Citrix ADC 12.1 Build 56.22 MR

Additional Changes/Fixes Available in Versions

What's New?

Citrix ADC SDX appliance

• Option to enable or disable dom0 access

  You can now enable or disable access to SDX Control Domain (dom0). With dom0 access, a user can directly access the SDX appliance and also change the configuration. Previously, dom0 access was enabled by default. Upon upgrade to 13.0 xx from previous release, dom0 access will be disabled.

  To enable dom0 access, from the SDX GUI, navigate to System > Network Configuration. Under Appliance Supportability, check the Configure Applliance Supportability box.
  [# NSPLAT-11065]

Citrix ADC VPX appliance

• Support for Intel X722 10G NIC on KVM-VPX

  A Citrix ADC VPX instance for the Linux-KVM platform now supports Intel X722 10G SR-IOV network interfaces.
  [# NSPLAT-13197]

Citrix ADC appliance

• Support to configure the ADC generated cookie attributes

  For Citrix ADC deployments, support is now added to insert additional cookie attributes to the cookies generated by Citrix ADC appliance. These additional cookie attributes help in enforcing the required policies for the ADC generated cookies based on the application access pattern.

  This feature can be used to prevent issues that can occur because of the Google Chrome upgrade (Google Chrome 80).

  For details, see https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/insert-cookie-attributes.html
  [# NSLB-6068]

Citrix Gateway

• Support for SameSite attribute

  For Citrix Gateway and Citrix ADC AAA deployments, support is now added to configure the SameSite cookie attribute. This attribute helps prevent issues that might occur because of certain browsers upgrade, such as Google Chrome 80. The SameSite attribute can now be set to None, Lax or Strict, as per the requirement.

  For details, see https://docs.citrix.com/en-us/citrix-gateway/12-1/configure-samesite-attribute-for-citrix-gateway.html

  https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/configure-samesite-for-aaa-deployments.html
  [# NSAUTH-7531]

• Support to configure RfWebUI parameters

  You can now configure the RfWebUI parameters such as loginFormTimeout and Session timeout by editing the plugins.xml.
  [# NSHELP-19221]

High Availability

• If you upgrade a Citrix ADC appliance in a high availability (HA) setup to the software version 13.0–52.24 or later, HA synchronization and command propagation are disabled during the upgrade process.

  However, after both the appliances are upgraded to the same software version, HA synchronization and command propagation are enabled automatically.
  [# NSLB-6069]

Fixed Issues

• For no-limit admin partitions, the memory check during allocation is disabled.
  [# NSHELP-21775]

Analytics

• In the ADM GUI, under Analytics > HDX Insight > Users, when you click a specific user, all the users’ active sessions and active applications are displayed instead of the sessions and applications specific to the selected user.
  [# NSHELP-21561]

• Analytics reports do not appear on the Citrix ADM GUI if you:

  1. Install ADM 12.1.52.15 or later.

  2. Select Logstream transport mode to configure analytics on instances.
  [# NSHELP-21618]

AppFlow

• A Citrix ADC appliance might crash if you use pitboss for monitoring the metrics-collector.
  [# NSBASE-9743]

• A Citrix ADC appliance might reboot if the AppFlow collector closes in Logstream transport mode.
  [# NSHELP-19837]

• The Citrix ADC appliance might become unresponsive if you remove the AppFlow action while traffic is flowing through the appliance.
  [# NSHELP-20523, NSHELP-21692]

• An AppFlow policy bound to a VPN virtual server that is behind a content switching virtual server is not applied.
  [# NSHELP-20816]

• A Citrix ADC appliance might crash when it tries to access the corrupt collector information.
  [# NSHELP-21653]

Authentication, authorization, and auditing

• Protocol switching from HTTP to WebSockets fails when SSO is configured on a Citrix ADC appliance.
  [# NSAUTH-6354]

• The LDAP DN attribute fetched from the AD to Citrix ADC appliance is truncated if the attribute length is greater than 128 bytes.
  [# NSAUTH-7210]

• WebAuth authentication fails after multiple failovers on a Citrix Gateway appliance.
  [# NSHELP-19050]

• In rare cases, there might be memory leak issues when handling authentication, authorization, and auditing sessions.
  [# NSHELP-19703]

• RBA access to cluster nodes gets interrupted because of DHT operation issue. Additional counters are added to handle this scenario.
  [# NSHELP-20028]

• When the active sync client sends HEAD request, the Citrix ADC appliance does not authenticate the 200 OK response.
  [# NSHELP-20125]

• In rare cases, authentication fails if the connection to the LDAP server is over HTTPS.
  [# NSHELP-20181]

• In case a Citrix ADC appliance is configured for nFactor authentication, upon RADIUS authentication failure, the Citrix ADM appliance incorrectly displays the failed authentication type as "LDAP".
  [# NSHELP-20440]

• A Citrix ADC appliance might fail in the following circumstances:

  - Citrix ADC appliance configured with OAuth or SAML IdP actions along with refreshing metadata information from an external source.

  - The configuration is changed while data is fetched from the external source or if authentication is in progress. The same issue is observed when you run a ‘clear config’ command.
  [# NSHELP-20646]

• A Citrix Citrix Gateway appliance might fail when Gateway is configured as SAML IdP along with IdP chaining.
  [# NSHELP-20667]

• A Citrix ADC appliance might crash if the samlSigningCertName parameter is not configured in a samlAction command.
  [# NSHELP-20674]

• A Citrix ADC appliance might fail to authenticate the Microsoft Outlook 2016 users if the password contains Umlaut characters.
  [# NSHELP-20682]

• In rare cases, a Citrix ADC appliance might crash while serving VPN traffic.
  [# NSHELP-20751]

• A Kerberos SSO might fail when a Citrix ADC appliance is deployed in a multi-domain environment (parent-child domain) and the users are in parent domain and services are in the child domain.
  [# NSHELP-20910]

• The SAML metadataURL parameter does not work after a Citrix ADC appliance is restarted.
  [# NSHELP-21006]

• A Citrix ADC appliance deployed as SAML might occasionally fail to perform SAML based logout.
  [# NSHELP-21093]

• In rare cases, nFactor log on fails if both of the following conditions are met:

  - Citrix ADC appliance is configured for certificate authentication with a fallback to LDAP.

  - The certificate authentication fails.
  [# NSHELP-21118]

• If Citrix ADC is configured for forms based SSO, and name-value pairs are specified in the configuration, these values are ignored if the values are absent in the form.
  [# NSHELP-21139]

• Full VPN does not work if the following conditions are met:

  - A Citrix ADC appliance is configured for nFactor authentication with SAML authentication being the last factor of authentication.

