Release Notes for Citrix ADC 12.1-58.15 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the Citrix ADC release Build 12.1-58.15.

Notes

  • This release notes document does not include security-related fixes. For a list of security-related fixes and advisories, see the Citrix security bulletin.
  • Build 12.1-58.15 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX281474.
  • Additional fix in this build: NSNET-18028

What's New

The enhancements and changes that are available in Build 12.1-58.15.

Citrix ADC SDX Appliance

  • Auto-upgrade of the built-in agent without initialization
    From Citrix ADC release 12.1 build 58.xx, Citrix ADC SDX appliance has built-in agents with ADM Service Connect functionality. The Citrix ADM built-in agent available on the ADC SDX appliance starts like an active daemon and communicates with ADM service. After communication with ADM service is established, the built-in agent auto-upgrades itself to the latest software version regularly.
    [ NSSVM-3852 ]
  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service
    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC SDX appliances onto Citrix ADM service. This feature lets the ADC SDX appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you can get insights and recommendations for your Citrix ADC infrastructure, on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade Citrix ADC SDX appliance.

    For more information, see the following topics:

    - Citrix ADM service: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/citrix-application-delivery-management-service.html
    - Data governance: https://docs.citrix.com/en-us/sdx/12-1/data-governance.html
    - Citrix ADM service connect: https://docs.citrix.com/en-us/sdx/12-1/adm-service-connect.html

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances; however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.
    [ NSSVM-3470 ]

Load Balancing

  • GSLB configuration sync on slave sites is not triggered when there is an MEP UP event for a site
    In a GSLB setup, configuration synchronization is no longer dependent on the MEP state. The configuration change is synced as long as there is connectivity to the remote sites irrespective of the MEP state.
    [ NSLB-4493 ]

User Interface

  • Citrix ADM service connect feature to enable auto-onboarding to Citrix ADM service
    The Citrix Application Delivery Management (ADM) service connect feature enables seamless onboarding of Citrix ADC MPX, SDX, and VPX instances, and Citrix Gateway appliances onto Citrix ADM service. This feature lets the ADC instance or Gateway appliance automatically connect with ADM service and send system, usage, and telemetry data to ADM service. Using this data, you get insights and recommendations for your Citrix ADC infrastructure on Citrix ADM service.

    By default, the Citrix ADM service connect feature is enabled when you install or upgrade Citrix ADC MPX, SDX, and VPX instances or Citrix Gateway appliance.

    For more information, see the following topics:
    - Citrix ADM service: https://docs.citrix.com/en-us/citrix-application-delivery-management-service/citrix-application-delivery-management-service.html
    - Data governance: https://docs.citrix.com/en-us/citrix-adc/12-1/data-governance.html
    - Citrix ADM service connect: https://docs.citrix.com/en-us/citrix-adc/12-1/adm-service-connect.html

    Note: The ADM service connect feature is now available on Citrix ADC instances and Citrix Gateway appliances; however, the corresponding functionality on Citrix ADM service is not yet available. Citrix will update this note when the corresponding functionality becomes available in ADM service so that you can leverage the complete benefit of this feature.
    [ NSCONFIG-3793 ]
  • Auto-upgrade of built-in agents without initialization
    From Citrix ADC release 12.1 build 57.xx and higher, the Citrix ADM built-in agent available on Citrix ADC instances communicates with ADM service without initialization on the respective ADC instance. After communication with ADM service is established, the built-in agent auto-upgrades to the latest software version regularly.

    Previously, you had to initialize the built-in agent on Citrix ADC instances, using “mastools” commands, to establish communication with ADM service, and for regular auto-upgrades.
    [ NSCONFIG-2875 ]

Fixed Issues

The issues that are addressed in Build 12.1-58.15.

