rejected.[From Build 52.15][# NSHELP-18574]
- A Citrix ADC appliance might fail if the authentication, authorization, and auditing feature is disabled while accessing Citrix Gateway appliance.[From Build 52.15][# NSHELP-18601]
- If the related policy evaluation fails during an end-point analysis authentication, the Citrix ADC appliance might close the authentication, authorization, and auditing session. This closure of the session might cause the appliance to fail.[From Build 52.15][# NSHELP-18638]
- When a Citrix ADC appliance is configured as a SAML IdP, requests from certain SAML SPs that contain a URL-encoded RelayState parameter might cause an issue after login.[From Build 52.15][# NSHELP-18694]
- A Citrix ADC appliance might crash while parsing an invalid SAML response.[From Build 52.15][# NSHELP-18701]
- The Citrix GUI displays the configured server IP address in the Server Name field for an authentication RADIUS action if both of the following conditions are true:
  - You set the Server IP address parameter after setting the Server Name parameter.
  - The Server Name Length parameter is not set to zero.
  [From Build 52.15][# NSHELP-18703]
- If the SAML Service Provider (SP) does not send sessionIndex in the logout request to SAML Identity Provider (IdP), then SAML IdP returns an error instead of completing the logout process.[From Build 52.15][# NSHELP-18722]
- The FormSSO fails if any of the form fields is more than 1365 bytes in length.[From Build 52.15][# NSHELP-18783]
- When you access StepUp load balancing virtual server home page with SelfAuth bookmark, the user name is not prepopulated in the next login screen.[From Build 52.15][# NSHELP-18875]
- In rare cases, a Citrix Gateway appliance redirects the user to the SAML Identity Provider (IdP) to log in again if the following conditions are met:
  - SAML with two factors is used for user authentication.
  - The user fails to validate the second factor on the Citrix Gateway portal.
  [From Build 52.15][# NSHELP-18912, NSHELP-644]
- A Citrix ADC appliance fails to obtain Kerberos tickets through constrained delegation if one of the following conditions is met:
  - The enterprise “realm” parameter is configured for the user.
  - The domain name in the “keytab” parameter is in lower case.
  [From Build 53.12][# NSHELP-18946]
- A Citrix ADC appliance fails to obtain Kerberos tickets through constrained delegation if one of the following conditions is met:
  - The enterprise “realm” parameter is configured for the user.
  - The domain name in the “keytab” parameter is in lower case.
  [From Build 52.15][# NSHELP-18946]
- The following behavior is observed on the Authentication Virtual Server page of the Citrix ADC GUI:
  - The Basic Settings of a non-addressable authentication, authorization, and auditing virtual server cannot be edited.
  - The Port field must have a valid Port value.
  [From Build 52.15][# NSHELP-18980]
- A Citrix ADC appliance configured for SAML Service Provider (SP) does not perform HTML entity decoding of the attributes retrieved from the SAML assertion.[From Build 52.15][# NSHELP-19003]
- Authentication fails if a Citrix ADC proxy is configured with two-factor authentication along with advanced policies.[From Build 52.15][# NSHELP-19020]
- A Citrix ADC appliance does not drop unauthenticated HTTP OPTIONS requests if User-Agent contains one of the patterns mentioned in ns_aaa_activesync_useragents.[From Build 52.15][# NSHELP-19024]
- A Citrix ADC appliance does not drop unauthenticated HTTP OPTIONS requests if User-Agent contains one of the patterns mentioned in ns_aaa_activesync_useragents.[From Build 53.12][# NSHELP-19024]
- A Citrix ADC appliance might crash if the following conditions are met:
  - The password change option is enabled in an LDAP action command.
  - The LDAP action with an authentication, authorization, and auditing session runs into a session propagation issue.
  [From Build 53.12][# NSHELP-19053]
- A Citrix ADC appliance might crash if the following conditions are met:
  - The password change option is enabled in an LDAP action command.
  - The LDAP action with an authentication, authorization, and auditing session runs into a session propagation issue.
  [From Build 52.15][# NSHELP-19053]
- In a Citrix Gateway deployment, if the load balancing virtual server home page is accessed after VPN authentication, the page is not accessible.[From Build 52.15][# NSHELP-19075]
- The memory usage of a Citrix ADC appliance increases when Citrix Gateway or traffic management virtual server uses Kerberos authentication.[From Build 52.15][# NSHELP-19085]
- If the metadataURL parameter is configured and the Citrix appliance is rebooted, then the SAMLAction command is not saved and the configuration is lost.[From Build 53.12][# NSHELP-19140]
- A Citrix ADC traffic management virtual server occasionally returns a 500 error message after the first-time login under the following conditions:
  - An additional login redirect occurs.
  - An SSL back-end service is behind an HTTP traffic management virtual server.
  [From Build 52.15][# NSHELP-19160]
- The Citrix ADC appliance might reply with a 404 error page to client requests whose URL contains the term ‘Data’, for example, http://www.hostname.com/XYZData/ABC.[From Build 52.15][# NSHELP-19169]
- A Citrix ADC appliance might crash if the input to Citrix GUI or NITRO API login request has an invalid username or password value.[From Build 52.15][# NSHELP-19254]
- When a SAML assertion contains attributes with entity encoding, a Citrix ADC appliance does not decode the attributes after parsing them.[From Build 52.15][# NSHELP-19256]
- EPA fails if it is configured after SAML as a passthrough factor.[From Build 52.15][# NSHELP-19285]
- The Citrix appliance might crash if an authentication login schema policy is set to noschema.[From Build 52.15][# NSHELP-19292]
- A Citrix ADC appliance occasionally fails if a defaultAuthenticationGroup parameter is configured in a samlIdPProfile command.[From Build 52.15][# NSHELP-19301]
- System user login from Citrix GUI or NITRO API using role-based access (RBA) authentication fails when the Citrix ADC management is accessed through load balancing virtual server and load balancing service.[From Build 52.15][# NSHELP-19385]
- Active Directory Federation Services (ADFS) fails to import metadata generated by the Citrix ADC SAML Service Provider (SP).[From Build 52.15][# NSHELP-19390]
- A Citrix ADC appliance configured for SAML Identity Provider (IdP) fails to authenticate incoming authentication request for certain applications.[From Build 52.15][# NSHELP-19443]
- A 500 error message is observed if the following conditions are met:
  - An authentication, authorization, and auditing enabled traffic management virtual server receives a POST request without the cookie.
  - The POST body contains newline characters.
  [From Build 53.12][# NSHELP-19852]
- A Citrix ADC appliance processes unauthenticated HTTP requests with the OPTIONS method received on an authentication, authorization, and auditing traffic management virtual server. The appliance then responds with a corresponding HTTP 401 error message.[From Build 53.12][# NSHELP-19916]
- In an OpenID Connect mechanism, the OAuth Relying Party (RP) does not encode the username and password properties while making the password grant API call.[From Build 53.12][# NSHELP-19987]
- A Citrix ADC appliance configured as a SAML Service Provider (SP) with artifact binding occasionally reports an assertion replay when no replay has occurred.[From Build 50.31][# NSHELP-2132, TSK0714920]
- A Citrix ADC appliance becomes unresponsive because of memory corruption when it handles jumbo frames.[From Build 50.31][# NSHELP-445, NSHELP-515, NSHELP-579, TSK0705972]
- In a rare case, a Citrix ADC appliance restarts if it tries to access a memory that was previously freed.[From Build 50.31][# NSHELP-449, NSHELP-432, NSHELP-587, NSHELP-589, TSK0714441]
- A Citrix ADC appliance configured for SAML IdP might not perform Cross-site scripting (XSS) checks on an incoming RelayState parameter.[From Build 50.31][# NSHELP-453, BUG0714801]
- An SSO to Office 365 fails if objectGUID of a user contains a NULL character.[From Build 50.31][# NSHELP-455, TSK0717549]
- If you configure "add kcdaccount xxx -keytab yyy" on release 12.1 build 49.x, the Citrix ADC appliance might become unresponsive.[From Build 50.31][# NSHELP-618, NSAUTH-1854, NSHELP-2276, NSHELP-2306, TSK0712411]
- A Citrix ADC appliance with two-factor SAML authentication might enter an endless authentication loop.[From Build 50.31][# NSHELP-644, NSHELP-575, TSK0714523]
- A Syslog message reports the client IP and server IP in a reverse hexadecimal format.[From Build 50.31][# NSHELP-663, TSK0715098]
- A Citrix ADC appliance might become unresponsive if there is a high CPU usage.[From Build 51.19][# NSHELP-8356]
- CPU utilization increases and the DNS data packet keeps looping if Citrix ADC AAA uses port 3000 to send a DNS query to an LDAP or a RADIUS server. With this fix, Citrix ADC AAA uses source port 10000 and above to send DNS queries to LDAP or RADIUS servers.[From Build 50.31][# NSHELP-8416]
- A Citrix ADC appliance might become unresponsive if the function specifies a wrong async handler.[From Build 50.31][# NSHELP-8440]
- In a SAML de-serialize function, the Citrix ADC appliance might crash due to invalid memory access.[From Build 51.19][# NSHELP-8464]
- A Citrix ADC appliance with authentication, authorization, and auditing feature might crash in a low memory condition.[From Build 52.15][# NSHELP-8498]
- A Citrix ADC appliance might crash if the following conditions are met:
  - The metadata URL changes.
  - The existing user session is disconnected.
  [From Build 51.19][# NSHELP-8504]
- A Citrix ADC appliance might crash if the following conditions are met:
  - The metadata URL changes.
  - The existing user session is disconnected.
  [From Build 50.31][# NSHELP-8504]
- Occasionally, a Citrix Gateway appliance might fail when it receives /vpns/services.html request from a client.[From Build 52.15][# NSHELP-8513]
- A Citrix ADC appliance might crash if there is a memory corruption due to a buffer overflow.[From Build 50.31][# NSHELP-8537]
- The Citrix ADC appliance might fail to establish an SSO connection to a back-end server, if the form-SSO has a hidden value containing special characters such as &, <, >, and ‘.[From Build 50.31][# NSHELP-939, TSK0707018]
- A Citrix ADC AAA session observes an accounting error on the logout method.[From Build 50.31][# NSHELP-979, BUG0712813]
- A Citrix ADC appliance might crash if a replay packet is received after authentication has generated a response.[From Build 50.31][# NSHELP-982, NSHELP-676, TSK0714057]
- When a Citrix ADC appliance configured as a SAML SP sends a request to the SAML IdP, the following issues are identified:
  - The URL sent from the traffic management virtual server is decoded.
  - An incorrect URL is displayed when authentication is complete.
  [From Build 50.31][# NSHELP-995, TSK0716958]
Base
- ABR video connections are throttled in nature and thus can negatively impact the correctness of Connection Quality Analytics (CQA). So, CQA metrics produced for ABR video transactions should be discarded.[From Build 51.19][# NSBASE-1116]
CLI
- If a user tries to log on to a Citrix ADC appliance through any console, the system displays a log message with an incorrect client type. For example, if the user logs on to the appliance through the XenServer console, the system displays the log message as follows: "Apr 9 12:27:02 <local0.info> 10.102.201.11 04/09/2018:06:57:02 GMT 0-PPE-0 : default UI CMD_EXECUTED 502 0 : User nsroot - Remote_ip 127.0.0.1 - Command "login nsroot "********"" - Status "Success""[From Build 49.37][# NSHELP-4864]
- If a user tries to log on to a Citrix ADC appliance through any console, the system displays a log message with an incorrect client type. For example, if the user logs on to the appliance through the XenServer console, the system displays the log message as follows: "Apr 9 12:27:02 <local0.info> 10.102.201.11 04/09/2018:06:57:02 GMT 0-PPE-0 : default UI CMD_EXECUTED 502 0 : User nsroot - Remote_ip 127.0.0.1 - Command "login nsroot "********"" - Status "Success""[From Build 50.31][# NSHELP-4864, TSK0701582]
Cache
- A Citrix ADC appliance crashes if the following conditions are met:- The cache contentgroup's memory limit exceeds the threshold.- The PINNED option is enabled on the cache contentgroup.[From Build 50.31][# NSHELP-3629, TSK0714583]
Citrix ADC CLI
- When you are logged in as the nsrecover user, nscli -U commands throw an error.[From Build 52.15][# NSCONFIG-1414]
- If you run a command that contains the symbol "@" remotely, the following error message appears: "No such argument"[From Build 52.15][# NSHELP-12000]
- A TCP connection that is not closed after a Remote Procedure Call (RPC) timeout results in an IOCTL response mismatch.[From Build 53.12][# NSHELP-18682]
- A Citrix ADC appliance becomes unresponsive, if it hits the maximum number of user sessions (approximately 1000 sessions) and if the management interface stops responding.[From Build 53.12][# NSHELP-19212, NSCONFIG-1369]
Citrix ADC GUI
- A time zone setting ("set timezone" command) in a Citrix ADC appliance running release 11.1 might get lost after you upgrade it to a later release.[From Build 52.15][# NSHELP-11550]
- After an upgrade from Citrix ADC 11.1 build 56.x to Citrix ADC 12.1 build 49.x, the login to Citrix ADC GUI fails. The issue occurs if the password contains an escape sequence, such as "" or " ".[From Build 51.19][# NSHELP-18178]
- Only the custom reports created in the current viewing partition or in the cluster appear in the Citrix ADC GUI.[From Build 52.15][# NSHELP-18841]
- The following error message appears after you perform steps 1 through 4: "Ambiguous argument value []"
  1. Create an SSL profile with default values.
  2. Bind the profile to an SSL virtual server.
  3. Edit SSL parameters, but do not change any values.
  4. Select OK to close the SSL parameters dialog box.
  [From Build 52.15][# NSHELP-19402]
- In rare cases, a Citrix ADC appliance displays an ‘Error in retrieving Certificate-key pair. Unable to get property match of undefined or null reference’ error message if you update certkey from the Certificates tab.[From Build 50.31][# NSUI-6885, NSHELP-5180, BUG0706444]
Citrix ADC MPX Appliance
- In a Citrix ADC MPX appliance, the GUI and command interface are unable to distinguish between Mellanox 100G and 50G interfaces. As a result, you are allowed to set 50G on a 100G interface.[From Build 50.31][# NSHELP-14761]
- In some cases, the 50G NIC on the MPX 15081-50G and MPX 15041 appliances does not restore to normal state after toggling the power control of the interface.[From Build 52.15][# NSHELP-18786]
Citrix ADC SDX Appliance
- When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.[From Build 49.37][# NSHELP-2398, 697276, 704954]
- On Citrix ADC SDX 26000 and SDX 15000-50G platforms, the virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work if any one of the following conditions is met:
  - The VPX instance configured with the VRID restarts.
  - The SDX appliance on which the VPX instance is running restarts.
  [From Build 49.37][# NSPLAT-4076]
- The message "Appliance license expired" appears when you log on to the Citrix ADC SDX GUI, after upgrading from any previous Citrix ADC version to 12.1 48.13/12.0-58.15. This is a harmless message and can be ignored safely.[From Build 49.37][# NSHELP-11980]
- The VPX instance restarts by itself in the following case:
  - You change the admin profile associated with a Citrix ADC VPX instance with channel configuration, and
  - The Citrix ADC VPX instance is running on Citrix ADC SDX 26XXX and 15XXX appliances.
  [From Build 49.37][# NSHELP-12377]
- The VPX instance restarts by itself in the following case:
  - You change the admin profile associated with a Citrix ADC VPX instance with channel configuration, and
  - The Citrix ADC VPX instance is running on Citrix ADC SDX 26XXX and 15XXX appliances.
  [From Build 50.31][# NSHELP-12377]
- The management IP (NSIP) of a Citrix ADC VPX instance running on the SDX 14000 platform becomes unreachable when the following conditions are met:
  - An LACP channel comprising 10G or 40G interfaces is assigned as the VPX management NIC.
  - One of the member interfaces in the LACP channel goes down.
  [From Build 50.31][# NSHELP-13895]
- On Citrix ADC SDX 26000 and SDX 15000-50G platforms, the virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work if any one of the following conditions is met:
  - The VPX instance configured with the VRID restarts.
  - The SDX appliance on which the VPX instance is running restarts.
  [From Build 50.31][# NSPLAT-4076, BUG0710320]
- The virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work on SDX 26000 and SDX 15000-50G platforms.[From Build 50.31][# NSPLAT-7364, BUG0709182]
- Upgrade to release 12.1 build 50.x and later, release 12.0 build 60.1 and later, release 11.1 build 60.7 and later might result in one of the following outcomes:
  - VLAN filtering on SDX channels is disabled.
  - The SDX Management Service becomes unresponsive, even though the upgrade is successful, if the channels on the SDX appliance have VLAN filtering enabled and VPX instances have L2 mode enabled.
  [From Build 51.19][# NSSVM-2540]
- After upgrading an SDX appliance to 12.1 or 12.0 (any build) from any previous version, Management Service becomes unreachable if the CPU assigned to Management Service is used by another instance on the SDX appliance. The issue occurs in platforms SDX 15XXX, 26XXX, 14XXX 40S, 14XXX FIPS, and 89XX.[From Build 51.19][# NSSVM-311]
- In an SDX appliance, after a clean installation from any older version to 12.1 50.x, you might be unable to recover the network configuration and fail to access the SDX appliance (Dom0 and Management Service).[From Build 50.31][# NSSVM-452]
- In an SDX appliance, after a clean installation from any older version to 12.1 50.x, you might be unable to recover the network configuration and fail to access the SDX appliance (Dom0 and Management Service).[From Build 51.19][# NSSVM-452]
Citrix ADC SDX appliance
- The maximum number of cores that you can configure now on a VPX instance depends on the available cores on the particular SDX platform. Earlier, you could configure a maximum of only five cores even if more cores were available. For information about the maximum number of cores you can assign to a VPX instance, see https://docs.citrix.com/en-us/sdx/13/provision-netscaler-instances.html.[From Build 52.15][# NSHELP-18632]
- A VPX instance running on a Citrix ADC SDX appliance fails to free the allocated ports after a client connection is closed. This failure might cause the instance to restart continuously.[From Build 52.15][# NSHELP-18729]
- After an SDX appliance is restored, partition MACs from the backup file are not restored on the respective VPX instances running on the SDX appliance.[From Build 52.15][# NSHELP-19008]
- After an SDX appliance is restored, partition MACs from the backup file are not restored on the respective VPX instances running on the SDX appliance.[From Build 53.12][# NSHELP-19008]
- SDX image upgrade to 12.1 52.x might fail during Management Service image upgrade.[From Build 52.15][# NSHELP-19168]
- SDX image upgrade to 12.1 52.x might fail during Management Service image upgrade.[From Build 53.12][# NSHELP-19168]
- On an SDX appliance, if you use the Intel i40e network driver and restart the VPX instance one or more times, the SDX appliance might crash.[From Build 53.12][# NSPLAT-9416, NSPLAT-9405]
- Upgrade to release 12.1 build 50.x and later, release 12.0 build 60.1 and later, release 11.1 build 60.7 and later might result in one of the following outcomes:
  - VLAN filtering on SDX channels is disabled.
  - The SDX Management Service becomes unresponsive, even though the upgrade is successful, if the channels on the SDX appliance have VLAN filtering enabled and VPX instances have L2 mode enabled.
  [From Build 52.15][# NSSVM-2540]
- When provisioning a Citrix VPX instance by using the Citrix SDX GUI, an error message "IP Address not a proper IP Address" appears if you select IPv6.[From Build 52.15][# NSSVM-2603]
Citrix ADC UI
- A Citrix ADC appliance adds a "\" (backslash) before a " " (space) in the organization name, locality name, and other fields of the certificate signing request (CSR) if the following conditions are met:
  - A user without shell access connects to an upgraded Citrix ADC appliance by using the CLI, GUI, or NITRO.
  - The user creates a CSR.
  [From Build 52.15][# NSHELP-4521]
Citrix ADC VPX Appliance
- A Citrix ADC VPX instance configured with VMXNET3 interfaces and running on VMware ESX server might crash if the ESX server sends a zero-length packet through these interfaces.[From Build 49.37][# NSHELP-2647, 706660, 707542]
- If there are more than 12 vCPUs, password-based authentication does not work in Citrix ADC VPX instances running in Azure and AWS. However, you can log on by using an SSH private key.[From Build 49.37][# NSPLAT-4781, 714490]
- The SNS topic required for AWS back-end auto scale feature to work is not updated automatically.[From Build 49.37][# NSPLAT-1818]
- The VPX instance removes two servers instead of one when the following conditions are met:
  - The remove 1 server parameter is set in the scale-down policy of the EC2 auto scaling group.
  - The back-end auto scale feature is configured on the VPX instance.
  [From Build 49.37][# NSPLAT-1554]
- The Citrix ADC VPX instance, configured with the AWS back-end auto scaling feature, removes the EC2 auto scale group alarm.[From Build 49.37][# NSPLAT-1587]
- In a multizone cluster deployment, the Citrix ADC VPX instance configured with AWS back-end auto scaling fails to create multiple SNS topics.[From Build 49.37][# NSPLAT-1622]
- The Citrix ADC VPX instance configured with AWS back-end auto scaling does not detect the back-end servers bound to the EC2 auto scaling group, and the following error message appears: "Your AutoScaling Group:<autoscalegroup> can't have more than 10 topics"[From Build 49.37][# NSPLAT-1652]
- The first-time user screen appears even on subsequent logons or every time the logon page is refreshed. By design, the first-time user screen should appear only when the user logs on to the VPX instance for the first time.[From Build 49.37][# NSPLAT-1710]
- In a hypervisor environment, the management CPU usage can appear high if the hypervisor schedules the management CPUs incorrectly.[From Build 50.31][# NSHELP-18184]
- A Citrix ADC VPX instance configured with VMXNET3 interfaces and running on VMware ESX server might crash if the ESX server sends a zero-length packet through these interfaces.[From Build 50.31][# NSHELP-2647, NSHELP-2393, NSHELP-2394, TSK0695358]
- The VPX instance removes two servers instead of one when the following conditions are met:
  - The remove 1 server parameter is set in the scale-down policy of the EC2 auto scaling group.
  - The back-end auto scale feature is configured on the VPX instance.
  [From Build 50.31][# NSPLAT-1554, BUG0716006]
- The Citrix ADC VPX instance, configured with the AWS back-end auto scaling feature, removes the EC2 auto scale group alarm.[From Build 50.31][# NSPLAT-1587, BUG0716030]
- In a multizone cluster deployment, the Citrix ADC VPX instance configured with AWS back-end auto-scaling fails to create multiple SNS topics.[From Build 50.31][# NSPLAT-1622, BUG0716031]
- The Citrix ADC VPX instance configured with AWS back-end auto scaling does not detect the back-end servers bound to the EC2 auto scaling group, and the following error message appears: "Your AutoScaling Group:<autoscalegroup> can't have more than 10 topics"[From Build 50.31][# NSPLAT-1652, BUG0716101]
- The first-time user screen appears even on subsequent logons or every time the logon page is refreshed. By design, the first-time user screen should appear only when the user logs on to the VPX instance for the first time.[From Build 50.31][# NSPLAT-1710, BUG0716714]
- The SNS topic required for AWS back-end auto scale feature to work is not updated automatically.[From Build 50.31][# NSPLAT-1818, BUG0715919]
- Support for Citrix ADC VPX instance on Google Cloud Platform. You can deploy a Citrix ADC VPX instance on Google Cloud Platform (GCP). A VPX instance in GCP enables you to leverage the cloud computing capabilities of GCP and use Citrix load balancing and traffic management features for your business needs. You can deploy VPX instances in GCP as standalone instances. Both single NIC and multi NIC configurations are supported. For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-google-cloud.html.[From Build 51.19][# NSPLAT-2006]
- The cloud profile configuration for Azure autoscale shows the load balancing protocol as HTTP irrespective of the protocol selected while configuring the cloud profile. This issue appears both in GUI and CLI.[From Build 50.31][# NSPLAT-4343, NSPLAT-4216, BUG0705295]
- If there are more than 12 vCPUs, password-based authentication does not work in Citrix ADC VPX instances running in Azure and AWS. However, you can log on by using an SSH private key.[From Build 50.31][# NSPLAT-4781, BUG0712146]
- Tagged VLAN traffic might fail after upgrading a VPX instance to release 12.1 50.28 running on the following Citrix ADC SDX platforms: 11500, 13500, 14500, 16500, 18500, 20500, 11515, 11520, 11530, 11540, 11542, 17500, 19500, 21500, 17550, 19550, 20550, 21550, 8400, 8600, 8010, 8015, 22040, 22060, 22080, 22100, 22120, 24100, 24150, 14020, 14030, 14040, 14060, 14080, 14100, 14020 FIPS, 14030 FIPS, 14060 FIPS, 14080 FIPS[From Build 50.31][# NSPLAT-7863]
- When a Citrix ADC VPX instance running on a KVM hypervisor is provisioned with one or more Intel XL710 40G NICs, the 40G interface does not initialize correctly inside the VPX instance. Also, the interface name or MAC address appears incorrectly.[From Build 51.19][# NSPLAT-8533]
Citrix ADC VPX appliance
- Cluster and high availability (same zones and across zones) on AWS do not work.[From Build 51.20][# NSPLAT-9407]
- Cluster and high availability (same zones and across zones) on AWS do not work.[From Build 52.15][# NSPLAT-9407]
Citrix GUI
- An error message, "Cannot read property 'get' of undefined." appears when you click Action in the Stream Identifiers GUI page.[From Build 53.12][# NSHELP-19369]
Citrix Gateway
- Citrix Gateway appliance dumps core upon freeing the NSB memory twice.[From Build 49.37][# NSHELP-1790]
- In rare cases, a Citrix Gateway appliance configured for EDT becomes unresponsive because of memory corruption.[From Build 49.37][# NSHELP-1685, 709305, 709349, 706229, 705896, 710041, 710117, 707924, 709493, 709911, 710415, 710907, 710891, 711509, 711523, 710808, 712343, 715140, 715145]
- A Citrix Gateway appliance does not fall back to the LDAP policy if the following conditions are met:
  - Certificate authentication and LDAP are configured as the first factor, and LDAP checks data from the login schema.
  - The certificate authentication fails.
  [From Build 49.37][# NSHELP-1853]
- In a Citrix Gateway deployment, the log out operation for Outlook Web Access (OWA) application intermittently fails.[From Build 49.37][# NSHELP-1054, 710636, 709652, 710570]
- In rare cases, the Citrix Gateway appliance dumps core when DTLS is enabled on a VPN virtual server.[From Build 49.37][# NSHELP-1971, 709315, 711421, 710131]
- POST request has some non-required fields.[From Build 49.37][# NSHELP-428]
- Connection list corruption occurs if the VMware Horizon client reuses the same SPI for UDP connections, resulting in eventual crashes when a show or kill command is executed.[From Build 49.37][# NSHELP-6905]
- In case of network errors, cached client certificates were removed, prompting the user to select the certificate from the drop-down menu manually.[From Build 49.37][# NSHELP-423]
- In rare cases, the VPN plug-in crashes.[From Build 49.37][# NSHELP-1454]
- When IPv6 is disabled globally, a connection reset is mandated if an IPv6 packet arrives on the MUX channel.[From Build 49.37][# NSHELP-1606]
- A Citrix Gateway appliance dumps core if a Regex in a patset takes a long time to execute.[From Build 49.37][# NSHELP-6706, 710642]
- In rare cases, the Citrix Gateway appliance dumps core when a client machine tries to open more than one DTLS connection.[From Build 49.37][# NSHELP-1135]
- The session through a Citrix Gateway appliance using RfWebUI becomes unresponsive after you click Cancel on the "Change Password" error window.[From Build 49.37][# NSHELP-569]
- The Citrix Gateway appliance does not display the right logon form when the user clicks the "Go Back" button in the following case: the session initialization fails because the user does not belong to any of the groups configured on the Citrix ADC appliance.[From Build 49.37][# NSHELP-583]
- If StoreFront is load balanced using an internal load balancing virtual server, IPv6 clients are not evenly load balanced.[From Build 49.37][# NSHELP-8597]
- Authentication fails when Citrix Gateway is configured with advanced policies, that is nFactor, and the client is configured only for certificate authentication.[From Build 49.37][# NSHELP-598]
- Accessing a Citrix Gateway appliance results in a 404 error if Citrix Gateway and authentication, authorization, and auditing are deployed on the same Citrix ADC appliance in the same domain but outside of the Citrix Gateway domain.[From Build 49.37][# NSHELP-8636]
- The VPN plug-in for Citrix Gateway becomes unresponsive once the client machine moves to active mode from standby mode.[From Build 49.37][# NSHELP-8015, 710161, 716058]
- Upon using the Citrix Gateway plug-in to logon to VPN, the RADIUS challenge message is displayed on Citrix Receiver instead of the Citrix Gateway plug-in.[From Build 49.37][# NSHELP-8024]
- The pre-authentication EPA check fails when the total length of a single EPA expression (not separated by any logical operators) is greater than 1024 characters.[From Build 49.37][# NSHELP-6835]
- The Windows Gateway plug-in displays an incorrect message on the user interface when the VPN virtual server with Citrix Gateway is in a disabled or out-of-order state.[From Build 49.37][# NSHELP-6760]
- In some cases, the Citrix Gateway appliance with multiple cores crashes if the HDX Insight feature is enabled.[From Build 49.37][# NSHELP-15792, 712124, 712553, 714141, 714351, 714721]
- Allowed login groups parameters in session action do not take effect with advanced session policies.[From Build 49.37][# NSHELP-1728]
- A Citrix Gateway appliance does not allow post body expressions for relaystateRule parameter when sending SAML assertions.[From Build 49.37][# NSHELP-628]
- While repairing the Citrix Gateway plug-in, a re-installation for the plug-in is initiated without checking if the plug-in is already installed. This creates a new virtual adapter instance.[From Build 49.37][# NSHELP-1473]
- EPA fails when Citrix Gateway is configured for nFactor authentication.[From Build 49.37][# NSHELP-8642]
- User initiated password change request using the Citrix Gateway user interface fails.[From Build 49.37][# NSAUTH-4502]
- In some cases, if the Citrix Gateway appliance accesses a null pointer, the appliance dumps core.[From Build 52.15][# CGOP-10756]
- In a multi-core environment, device certificate authentication fails intermittently because of syncing issues.[From Build 50.31][# CGOP-3666, BUG0711654]
- Citrix Gateway does not support WebView or V3 Auth protocol for iOS devices. V3 Auth protocol is used for SAML or a similar advanced authentication mechanism.[From Build 51.19][# CGOP-3800, NSHELP-1359, NSHELP-7943]
- If VDA protocol is set to BLAST on a VMware connection server, upon launching apps or desktops, the Citrix ADC appliance crashes.[From Build 51.19][# CGOP-6145, NSHELP-19551]
- The users connected to the Citrix Gateway appliance are unable to ping each other using the Intranet IP (IIP).[From Build 50.31][# CGOP-878, BUG0470679]
- Citrix Gateway now supports a new version of NetworkAccessControl (NAC) checks using the Microsoft Enterprise Mobility (Microsoft Intune) suite. This variant uses signed device information from the end client for validation. To use this feature, you need a compatible version of the Citrix SSO app.[From Build 50.31][# NSAUTH-4239, BUG0716353]
- User initiated password change request using the Citrix Gateway user interface fails.[From Build 50.31][# NSAUTH-4502]
- In a Citrix Gateway deployment, the log out operation for Outlook Web Access (OWA) application intermittently fails.[From Build 50.31][# NSHELP-1054, NSHELP-1429, NSHELP-3235, NSHELP-559, TSK0708643]
- Admin UI calls from all IP addresses are now allowed. Earlier, some of these calls were blocked because of a deny rule in the httpd.conf file.[From Build 51.19][# NSHELP-1478]
- All admin UI calls are now allowed. Earlier, some of these calls were blocked because of a deny rule in the httpd.conf file.[From Build 50.31][# NSHELP-1478]
- Windows can add a best route for any On-link interface to route traffic. The addition of a new route for the internal network address on the virtual adapter's interface results in connectivity issues over the VPN connection.[From Build 50.31][# NSHELP-1479, TSK0715217]
- In some cases, the Citrix Gateway appliance with multiple cores crashes during a session reconnect if the HDX Insight feature is enabled.[From Build 50.31][# NSHELP-15792, NSHELP-15687, NSHELP-15689, NSHELP-17901]
- When IPv6 is disabled globally, a connection reset is required if an IPv6 packet arrives on the MUX channel.[From Build 50.31][# NSHELP-1606, TSK0709903]
- In rare cases, the Citrix Gateway appliance dumps core when a proxy server is configured.[From Build 50.31][# NSHELP-1616, TSK0713474]
- In some cases, the Citrix Gateway appliance dumps core if the following conditions are met:
  - The Citrix Gateway appliance hosts connections to Citrix XenDesktop 7.16 and above that support UDT.
  - A DTLS service with the same IP:PORT as the VDA is added.[From Build 50.31][# NSHELP-1692, TSK0708188]
- The Citrix Gateway appliance displays incorrect HTTP content for an STA ticket refresh request.[From Build 50.31][# NSHELP-1721, TSK0713473]
- The allowed login groups parameter in a session action does not take effect with advanced session policies.[From Build 50.31][# NSHELP-1728, TSK0712705]
- Citrix Gateway appliance dumps core upon freeing the NSB memory twice.[From Build 50.31][# NSHELP-1790, TSK0701843]
- Files and folders hosted under the following SharePoint default folders cannot be accessed:
  - SitesPages
  - Shared Documents[From Build 51.19][# NSHELP-18114]
- Files and folders hosted under the SharePoint default folder "PublishingImages" cannot be accessed.[From Build 51.19][# NSHELP-18116]
- A Citrix ADC appliance might become unresponsive if the following conditions are met:
  - The appliance is configured for EDT proxy.
  - Audit log for TCP is enabled.[From Build 51.19][# NSHELP-18120]
- A Citrix ADC appliance might crash if the following conditions are met:
  - The appliance is configured for Citrix Gateway with EDT proxy functionality enabled.
  - The appliance is running low on memory.[From Build 51.19][# NSHELP-18121]
- In a Citrix Gateway appliance configured for nFactor authentication, the secondary factor of authentication is ignored if the following conditions are met:
  - Primary factor of authentication is certificate policy.
  - Secondary factor of authentication is group extraction.[From Build 51.19][# NSHELP-18139]
- If you click an RDP bookmark, a .rdp file is downloaded. Earlier, when the RDP bookmark was clicked, it opened in a new tab.[From Build 51.19][# NSHELP-18140]
- If you click an RDP bookmark, a .rdp file is downloaded. Earlier, when the RDP bookmark was clicked, it opened in a new tab.[From Build 50.31][# NSHELP-18140]
- Citrix Gateway appliance dumps core when the STA server closes the connection abruptly.[From Build 51.19][# NSHELP-18141]
- In some cases, logging out from Citrix Gateway is not supported.[From Build 51.19][# NSHELP-18144]
- On the user authentication screen for VPN plug-in, you had to click on the password field before entering the password. Now, you do not need to click on the password field before entering the password as the cursor moves to the password field automatically after the username field is auto-filled.[From Build 51.19][# NSHELP-18338]
- On the user authentication screen for VPN plug-in, you had to click on the password field before entering the password. Now, you do not need to click on the password field before entering the password as the cursor moves to the password field automatically after the username field is auto-filled.[From Build 52.15][# NSHELP-18338]
- The VPN homepage appears blank after you log in to your company VPN using the Citrix Gateway plug-in through the macOS Safari browser.[From Build 51.19][# NSHELP-18400]
- After a successful logoff from a Citrix Gateway appliance, the client browser window must be closed and a new browser window must be opened for a new login. This is required if the following authentication methods are selected:
  - SAML with IdP enabled
  - Smartcard[From Build 52.15][# NSHELP-18519, NSHELP-18422]
- After a successful logoff from a Citrix Gateway appliance, the client browser window must be closed and a new browser window must be opened for a new login. This is required if the following authentication methods are selected:
  - SAML with IdP enabled
  - Smartcard[From Build 51.19][# NSHELP-18519, NSHELP-18422]
- In some cases, upon landing on the Citrix Gateway virtual server logon page, the "Cannot complete your request" error message is displayed.[From Build 52.15][# NSHELP-18564, NSHELP-19093]
- In a high availability setup, the secondary node might crash if SAML is configured.[From Build 52.15][# NSHELP-18691]
- If an RDP server profile is set to the same port number and IP address as that of the content switching virtual server, the content switching configuration is lost after reboot.[From Build 52.15][# NSHELP-18818]
- Memory leaks occur during authorization policy evaluation for DNS resolutions, UDP, and ICMP authorizations when the default authorization action is set to "deny".[From Build 52.15][# NSHELP-18872]
- In some cases, upon accessing the Citrix Gateway appliance using an IE browser, the Citrix Gateway logon page appears only after a refresh.[From Build 53.12][# NSHELP-18938]
- Citrix Gateway plug-in for Windows fails to detect some captive portals because the RFC guidelines to manage the captive portals are missing.[From Build 52.15][# NSHELP-19005]
- In a high availability setup, the secondary node crashes if the removed user information is not synced with the node.[From Build 53.12][# NSHELP-19065]
- User interface for the Citrix Gateway plug-in for Windows goes out of scale when the screen resolution is greater than 100%.[From Build 52.15][# NSHELP-19083]
- UDP, DNS, and ICMP authorization policies do not get applied for the connections between a client in the internal network and a VPN client (server initiated connections).[From Build 52.15][# NSHELP-19142]
- Advanced End-point Analysis (EPA) scan fails for the macOS devices.[From Build 52.15][# NSHELP-19328]
- In some cases, a Citrix ADC appliance dumps core if the following conditions are met:
  - Two-factor authentication is enabled for the native VMware Horizon client.
  - RADIUS is configured as the first factor of authentication.
  - The RADIUS server responds with the group names upon successful authentication.[From Build 52.15][# NSHELP-19333]
- In some cases, log out from Windows VPN plug-in takes longer than expected.[From Build 52.15][# NSHELP-19394]
- In some cases, the Citrix Gateway appliance sets an invalid cookie while processing unauthenticated requests.[From Build 53.12][# NSHELP-19403]
- In some cases, a Citrix Gateway appliance dumps core if a PCOIP virtual server profile is set on a VPN virtual server but pcoipProfile is not set under the session action.[From Build 53.12][# NSHELP-19412]
- In some cases, the Citrix Gateway appliance dumps core if the appliance is accessed in the Full VPN tunnel mode.[From Build 53.12][# NSHELP-19444]
- StoreFront server cannot be accessed because the Citrix Gateway appliance uses the IP address of the client machine instead of using the SNIP to send traffic to the StoreFront server.[From Build 53.12][# NSHELP-19476]
- The Citrix Gateway plug-in for macOS cannot resolve internal host names if the Local LAN Access option is enabled on a Citrix ADC appliance.[From Build 53.12][# NSHELP-19543]
- Audio for Skype calls is negatively affected when multiple applications/connections are tunneled over the VPN. This happens because of improper memory management.[From Build 53.12][# NSHELP-19630]
- A Citrix Gateway does not recognize the logon expression policy in a Windows plug-in during nFactor authentication.[From Build 53.12][# NSHELP-19640]
- The "Location based awareness" functionality doesn't work on client machines when the machine is brought into a network connected zone (Internet or intranet) from a no-network zone.[From Build 53.12][# NSHELP-19657]
- VPN tunneling stops because the Windows firewall on the Citrix virtual adapter drops the packets. The packets are dropped because of a firewall profile switch (from domain to public) for an inbound connection.[From Build 50.31][# NSHELP-1975, NSHELP-1138, NSHELP-1398, NSHELP-2089, TSK0710165]
- If an authentication factor hosted in Azure is used in Citrix MFA, logon to Citrix Gateway using the Windows plug-in fails. This happens because the MFA HTTP timeout value is less than the Citrix Gateway Windows plug-in timeout value. With this fix, the Citrix Gateway Windows plug-in timeout value is increased to avoid logon failure. Also, the HTTP timeout value can now be configured by setting the following registry value (in seconds): Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\HttpTimeout[From Build 53.12][# NSHELP-19848]
- You might fail to access the resources in the following conditions:
  - Multiple authentication factors are used either in classic or advanced policies.
  - The first factor is not added to the authentication, authorization, and auditing session.[From Build 53.12][# NSHELP-19863]
- Windows Intune enrollment check cannot be disabled on the client machines. The check is enabled by default. With this fix, the Windows Intune enrollment check can be disabled. To disable the check, set the following registry entry to 1: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\DisableIntuneDeviceEnrollment[From Build 53.12][# NSHELP-19942]
- For a non-admin user, Citrix Gateway service is not able to get the admin privileges.[From Build 50.31][# NSHELP-2040, BUG0714332]
- In some cases, the Citrix Gateway appliance dumps core based on a particular sequence of events, if the appliance is configured for EDT proxy.[From Build 50.31][# NSHELP-2134, TSK0715713]
- A Citrix Gateway appliance configured for nFactor authentication becomes unresponsive when the following conditions are met:
  - SAML is configured as the first factor of authentication.
  - EPA is configured as the last factor of authentication.[From Build 50.31][# NSHELP-2137, TSK0715167]
- In some cases, applications accessed using Citrix Gateway become unresponsive because excessive logon redirects cause memory buildup in the appliance.[From Build 50.31][# NSHELP-2138, TSK0717351]
- In case of network errors, cached client certificates were removed, prompting the user to select the certificate from the drop-down menu manually.[From Build 50.31][# NSHELP-423, TSK0709689]
- POST request has some non-required fields.[From Build 50.31][# NSHELP-428, TSK0709243]
- The Citrix Gateway appliance dumps core if the following conditions are met:
  - HTTP websites are accessed.
  - Memory allocation is low.
  - Memory allocation for the code compression feature fails.[From Build 50.31][# NSHELP-5747, TSK0706402]
- In some cases, performing certificate related operations after changing the RDP listeners by setting and unsetting the RDP ServerProfile results in a crash.[From Build 50.31][# NSHELP-5756, TSK0714720]
- Authentication fails when Citrix Gateway is configured with advanced policies, that is nFactor, and the client is configured only for certificate authentication.[From Build 50.31][# NSHELP-598, BUG0710801]
- After an upgrade to version 11.1, the Citrix Gateway logon page does not appear on the Citrix ADC GUI.[From Build 50.31][# NSHELP-6458]
- When a user enters an incorrect password for logon, "Bad Pass" error message is displayed. This happens when "enhancedAuthenticationFeedback" feature is enabled.[From Build 51.19][# NSHELP-6508]
- jQuery version 1.12.4 used for the RfWebUI portal has security concerns.[From Build 51.19][# NSHELP-6662]
- A client machine that has Chrome or Firefox set as default browser does not fall back to ICA proxy mode after the post authentication EPA scan fails.[From Build 50.31][# NSHELP-6692]
- A Citrix Gateway appliance fails to process a SAML response on an existing connection.[From Build 50.31][# NSHELP-670, BUG0715920]
- URLs are not rewritten if SharePoint is configured with IT folder. Also, URLs with Unicode encoding for the following special character “\” are broken and hence are not rewritten.[From Build 50.31][# NSHELP-6709]
- In CVPN mode, when Workspace Control is enabled for Citrix StoreFront, the app sessions are lost upon disconnecting and logging on again.[From Build 52.15][# NSHELP-6722]
- Citrix Gateway server invariably downloads the plug-in configuration files from the Citrix downloads page, ignoring the settings pushed from the Citrix StoreFront server.[From Build 51.19][# NSHELP-6724]
- Pre-authentication EPA check fails when total length of single EPA expression (not separated by any logical operators) is greater than 1024 characters.[From Build 50.31][# NSHELP-6835]
- Chrome does not trigger the EPA plug-in when multiple EPA factors are configured.[From Build 51.19][# NSHELP-6840]
- In some cases, when Citrix Gateway is configured for nFactor authentication, quarantine group is not evaluated during post authentication EPA.[From Build 50.31][# NSHELP-6843]
- In the Citrix ADC GUI, the options under the file upload browse button incorrectly display "object" and not the option name.[From Build 51.19][# NSHELP-7191]
- The global settings for the graphical user interface are not shown correctly.[From Build 52.15][# NSHELP-7740]
- The VPN plug-in for Citrix Gateway becomes unresponsive once the client machine moves to active mode from standby mode.[From Build 50.31][# NSHELP-8015]
- The VPN plug-in for Citrix Gateway becomes unresponsive once the client machine moves to active mode from standby mode.[From Build 49.37][# NSHELP-8015]
- In a multicore environment, the Citrix Gateway appliance dumps core during login transfer when intranet IP address is enabled in VPN.[From Build 52.15][# NSHELP-8164, NSHELP-7078, NSHELP-7082, NSHELP-17438, NSHELP-18156, NSHELP-18368]
- In a multicore environment, the Citrix Gateway appliance dumps core during login transfer when intranet IP address is enabled in VPN.[From Build 51.19][# NSHELP-8164, NSHELP-7078, NSHELP-7082, NSHELP-17438, NSHELP-18156, NSHELP-18368]
- If StoreFront is load balanced using an internal load balancing virtual server, IPv6 clients are not evenly load balanced.[From Build 50.31][# NSHELP-8597]
- EPA fails when Citrix Gateway is configured for nFactor authentication.[From Build 50.31][# NSHELP-8642]
- In some cases, Citrix Gateway appliance dumps core during freeing up the VPN session.[From Build 50.31][# NSHELP-8664]
- Upon attempting to bind a previously bound VPN virtual server to a CS virtual server, the following error message is displayed, "ERROR: Only one VPN vserver can be bound to a CS vserver."[From Build 51.19][# NSHELP-8672]
- In some cases, a Citrix Gateway appliance dumps core because the pending STA refresh operations build up infinitely.[From Build 53.12][# NSHELP-8684]
- In some cases, users experience application launch failures or frozen sessions for EDT sessions, if Citrix Gateway is configured to generate Insights for EDT.[From Build 52.15][# NSINSIGHT-1791]
- In some cases, users experience application launch failures or frozen sessions for EDT sessions, if Citrix Gateway is configured to generate Insights for EDT.[From Build 51.19][# NSINSIGHT-1791]
- In some cases, a Citrix ADC appliance dumps core if the Citrix Gateway is configured for EDT Proxy and the EDT Insight functionality is enabled.[From Build 51.19][# NSINSIGHT-1948]
- In some cases, a Citrix ADC appliance dumps core if the Citrix Gateway is configured for EDT Proxy and the EDT Insight functionality is enabled.[From Build 52.15][# NSINSIGHT-1948]
Citrix Gateway plugin
- If the Citrix Gateway plug-in for macOS is not installed and if the user tries to access VPN from Safari, an error message appears.[From Build 53.12][# CGOP-11240]
Citrix Web App Firewall
- When you deploy CSRF learned rules from the application firewall GUI, the rules do not get deleted and the following error "The CrossSiteRequestForgery check is already in use" is displayed if you try to redeploy the rules.[From Build 49.37][# NSHELP-2817]
- The cluster upgrade to a 12.1 build with Citrix Web App Firewall enabled on a Citrix ADC appliance is not supported.[From Build 49.37][# NSWAF-262]
- The leading TCP window size is rounded off when the post body limit is set to 4294967295 (2^32-1). The fix ensures that the maximum TCP window set by Citrix Web App Firewall is 100 MB for non-streaming data and 20 MB for streaming data. As a workaround, set the post body limit on the profile to a value of at most 512 MB, preferably 100 MB. Also, for larger requests, ensure that the profile has streaming enabled. Enable streaming only if the back-end server is able to accept chunked requests.[From Build 49.37][# NSHELP-17873, 708678, 707955, 708851, 711014]
- When you use special characters in AppFW SessionCookieName, the AppFirewall policy resets website URLs. The issue is resolved if you remove the special characters and use only alphabetic characters in the cookie name.[From Build 49.37][# NSHELP-16795]
- After an upgrade to Citrix ADC 11.1 build 57.13, the URL transformation policy for cookie domains is not applied to application secure cookies.[From Build 49.37][# NSHELP-2771]
- A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.[From Build 49.37][# NSHELP-2851, 710841]
- Citrix Web App Firewall Cookie proxying feature is not working in Cluster 12.1 deployment.[From Build 49.37][# NSWAF-628]
- After a software upgrade, the Citrix ADC appliance crashes with AppFW violation data record when the AppFlow feature is disabled.[From Build 49.37][# NSHELP-18106]
- A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.[From Build 49.37][# NSHELP-2820]
- After an upgrade, if Application Firewall is enabled on a Citrix ADC appliance, it causes a memory leak that leads to high memory usage.[From Build 49.37][# NSHELP-17915, 711993]
- A Citrix ADC application firewall appliance intermittently blocks requests for some URLs under heavy traffic loads when the advanced application firewall start URL check is enabled.[From Build 52.15][# NSHELP-16678]
- A high availability setup that has an application firewall profile with start URL closure enabled experiences high CPU usage and system failover. The issue occurs if response pages contain many URLs.[From Build 50.31][# NSHELP-16694]
- A high availability setup might crash when you upgrade the secondary node to version 11.1 build 56.x and a failover makes it the primary node.[From Build 52.15][# NSHELP-17644]
- The functionality for importing Citrix Web App Firewall profile configuration fails, if the profile contains user-defined field types and if the field types are used in multiple relaxation rules.[From Build 50.31][# NSHELP-17851]
- A Citrix ADC appliance might crash if there is a Cross-Site Request Forgery (CSRF) tag failure.[From Build 51.19][# NSHELP-17940]
- A Citrix ADC appliance might crash if the WSDL schema includes an "anyAttribute" element.[From Build 52.15][# NSHELP-17943]
- A memory leak is observed in a Citrix ADC appliance if the Integrated Cache and the Citrix Web App Firewall features are enabled.[From Build 51.19][# NSHELP-17969, NSHELP-17158]
- Citrix Web App Firewall resets an incoming request if the following conditions are observed:
  - The SQL comment size is greater than 4k bytes.
  - The configured action is log or stats.[From Build 52.15][# NSHELP-18073]
- In a rare case, when Citrix Web App Firewall Learning option is enabled, the resulting aslearn.log file can consume a high amount of hard disk space, starving other disk users.[From Build 50.31][# NSHELP-18083]
- A Citrix ADC appliance might crash if the Citrix Web App Firewall feature is enabled and there is a memory allocation failure on the appliance.[From Build 52.15][# NSHELP-18161]
- A user cannot send an HTTP request from a website if the Web App Firewall profile has the following options enabled:
  - Streaming.
  - Signature bound with post body rules.[From Build 51.19][# NSHELP-18238]
- A user cannot send an HTTP request from a website if the Web App Firewall profile has the following options enabled:
  - Streaming.
  - Signature bound with post body rules.[From Build 52.15][# NSHELP-18238]
- Citrix Web App Firewall is unable to import or export firewall profiles on a Citrix ADC appliance. This issue occurs if there are many stale empty directories prefixed "appfwXXXXXX" under "/tmp/" folder and if the auto-update is enabled for signatures.[From Build 52.15][# NSHELP-18472]
- The DHT update failure warnings are logged in the ns.log file if cookie proxy is enabled on the Citrix ADC appliance.[From Build 52.15][# NSHELP-18616]
- If the token size is greater than 128k, the token buffer is reset multiple times leading to the loss of some data.[From Build 52.15][# NSHELP-18741]
- When a command is set to netsvc and the secondary node takes more than 15 seconds to respond, the setsvc command logs or increments the propagation failure counter. If the secondary node takes more than 10 seconds to respond, a failure is logged at the secondary configd and the corresponding timer is updated with an SNMP trap.[From Build 52.15][# NSHELP-18834, NSHELP-18568]
- When a command is set to netsvc and the secondary node takes more than 15 seconds to respond, the setsvc command logs or increments the propagation failure counter. If the secondary node takes more than 10 seconds to respond, a failure is logged at the secondary configd and the corresponding timer is updated with an SNMP trap.[From Build 53.12][# NSHELP-18834, NSHELP-18568]
- A configuration loss is observed when you reboot a high availability or cluster setup with rfcprofile option enabled in the running configuration.[From Build 52.15][# NSHELP-18856]
- A Citrix ADC appliance might crash if there is high memory usage and memory values are not freed up because of an application failure.[From Build 53.12][# NSHELP-18863]
- A Citrix ADC appliance might crash if the Citrix Web App Firewall configuration changes are not handled properly in a cluster setup.[From Build 53.12][# NSHELP-18870]
- After you add a relaxation rule, similar URLs are not getting deleted from the learned rules list.[From Build 53.12][# NSHELP-19298]
- A Citrix ADC appliance might reset client connections when there is high XML traffic.[From Build 53.12][# NSHELP-19314]
- If you enable the URL transform policy and if the response from a body attribute value contains special characters, the ContentSwitching in an SSL offload might replace the special characters as entity encoded values.[From Build 53.12][# NSHELP-19356]
- A Citrix ADC appliance might crash when CONNECT requests are received. The issue occurs if you set the default profile settings to any value other than APPFW_BYPASS, APPFW_RESET, APPFW_DROP, APPFW_BLOCK.[From Build 53.12][# NSHELP-19603]
- The following behavior is observed in the Citrix Web App Firewall configurations:
  - The CLI and GUI options show different learned rules.
  - The GUI displays only some part of the learned rule.[From Build 53.12][# NSHELP-19820]
- A Citrix ADC appliance fails if the following conditions are observed:
  - Web App Firewall policies use an HTTP body based rule, for example, HTTP.REQ.BODY(..).
  - The Web App Firewall feature is disabled.[From Build 53.12][# NSHELP-19879]
- A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.[From Build 50.31][# NSHELP-2820, BUG0710596]
- A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.[From Build 50.31][# NSHELP-2851, NSHELP-2760, NSHELP-2770, NSWAF-446, TSK0709465]
- Citrix Web App Firewall is unable to block requests with Wordpress vulnerabilities.[From Build 52.15][# NSWAF-2521]
- New option to limit post body bytes inspected by signature. After you upgrade your appliance to Citrix ADC version 13.0, you can now see a new profile option, "Signature Post Body Limit (Bytes)", with a default value of 8192 bytes. Your appliance upgrade will set the option to the default value. You can change this option to limit the request payload (in bytes) inspected for signatures with the location specified as 'HTTP_POST_BODY'. Previously, Citrix Web App Firewall had no option to limit payload inspection and keep CPU under check. Navigation: Configuration > Security > Citrix Web App Firewall > Profiles > Profile Settings.[From Build 53.12][# NSWAF-2887, NSUI-13251]
- Citrix Web App Firewall Cookie proxying feature is not working in Cluster 12.1 deployment.[From Build 50.31][# NSWAF-628, BUG0710139]
Clustering
- In a layer 3 cluster deployment, fragmented traffic steered through a GRE tunnel might cause packet loops, which result in high traffic load.[From Build 49.37][# NSHELP-3447]
- In a Citrix ADC cluster setup, you might find some inconsistencies in the server state in the database and in the packet engine if you perform the following tasks in sequence:
  1. Add a server in DISABLED state.
  2. Enable the server.
  If you use this server when executing the “bind servicegroup” command, the servicegroup members are added in OUT OF SERVICE state.[From Build 50.31][# NSHELP-10943]
- In a cluster setup, the ‘show cluster node’ command displays the interfaces on which the heartbeat is turned off in an "Interfaces on which heartbeats are not seen" parameter.[From Build 52.15][# NSHELP-16123]
- In a cluster setup, the ‘show cluster node’ command displays the interfaces on which the heartbeat is turned off in an "Interfaces on which heartbeats are not seen" parameter.[From Build 53.12][# NSHELP-16123]
- In a cluster setup, if one of the nodes loses connectivity with the backplane, the other nodes do not do a proxy ARP for the IP address of that node.[From Build 53.12][# NSHELP-16139]
- In a cluster setup, version mismatch issue is observed even if there are two cluster nodes of the same version. However, the version mismatch does not cause any functional issues but generates an SNMP trap which you can ignore.[From Build 52.15][# NSHELP-18292]
- The following behavior is observed in a clustered setup:
  - The node addition or deletion commands are not sent to ZebOS daemons when there is no cluster view change.
  - The node mismatch information is observed in the ZebOS daemon and packet engine.
  - Errors are seen while configuring the vtysh command.
  - ZebOS configuration is not cleared when a node is deleted.[From Build 52.15][# NSHELP-18494]
- In a cluster setup, a VIP address in disabled state might automatically become enabled after a reboot.[From Build 52.15][# NSHELP-18589]
- In a cluster setup with ACL6 configuration, the ICMPv6 error packets loop between the nodes causing high CPU usage.[From Build 53.12][# NSHELP-19535]
- In a cluster setup, the cluster propagation might fail if one of the following conditions is met:
  - Connection fails between the cluster daemon and the configuration daemon.
  - Memory usage increases in the cluster daemon.[From Build 53.12][# NSHELP-19771]
- In a cluster setup, the Citrix ADC GUI fails to upload an SSL certificate in the following conditions:
  - Commands are executed from the CLIP.
  - The “sh partition” command responds with an invalid response.[From Build 53.12][# NSHELP-19905]
- The following behavior is observed in a cluster setup:
  - There is a configuration mismatch if you execute the enable/disable servicegroupmember, service group, and server commands.
  - The unset command does not reset the netprofile for a service/service group.[From Build 53.12][# NSNET-9599]
- The following behavior is observed in a cluster setup:
  - There is a configuration mismatch if you execute the enable/disable servicegroupmember, service group, and server commands.
  - The unset command does not reset the netprofile for a service/service group.[From Build 52.15][# NSNET-9599]
DNS
- A Citrix ADC appliance crashes when negative responses for root domain are cached.[From Build 50.31][# NSHELP-12589]
- The Citrix ADC appliance might fail for proactive update DNS queries if there is an ICMP error.[From Build 50.31][# NSHELP-18132]
- When an AAAA response is delayed and an A request is sent to the same domain, the query ID in both AAAA and A records remain the same. On processing the delayed AAAA response from the server, the Citrix ADC appliance might crash.[From Build 52.15][# NSHELP-18742]
- When sending a DNS query for domain based service, the Citrix ADC appliance inserts an OPT record in the query. This record can have incorrect values if the fields are not cleared before inserting the record in the query.[From Build 52.15][# NSHELP-18819]
- The Citrix ADC appliance might crash when filling a cached negative response for a DNS ANY query for an authoritative zone.[From Build 53.12][# NSHELP-19496]
- You can add a wildcard domain for the zone you own.[From Build 53.12][# NSHELP-19498]
- A Citrix ADC VPX instance running on an SDX appliance might crash if an invalid DNS request is received on a Jumbo enabled interface.[From Build 53.12][# NSHELP-19854]
GSLB
- In a GSLB cluster setup, when a parent site is removed, the corresponding child site and its services are also removed.[From Build 49.37][# NSLB-880]
- You might find GSLB service state inconsistencies among the cores when the MEP connection goes DOWN and the connection is back UP within a short time.[From Build 50.31][# NSHELP-11872]
- In a GSLB deployment, GSLB full sync operation might fail after a backup GSLB virtual server is removed.[From Build 52.15][# NSHELP-11946]
- The Citrix ADC appliance might stop responding in the following case:
  - There are cached DNS records.
  - The show gslb domain command is executed.[From Build 50.31][# NSHELP-18131]
- A Citrix ADC appliance might crash if both of the following conditions are met:
  - The IPv6 protocol translation feature is disabled on any of the sites participating in GSLB.
  - RTT is configured as the GSLB method.[From Build 52.15][# NSHELP-18181]
- In admin partitions, the GSLB global parameters are not saved in the configuration (ns.conf) file. As a result, the settings are lost when you restart the appliance.[From Build 52.15][# NSHELP-18621]
- Sometimes, the "show gslb runningConfig" command does not display the newly added name server. The new server is not displayed if the IP address of the GSLB service is changed to a new server and in this scenario the GSLB service flag does not get set.[From Build 52.15][# NSHELP-18956]
- GSLB configuration synchronization failed because the "set ssl servicegroup" command was also synchronized. With this fix, the command is not synchronized. As a result, the GSLB configuration is synchronized successfully.[From Build 50.31][# NSHELP-4058, NSHELP-3090, TSK0709722]
- In a GSLB cluster setup, when a parent site is removed, the corresponding child site and its services are also removed.[From Build 50.31][# NSLB-880, BUG0713908]
GUI
- A Citrix ADC appliance might crash if some entity names in the database have quotations and if a closing quotation is found missing. The issue is resolved if you upgrade your appliance to the latest version.[From Build 49.37][# NSHELP-11933]
- A time zone setting ("set timezone" command) on a Citrix ADC appliance running release 11.1 might be lost after you upgrade it to a later release.[From Build 50.31][# NSHELP-11550]
- After you upgrade a Citrix ADC appliance, when a user without shell access creates a certificate signing request (CSR), the appliance inserts a "\" (backslash) before each " " (space) in fields such as the organization name and locality name.[From Build 50.31][# NSHELP-4521, BUG0713382]
Gateway Insight
- Receivers that are not whitelisted fail to launch apps through Citrix Gateway when the HDX Insight feature is enabled.[From Build 49.37][# NSHELP-5260, 712929]
- Receivers that are not whitelisted fail to launch apps through Citrix Gateway when the HDX Insight feature is enabled.[From Build 50.31][# NSHELP-5260, TSK0710678]
HDX Insight
- On the Citrix ADM user interface, retransmission statistics are displayed incorrectly. The values shown are cumulative because the Citrix ADC appliance does not reinitialize them after reporting them once.[From Build 52.15][# NSHELP-18851]
- When Citrix Gateway appliance is used with NSAP enabled for VDAs (7.16 and above) and if HDX Insight is configured, the Citrix Gateway might fail.[From Build 50.31][# NSHELP-5259, NSINSIGHT-1192, TSK0710363]
ICA
- In a certain scenario, the Citrix ADC appliance might become unresponsive if ICA AppFlow or SmartControl feature is enabled.[From Build 51.19][# NSHELP-15475]
- In certain scenarios, if SR-HA feature is enabled for ICA AppFlow, the secondary Citrix ADC appliance in the high-availability deployment might fail.[From Build 50.31][# NSHELP-15811]
- A Citrix ADC appliance might become unresponsive in a multi-core environment if ICA AppFlow or SmartControl feature is enabled.[From Build 50.31][# NSHELP-15834]
- A Citrix ADC appliance might become unresponsive in certain traffic patterns if AppFlow feature is enabled for ICA traffic.[From Build 51.19][# NSHELP-15858]
- In some cases, when the Citrix Gateway virtual server is configured for EDT, the ICA sessions become unresponsive.[From Build 52.15][# NSHELP-18191]
- In some cases, when the Citrix Gateway virtual server is configured for EDT, the ICA sessions become unresponsive.[From Build 51.19][# NSHELP-18191]
- A Citrix ADC appliance dumps core for a particular traffic pattern if AppFlow for ICA is enabled.[From Build 52.15][# NSHELP-18288]
- A Citrix ADC appliance dumps core for a particular traffic pattern if AppFlow for ICA is enabled.[From Build 51.19][# NSHELP-18288]
- In rare cases, in a high availability setup with session reliability feature enabled (SR+HA), the secondary Citrix ADC appliance experiences memory leak. The leak is caused because the HDX session allocations in the secondary Citrix ADC appliance are not released as expected.[From Build 52.15][# NSHELP-18549]
- In a high availability setup, the secondary Citrix ADC appliance might crash if session reliability is enabled.[From Build 49.37][# NSHELP-5257, NSINSIGHT-1208, NSHELP-3807, NSHELP-3808, NSHELP-5414, NSHELP-5417, NSHELP-5428, NSHELP-17883, NSHELP-17894, NSHELP-17904]
- If the SR-HA feature is enabled, the output throughput on the primary Citrix ADC appliance is noticeably higher than the input throughput of the appliance.[From Build 50.31][# NSHELP-5261, BUG0714250]
Licensing
- When the connection between a Citrix ADC appliance (MPX, SDX, or VPX) and the Citrix ADM licensing server is lost, the Citrix ADC appliance revokes the licensed capacity immediately. As a result, the throughput drops. After the connection with the Citrix ADM licensing server is re-established, you must manually reconfigure the license to restore the capacity.[From Build 49.37][# NSHELP-4804]
- When the connection between a Citrix ADC appliance (MPX, SDX, or VPX) and the Citrix ADM licensing server is lost, the Citrix ADC appliance revokes the licensed capacity immediately. As a result, the throughput drops. After the connection with the Citrix ADM licensing server is re-established, you must manually reconfigure the license to restore the capacity.[From Build 50.31][# NSHELP-4804, TSK0712434]
Load Balancing
- A Citrix ADC appliance crashes if you add a Rate-Limiting expression to a DNS responder policy.[From Build 49.37][# NSHELP-3884]
- Traffic disruptions might occur if the encoded redirect URL is greater than 2048 bytes.[From Build 49.37][# NSHELP-9843]
- If the REGISTER request processing for a specific service fails during the Session Initiation Protocol (SIP) call, the memory usage of the Citrix ADC appliance starts building up.[From Build 49.37][# NSHELP-4147]
- The "Operation not permitted" error appears when you try to execute the set operation on a domain-name-based service group member.[From Build 49.37][# NSHELP-18134]
- After an upgrade to 12.1 build 51.x from any previous 12.1 build and a reboot of the appliance, the -vlan argument is no longer accepted in the static subscriber profile commands. As a result, you must execute the add, rm, and show subscriber profile commands without the "-vlan" argument. Example commands:
  - Adding a subscriber with IP address 1.1.1.1 and VLAN 22: add subscriber profile 1.1.1.1 22
  - Adding a subscriber with IP address 1.1.1.1 and no defined VLAN: add subscriber profile 1.1.1.1
  - Removing a subscriber with IP address 1.1.1.1 and no defined VLAN: rm subscriber profile 1.1.1.1
  If your running configuration includes subscriber profile commands with the "-vlan" argument, you must redefine these subscriber profiles in the new format after the upgrade.[From Build 51.19][# NSBASE-6561]
- If a wildcard TCP-based virtual server is moved to a wildcard HTTP-based virtual server or vice versa, there might be a possibility of linking TCP and HTTP sessions resulting in an unexpected behavior.[From Build 50.31][# NSHELP-10014]
- Memory can build up on a Citrix ADC appliance if the following conditions are met:
  - You have added a UDP name server (but no TCP name server).
  - You have configured a DNS autoscale service group.
  - The truncated bit is set in the DNS response.
  Because the truncated bit is set and no TCP name server is configured, the DNS resolution is retried over UDP, and some memory is allocated for each IP address returned in the UDP responses. The cycle repeats and results in memory buildup.[From Build 50.31][# NSHELP-10053]
- When you modify a server name or its IP address, the service group entity binding table is not updated. As a result, there might be cluster configuration inconsistency between CLIP and NSIP for service group member.[From Build 52.15][# NSHELP-10142]
- In a rare case, a Citrix ADC appliance might fail if the following conditions are observed:
  - Health monitoring is set to OFF for a DBS service or service group.
  - A DBS IPv6 server is bound to the DBS service or service group for which health monitoring is set to OFF.
  - SourceIP, SSL session ID, or rule-based persistence is configured on a load balancing virtual server bound to that DBS service or service group.
  - A failover is executed, or the secondary node becomes primary.[From Build 51.19][# NSHELP-10148]
- In some cases, monitor binding for a service group with autoscaling enabled might be missing in the running configuration.[From Build 52.15][# NSHELP-10168]
- If the command for configuring load balancing virtual server with listen policy fails, the Citrix ADC appliance might stop responding while freeing the allocated memory.[From Build 51.19][# NSHELP-10186]
- A Citrix ADC appliance might crash in the following case: a new HTTP request is received while the persistence type is being changed from COOKIEINSERT to another type.[From Build 50.31][# NSHELP-10921]
- A Citrix ADC appliance might crash if a stream selector with rate limiting objects gets deleted and added again with overlapping selectlets.[From Build 52.15][# NSHELP-11131]
- In a Citrix ADC GSLB parent-site topology setup, the appliance might crash if the following sequence occurs:
  1. A child site requests information from a parent site because of site persistence.
  2. The client connection is terminated at the child site before the parent sends the response.
  3. The MEP connection is terminated after step 2.[From Build 50.31][# NSHELP-18129]
- For a monitor bound to an SSL profile and certificate, the number of characters allowed in the monitor name is limited to 31.[From Build 51.19][# NSHELP-18148]
- In a rare condition, the Citrix ADC appliance might fail if SYS.VSERVER("").THROUGHPUT expression is used in a policy.[From Build 52.15][# NSHELP-18330]
- The inactive services number for a load balancing virtual server might return a large value for few seconds after some services or service group members are unbound from the load balancing virtual server. This is a display issue and does not impact any functionality.[From Build 52.15][# NSHELP-19400]
- If a service group member is assigned a wildcard port (port *), the monitor details for that service group member can be viewed from the Monitor Details page.[From Build 52.15][# NSHELP-9409]
- In a high availability setup, the running config displays unwanted port information for service group monitor bindings when you execute the show ns runningConfig command. This results in loss of the service group monitor binding after a reboot or a failover. The service group member bindings are unaffected.[From Build 51.19][# NSLB-4418]
- In a high availability setup, the running config displays unwanted port information for service group monitor bindings when you execute the show ns runningConfig command. This results in loss of the service group monitor binding after a reboot or a failover. The service group member bindings are unaffected.[From Build 52.15][# NSLB-4418]
Logging
- Citrix ADC CPX or VPX stops archiving newnslog files after it reaches 200 files.[From Build 52.15][# NSNET-8749]
NITRO
- The Citrix ADC appliance responds with an internal error message to the routerdynamicrouting NITRO API call (the equivalent of the show routerdynamicrouting command).[From Build 53.12][# NSCONFIG-1325]
- Retrieving a specific system file using the systemfile Java SDK is not supported.[From Build 52.15][# NSHELP-18645]
- In Python NITRO SDK, UPDATE operation fails with an error message if a GET method response object is used in the UPDATE operation.[From Build 52.15][# NSHELP-19111]
- The system login API fails with an "Invalid username or password" error if the login account password contains the '=' character.[From Build 50.31][# NSHELP-4801, TSK0714487]
- Running the command "curl -u nsroot:nsroot http://<IP_Address>/nitro/v1/config/" causes the httpd process to crash.[From Build 50.31][# NSUI-7739, BUG0714963]
Networking
- In some deployments, ICMP error packets, sourced from the NSIP address and destined to 127.0.0.2 address, might go in loops within the Citrix ADC appliance causing high CPU usage in the appliance.[From Build 49.37][# NSHELP-167]
- In a high availability configuration in INC mode, dynamic routing parameters might not get set properly because of the conversion errors.[From Build 49.37][# NSHELP-253]
- In a Citrix ADC appliance, BGP daemon fails when a routemap, which includes a 'match ip peer' command entry, is applied to the kernel routes.[From Build 49.37][# NSHELP-224]
- In a cluster setup, a node has the following entities in the same traffic domain:
  - a VIP address, and
  - a load balancing virtual server with the same VIP address.
  When the traffic domain is removed, the virtual server configuration is removed but the VIP address is not. The node crashes when it sends out a GARP message for this VIP address.[From Build 49.37][# NSHELP-81, 711605]
- HTTPS access to a SNIP address in a traffic domain fails because the appliance performs port allocation in non-default traffic domain when accessing the NSIP address internally from underlying FreeBSD operating system.[From Build 49.37][# NSHELP-83]
- BGP IPv6 address family configuration might not get saved in a cluster setup.[From Build 49.37][# NSHELP-225]
- In a high availability setup, the Citrix ADC appliance does not send jumbo frames on interfaces that are jumbo enabled. This issue causes the state of the LACP channels and interfaces to flap, which in turn results in repeated HA failovers in the setup.[From Build 50.31][# NSHELP-16172]
- In a Citrix Gateway appliance, responder and rewrite policies bound to VPN virtual servers might not process the packets that matched the policy rules.[From Build 50.31][# NSHELP-18311]
- In a Citrix Gateway appliance, responder and rewrite policies bound to VPN virtual servers might not process the packets that matched the policy rules.[From Build 51.19][# NSHELP-18311]
- Enabling secure access (secureonly) to Citrix ADC GUI on the NSIP or SNIP addresses fails to disable HTTP (insecure) GUI access.[From Build 51.19][# NSHELP-18353]
- Enabling secure access (secureonly) to Citrix ADC GUI on the NSIP or SNIP addresses fails to disable HTTP (insecure) GUI access.[From Build 50.31][# NSHELP-18353]
- For a default-originate routing setting, the Citrix ADC appliance sends a learned default route instead of a self-originated default route to the neighbor device. The learned default routes are dropped in the network because of the route map.[From Build 52.15][# NSHELP-18431]
- The IS-IS dynamic routing module in a Citrix ADC appliance might incorrectly mark the default route as an invalid prefix during the shortest-path-first (SPF) calculation. Because of this reason, the route is not installed.[From Build 52.15][# NSHELP-18498]
- In a high availability setup with OSPF dynamic routing configured, the new primary node does not generate the OSPF MD5 sequence number in increasing order after a failover. This issue has been fixed. For the fix to work properly, you must synchronize the time between the primary and secondary nodes, either manually or by using NTP.[From Build 52.15][# NSHELP-18958]
- If a high availability setup is upgraded to release 12.1 build 51.16, the high availability nodes might not advertise OSPF VIP routes after a failover.[From Build 52.15][# NSHELP-19056]
- If a high availability setup is upgraded to release 12.1 build 51.16, the high availability nodes might not advertise OSPF VIP routes after a failover.[From Build 51.19][# NSHELP-19056]
- When a PBR rule with next hop parameter set to NULL is added for a load balancing service or a monitor, the Citrix ADC appliance might become unresponsive.[From Build 53.12][# NSHELP-19245]
- A Citrix ADC appliance might create a SYN+ACK packet loop, which in turn causes high CPU usage, when both of the following conditions are true:
  - An outstanding RNAT probe connection exists to an IP address that is not currently a Citrix ADC owned IP address.
  - You then make this IP address an ADC owned IP address as part of the configuration, for example by adding a load balancing virtual server with this IP address.[From Build 52.15][# NSHELP-19376]
- The Citrix ADC appliance might drop IPv6 traffic intermittently.[From Build 52.15][# NSHELP-19397]
- In some rare cases in a high availability setup, the secondary node might establish BGP session over the Citrix ADC IP address (NSIP).[From Build 53.12][# NSHELP-19720]
- In a high availability configuration in INC mode, dynamic routing parameters might not get set properly because of the conversion errors.[From Build 50.31][# NSHELP-253, BUG0708496]
- If a Citrix ADC appliance has data sessions from a client, and you add a virtual server with the same IP address as that client, flushing the client's sessions might cause the appliance to become unresponsive.[From Build 51.19][# NSHELP-255]
- The Citrix ADC appliance might not remove monitors that have a net profile bound to a route during a clear config extended+ operation. These monitors still point to the associated net profile, which was removed during the clear config extended+ operation, causing the Citrix ADC appliance to crash.[From Build 50.31][# NSHELP-80, BUG0710015]
- In a cluster setup, a node has the following entities in the same traffic domain:
  - a VIP address, and
  - a load balancing virtual server with the same VIP address.
  When the traffic domain is removed, the virtual server configuration is removed but the VIP address is not. The node crashes when it sends out a GARP message for this VIP address.[From Build 50.31][# NSHELP-81, NSNET-553, TSK0710326]
- Trivial File Transfer Protocol (TFTP) might not work in Citrix VPX instances running on VMware ESX server with VMXNET3 network interfaces.[From Build 50.31][# NSHELP-85, NSHELP-107, NSHELP-3633, NSHELP-452, TSK0711445]
- The Citrix ADC appliance might not completely remove the RNAT global configuration during a clear config operation.[From Build 50.31][# NSHELP-86, TSK0712215]
- In some cases, when a net profile is bound to VPN virtual server, the Citrix Gateway logon page does not load and the Citrix ADC admin user interface becomes inaccessible.[From Build 50.31][# NSHELP-92, TSK0715048]
- The appliance might fail in unbinding NAT rules, with 32-bit netmask, from a netprofile.[From Build 50.31][# NSHELP-93, TSK0715128]
- A Citrix ADC appliance does not allow traffic domain configuration inside admin partition context.[From Build 50.31][# NSNET-4562, BUG0647744]
- On the Citrix ADC GUI, when you go to Configuration > Network > Interfaces, and click Interface Statistics, the Interface Summary is not displayed and the “Invalid value [arg]” error message appears.[From Build 53.12][# NSUI-13043]
- On the Citrix ADC GUI, when you go to Configuration > Network > Interfaces, and click Interface Statistics, the Interface Summary is not displayed and the “Invalid value [arg]” error message appears.[From Build 52.15][# NSUI-13043]
Optimization
- The Lazy Loading mode does not load images in a simple web page that are above the fold with no attributes such as height or width.[From Build 53.12][# NSHELP-19193]
Platform
- You might see a Tx stall issue on MPX platforms that contain Intel XL710 NICs.[From Build 50.31][# NSHELP-14786]
- In some cases, packets can be corrupted on the MPX-26000-100G and MPX-26000T-100G appliances.[From Build 50.31][# NSHELP-14823]
- You cannot configure two MPX 26xxx appliances in a high availability setup if you do not have the correct licenses for the two models.[From Build 51.19][# NSHELP-14880]
- Bandwidth settings configured using the “set interface” command are overwritten when the ring buffer size is changed.[From Build 52.15][# NSHELP-18929]
- On some MPX 115xx, 11500, 17550, 17550T and T1100 appliances, the power supply labels on the back panel are reversed relative to what is shown in the software.[From Build 51.19][# NSPLAT-1639]
Policies
- An error is encountered when you convert a classic policy expression with domain option to advanced policy expression using NSPEPI tool.[From Build 49.37][# NSHELP-467]
- In a cluster setup, if the same key has multiple values bound to a string-map, then output for “show policy stringmap <name>” command is different for CLIP and NSIP addresses.[From Build 51.19][# NSHELP-15386, NSPOLICY-2002]
- A Citrix ADC appliance might crash if the configuration has responder action with respondwithhtmlpage as an action type.[From Build 53.12][# NSHELP-5821]
- In a cluster setup, if a rewrite or responder policy is bound to more than 127 bind points, there might be an issue in displaying the policy bindings and policy stats.[From Build 53.12][# NSPOLICY-3065]
- A Citrix ADC appliance might crash if you use responder action of redirect action type.[From Build 53.12][# NSPOLICY-3196]
Rewrite
- Policy Bindings for LB VServer of types TCP, SIP UDP, MYSQL, MSSQL, ORACLE, NAT, DIAMETER, RADIUS, SIP TCP, DNS, and SSL do not contain the REQUEST or RESPONSE type within saved configuration. A workaround is to manually issue the bind command with proper REQUEST or RESPONSE binding type. Another workaround is to place the corrected bind commands in file /nsconfig/nsafter.sh. However, those commands need to be updated if any change is made to the policy bindings as well. Those commands must be removed once the system is upgraded to a build containing the fix.[From Build 50.31][# NSHELP-471, TSK0715617]
SNMP
- When configuring entity-Down and entity-Up traps, the entity state alarms do not work as expected. This issue is observed if an extra suffix (_UP or _DOWN) is added to the entity name "varbind" for configuring the UP and DOWN traps.[From Build 50.31][# NSHELP-16607]
- After an upgrade in a high availability setup from release 12.1 build 49.23 to release 12.1 build 49.37, the primary node does not send an SNMP coldstart trap message during a restart.[From Build 53.12][# NSHELP-18631]
- The SNMP code had been setting some device flags incorrectly from the beginning; recent fixes in the NS aggregator exposed these gaps, which led to this problem.[From Build 50.31][# NSHELP-359, NSHELP-400, TSK0713612]
SSL
- A Citrix ADC MPX/SDX 14000 FIPS appliance becomes unresponsive if it receives a packet of size > 18 KB from the backend server.[From Build 49.37][# NSHELP-14133]
- The symmetric operations fail because the SSL card becomes unresponsive.[From Build 49.37][# NSHELP-14855, 709406, 708978, 708923, 711264, 711404, 712257]
- A Citrix ADC appliance might crash if an OCSP responder is configured with nonce disabled and the integrated caching feature is enabled so that OCSP objects are cached.[From Build 49.37][# NSHELP-5093, 707452, 710458, 707610]
- The “No Certificates present in the certificate bundle file" error appears when you try to add a PFX file using the Citrix ADC GUI.[From Build 49.37][# NSSSL-139]
- GSLB virtual servers are not accessible if you make any changes to the enabled default SSL profile. With this fix, changes to the SSL profile do not affect the state of the GSLB virtual servers.[From Build 49.37][# NSHELP-5077, 710428]
- Ciphers bound to an SSL service group are not included in the running config if the following commands are run in sequence:
  1. set ssl servicegroup <servicegroup name> -sslprofile <profile name>
  2. bind ssl servicegroup <servicegroup name> -ciphername <profile name>
  As a result, after you save the config and restart your appliance, the ciphers are not bound to the service group. With this fix, the commands are included in the running config. However, you must run the bind command once after upgrading your appliance to include the command in the running and saved configuration files.[From Build 49.37][# NSHELP-5052]
- In rare cases, an attempt to install a new certificate on an MPX 9700/10500/12500/15500 appliance might fail with the “bad pkcs error” counter incremented if the private key “CRT Params” size is not equal to the maximum size allowed.[From Build 49.37][# NSHELP-14157, 706981]
- ECC curve bindings to a DTLS virtual server are not saved in the configuration (ns.conf) after you enable the SSL default profile in the global SSL parameter.[From Build 49.37][# NSSSL-283]
- The ADC appliance might occasionally send extra data to the client if both of the following conditions are met:
  - The appliance is connected to the backend server through SSL.
  - The size of the data received from the server exceeds 9 KB.[From Build 52.15][# NSHELP-11183]
- Incorrect values appear in the output of "stat ssl vserver" for total session hits rate/sec.[From Build 52.15][# NSHELP-13228]
- On a Citrix ADC VPX appliance, memory leak is observed when policy-based renegotiation happens.[From Build 50.31][# NSHELP-13294, NSHELP-17903]
- You might see heartbeat failures eventually leading to a high availability failover. The issue is seen when secure monitors are enabled on a Citrix ADC VPX appliance and the appliance performs DH-key exchange with the backend servers. The failures happen because some CPU intensive DH operations are performed inline.[From Build 52.15][# NSHELP-13321]
- In a high availability configuration, the cipher binding to a service group might be lost if you force a node to failover.[From Build 52.15][# NSHELP-13329]
- You can directly upgrade from build 11.1-48.x or earlier to build 11.1-60.x and to build 12.1-50.x without losing the PFX certificate-key pairs. For earlier builds, you must upgrade incrementally as follows:
  - 11.1-48.10 --> 11.1-50.10 --> 11.1-59.10, or
  - 11.1-48.10 --> 11.1-50.10 --> 12.1-49.23[From Build 50.31][# NSHELP-13337]
- In a cluster setup, an OCSP responder is not unbound from the SSL certificate-key pair on the CLIP if the CA option is specified. However, the OCSP responder is unbound from the SSL certificate-key pair on the other nodes of the cluster. After you upgrade to this build, you must explicitly unbind the OCSP responder on the CLIP again.[From Build 52.15][# NSHELP-13359]
- In rare cases, an attempt to install a new certificate on an MPX 9700/10500/12500/15500 appliance might fail with the “bad pkcs error” counter incremented if the private key “CRT Params” size is not equal to the maximum size allowed.[From Build 50.31][# NSHELP-14157]
- Memory allocation might fail leading to memory leak in a heavy traffic scenario.[From Build 50.31][# NSHELP-14606]
- In a cluster setup, if you bind a custom certificate to the internal services and then run the "clear config basic" command, the default certificate (ns-server-certificate) is no longer bound to the internal services on the cluster IP (CLIP) node. On the other nodes, the default certificate is bound to the internal services.[From Build 52.15][# NSHELP-18187]
- In a cluster setup, the running configuration on the CLIP address and on the nodes differs if the following conditions are met:
  - You add a certificate-key pair with a password.
  - You update this certificate-key pair with another certificate and a key without a password.
  The running configuration on the CLIP address shows a password for the updated certificate even though there is none, whereas the nodes do not show a password for the updated certificate.[From Build 52.15][# NSHELP-18189]
- If the appliance receives the "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" cipher more than once in a client hello message, the message is no longer blocked. Earlier, such client hello messages were blocked.[From Build 51.19][# NSHELP-18190, NSUAT-212]
- When a Citrix ADC appliance receives a TLS Close Notify alert message from a TLS peer, the appliance does not treat the message as the end of incoming application data.[From Build 52.15][# NSHELP-18291]
- Backend SSL service monitors fail because SSL handshakes take longer than expected. The delay is because the SSL handshake waits for the configured response timeout when the OCSP response received is not valid.[From Build 52.15][# NSHELP-18319]
- Backend SSL service monitors fail because SSL handshakes take longer than expected. The delay is because the SSL handshake waits for the configured response timeout when the OCSP response received is not valid.[From Build 53.12][# NSHELP-18319]
- A Citrix ADC appliance might crash if a partition is configured and session ticket is enabled. The crash occurs in one of the following scenarios:
  - A force failover is done in an HA setup and the primary node crashes.
  - A partition is removed, or the extended configuration is cleared (clear config -f extended) in an nCore setup.[From Build 52.15][# NSHELP-18622, NSHELP-13516]
- The Citrix ADC appliance crashes if you link a certificate back to itself. For example, you link certificate C1 to certificate C2, certificate C2 to certificate C3, and certificate C3 to certificate C1. That is, any certificate link that creates a loop causes the appliance to crash.[From Build 52.15][# NSHELP-18627]
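Before upgrading a fleet, a pre-flight check for the certificate link loop described above is cheap to run against a copy of ns.conf. The following is an added example, not Citrix code: it parses the "link ssl certKey <certKeyName> <linkCertKeyName>" lines (the CLI syntax the appliance writes to ns.conf), follows each chain, and reports every loop. The sample configuration text is constructed for the example; it assumes each certKey links to at most one issuer, which is how the link command behaves.

```python
import re

# Matches the Citrix ADC CLI command that links a certificate-key pair to its
# issuer's certificate-key pair, as written to ns.conf:
#   link ssl certKey <certKeyName> <linkCertKeyName>
LINK_RE = re.compile(r"^\s*link\s+ssl\s+certKey\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample configuration (not a real ns.conf): a clean chain
# S1 -> Inter -> Root and a loop C1 -> C2 -> C3 -> C1.
SAMPLE_NS_CONF = """\
add ssl certKey Root -cert root.crt
add ssl certKey Inter -cert inter.crt
add ssl certKey S1 -cert s1.crt -key s1.key
link ssl certKey S1 Inter
link ssl certKey Inter Root
add ssl certKey C1 -cert c1.crt -key c1.key
add ssl certKey C2 -cert c2.crt
add ssl certKey C3 -cert c3.crt
link ssl certKey C1 C2
link ssl certKey C2 C3
link ssl certKey C3 C1
"""


def parse_cert_links(conf_text: str) -> dict:
    """Return {certKeyName: linkCertKeyName} for every 'link ssl certKey' line."""
    links = {}
    for line in conf_text.splitlines():
        m = LINK_RE.match(line)
        if m:
            links[m.group(1)] = m.group(2)
    return links


def find_link_cycles(links: dict) -> list:
    """Each certKey links to at most one issuer, so the link graph is a set of
    chains that either end at a root (no outgoing link) or close into a loop.
    Follow every chain and report each distinct loop once, as the ordered list
    of certKey names that form it (a self-link is a loop of length one)."""
    cycles = []
    reported = set()
    for start in links:
        path, seen, node = [], set(), start
        while node in links and node not in seen:
            seen.add(node)
            path.append(node)
            node = links[node]
        if node in seen and node not in reported:
            cycle = path[path.index(node):]
            reported.update(cycle)
            cycles.append(cycle)
    return cycles


def check_config(conf_text: str) -> list:
    """Parse ns.conf text and return the list of certificate link loops."""
    return find_link_cycles(parse_cert_links(conf_text))


if __name__ == "__main__":
    for loop in check_config(SAMPLE_NS_CONF):
        print("certificate link loop:", " -> ".join(loop + [loop[0]]))
```

Run it against the saved configuration of each appliance (for example a copy of /nsconfig/ns.conf) and remove or correct any reported loop before the upgrade window; an empty result means no link chain closes on itself.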
- The Citrix ADC appliance might crash if a certificate with a null DNS (SAN) entry is bound to an SSL virtual server.[From Build 52.15][# NSHELP-18672]
- The Citrix ADC appliance might crash and dump core if certificates with a large number of SAN entries are bound to an SSL virtual server.[From Build 52.15][# NSHELP-18905]
- A Citrix ADC appliance might crash when you execute an audit log message action based on the expression "ssl.origin.server_cert". The log action is bound to a responder policy.[From Build 53.12][# NSHELP-19014]
- A Citrix ADC appliance might crash when you execute an audit log message action based on the expression "ssl.origin.server_cert". The log action is bound to a responder policy.[From Build 52.15][# NSHELP-19014]
- A Citrix ADC appliance might crash while executing the SSL action "clientcertFingerprint", which inserts the client certificate's fingerprint into an HTTP header of the request sent to the server, if both of the following conditions are met:
  - Session ticket is enabled.
  - The SSL policy is bound at the request bind point.[From Build 52.15][# NSHELP-19331]
- An SSL virtual server might reset the connection with reset code 9820 instead of fragmenting the record into multiple TCP packets as expected, if the following conditions are met:
  - A TLSv1.3 enabled virtual server encrypts application data from the backend application server to send to a TLSv1.3 client.
  - The resulting encrypted record length is exactly one byte larger than the TCP maximum segment size.[From Build 52.15][# NSHELP-19466]
- CRL refresh takes the old IP address instead of the new one, if the URL is changed from IP-based address to domain name-based address.[From Build 53.12][# NSHELP-19648]
- The ssl_tot_enc_bytes counter reports incorrect plain text bytes to be encrypted.[From Build 53.12][# NSHELP-19830]
- Ciphers bound to an SSL service group are not included in the running config if the following commands are run in sequence:
  1. set ssl servicegroup <servicegroup name> -sslprofile <profile name>
  2. bind ssl servicegroup <servicegroup name> -ciphername <profile name>
  As a result, after you save the config and restart your appliance, the ciphers are not bound to the service group. With this fix, the commands are included in the running config. However, you must run the bind command once after upgrading your appliance to include the command in the running and saved configuration files.[From Build 50.31][# NSHELP-5052, TSK0710573]
- In a cluster setup, cipher suites bound to a custom cipher group are lost from the CLIP node after you upgrade the setup.[From Build 50.31][# NSHELP-5056, NSSSL-1679, BUG0707738]
- GSLB virtual servers are not accessible if you make any changes to the enabled default SSL profile. With this fix, changes to the SSL profile do not affect the state of the GSLB virtual servers.[From Build 50.31][# NSHELP-5077, NSHELP-3801, TSK0710207]
- On an SDX 14000 FIPS appliance, the FIPS card resets if all of the following conditions are met:
  - You created a partition in release 11.x.
  - The partition name is longer than 12 characters.
  - You upgrade the appliance to release 12.x.[From Build 50.31][# NSHELP-5101, BUG0714338]
- An application using the DTLS protocol might become unresponsive if one of the following conditions is met:
  - You bind an unsupported DTLS cipher to a virtual server.
  - You bind a cipher group that does not contain a single DTLS-supported cipher to a virtual server.[From Build 51.19][# NSHELP-8634]
- A memory leak is observed if all of the following conditions are met:
  - TLS 1.3 and certificate-based client authentication are enabled on the same virtual server.
  - TLS 1.3 is negotiated for a connection.
  - The client sends a `CertificateVerify` message.[From Build 50.31][# NSSSL-1152, BUG0715127]
- The server now aborts the handshake by sending a fatal 'inappropriate_fallback' alert if the following conditions are met:
  - Both TLSv1.2 and TLSv1.3 are enabled on an SSL virtual server.
  - The client sends a TLSv1.2 ClientHello that includes TLS_FALLBACK_SCSV.
  Earlier, the server proceeded with a TLSv1.2 handshake. This issue caused the maximum possible SSL Labs rating for a TLSv1.3 virtual server to drop from A+ to A, because the scanner detected that the server did not appear to honor TLS_FALLBACK_SCSV in all cases.[From Build 50.31][# NSSSL-1226, BUG0715561]
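Two items in this section concern how a server treats signalling cipher suite values (SCSVs) in a ClientHello: NSHELP-18190 (a repeated TLS_EMPTY_RENEGOTIATION_INFO_SCSV is no longer a reason to block the hello) and NSSSL-1226 (TLS_FALLBACK_SCSV from a client offering less than the server's best version must produce a fatal inappropriate_fallback alert, per RFC 7507). The following is an added example, not Citrix code, that builds minimal ClientHello records, parses the cipher list and supported_versions extension, and applies both rules the way a correctly behaving server does. The record builder, constant names and the sample hellos are this example's own; the wire format follows RFC 5246, RFC 7507 and RFC 8446.

```python
import struct

# Signalling Cipher Suite Values carried in the ClientHello cipher list
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746
TLS_FALLBACK_SCSV = 0x5600                  # RFC 7507
SUPPORTED_VERSIONS_EXT = 43                 # RFC 8446 extension type
TLS1_2, TLS1_3 = 0x0303, 0x0304


def build_client_hello(client_version, suites, supported_versions=None):
    """Construct a minimal ClientHello record (zero random, no session ID,
    null compression). A TLS 1.3 client keeps legacy_version at 0x0303 and
    advertises 1.3 through the supported_versions extension."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    if supported_versions:
        sv = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv) + 1) + bytes([len(sv)]) + sv
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # Handshake: ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs   # Record: handshake


def parse_client_hello(record):
    """Return client_version, the highest version the client offers, and the
    cipher suite list with duplicates preserved."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    h = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_version = struct.unpack("!H", h[:2])[0]
    pos = 2 + 32                                   # skip random
    pos += 1 + h[pos]                              # session_id
    cs_len = struct.unpack("!H", h[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", h[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + h[pos]                              # compression_methods
    max_version = client_version
    if pos + 2 <= len(h):                          # extensions block present
        ext_len = struct.unpack("!H", h[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", h[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:
                n = h[pos]                         # a real server would skip GREASE values here
                offered = [struct.unpack("!H", h[i:i + 2])[0] for i in range(pos + 1, pos + 1 + n, 2)]
                max_version = max(offered)
            pos += elen
    return {"client_version": client_version, "max_version": max_version, "cipher_suites": suites}


def evaluate_scsv(record, server_max_version):
    """Server-side decision for the two SCSVs. RFC 7507: if TLS_FALLBACK_SCSV is
    present and the client's best version is below the server's best, abort with
    a fatal inappropriate_fallback alert. A repeated
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV is harmless and is not grounds for
    rejecting the ClientHello."""
    hello = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and hello["max_version"] < server_max_version:
        return "alert:inappropriate_fallback"
    return "continue"
```

A TLS 1.2-only hello with TLS_FALLBACK_SCSV against a server whose best version is 1.3 is the case NSSSL-1226 fixes; the same hello with supported_versions listing 1.3 is a genuine 1.3 client and must proceed. To check a deployed virtual server without this code, `openssl s_client -connect <vip>:443 -tls1_2 -fallback_scsv` should fail with an inappropriate_fallback alert when TLS 1.3 is also enabled.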
- If you configure an MPX/SDX 14000 FIPS appliance for the first time, the appliance restarts after you run the "reset fips" command.[From Build 50.31][# NSSSL-2433, BUG0713370]
- ECC curve bindings to a DTLS virtual server are not saved in the configuration (ns.conf) after you enable the SSL default profile in the global SSL parameter.[From Build 50.31][# NSSSL-283, BUG0713913]
- The MPX 5900/8900/15000-50G/26100-100G (Intel Coleto SSL chip based) platforms might crash if you configure SSL3 or RC2 based ciphers. These platforms do not support hardware offload of these ciphers. As a result, these ciphers are processed in software causing the appliance to occasionally crash.[From Build 51.19][# NSSSL-5813]
- In a cluster setup, the 'set ssl service' command on any internal service throws an error and does not set any parameter for the internal service.[From Build 52.15][# NSSSL-5834]
- In a cluster setup, the 'set ssl service' command on any internal service throws an error and does not set any parameter for the internal service.[From Build 53.12][# NSSSL-5834]
- A TLS 1.3-enabled browser that implements the TLS 1.3 anti-downgrade mechanism described in RFC 8446 might fail to connect to the management GUI over HTTPS if you enable TLS 1.3 in the default frontend profile.[From Build 52.15][# NSSSL-6359]
- The SSL handshake fails on the following platforms if the Client Key Exchange and Client Verify messages come in a single record:
  - MPX 59xx
  - MPX/SDX 89xx
  - MPX/SDX 261xx-100G
  - MPX/SDX 15xxx-50G[From Build 53.12][# NSSSL-6703, NSHELP-19751]
- You cannot remove an SSL log profile if it is attached to the SSL default profile and client authentication is enabled on the SSL default profile.[From Build 51.19][# NSSSL-885]
- Key file installation fails if you are using the GUI to install the bundle containing the certificates and the key file.[From Build 51.19][# NSUI-11392]
- The SSL parameters do not appear correctly in the service view.[From Build 50.31][# NSUI-11414]
- The SSL parameters do not appear correctly in the service view.[From Build 51.19][# NSUI-11414]
- Installing a certificate bundle from the GUI installs only the certificates and not the private key included in the bundle.[From Build 51.19][# NSUI-7463]
SWG URL Filtering
- During content filtering, a rare race condition occurs between policy evaluation and obfuscation of a private URL set. This issue generates an AppFlow record that contains the URL in clear text instead of as "ILLEGAL".[From Build 52.15][# NSSWG-890]
- When you import an IWF JSON-based list, a trailing slash is incorrectly added to URLs that include file names. The added trailing slash leads to incorrect URL matching.[From Build 52.15][# NSSWG-911]
- A Citrix ADC appliance might crash if the URL_CATEGORIZE expression is used in a responder policy when the nstrace command is running.[From Build 52.15][# NSSWG-915]
System
- For HTTP/2 streams, the stat counters do not increment correctly. For example, when a new stream of data arrives, the count fails to increment, but it decrements correctly when the stream is closed. This incorrect operation leads to a wrong count of actions performed on the HTTP/2 streams.[From Build 49.37][# NSBASE-4196, 683374, 694695, 678994]
- A Citrix ADC appliance might crash if it sends messages from one processor to another processor, for deleting a steering session in some error cases.[From Build 49.37][# NSHELP-10930]
- A Citrix ADC appliance crashes because of a timer issue. The issue occurs if the stats are collected after the SYSLOGUDP connection is deleted, but before the appliance deletes the SYSLOGUDP service.[From Build 49.37][# NSHELP-5733]
- If you configure an HTTP type load balancing virtual server with HTTP/2 option enabled on the HTTP profile, the appliance fails to load balance gRPC traffic.[From Build 49.37][# NSHELP-3501]
- If the trace aggregator process leaks an open file descriptor every time you run the nstrace command, the Citrix ADC appliance might display the following error message: "kern.maxfiles limit exceeded".[From Build 49.37][# NSHELP-3520, 712687, 712970]
- A Citrix ADC appliance might crash if an external authentication server takes more than 20 seconds to respond.[From Build 49.37][# NSHELP-12016]
- If the flash cache option is enabled on a Citrix ADC appliance and the appliance receives client requests for the same resource, the appliance resets the connection before it sends the response to the client.[From Build 49.37][# NSHELP-3503]
- A market-specific violation is caused if CallHome is enabled by default on a Citrix ADC 12.1 appliance. The feature should be configured as a user opt-in feature.[From Build 49.37][# NSCALLHOME-82]
- Service state synchronization does not happen in a cluster node deployment if the following conditions are observed:
  - The cluster setup is upgraded from 11.1 builds.
  - An audit log action (SYSLOG or NSLOG) is configured with the SYSLOG or NSLOG server's domain name.[From Build 50.31][# CGOP-6813, BUG0711841]
- At a given time, you can configure the domain name of the server only for one SYSLOG action or NSLOG action. If you try to add another action (either a SYSLOG action or an NSLOG action) with the server's domain name, the system displays an error message. Example:

      > add syslogaction act1 syslog.server.com -loglevel all
      Done
      > add nslogaction act2 nslog.server.com -loglevel all
      ERROR: Name conflicts with an existing service or service group member name
      > add syslogaction act3 syslog2.server.com -loglevel all
      ERROR: Name conflicts with an existing service or service group member name

  [From Build 50.31][# CGOP-6838, BUG0715341]
- A market-specific violation is caused if CallHome is enabled by default on a Citrix ADC 12.1 appliance. The feature should be configured as a user opt-in feature.[From Build 51.19][# NSCALLHOME-82]
- In Citrix ADC 11.1 build 58.13, when you create a Certificate Signing Request (CSR), the appliance adds a backslash before a space in the organization name and locality name text fields.[From Build 52.15][# NSCONFIG-1087]
- A weblogging client crashes if a clustered setup on a VMware ESX platform with VMXNET3 interfaces encounters time synchronization issues.[From Build 50.31][# NSHELP-10850]
- A Citrix ADC appliance crashes if invalid MP_JOIN options of MP_JOIN SYN packet are sent in an MP_CAPABLE subflow.[From Build 50.31][# NSHELP-10986]
- When a client sends an HTTP/2 request to a Citrix ADC appliance and the MSS value is smaller than the response generated by the appliance, an internal parsing issue occurs.[From Build 50.31][# NSHELP-11542]
- A Citrix ADC appliance might crash if several memory dumps are generated on the appliance. This occurs when you upgrade the appliance from version 12.0 build 58.15 to version 12.0 build 57.11.[From Build 51.19][# NSHELP-11554]
- A Citrix ADC appliance might crash if you observe the following conditions:
  - The appliance fails to respond to the client with a reset stream.
  - The appliance drops the request body when more packets arrive from the client.[From Build 51.19][# NSHELP-11614]
- The timezone is inconsistent in Citrix ADC GUI and CLI.[From Build 51.19][# NSHELP-11971]
- A Citrix ADC appliance might crash if HTTP callout uses the IP address and port of an SSL virtual server.[From Build 52.15][# NSHELP-13508, NSHELP-14166]
- If the “Stale Cache Group Table” devices reside in the SNMP AVL tree, the SNMP walk operation fails. As a result, the SNMP walk operation does not return an error message for the subsequent SNMP table counters.[From Build 50.31][# NSHELP-15094]
- The ipFreePorts counter value is always zero.[From Build 52.15][# NSHELP-16587]
- In a Citrix ADC appliance, an issue occurs when both a Classic auditlog policy and an Advanced authentication policy are globally bound to the system. As a result, the "bind system global" command is not applied successfully if either of the following conditions is observed:
  - You upgrade the appliance.
  - A secondary node is added to a high availability setup.[From Build 51.19][# NSHELP-18119]
- In a Citrix ADC appliance, an issue occurs when a Classic auditlog policy and an Advanced authentication policy are globally bound to the system. As a result, the "bind system global" command is not applied successfully if any of the following conditions are observed:
  - You upgrade the appliance.
  - A secondary node is added to a high availability setup.[From Build 51.19][# NSHELP-18127]
- When you enable the Strong Password option in the system parameters, the appliance does not allow you to set the encryption key and hmac key.[From Build 51.19][# NSHELP-18182]
- A connection request to Citrix ADC appliance for ignoring content-length fails.[From Build 52.15][# NSHELP-18294]
- After an upgrade, the system log time on the Citrix ADC GUI dashboard is not the same as the configured timezone on the appliance.[From Build 52.15][# NSHELP-18613]
- A Citrix ADC appliance might crash if the following conditions are observed:
  - A packet trace is started and an LACP packet is received at the same time.
  - The appliance uses advanced policy expressions as nstrace filter expressions.[From Build 52.15][# NSHELP-18811]
- If the primary node wrongly updates the secondary node's engine boot value, the following conditions are observed:
  - The SNMP manager gets the wrong engine boot value from the secondary node.
  - The Citrix ADC appliance rejects all SNMP v3 traps from the secondary node and displays a "timewindow" error message.[From Build 52.15][# NSHELP-18992]
- In a corner case, a Citrix ADC appliance terminates zombie connections without sending a reset. If the peer side is still active and sends packets on such a connection, the appliance resets the connection when processing them.[From Build 53.12][# NSHELP-18998]
- In a high availability setup, SNMP engine ID setting is lost on the secondary node after a restart.[From Build 52.15][# NSHELP-19027]
- The policy evaluation might fail if the following conditions are met:
  - 256 policy expressions reference the same custom header.
  - The custom header reference counter (an 8-bit counter) wraps to 0.[From Build 53.12][# NSHELP-19082]
- The primary node is unable to read the response from the secondary causing the connection to reset. As a result, the connection closes on the secondary node.[From Build 53.12][# NSHELP-19432]
- Strong password validation is now done on MONITOR passwords created for external servers. When you enable the Strong Password configuration (System > Global Settings) on a Citrix ADC appliance, the appliance does not allow you to configure a weak password for an LDAP monitor.[From Build 53.12][# NSHELP-19582]
- If the flash cache option is enabled on a Citrix ADC appliance and the appliance receives client requests for the same resource, the appliance resets the connection before it sends the response to the client.[From Build 50.31][# NSHELP-3503, TSK0711508]
- The "sh audit messages" command does not display log messages in the following case: you configure the log facility parameter with a value other than LOCAL0 in the "syslogparams" or "syslogaction" command.[From Build 50.31][# NSHELP-5736, TSK0709464]
- A Citrix ADC appliance might crash if the following two conditions are observed:
  - An auditlog SYSLOG policy is bound to an authentication virtual server.
  - An internal issue is observed in the auditlog module.[From Build 51.19][# NSHELP-6906]
- In a high availability setup, when the secondary node becomes the primary node, the BGP route update might fail on the new primary node because of a TCP timestamp overflow.[From Build 50.31][# NSHELP-8844]
- A Citrix ADC appliance performance is affected if you use the initial timestamp value for a new request on the same TCP connection.[From Build 52.15][# NSHELP-8883]
- gRPC transactions fail under the following conditions:
  - The initial client request goes to an HTTP/2 enabled virtual server and service, but a response is not received.
  - The server sends a trailer header with multiple header entries.[From Build 50.31][# NSHELP-9308]
- In a clustered setup, a latency issue is observed if:
  - The client reuses the TCP port number to send requests.
  - The Citrix ADC appliance takes a longer time to respond.[From Build 51.19][# NSHELP-9497]
- The additional SNMP MIB objects appended at the end of MIB notification are not ordered as per RFC 2578.[From Build 53.12][# NSNET-3251]
TCP
- During a TCP handshake, if the server responds with a TCP window size of 0 bytes, the appliance keeps the connection in TCP persist mode. Later, if the server opens the TCP window, the connection remains in persist mode and is not removed. As a result, the persist and keep-alive lists get mixed up and the appliance crashes when it tries to free the connection.[From Build 50.31][# NSHELP-5706, TSK0711131]
Telco
- The Citrix ADC appliance might take more time than usual to delete idle large scale NAT sessions. The delay occurs because of a poor hash distribution when an RSS symmetric key is used for hashing. This poor distribution causes internal hash collisions and build-up of idle LSN sessions, which in turn cause memory allocation errors to large scale NAT resources.[From Build 52.15][# NSHELP-18728]
- A Citrix ADC appliance might crash if both of the following conditions are met:
  - The appliance receives two HTTP requests when retrieving subscriber information.
  - There is an incorrect operation to resume normal traffic flow.[From Build 52.15][# NSHELP-18955]
Telco GUI
- The libqos actions are displayed in the QOS action page of the Citrix ADC T-series platform GUI.[From Build 49.37][# NSUI-6339]
Telco Networking
- The data connection to the back-end server uses the client IP if the following conditions are met:
  - Global use source IP (USIP) is enabled.
  - Origin USIP on the cache redirection (CR) virtual server is disabled.[From Build 50.31][# NSNET-4155, BUG0627692]
Telco Traffic Management
- The following GUI settings are missing in the Traffic Management page of the Citrix ADC T-series platform:
  - Cache redirection
  - Subscriber
  - Service chaining
  - User
  As a workaround, you can use Citrix ADM and create a configuration job to run the relevant commands for the missing configuration. See the Citrix documentation for exact details.[From Build 49.37][# NSUI-7265]
- The following GUI settings are missing in the Traffic Management page of the Citrix ADC T-series platform:
  - Cache redirection
  - Subscriber
  - Service chaining
  - User
  As a workaround, you can use Citrix ADM and create a configuration job to run the relevant commands for the missing configuration. See the Citrix documentation for exact details.[From Build 50.31][# NSUI-7265, BUG0712839]
Telco Video Optimization
- Memory leak is observed in the SSL detected domain extraction algorithm. The issue occurs if the SSL detected domain is extracted by the server certificate. The memory leak eventually causes the Citrix ADC appliance to become unresponsive.[From Build 50.31][# NSHELP-5780, NSHELP-5787, BUG0714470]
- The Citrix ADC appliance might crash when it runs body detection algorithm on chunked content. This issue is fixed now. As part of the fix, boundary checks were added.[From Build 50.31][# NSVIDEOOPT-167, BUG0714058]
URL Categorization
- If you execute the command "show urlset <urlset_name>", the Citrix ADC appliance returns information for the requested urlset and any other urlsets added after it.[From Build 49.37][# NSSWG-615]
- When a cloud categorization lookup failure is observed, a Citrix ADC appliance displays a generic error for level 4 logs.[From Build 51.19][# NSSWG-397]
URL Filtering
- During long policy evaluation, a Citrix ADC appliance might crash when obfuscating an Internet Watch Foundation (IWF) domain. The issue occurs when a TCP connection is closed.[From Build 51.19][# NSHELP-18365, NSSWG-538]
- The "show urlset" command displays only URL sets that are imported, not those that are added.[From Build 50.31][# NSSWG-670, NSSWG-747, NSSWG-788, BUG0667361]
Video Optimization
- The Citrix ADC TCP/IP processing module (also known as, Packet Processing Engine (PPE)) crashes when a TCP connection attached to a non-master TCP processing module stays open for more than 3,276 seconds.[From Build 51.19][# NSHELP-8799]
- In a corner case, a Citrix ADC appliance reboots when an internal function performs Server Name Indication (SNI) extraction from the server certificate. This happens because the server-side certificate is invalid, with a zero-length DNS name.[From Build 51.19][# NSHELP-8803]
- The Video Optimization burst period implementation is not working properly in a Citrix ADC appliance.[From Build 51.19][# NSVIDEOOPT-215]
- The ABR video detection algorithm is unable to detect videos from the xvideos.com domain (vid-egc.xvideos-cdn.com).[From Build 51.19][# NSVIDEOOPT-424]
- When handling QUIC ABR video traffic, a Citrix ADC appliance might crash during a video optimization policy evaluation.[From Build 51.19][# NSVIDEOOPT-649, NSHELP-5781]
- During video optimization, buffering occurs because of a conflict between the Nile congestion handler and the pacing scheduler.[From Build 51.19][# NSVIDEOOPT-758]
- In a rare scenario, a Citrix ADC appliance might crash, if Video Optimization releases the allocated memory in the event of a double free error.[From Build 52.15][# NSVIDEOOPT-770]
- The Application Flags field in AppFlow records is not correctly populated for video-paced connections. As a result, the ADM TCP Insight reports for Download Speed might display lower values. Also, external AppFlow consumers always report connections as unoptimized.[From Build 51.19][# NSVIDEOOPT-771]
- A Citrix ADC appliance might crash because of memory corruption if:
  - Video optimization is enabled.
  - Video pacing is applied.[From Build 52.15][# NSVIDEOOPT-778]
Web App Firewall
- A Citrix ADC appliance crashes when it attempts to access the return address of a stack frame which is not present in an XML payload.[From Build 49.37][# NSWAF-112, 712938, 714297]
- In a content switching deployment, the load balancing virtual server details are not captured in the AppFlow records. As a result, the Security Insight reports are generated at the content switching virtual server level and not at the load balancing virtual server level.[From Build 50.31][# NSHELP-17152]
- In a cluster setup, when you deploy a Learned Rule for HTML Cross-Site Scripting check, the Citrix ADC appliance displays an error, "The CrossSiteScripting Check is already in use".[From Build 50.31][# NSHELP-18085]
- The Web App Firewall profile import fails under the following conditions:
  - The WSDL file is configured in the XML message validation check under Relaxation Rules, and
  - The end-point check is set as RELATIVE.[From Build 50.31][# NSHELP-2876, TSK0713580]
- A Citrix ADC appliance crashes when it attempts to access the return address of a stack frame which is not present in an XML payload.[From Build 50.31][# NSWAF-112, NSHELP-2757, NSHELP-2762, BUG0703461]
Citrix Web App Firewall
- A memory leak is observed in a Citrix ADC appliance if the Integrated Cache and the Citrix Web App Firewall features are enabled.[From Build 50.31][# NSHELP-17969, NSHELP-17158]
Release history
For details of a specific release, see the corresponding release notes.
- Build 54.16 (2019-10-17) (Current build) Replaces: 54.13
- Build 53.12 (2019-07-18)
- Build 52.15 (2019-07-17)
- Build 51.19 (2019-05-28)
- Build 51.20 (2019-04-22)
- Build 50.31 (2018-11-30) Replaces: 50.28
- Build 49.37 (2018-08-28) Replaces: 49.23