  - The appliance is bound to the RfWebUI portal theme.
  [# NSHELP-21157]

• When Citrix ADC is deployed as IdP for Citrix Workspace, users are not able to log on to Citrix Workspace.
  [# NSHELP-21324]

• In rare cases, a Citrix Gateway appliance might crash when an invalid HTTP packet is received.
  [# NSHELP-21342]

• A Citrix ADC appliance configured as a forward proxy does not allow NTLM authentication with HTTP 1.0 clients.
  [# NSHELP-21349]

• A Citrix ADC appliance deployed for cross-domain Kerberos might fail to perform SSO if the kcdAccount parameter is configured using a keytab file.
  [# NSHELP-21406]

• In some cases, the Citrix ADC appliance crashes because the core receives a packet to send to the client but the IIP information is not yet available.
  [# NSHELP-21522]

• The "saml:AttributeValue" tag is missing from the SAML assertion whenever "ns_saml_disable_comma_sep_attr_res nsapimgr" knob is enabled.
  [# NSHELP-21552]

• A Citrix ADC appliance might crash with StoreFront AuthAction if the following conditions are met:

  - Password is changed post the expiry date.

  - Authentication is attempted from non-nFactor old VPN clients.
  [# NSHELP-21555]

• A Citrix Gateway appliance configured as SAML IdP for Workspace login might occasionally return an HTTP 404 error during logout.
  [# NSHELP-21650]

• Form based SSO fails if the FORMSSO policies contain empty name-value pair for DYNAMIC FORMSSO.
  [# NSHELP-21753]

• A Citrix ADC appliance might dump core upon receiving a RESET command from the client while the appliance is handling VPN traffic requests.
  [# NSHELP-21817]

• In a Citrix ADC high availability and cluster setup, a delay in freeing the memory space leads to piling up the memory.
  [# NSHELP-21917]

• A Citrix ADC appliance skips the user to consider further groups in the following conditions:

  - A user is a direct member of the nested group.

  - A user is already a member of previous level groups.
  [# NSHELP-21945]

• Citrix ADC deployed as SAML SP might show a local logout page after user initiates the logout process.
  [# NSHELP-22067]

Citrix ADC CLI

• Some Citrix ADC commands fail intermittently with an error message, "Name conflicts with an existing service or service group member name". This issue occurs when the Citrix ADC appliance restarts because of an internal error.
  [# NSHELP-18339]

Citrix ADC GUI

• In some cases, CPU usage increases to 100% and memory swap fails while trying to download core files using the GUI.
  [# NSHELP-20430, NSHELP-22200]

• You cannot search for an entity using the search filter in the ADC GUI if the entity name contains a space.
  [# NSHELP-20506]

• If you access the Syslog GUI page, the following error message appears: "Cannot read property '0' of undefined".
  [# NSHELP-20574]

• After an upgrade, the Citrix ADC GUI home page does not load for admins with superuser group permission.
  [# NSHELP-20638]

Citrix ADC SDX Platform

• In some cases, the SDX 14000 appliance might become unresponsive and reboot.
  [# NSHELP-21017]

Citrix ADC SDX appliance

• After upgrading to software version 11.1 and 12.1, the appliance might send nsNotifyRestart traps.
  [# NSHELP-18308]

• The appliance loses the interface details when more than three instances are selected for reboot or shutdown.
  [# NSHELP-21040]

• On an SDX appliance, you might occasionally see events with high CPU usage. This spike is seen because appliance backup is a CPU intensive process. The high CPU usage is temporary.
  [# NSHELP-21063]

• After you upgrade an SDX appliance, the SDX Management Service might not list ethernet interfaces. This happens if the post install process part of the upgrade is not successful.
  [# NSHELP-21068]

• If you try to restart multiple VPX instances simultaneously, running on an SDX appliance, the channel and data interfaces for VPX instances disappear from the SDX Management Service.
  [# NSHELP-21124]

• When you add an LDAP server under SDX GUI > Configuration > System > Authentication > LDAP, special characters used in form input text box are not decoded before getting displayed. And, the "&" character in the Base DN field is replaced with "&amp".
  [# NSHELP-21488]

• An incorrect interface is assigned to a new VPX instance. After some time, management interface 0/1 appears as enabled even though you have provisioned the instance with only management interface 0/2.
  [# NSHELP-21765]

• On the ADC SDX 14000 and 15000 appliances, traffic loss of up to 9 seconds is observed if the following conditions are met:

  - 10G ports are connected using the LA channel to two Cisco switches that are configured in VPC setup as active or passive

  - The link to active or primary Cisco switch bounces.
  [# NSHELP-21875]

Citrix ADC VPX appliance

• In the VPX deployment on Cisco CSP 2100 platform, occasionally packets might get dropped when more than one virtual function (VF) is created out of the physical network interface card (pNIC).
  [# NSHELP-20991]

• The Citrix ADC VPX appliance crashes on Azure while initializing a NIC resource. The crash leads to a kernel dump on the boot up process. This issue occurs when there is a delay in response to certain messages that the driver needs to send to the backend hypervisor as part of the initialization process. This delay is observed in the Mellanox Connectx3 and Connectx4 platforms. The fix is to increase the timeout value so that the driver waits for a longer duration to receive the response.
  [# NSHELP-21034, NSHELP-22206]

Citrix Gateway

• In a Citrix ADC high availability and cluster setup, the appliance might crash when you upgrade the appliance from release 12.1 build 55.13 to release 12.1 build 55.18. The crash occurs if either Citrix Gateway or authentication, authorization, and auditing features are enabled on the appliance.
  [# NSAUTH-7153]

• In a high availability setup, the secondary Citrix ADC appliance might experience memory leak issues if session reliability on a high availability setup is enabled.
  [# NSHELP-18549]

• In rare cases, the Citrix ADC appliance might crash when a client plug-in sends data to another client plug-in.
  [# NSHELP-19002]

• In some cases, the external facing Citrix Gateway in a double-hop deployment with ICA Insight enabled, dumps core for a particular network traffic pattern.
  [# NSHELP-19487]

• A memory leak is observed in a Citrix ADC appliance if Gateway Insight is enabled.
  [# NSHELP-19750]

• In a high availability setup, the secondary node crashes whenever an authentication, authorization, and auditing session or a VPN session containing SAML related information is propagated to the primary node.
  [# NSHELP-20230]

• The Citrix ADC appliance might become unresponsive if HDX Insight is enabled.
  [# NSHELP-20280]

• Users are incorrectly prompted to enter the user name and password when nFactor Logon form is customized to display the dynamic Logon Type menu and OAuth is selected from the list.
  [# NSHELP-20300]

• A Citrix ADC appliance fails to decode rewritten URLs for clientless VPN if the URLs contain "%2E" in the FQDN.
  [# NSHELP-20603]

• Users cannot access Microsoft Office documents from SharePoint over advanced clientless VPN access.
  [# NSHELP-20611]

• If proxy is specified in a traffic action and proxy is set to "NOPROXY," gateway sends monitor probes to 255.255.255.255:0.
  [# NSHELP-20617]

• After you upgrade the Citrix ADC appliance to release 12.1 build 54.13 and later, the following message might appear when accessing the RDP resources.