Authentication, authorization, and auditing

  • If a Citrix ADC appliance is configured for the OTP login and the OTP field is left blank, the authentication fails. In such a scenario, the appliance logs the user password in ns.log leading to a security concern.
    [ NSHELP-24027 ]
  • A Citrix ADC appliance configured as an Identity Provider (IdP) for Citrix Workspace might crash when users are part of a large number of active directory groups.
    [ NSHELP-23899 ]
  • In rare cases, a Citrix ADC appliance crashes upon handling an authentication request if a DUP-FREE (trying to free an already free resource) scenario arises.
    [ NSHELP-23565 ]
  • VPN session policies bound to an Authentication, authorization, and auditing user or group are not applied if the Citrix ADC appliance is accessed by a VPN client using the webview nFactor authentication method.
    [ NSHELP-23526 ]
  • The Citrix ADC GUI under "System Global Authentication Policy Binding" page has the following errors:
    - Goto Expression field incorrectly displays "END" instead of "NEXT".
    - The bound next factor policy is not reflected under the "Next Factor" field.
    [ NSHELP-23474 ]
  • If a Citrix ADC appliance is configured for nFactor with no groups available in the last factor, then the groups pertaining to the previous factor are not incorporated to the final Authentication, authorization, and auditing session. This affects the group-based policies and the corresponding functionalities.
    [ NSHELP-23135 ]
  • In certain scenarios, authentication fails for custom login schemas.
    [ NSHELP-22929 ]
  • The _AltEmailRegister.xml_ login schema used for alternate email ID registration does not work as intended.
    [ NSHELP-22912 ]
  • In a cluster setup, if the "set authentication radiusAction" command is run, the Citrix ADC appliance specifies the network access server (NAS) IP address as 0.0.0.0 in access-requests sent to the RADIUS server.
    [ NSHELP-22580 ]
  • In rare cases, a Citrix ADC appliance dumps core when classic pre-authentication EPA policies are used in combination with nFactor advanced authentication policies.

    Citrix recommends migrating EPA as a factor in the nFactor authentication flow.
    [ NSHELP-22553 ]
  • In some cases, a Citrix ADC appliance crashes because of the memory corruption caused by a buffer overwrite for the list of OTP devices.
    [ NSHELP-22478 ]
  • In rare cases, a virtual server configured with front-end NTLM authentication causes the Citrix ADC appliance to dump core.
    [ NSHELP-22372 ]
  • Sometimes, the form-based SSO authentication fails for the first time if a Set-Cookie is contained in the HTTP response header of the HTML form.
    [ NSHELP-21740 ]
  • You cannot access Citrix ADC management console via GUI when special characters are used for the "nsroot" password.
    [ NSHELP-21630 ]
  • A Citrix ADC appliance might crash when policy infrastructure (PI) assignment action is used in an authentication policy.
    [ NSAUTH-5913 ]

Citrix ADC SDX Appliance

  • You cannot include a hash (%23) in community strings for SNMP managers and trap destinations configured on a Citrix ADC SDX appliance.
    [ NSHELP-23989 ]
  • If you take a backup of one SDX appliance, restoring the instances on another SDX appliance fails. 
    [ NSHELP-23947 ]
  • On a Citrix ADC SDX 8900 appliance, the number of instances available for provisioning is reduced after you upgrade the appliance.
    [ NSHELP-23808 ]
  • If a VPX instance was provisioned on an old 11.1 build, update operations on the VPX instance using the SDX CLI fail if the following conditions are met:
    - The "Shell/SFTP/SCP Access" option was selected.
    - The "Add Instance Administration" option was not selected.
    These options were available under "Instance Administration."
    [ NSHELP-23683 ]
  • The SDX GUI might not be accessible after you upgrade a Citrix ADC SDX appliance to release 12.1 build 56.x.
    [ NSHELP-23637 ]
  • In some cases, the licenses are not read correctly by the Management Service after you restart a Citrix ADC SDX appliance.
    [ NSHELP-23619 ]
  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 57.x might fail because a process in the Management Service is unresponsive.
    [ NSHELP-23612 ]
  • A VPX instance hosted on a Citrix ADC SDX 15000-50G or SDX 26000 appliance is unreachable from the Management Service after you change some properties, such as description and host name.
    [ NSHELP-23491 ]
  • If the IP address of a Citrix ADC SDX appliance that is configured using pooled licensing is changed in SDX, the Citrix ADM managing the SDX appliance continues to show the old SDX IP address.
    [ NSHELP-23490 ]
  • You will receive email notifications for a few categories in the following scenarios:
    - Event configuration is suppressed on the Citrix ADC SDX appliance.
    - Event configuration is updated on the Citrix ADC SDX appliance.
    [ NSHELP-22701 ]
  • Upgrading a Citrix ADC SDX appliance to release 12.1 build 56.x might time out due to latency in interprocess communication.
    [ NSHELP-22644 ]
  • On the Citrix ADC SDX appliance, a user with read-only permissions can transfer files to Management Service using a file transfer utility, such as SCP or SFTP.
    [ NSHELP-22638 ]
  • The NTP service of Citrix ADC SDX Management Service responds to NTP queries. However, Management Service does not have any option to configure restrictions for NTP queries.
    [ NSHELP-12246 ]