  "error :not a privileged user"
  [# NSHELP-20678]

• In rare cases, the Citrix Gateway appliance crashes if AAA user session is transferred and Intranet IP is enabled.
  [# NSHELP-20680]

• The Citrix ADC appliance might become unresponsive if HDX Insight is enabled and there is a low memory condition.
  [# NSHELP-20707]

• The Citrix virtual adapter remains connected even when the VPN machine is in sleep mode and a logout is triggered. Users must terminate the application or restart the VPN machine to gain access to the network.
  [# NSHELP-20755]

• The Citrix ADC appliance might become unresponsive if the appliance is configured for proxy EDT connections and there is a low memory condition.
  [# NSHELP-20761]

• nFactor authentication fails if Online Certificate Status Protocol (OCSP) is enabled for device certificate check.
  [# NSHELP-20855]

• The apps configured on the StoreFront do not appear on the Citrix Gateway home page if all of the following conditions are met:

  - WiHome is configured.

  - Advanced clientless VPN access is enabled.

  - User logs on either from an Internet Explorer or Firefox.
  [# NSHELP-20888]

• Users cannot access internal resources even if VPN is successfully connected, but the DNS servers are not correctly configured for the Citrix Virtual Adapter.
  [# NSHELP-20892]

• The Citrix Gateway appliance might crash if the following conditions are met:

  - The client or server connection has a dangling pointer instead of a link.

  - The linked connection is already freed.

  - The appliance tries to flush the connection to free the link.
  [# NSHELP-20901]

• The Citrix ADC appliance might crash if the log level is set to "Debug" and the appliance is serving gateway traffic.
  [# NSHELP-20951]

• In rare cases, the Citrix Gateway appliance might fail when users are challenged for a one-time code.
  [# NSHELP-20967]

• If you have configured advanced clientless VPN access, SAP application bookmarks cannot be viewed properly if encoding, such as ('\x3a' or '&#x3a' for ':'), is used in the Enterprise Web apps.
  [# NSHELP-21072]

• In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.
  [# NSHELP-21075]

• The Citrix Gateway user interface does not refresh the page after an entity is unbound from the VPN virtual server.
  [# NSHELP-21085]

• Users cannot log on to Citrix Gateway if the VPN virtual server host name contains "cvpn" in its name.
  [# NSHELP-21119]

• Sometimes, the Citrix ADC appliance might crash during transfer login.
  [# NSHELP-21134]

• In a Citrix Gateway high availability setup, the secondary node crashes if a syslog policy is bound globally to Citrix Web App Firewall and one of the following conditions is met:

  - You perform a force failover.

  - You clear the configuration.
  [# NSHELP-21167]

• If two or more client machines try to establish a VPN tunnel connection to the same gateway, the ping connectivity from one client machine to another machine fails.
  [# NSHELP-21169]

• In a Citrix Gateway high availability setup, the secondary node might crash if Gateway Insight is enabled.
  [# NSHELP-21184]

• In a Citrix Gateway high availability setup, the secondary node crashes during high availability synchronization if logging is enabled on Citrix Web App Firewall global.
  [# NSHELP-21254]

• On some machines, the EPA prompt window buttons (YES, NO, ALWAYS) do not appear on the EPA plug-in’s screen.
  [# NSHELP-21276]

• In some cases, Citrix Gateway dumps core if the following conditions are met:

  - EDT Insight functionality is enabled for the Citrix Gateway appliance.

  - The appliance receives an out of order CGP BINDRESP packet from VDA.
  [# NSHELP-21296]

• You cannot launch an application using advanced clientless VPN through bookmarks if the clientless VPN application's POST body contains html encoded ' (single quotes) or " (double quotes).
  [# NSHELP-21361]

• App enumeration does not occur if the number of desktops is lesser than the number of apps.
  [# NSHELP-21377]

• You cannot access links that start with “1https” or “0https”.
  [# NSHELP-21469]

• The VPN plug-in retains DNS suffixes that are added on Wi-Fi or Ethernet adapter while over the VPN connection.
  [# NSHELP-21492]

• Sometimes, the Citrix ADC appliance might crash while handling server initiated connection.
  [# NSHELP-21532]

• UDP applications performance might be affected sometimes because of traffic congestion.
  [# NSHELP-21599]

• The Citrix Gateway appliance might crash if there are multiple cores and Intranet IP address is enabled with RfWebUI theme.
  [# NSHELP-21722]

• The Citrix Gateway logon page becomes unresponsive if RfWebUI based custom themes or nFactor with custom themes are used.
  [# NSHELP-21763]

• The Enterprise Web apps might display an error if the cookies were set and expire at the same time.
  [# NSHELP-21772]

• The Citrix ADC appliance might crash when configured for Advanced Clientless VPN.
  [# NSHELP-21819]

• When EPA is configured in nFactor mode, messages related to EPA plug-in installation are not displayed in the VPN plug-in window.
  [# NSHELP-21939]

• The Windows VPN plug-in crashes if the plug-in client’s language is set to Chinese.
  [# NSHELP-21946]

• In a Citrix Gateway high availability setup, the secondary node might crash during core-to-core communication.
  [# NSHELP-21991]

• The Citrix Gateway appliance might crash if you attempt to print over full VPN tunnel when Intranet IP address is assigned.