Citrix Gateway

  • The Citrix Gateway appliance might crash when adding a cookie_watch JavaScript while serving clientless VPN traffic.
    [ NSHELP-24096 ]
  • In rare cases, a Citrix Gateway appliance might crash while handling transfer logon or logout requests.
    [ NSHELP-23863 ]
  • SAP CFolders do not work as intended when accessed over advanced clientless VPN.
    [ NSHELP-23561 ]
  • If you use a French keyboard on a VPN plug-in, characters entered using CTRL+ALT do not work.
    [ NSHELP-23556 ]
  • If you have configured nFactor authentication with advanced policies and if the Gateway Insight feature is enabled, the following details are not reported to the Citrix Application Delivery Management system.
    * Device type
    * Browser type
    * Operating system
    * Device details
    [ NSHELP-23549 ]
  • In the Citrix Gateway Always On service mode, when the machine is rebooted, the tunnel is not established if an Intranet IP address is configured.
    [ NSHELP-23304 ]
  • Users cannot access resources over the VPN when the machines resume from sleep or hibernate state.
    [ NSHELP-23024 ]
  • When you reboot or power up a client Windows 10 machine, the Always On VPN plug-in 13.0 falls back to classic authentication even if nFactor authentication is configured.
    [ NSHELP-22795 ]
  • The logon screen for Windows might display incorrect fields if you configure a proxy on a client machine and if the proxy is not applicable to the VPN FQDN.
    [ NSHELP-22618 ]
  • In a multicore processor setup, the Citrix Gateway appliance crashes if the following two conditions are met:
    * Gateway Insight feature is enabled.
    * A request is received on a non-owner core.
    [ NSHELP-22524 ]
  • The Citrix Gateway appliance might crash while launching an app if the VDA FQDN resolution fails. 
    [ NSHELP-22454 ]
  • In a Citrix Gateway setup with AlwaysOn feature enabled, AlwaysOn cannot establish a seamless VPN connection after a client is restarted.
    [ NSHELP-22420 ]
  • The Citrix Gateway appliance crashes if the ICA file length is greater than 2,048 characters and if Gateway Insight is enabled.
    [ NSHELP-22387 ]
  • The Citrix Gateway appliance might crash intermittently if a syslog policy is configured.
    [ NSHELP-22304 ]
  • In the Citrix ADC appliance GUI, you cannot unbind an authorization policy binding from an Authentication, authorization, and auditing group.
    [ NSHELP-22167 ]
  • The Web Interface feature might not work as intended after upgrading the Citrix ADC appliance.
    [ NSHELP-21899 ]
  • When the syslog server is configured through TCP, intermittently some logs are not sent to the syslog server.
    [ NSHELP-21624 ]
  • If you have configured clientless VPN (CVPN) on Citrix Gateway, the appliance might crash because of erroneous rewrite handling.
    [ NSHELP-21244 ]

Citrix Web App Firewall

  • POST requests with content-type "application/octet-stream" are not processed if Streaming is enabled without a signature set.
    [ NSHELP-22668 ]
  • A Citrix ADC appliance might strip off the response body if the response body signature rules are enabled.
    [ NSHELP-20872 ]
  • In a high availability setup, the Web App Firewall session in the secondary node is a stale session.
    [ NSHELP-20288 ]

Load Balancing

  • After upgrading a Citrix ADC appliance, the GSLB config sync might fail if the "/var/tmp/gslbsync" directory does not exist on the appliance.
    [ NSHELP-22796 ]
  • If some commands fail to run but a name server is configured successfully, the state of the name server stays DOWN.
    [ NSHELP-22750 ]
  • The Citrix ADC appliance might rarely crash when an integer value is truncated after a series of operations related to Stream Identifier.
    [ NSHELP-22489 ]
  • The Citrix ADC appliance might run out of memory when a client sends packets at regular intervals but the first packet is blocked in the appliance. As a result, packets are queued up and the appliance runs out of memory to store the packets.
    [ NSHELP-20871 ]

Miscellaneous

  • Some commands present in the rc.netscaler file are not applied correctly after a Citrix ADC appliance is restarted. As a result, the appliance might not work as intended.
    [ NSHELP-22507 ]

Networking

  • After an upgrade to Citrix ADC 12.1 build 58.x, any one command propagation failure from the CCO node might lead to complete propagation failure. As a result, further commands from the CCO node to non-CCO nodes might fail.
    [ NSNET-18028 ]
  • Deny ACL6 rules might drop IPv6 traffic for an established session.
    [ NSNET-11409 ]
  • When the L2 mode is enabled, the Citrix ADC appliance forwards the DHCP broadcast packets received in the default partition.
    [ NSHELP-23957 ]
  • In a high availability setup in INC mode, BFD sessions are lost after a failover.
    [ NSHELP-23648 ]
  • A packet with an invalid virtual MAC address as the destination address is wrongly classified as a packet having the Citrix ADC owned MAC address.
    [ NSHELP-22697 ]
  • In a cluster setup with retainConnectionsOnCluster option enabled, a cluster node might crash when it receives fragmented packets followed by non-fragmented packets.
    [ NSHELP-21674 ]
  • The Citrix ADC appliance fails to install the Intermediate System to Intermediate System (IS-IS) next hop because of missing authentication (AUTH) information on the received large Link State PDUs (LSPs).
    [ NSHELP-21062 ]
  • In a cluster setup, the following behavior is observed when an ADNS service is bound to a node group:
    * RHI processing is not properly updated.
    * The IP address is not advertised.
    [ NSHELP-18567 ]

Platform

  • On the Citrix ADC SDX 26000-100G platform, the interface might not come up after you restart the appliance.
    [ NSPLAT-11985 ]
  • Upgrading a Citrix ADC SDX appliance to software version 12.1 might fail if the Citrix Hypervisor version is 6.1.
    [ NSHELP-24036 ]
  • In some cases, the network interfaces might not show up if a Citrix ADC SDX appliance crashes and restarts.
    [ NSHELP-23756 ]
  • In some cases on a Citrix ADC SDX appliance, configuring some virtual instances with 50G and 100G Mellanox interfaces exhausts the memory.
    [ NSHELP-23394 ]
  • On the Citrix ADC SDX 15000-50G platform, some files from the NIC dump might not be cleared from the /tmp directory when the Citrix Hypervisor support bundle is collected multiple times. These files might disrupt a successful reboot of the appliance.
    [ NSHELP-22903 ]

SSL

  • When a Citrix ADC appliance is configured to use SSL session tickets and client authentication is enabled, the appliance might crash when the clients send a large client certificate. For example, an RSA certificate containing a 4096-bit key.
    [ NSHELP-21662 ]
  • OCSP signature verification fails when an empty extension is received in the "SingleResponse" field of the OCSP response.
    [ NSHELP-20997 ]

System

  • A Citrix ADC appliance might crash when detecting duplicate TCP retransmissions. The appliance crashes because of the divide-by-zero operation in the TCP congestion control algorithm.
    [ NSHELP-22693 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:
    - Flash Cache is enabled.
    - The client connection is reset.
    - A client request is in the queue to be serviced as part of the caching process.
    [ NSHELP-21872 ]
  • In a clustered setup, a Citrix ADC appliance might crash if the following conditions are observed:
    - The connection is steered from the Flow Processor to the Flow Receiver.
    - TCP out-of-order packets are processed in the Time-Wait state.
    [ NSHELP-21792 ]
  • For synflood trap generation, if you do not reset the varbinding values, the appliance uses the old trap varbinding values instead of the current and threshold values.
    [ NSHELP-20653 ]
  • In Multi-path TCP (MPTCP), the si_cur_Clients and si_cur_clnt_ConnOpenEst counters are incremented twice.
    [ NSHELP-19896 ]