  This issue is observed in HP printers that use hp-status and WSDAPI protocols.
  [# NSHELP-22191]

• In a multicore environment, the Citrix Gateway appliance dumps core during login transfer when intranet IP address is enabled in VPN.
  [# NSHELP-8164, NSHELP-7078, NSHELP-7082, NSHELP-17438, NSHELP-18156, NSHELP-18368]

• Application launch failure records are not displayed in Citrix ADM if launch failure is due to DNS lookup failure on Citrix ADC.
  [# NSINSIGHT-1046, NSINSIGHT-1216]

• In a Citrix Gateway high availability setup, the appliance might crash if Gateway Insight is enabled.
  [# NSINSIGHT-2147]

Citrix Web App Firewall

• In a high availability setup, enabling IP reputation feature might result in high availability command propagation failures.
  [# NSHELP-20010]

• After an upgrade, if you bind a signature to the Web App Firewall profile, the appliance silently drops an incoming request.
  [# NSHELP-20201, NSWAF-3427, NSHELP-20599]

• A Citrix ADC appliance might crash if the following conditions are observed:

  - IP reputation policy expression is used in a load balancing virtual server of type TCP.

  - Security Insight is enabled.
  [# NSHELP-20410]

• After an upgrade from build 12.0-58.15 to 12.0-62.8, the URL transformation feature is not working for some URLs. The issue is caused by incorrect canonicalization when rewriting URLs.
  [# NSHELP-20460]

• A Citrix ADC appliance resets the connection if an incoming GWT request has a query string in the URL.
  [# NSHELP-20564]

• A Citrix ADC appliance might crash if the signature feature is enabled and a specific request pattern is detected.
  [# NSHELP-20884, NSHELP-19583]

• A Citrix ADC appliance might crash because of memory allocation failure.
  [# NSHELP-21071]

• The Citrix ADC appliance might crash because of memory failure if the Citrix Web App Firewall feature is enabled.
  [# NSHELP-21201]

• A Citrix ADC appliance might crash when APPFW_DROP and APPFW_RESET are used as Web App Firewall policy actions.
  [# NSHELP-21220]

• A Citrix ADC appliance might crash if a Web App Firewall profile uses APPFW_DROP and APPFW_RESET policy actions.
  [# NSHELP-21283]

• The "/var/" directory is full if:

  - Citrix ADC appliance is under stress.

  - Learning feature is enabled in the Citrix Web App Firewall profile.
  [# NSHELP-21378]

• A memory leak is observed on a Citrix ADC appliance if you enable StartURL Closure protection check.
  [# NSHELP-21472]

• The Citrix ADC appliance blocks Closure URLs after two minutes if URL closure protection is enabled.
  [# NSWAF-3292]

• Requests coming from Tor proxy IP addresses are not blocked by the IP reputation Tor proxy category using CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(PROXY) policy expression.
  [# NSWAF-3611]

Clustering

• A high CPU usage is observed on a Citrix ADC appliance or in a cluster setup if “show ns ip” command displays many IP addresses.
  [# NSHELP-11193]

• In a single-node cluster, sometimes, you cannot SSH to CLIP under the following conditions:

  - USIP mode is enabled.

  - State of the cluster node is set to passive.
  [# NSHELP-20210]

• In a cluster setup, when a CCO node is rebooted or upgraded, there might be a mismatch of AAA keys across the cluster. This can result in gateway authentication failures for the client.
  [# NSHELP-20294]

• In a cluster setup, if timestamp is enabled, some of the requests sent to the server might be dropped.
  [# NSHELP-20394]

• When you execute the show techsupport -scope cluster command, the following error is displayed for all the Citrix ADC SDX appliances:

  “This is a low bandwidth instance”
  [# NSHELP-20666]

• In a cluster setup, the Citrix ADC appliance might crash for a new MPTCP connection, if the 4 tuples are reused with a different MPTCP key before the original connection has timed out on the Citrix ADC appliance.
  [# NSHELP-20844, NSHELP-20726]

• In an OpenStack, the command propagation might fail under the following condition:

  When you remove a node from the 3-node cluster, if you get an older heartbeat from the removed node.
  [# NSHELP-21432]

• In a cluster setup, the configuration for diameter identity is lost when a node is upgraded to a newer version.
  [# NSHELP-21444]

• In a clustered setup, a Citrix ADC appliance might crash, if the following conditions are observed:

  - The connection is steered from the Flow Processor to the Flow Receiver.

  - TCP out-of-order packets are processed in the Time-Wait state.
  [# NSHELP-21792]

• In a Citrix ADC cluster setup with IPv4 and IPv6 policy-based backplane steering (PBS) configurations, ICMPv6 error packets might loop between the cluster nodes when all of the following conditions are true:

  - The inner IP packets of the ICMPv6 error packets have the same IP tuple as in one of the active TCP sessions.

  - A different IPv4 mapped address is present on each cluster node for the same IPv6 address.
  [# NSHELP-21815]

• An issue is observed if you set the GUI option as secureonly on CLIP while the issue is not observed on the NSIP address.

  The issue is observed only when you trigger the "set ns ip gui" configuration.
  [# NSNET-14364]

• In a cluster topology, on node upgrade or downgrade, the "set snmp mib" command for non-cco nodes is failing. This results in a configuration loss.
  [# NSNET-14562]

GSLB

• For a GSLB setup in a cluster, when you run the “set rpcnode” command, the Source IP address in a RPC node changes to the NSIP address. Therefore, GSLB uses the NSIP address instead of SNIP address while initiating a MEP connection.
  [# NSHELP-20552]

• After you upgrade the Citrix ADC appliance from release 11.1 build 56.19 to release 12.1 build 53.12, the effective state of the GSLB service is set to DOWN even though the load balancing virtual server is UP.
  [# NSHELP-21025, NSLB-5570]

• In a GSLB setup with gateway deployment, the Citrix ADC appliance might fail to resolve the domain name for a GSLB service in the following condition:

  When the primary load balancing virtual server is DOWN, even if the backup load balancing virtual server is UP.
  [# NSHELP-21061]

• The Citrix ADC appliance might crash during GSLB synchronization. This issue occurs when the “set gslb service” command is executed on a non-existent GSLB service.
  [# NSHELP-21304]

• When the configuration difference between GSLB sites is huge and the autosync is enabled, the filesystem might get full. The following error message is displayed:

  “write failed, filesystem is full.”
  [# NSHELP-21796]

• A Citrix ADC appliance crashes when a set command is issued on a CNAME-based GSLB service.
  [# NSLB-5433, NSLB-5562]

Licensing

• If the SDX appliance is in grace period for pooled licensing, the remaining grace period shows zero instead of 30 days.
  [# NSHELP-19615]

• A vCPU license is not applied on a warm reboot if it is configured on a Citrix ADC appliance running software versions 12.1.55.13 or 12.1.55.18.
  [# NSUI-14844]

• The Citrix ADC pooled capacity licensing might fail if latency is high between ADC and ADM. This issue occurs if latency is greater than 200 ms.

  The Citrix ADC licensing client attempts repeatedly to check out the licenses from ADM. In a high availability and cluster setup, licensing configurations are unnecessarily reapplied whenever synchronization is triggered. Propagation and synchronization of the pooled licensing commands are disabled. Each node must be licensed independently by logging in to the NSIP of the node. You can execute only show commands on the Cluster IP.
  [# NSUI-14868, NSHELP-22045]

• After upgrading to build 12.1-55.x, the appliance might boot up unlicensed if pool licensing is configured. As a result, all the features are disabled and any configuration that is license dependent is missing in the running configuration. Perform a warm reboot to restore the pool license and the configuration.

  Caution: Do not run “save config” or force an HA failover on an unlicensed appliance.
  [# NSUI-7869]

Load Balancing

• A Citrix ADC appliance crashes if the virtual server is of type ANY and spillover persistence is enabled on the virtual server.
  [# NSHELP-19540]

• The Citrix ADC appliance might crash when persistence is enabled in the IPv6 high availability setup.
  [# NSHELP-20219]

• A Citrix ADC appliance might crash if traffic domain is configured on a load balancing virtual server of type SIP.
  [# NSHELP-20286]

• The Citrix ADC appliance might crash intermittently if device watchdog request

  (DWR) probing is enabled for Policy and Charging Rules Function (PCRF), and the PCRF becomes unreachable.
  [# NSHELP-20827]

• After connection failover, when the secondary appliance becomes the new primary appliance, packet loss is observed.
  [# NSHELP-21155]

• For the requests from NAT-aware clients, the Citrix ADC appliance might crash when the media section in Session Description Protocol (SDP) payload contains the NAT IP address.
  [# NSHELP-21438]

• During high availability synchronization, the connectivity to a secondary device might be lost when pooled license is configured.
  [# NSHELP-21556]

NITRO

• For Python applications using Citrix ADC NITRO API SDK, GET operation to a Citrix ADC appliance might display values of some parameters even when the appliance has not sent these values.
  [# NSHELP-20655]

Networking

• On restarting the Citrix ADC appliance, default route is originated before the IP address of the interface is populated. Because of this issue, the next hop of a route is set to NULL leading to a martian error.
  [# NSHELP-16407]

• The ADC appliance might not update the ECMP routes in an optimised way when an associated interface is disabled, or an associated IP address is deleted.
  [# NSHELP-19891]

• The BGP daemon on a Citrix ADC appliance might incorrectly install learned routes with next-hops as 0.0.0.0/0.
  [# NSHELP-19900]

• For traffic accessing a load balancing setup through a Citrix ADC Access Gateway, the Citrix ADC appliance might apply MAC Based Forwarding (MBF) on this traffic even without properly adding the Layer 2 information to the connection table entry.
  [# NSHELP-20064]

• A Citrix ADC appliance, acting as a proxy server, might apply a PBR rule based on Layer 2 information to a traffic even though the traffic does not match the PBR rule.
  [# NSHELP-20317]

• “An existing route relies on the presence of this subnet” error message is seen, if all of the below conditions occur:

  - Two or more SNIP addresses with the first octet greater than 127 are added

  - A route for the SNIP addresses is added on that network

  - You try to delete any one of the added SNIP addresses
  [# NSHELP-20492]

• The Citrix ADC appliance might skip Policy-based routes (PBR) rules for outgoing monitor packets of type UDP and ICMP.
  [# NSHELP-20545]

• The Citrix ADC appliance might not update ECMP routes properly when multiple BGP

  sessions go to "DOWN" state simultaneously.
  [# NSHELP-20664]

• After a system restart, the Citrix ADC appliance advertises routes with a reduced metric for 180 seconds.
  [# NSHELP-20842]

• The BGP daemon might display duplicate warning messages for a route removed from the Citrix ADC routing table.
  [# NSHELP-20906]

• “sh IP BGP summary” command on the VTYSH command line incorrectly displays the 32 bit ASN values as negative values.
  [# NSHELP-21234]

• In a high availability setup in INC mode, after a failover, the new secondary node might not withdraw the default route (learned from other BGP peers) that it advertised when it was functioning as primary. Because of this issue, the data traffic can arrive on the new secondary node as well.
  [# NSHELP-21720]

• The CLI of a Citrix ADC appliance displays unwanted debug messages when the appliance processes IPv6 fragmented packets.
  [# NSNET-12704, NSHELP-20990]

Platform

• On the Citrix ADC MPX platform, a 50G port that is a member of a link aggregation group continues to be DOWN if the following actions are performed:

  1. The 50G port is disabled.

  2. The port on the peer switch is disabled.

  3. The port on the peer switch is enabled.

  4. The 50G port is enabled.

  The 50G port does not come up even after it is enabled. As a result, traffic cannot pass through the 50G port.
  [# NSHELP-20529]

• On SDX platforms with Fortville interfaces, the 10G & 40G Fortville interfaces can run into TX stalls when Jumbo is enabled on them.
  [# NSHELP-20605]

• Tx stall might be observed on appliances contain Fortville interfaces if a packet spans more than eight descriptors. The stall might cause the interface to go into error-disabled state.
  [# NSHELP-20800]

• In a cluster setup, when the 50G port of a MPX 15000 appliance is configured as part of the backplane, the MTU of the 50G port is set to zero instead of 1578.
  [# NSHELP-21113]

• In some cases, provisioning a VPX instance on a Citrix ADC SDX appliance containing Intel Coleto chips might fail because the SSL Coleto chip initialization failed.
  [# NSHELP-22033]

• Tx stalls can occur on Citrix ADC MPX appliances that use 10G IXGBE ports and Citrix ADC SDX appliances that use 10G IXGBEVF ports.
  [# NSPLAT-13338]

• Config wipe scripts fail on some Citrix ADC platforms. With this fix, the date code of the scripts is updated to 01/14/20 and all platforms are supported.
  [# NSPLAT-13498]

Policies

• A Citrix ADC appliance might crash if there are few network buffers when rewriting chunked data.
  [# NSHELP-20847]

• A Citrix ADC appliance might crash if appQoE action fails.
  [# NSHELP-21393]

SSL

• For SNI enabled sessions, the ADC appliance can control how the host header is validated. A new parameter “SNIHTTPHostMatch” is added to SSL profile and SSL global parameters to have better control on this validation. This parameter can take three values; CERT, STRICT, and NONE. SNI must be enabled on the SSL virtual server or the profile bound to the virtual server, and the HTTP request must contain the host header.
  [# NSHELP-13370]