User Interface

  • A FIPS key created on a primary node is not synced to the secondary node using the Enable SIM option in the Citrix ADC GUI.
    [ NSUI-16016 ]
  • A Citrix ADC appliance might crash when an internal process restarts for a maximum number of times.
    [ NSHELP-23378 ]
  • When you configure cookie consistency security settings in a Web App Firewall profile through Citrix ADC GUI, the following issues are observed:
    - GUI error is observed in the browser debugging console.
    - Selected settings do not get saved. 
    [ NSHELP-23201 ]
  • Earlier, the Actions field listed both the Assignments and Rewrite Actions together, but the Add/Edit functionality was intended only for Rewrite Actions, not for Assignments. Now, the Add/Edit options are removed, and "Configure Assignments" and "Configure Rewrite Actions" are provided as hyperlinks to configure them independently.
    [ NSHELP-23095 ]
  • Only the last three digits of the year are displayed in "Up since (Local)" line of the "stat system" command.
    [ NSHELP-22960 ]
  • The Saved v/s Running config utility might display differences for the 'bind serviceGroup' command even after saving the configuration.
    [ NSHELP-22459 ]
  • Adding a service group member directly is successful. However, the operation fails if you perform the following steps:

    1. Navigate to Traffic Management > Load Balancing > Service Groups.

    2. Select a service group and click Service Group Members.

    3. Right click one of the entries and select Add.

    4. In the Create Service Group Member, change the IP address and click Create.
    [ NSHELP-21925 ]
  • In a high availability setup, a synchronization issue might replace the secondary node's license file with the primary node's license file.

    The presence of the primary node’s license file causes a host ID mismatch for this file on the secondary node. Because of this host ID mismatch, all the Citrix ADC features are disabled when the secondary node takes over as primary after a failover.
    [ NSHELP-21871 ]
  • A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in the diffnsconfig command. As a result, the diffnsconfig output grows large enough to completely fill the root disk.
    [ NSHELP-19345 ]
  • NITRO API (routerdynamicrouting) for fetching the ZebOS running configuration does not fetch the complete output for large configurations (more than 25 lines).
    [ NSCONFIG-3535 ]

Known Issues

The issues that exist in release 12.1-58.15.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
    [ NSHELP-18844 ]
  • A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.
    [ NSHELP-18751 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
    [ NSHELP-563 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
    [ NSAUTH-6106 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:
    - The Test LDAP Reachability option is opened.
    - Invalid login credentials are populated and submitted.
    - Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.
    [ NSAUTH-2147 ]

Caching

  • A Citrix ADC appliance might randomly crash if the following conditions are observed:
    * Integrated caching feature is enabled.
    * 100 GB or more memory is allocated for integrated caching.

    Workaround: Allocate less than 100 GB of memory. 
    [ NSHELP-20854 ]

Citrix ADC SDX Appliance

  • On the Citrix ADC SDX 8900, SDX 15000, and SDX 15000-50G platforms, a high CPU usage can be noticed on ADC instances after upgrading the SDX appliance from release 11.1 to release 12.1, or from release 11.1 to release 13.0.
    [ NSHELP-24031 ]
  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:
    - Throughput allocation mode is burst.
    - There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]

Citrix Gateway

  • You cannot use Scandinavian letters in the EULA after upgrading the Citrix ADC appliance from release 11.1 to 12.1.
    [ NSHELP-24394 ]
  • The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.
    [ NSHELP-23882 ]
  • The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.
    [ NSHELP-23410 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.
    [ NSHELP-22349 ]
  • The Linux VPN client might crash if you download a large file (approximately 3 GB).
    [ NSHELP-22032 ]
  • If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.
    [ NSHELP-20825 ]
  • Device certificate is not supported with Citrix SSO for macOS when it is added as part of the nFactor scans.
    [ NSHELP-20722 ]
  • The EPA plug-in screen becomes unresponsive on the second scan if Internet Explorer is used.
    [ NSHELP-20189 ]
  • SYSLOG log messages get truncated after 1024 bytes.
    [ NSHELP-19484 ]
  • You can now configure the RfWebUI parameters such as loginFormTimeout and Session timeout by editing the plugins.xml.
    [ NSHELP-19221 ]
  • SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
    Workaround: Use an IP address for VDA.
    [ NSHELP-8549 ]
  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
    [ NSHELP-7872 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.
    [ CGOP-13621 ]
  • The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual App and Desktops (formerly Citrix XenApp and XenDesktop).
    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
    [ CGOP-13532 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
    [ CGOP-7269 ]
  • In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.
    [ CGOP-6794 ]