• If your ADC appliance is integrated with an unsupported version of Thales HSM, the appliance crashes after generating the HSM key and certificate, installing the certificate-key pair on the appliance, and binding it to the SSL virtual server. With this fix, the appliance reports an error instead of crashing.
  [# NSHELP-20352]

• A Citrix ADC VPX appliance might crash if ChaChaPoly cipher is used and the client sends a truncated record to the appliance.
  [# NSHELP-20684]

• The DTLS handshake might fail if DTLS record fragments are received out of order.
  [# NSHELP-20703]

• A Citrix ADC appliance might show spikes in memory usage if a secure HTTP monitor is configured and the response size is large.
  [# NSHELP-20712]

• There is a discrepancy in memory allocation on partitioned Citrix ADC MPX appliances containing Intel Coleto chips.
  [# NSHELP-20853]

• A Citrix ADC appliance might crash and dump core if the memory allocation for client and server process control blocks fails.
  [# NSHELP-20961]

• Policy-based client authentication with mandatory certificate verification fails if client authentication with optional client-certificate is also configured on the virtual server.
  [# NSHELP-21190]

• Information about the SSL profile bound to a load balancing monitor is lost if default SSL profile is enabled and the appliance reboots.
  [# NSHELP-21321]

• The Citrix ADC appliance might crash under heavy traffic if both syslogging and DTLS are enabled on a VPN virtual server.
  [# NSHELP-22195]

• The Citrix ADC appliance might crash while running the SSL forward action at REQUEST bind point. With this fix, you cannot bind a policy with action type FORWARD to REQUEST bind point.
  [# NSSSL-6688]

• The forward action in SSL policy did not allow virtual server of type SSL_TCP. With this fix, you can forward SSL traffic based on SSL policy to an SSL_TCP virtual server. This feature helps customers who want SSL offloading but do not want to parse application data for the forwarded connection.
  [# NSSSL-7133]

• In some cases, the following appliances might crash while running SSL traffic:

  - MPX 59xx

  - MPX/SDX 89xx

  - MPX/SDX MPX 26xxx

  - MPX/SDX 26xxx-50S

  - MPX/SDX 26xxx-100G

  - MPX/SDX 15xxx-50G
  [# NSSSL-7606]

System

• A Citrix ADC appliance might crash because of memory allocation failure in a TCP timestamp scenario. As a result, the appliance resets the client connection.
  [# NSBASE-9297]

• The show connectiontable command displays a few entries that do not satisfy the mentioned filter in the following conditions:

  - Command is run under high traffic.

  - Command is used with an IP or port filter.
  [# NSBASE-9509]

• In client IP header insertion (for example, -X-Forwarded-for) if the IP address to be inserted is not as long as the buffer, the header pads spaces at the end of the client IP address.
  [# NSHELP-10079]

• In a cluster setup, a Citrix ADC appliance might restart if logstream is enabled.
  [# NSHELP-20008]

• During a partition deployment, a partitioned appliance might crash if you run the "uiinternal" commands and then "clear config" in the default partition.
  [# NSHELP-20247]

• In rare cases, the Call Home process might crash resulting in the appliance to restart. The issue occurs if a Call Home sub process uses the same internal process id (PID) of the previous sub process.
  [# NSHELP-20334]

• A Citrix ADC appliance might crash if one SYN buffers are properly freed while the other buffer is removed and not freed in the retransmission queue.
  [# NSHELP-20424]

• A Citrix ADC appliance resets MPTCP subflows if a subflow is alive and active for more than the idle timeout period.
  [# NSHELP-20648]

• A Citrix ADC appliance resets an MPTCP subflow if it receives a plain acknowledgment before the subflow is confirmed as MTPCP.
  [# NSHELP-20649]

• Configuration loss is detected if you bind both classic policy and advanced policy to an aaa user and an aaa user group.
  [# NSHELP-20744]

• A Citrix ADC appliance that is deployed on the transit node, might restart while processing the fragmented Encapsulating Security Payload (ESP) packets.
  [# NSHELP-20925]

• A Citrix ADC appliance might crash if Appflow Client-Side Measurements is enabled when serving large HTTP responses.
  [# NSHELP-21099]

• A Citrix ADC appliance might crash if it receives an HTTP/1.1 request with an HTTP/2.0 version in it. For any client request with an HTTP/2.0 version, the appliance considers it as an HTTP/2.0 request and processes it. This leads to a crash.
  [# NSHELP-21187]

• On a Citrix ADC appliance, management connections to IPv6 Subnet IP addresses might get reset when you perform the clear config basic operation.
  [# NSHELP-21206]

• An HTTP transaction might fail if a Citrix ADC appliance sends an HTTP/2 request with multiple cookie name-value pairs to the back-end server.
  [# NSHELP-21373]

• A Citrix ADC appliance might crash if there is a memory allocation failure for HTTP/2 secure monitor.
  [# NSHELP-21400]

• A Citrix ADC appliance does not forward a response to the client if it contains both trailer and content-length headers.
  [# NSHELP-21427]

• A client connection becomes unresponsive if you enable multiplexing in an HTTP/2 profile on a Citrix ADC appliance.
  [# NSHELP-21434]

• A Citrix ADC appliance does not reset HTTP/2 streams on a client connection with an HTTP/2 RST_STREAM after an idle timeout.
  [# NSHELP-21537]

• A Citrix ADC appliance might crash during audit logging if the user authentication is prompted with an extra sign-in request such as a password change or a RADIUS challenge.
  [# NSHELP-21703]

• A TCP transaction delay is observed if a Citrix ADC appliance is unable to use the TCP connection to connect to the back-end server. In this case, the appliance opens a new connection to forward the client requests to the back-end server after some waiting period. The waiting period ranges from 400 ms to 600 ms.
  [# NSHELP-9118]

Telco Video Optimization

• A Citrix ADC appliance might crash because of memory corruption.
  [# NSVIDEOOPT-912]

URL Filtering

• URL filtering categorization fails if an incoming URL has a double slash after the domain name. The "http://" scheme is prepended. For example, www.example.com//index.html
  [# NSSWG-1082]

• Memory management error is observed on clustered and high availability configurations which stop Citrix ADC GUI HTTPS access and null appflow URL filtering records.
  [# NSSWG-1220]

Known Issues

AppFlow

• Client IP and Server IP is inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.
  [# NSBASE-8506]

• A Citrix ADC appliance might crash if a timing issue is observed when the appflow action is removed after a transaction is completed and before a connection is closed.
  [# NSBASE-9345]

Authentication, authorization, and auditing

• The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you pursue the following steps:

  - The Test LDAP Reachability option is opened.

  - Invalid login credentials are populated and submitted.

  - Valid login credentials are populated and submitted.

  Workaround: Close and open the Test LDAP Reachability option.
  [# NSAUTH-2147]

• The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
  [# NSAUTH-6106]

• A Citrix authentication, authorization, and auditing logout message occasionally display incorrect virtual server name.
  [# NSHELP-18751]

• Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
  [# NSHELP-18844]

• SSO to StoreFront using Citrix ADC fails if the following conditions are met:

  - The Citrix ADC appliance is configured for multi-factor authentication.

  - Citrix ADC session times out before examining the configured authentication factors.
  [# NSHELP-21466]

• You cannot access Citrix ADC management console via GUI when special characters are used for the "nsroot" password.
  [# NSHELP-21630]

• In some cases, a Citrix ADC appliance dumps core because SYN packets going towards TACACS server are filled with wrong partition values.
  [# NSHELP-22030]

• In some cases, the Citrix ADC appliance crashes because the core receives a packet to send to the client but the IIP information is not yet available. in NSHELP-21522 we fix in ns_iip6.c, this is add fix in ns_iip.c
  [# NSHELP-22411]

• A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
  [# NSHELP-563]

• A Citrix ADC appliance configured for Citrix ADC AAA might become unresponsive if the following conditions are met:

  • The samlAction parameter is configured.

  • The back-end server is unreachable.
  [# NSHELP-8220]

Citrix ADC GUI

• The top-level page title is missing on all security check GUI pages.
  [# NSHELP-18607]

• In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.
  [# NSUI-14752]

Citrix ADC MPX appliance

• The 25G (Fortville) interface goes to an error disabled state when it is connected to a switch that has LLDP enabled with DCBXP TLV set. The following platforms have this interface:

  - MPX 26000

  - MPX 26000-50S

  - MPX 15000-25G

  Workaround: Disable DCBXP TLV on the port.
  [# NSPLAT-8831]

Citrix ADC SDX appliance

• The NTP service of Citrix ADC SDX Management Service responds to NTP queries. However, Management Service does not have any option to configure restrictions for NTP queries.

  Workaround: Manually modify /flash/mpsconfig/ntp.conf, and then from Management Service enable NTP Synchronization again to make the change effective. However, this change is lost if the NTP server configurations are changed.
  [# NSHELP-12246]

• On Citrix ADC SDX 15XXX and SDX 26XXX platforms, you cannot provision multiple VPX instances in L2 mode.
  [# NSHELP-21367]

• The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:

  ERROR: Operation timed out

  ERROR: Communication error with the packet engine
  [# NSNET-4312]

Citrix ADC VPX appliance

• After adding the vCPU license to a VPX appliance, the VPX model ID appears incorrectly in the VPX GUI under the License and CLI in “show license” command output.
  [# NSHELP-19613]

• In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.

  Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
  [# NSPLAT-4451]

• When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.
  [# NSPLAT-4520]

Citrix Gateway

• In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
  [# CGOP-13511]

• The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual App and Desktops (formerly Citrix XenApp and XenDesktop).

  Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
  [# CGOP-13532]

• Application launch failure due to invalid STA ticket is not reported in Gateway Insight.
  [# CGOP-13621]

• In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a “Critical error” dialog box. Also, the page becomes unresponsive.
  [# CGOP-7269]

• The Citrix ADC appliance might crash when a net profile is added to a service.
  [# NSHELP-19569]

• The EPA plug-in screen becomes unresponsive on the second scan if Internet Explorer is used.
  [# NSHELP-20189]

• VPN is sometimes frozen after macOS wakes from sleep.
  [# NSHELP-20656]

• Device certificate is not supported with Citrix SSO for macOS when it is added as part of the nFactor scans.
  [# NSHELP-20722]

• If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.
  [# NSHELP-20825]

• If you have configured clientless VPN (CVPN) on Citrix Gateway, the appliance might crash because of erroneous rewrite handling.
  [# NSHELP-21244]

• Intranet IP address is used for communicating with back-end servers instead of SNIP if the ICA app or desktop is launched in a full VPN session.
  [# NSHELP-21533]

• In a Citrix Gateway with nFactor authentication, EPA as a factor might sometimes fail.
  [# NSHELP-21557]

• You might intermittently see a 403 access forbidden error for portal files.
  [# NSHELP-21620]

• When the syslog server is configured through TCP, intermittently some logs are not sent to the syslog server.
  [# NSHELP-21624]

• The Web Interface feature might not work as intended after upgrading the Citrix ADC appliance.
  [# NSHELP-21899]

• The Linux VPN client might crash if you download a large file (approximately 3 GB).
  [# NSHELP-22032]

• Sometimes, the PCoIP app or desktop might fail to launch.
  [# NSHELP-22041]

• In a full tunnel setup and classic client certificate authentication with RfWebUI, the appliance responds with a blank page or “Client not capable” error after login.
  [# NSHELP-22084]

• Sometimes, Citrix Gateway allows macOS clients to access internal resources even if the EPA scan fails on the client machine.

  This issue occurs only in n-core machines containing the following configuration:

  - A session policy is created with the "clientSecurityGroup" parameter.

  - A responder policy is created to perform some action on the users who are part of this client security group.
  [# NSHELP-22262]

• The Citrix Gateway appliance might intermittently crash if the following conditions are met.

  - If a server initiated UDP connection to an intranet IP address is assigned to a user.

  - The server does not send UDP packets for a long time after the first packet is sent.
  [# NSHELP-22583]

• An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
  [# NSHELP-7872]

• SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).

  Workaround: Use an IP address for VDA.
  [# NSHELP-8549]

• In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
  [# NSINSIGHT-2059]

• The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual App and Desktops (formerly Citrix XenApp and XenDesktop).

  Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
  [# NSINSIGHT-924]

Citrix Web App Firewall

• Citrix Web App Firewall AppFw Field Format learned Data is different from the Export Learned Data. When aslearn configured learned data is deployed and the field types reaches aslearn supported limit, the get learnt data will not able to display total learnt data.
  [# NSHELP-18077]

• A Citrix ADC appliance might crash if you enable the XML Wellformedness protection check in log mode.
  [# NSHELP-18737]

• A Citrix ADC appliance might crash if an error case was handled incorrectly for the credit card verification process.
  [# NSHELP-20562]

• NITRO does not allow SDK customers to configure WAF if the XML security check "xmlmaxnodescheck" option is enabled.
  [# NSHELP-22111]

Clustering

• In a cluster setup, a Citrix ADC appliance might crash when it receives a node-to-node steered ICMP error message from the server. The crash occurs because the received packet does not contain the interface-related information.
  [# NSHELP-18401]

• In a L3 cluster setup, the local nodegroup wrongly send the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.
  [# NSHELP-20366]

• When you add a slave interface with jumbo MTU to link aggregation channel that is used as backplane, the following warning message incorrectly appears:

  “The MTU for a backplane interface must be large enough to handle all packets. It must be equal to <MTU value>. If recommended value is not configurable, please review MTU of jumbo interfaces.”

  This is only a display issue, and there is no impact on the functionality.
  [# NSHELP-20794]

• In a cluster setup, ACL rules with VLAN settings do not take effect resulting in packets hitting other ACL rules.

  This issue occurs when you delete a virtual server on the cluster setup resulting in the cluster nodes not adding VLAN information on the steered packets.
  [# NSHELP-22103]

GSLB

• In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
  [# NSHELP-20406]

• In an admin partition setup, when you execute the "stat gslb site" command, the Metric Exchange or Network Metric Exchange state between two GSLB sites is shown as DOWN. This is only a display issue, and there is no impact on the functionality.
  [# NSHELP-21895]

HDX Insight

• HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
  [# NSINSIGHT-943]

High Availability

• In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.
  [# NSHELP-20796]

• In a high availability (HA) setup, when the secondary node restarts, the primary node might crash during connection mirroring of sessions to the secondary node.
  [# NSHELP-21715]

• In a high availability (HA) setup, secondary node might crash during the restart process. This issue occurs if several sessions (>3M) are present for connection mirroring.
  [# NSHELP-22119]

Integrated Cache

• A Citrix ADC appliance might crash if the following two conditions are true:

  - When using a selector configured with "HTTP.REQ.URL.SET_TEXT_MODE(URLENCODED).SET_TEXT_MODE(IGNORECASE).PATH" expression

  - If URL encoded request is sent.
  [# NSHELP-20875]

Licensing

• When Citrix ADC licenses hosted on Citrix ADC Citrix ADM expires, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
  [# NSPLAT-6417]

Load Balancing

• The Citrix ADC appliance sends a reset to the client intermittently because the MySQL virtual server is not able to select a backend server.
  [# NSHELP-20608]

• In a high availability setup, the primary node cannot find a relevant PORT after maximum attempts to establish connection to a specific core on a secondary node. Therefore, the secondary connection table is not fully synchronised with the primary connection table.
  [# NSHELP-21420]

• In a NITRO API, the “tickssincelaststatechange” field for a service group does not get updated properly after the state of the service group changes.
  [# NSHELP-21425]

Networking

• When the Citrix ADC appliance is cleaning up large number of server connections as part of remove command, the Pitboss process might restart. This Pitboss restart might cause the ADC appliance to crash.
  [# NSHELP-136]

• The Citrix ADC fails to install Intermediate System to Intermediate System (IS-IS) next-hop because of missing authentication (AUTH) information on the received large Link State PDUs (LSPs).
  [# NSHELP-21062]

• If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.
  [# NSHELP-21288]

• In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
  [# NSNET-5233]

Policies

• The binary (ASCII) character set now allows all string and character literals, which includes binary characters. The UTF-8 character set still requires string and character literals to be valid UTF-8. Earlier we allowed only valid UTF-8 string and character literals. This was true for both UTF-8 and binary (ASCII) character sets.
  [# NSPOLICY-2362]

SSL

• In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
  [# NSHELP-13466]

• A partitioned Citrix ADC appliance might not respond as expected if you perform the following actions:

  1) Create two OCSP responders in different partitions.

  2) Clear the config in one partition.

  3) Remove the OCSP responder in the other partition.
  [# NSHELP-20861]

• The SSL action points to the old virtual server even after the virtual server is renamed.
  [# NSHELP-21584]

• The Citrix ADC appliance might crash and dump core if OCSP stapling is configured and the appliance is low on memory.
  [# NSHELP-21661]

• The Citrix ADC appliance might crash if you use classic policies in gateway configuration.

  Workaround: Migrate to advanced policies.
  [# NSHELP-21932]

• In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
  [# NSSSL-3161, NSSSL-1258, NSSSL-1264]

• An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
  [# NSSSL-3184, NSSSL-1379, NSSSL-1394]

• In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
  [# NSSSL-3402]

• An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
  [# NSSSL-4001]

• Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
  [# NSSSL-4427]

• If you create an ECDSA key by using the GUI, the type of curve is not displayed.
  [# NSUI-6838]

SWG URL Filtering

• When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.

  As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.
  [# NSSWG-849]

Security

• ICAP support for Citrix ADC

  A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
  [# NSBASE-825]

System

• In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.
  [# CGOP-6794, NSGI-1293]

• The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
  [# NSHELP-10972]

• A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in diffnsconfig command. As a result, the diffnsconfig output is large to completely fill the root disk.
  [# NSHELP-19345]

• SYSLOG log messages get truncated after 1024 bytes.
  [# NSHELP-19484]

• In Multi-path TCP (MPTCP) the si_cur_Clients and si_cur_clnt_ConnOpenEst counters are incremented twice.
  [# NSHELP-19896]

• In certain scenarios, the user name (specified with a ‘%u’ character) in the prompt string does not display correctly.
  [# NSHELP-19991]

• High memory usage is observed if you enable HTTP/2 feature and if there is a large file download (if the file size is greater than or equal to one GB). The issue occurs with slow clients if the downloaded data buffers leading to an excessive resource utilization.
  [# NSHELP-20531]

• In MPTCP cluster deployment, the packet loop between the cluster nodes causes high bandwidth usage.
  [# NSHELP-20675]

• The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.
  [# NSHELP-21240]

• A Citrix ADC appliance might crash if:

  - An HTTP/2 client sends a connection reset in the middle of a download with cache enabled.

  - The back-end server closes the connection with FIN termination.
  [# NSHELP-21605]

• In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has "stayprimary" or “staysecondary” option set.
  [# NSNET-1646]

• The Citrix ADC appliance may display messages that are a result of file system compatibility checks that are performed when booting up. These messages are informational only, and do not have any adverse impact on the functioning of the Citrix ADC.
  [# NSPLAT-4384, NSPLAT-3243, NSPLAT-3417]

• Connections might hang if the size of processing data is more than the configured default TCP buffer size.

  Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
  [# NSPOLICY-1267]

Telco Video Optimization

• A Citrix ADC appliance might crash because of a corrupted hash entry in the memory.
  [# NSHELP-22066]

Release history