Citrix Web App Firewall

  • When aslearn configured learned data is deployed and if the field types reach a threshold, the total learned data is not displayed correctly. As a result, the Field Format learned data is not the same as the exported learned data.
    [ NSHELP-18077 ]

Clustering

  • In an L3 cluster setup, the local nodegroup wrongly sends the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.
    [ NSHELP-20366 ]

Load Balancing

  • When you upgrade the Citrix ADC appliance to release 12.0 build 63.13, you might see some duplicate configuration entries for load balancing persistence groups. For example, the "show running config" command might display the "add lb group" command multiple times. This is only a display issue and does not impact the functionality. However, the "show running config" command might take slightly more time to execute than usual.
    [ NSHELP-23050 ]
  • For DNS UDP requests the subscriber session is created based on the destination IP address instead of the source IP address, if both a subscriber expression and a DNS expression are used in the same policy.
    [ NSHELP-22521 ]
  • The packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK before receiving the complete header.
    [ NSHELP-22099 ]
  • In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.
    [ NSHELP-21425 ]
  • The Citrix ADC appliance sends a reset to the client intermittently because the MySQL virtual server is not able to select a backend server.
    [ NSHELP-20608 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20406 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.
    [ NSSWG-849 ]
  • The Citrix ADC appliance might take more time to process and respond to the NITRO API calls in the background for GUI access. Because of this issue, you might observe latency issues in accessing the GUI.
    [ NSHELP-24065 ]
  • A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URLFiltering third-party vendor.
    [ NSHELP-22409 ]
  • In a cluster setup, the “set ratecontrol” command works only after restarting the Citrix ADC appliance.

    Workaround: Use the “nsapimgr_wr.sh -ys icmp_rate_threshold=<new value>” command.
    [ NSHELP-21811 ]

Networking

  • A partitioned Citrix ADC appliance might crash if you enable Video Optimization on a partition and later remove the partition on the appliance.
    [ NSNET-10199 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
    [ NSNET-5233 ]
  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSNET-4312 ]
  • In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has the "stayprimary" or "staysecondary" option set.
    [ NSNET-1646 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
    [ NSHELP-24034 ]
  • IPv6 policy based routes (PBR6) on a Citrix ADC appliance might not work as expected.
    [ NSHELP-23161 ]
  • A Citrix ADC appliance might crash during deployment if the following conditions are observed:
    - Multipath TCP (MPTCP) is enabled with MBF and PMTUD
    - MPTCP traffic is received and the response causes ICMP Fragmentation Needed error.
    [ NSHELP-22418 ]
  • In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.
    [ NSHELP-20796 ]
  • When you add a slave interface with jumbo MTU to a link aggregation channel that is used as the backplane, the following warning message incorrectly appears:

    "The MTU for a backplane interface must be large enough to handle all packets. It must be equal to the (MTU value). If recommended value is not configurable, please review MTU of jumbo interfaces."

    This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20794 ]
  • The output of a show channel link redundant interface set might incorrectly display the state of the member interface as inactive.
    [ NSHELP-16195 ]

Platform

  • When NetScaler licenses hosted on NetScaler MAS expire, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
    [ NSPLAT-6417 ]
  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the "rm cloudprofile" command to delete the profile.
    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
    [ NSPLAT-4451 ]

Policies

  • Connections might hang if the size of the data being processed is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.
    [ NSPOLICY-1267 ]
  • A Citrix ADC appliance might crash if you configure the MATCHES_LOCATION() function in a policy expression and you start nstrace using a filter expression.
    [ NSHELP-22687 ]

SSL

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • In a cluster setup, the SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
    [ NSSSL-3402 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
    [ NSSSL-3184 ]
  • In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
    [ NSSSL-3161 ]
  • A Citrix ADC MPX/SDX 11542, MPX/SDX 14000, MPX 22000/24000/25000, or MPX/SDX 14000 FIPS appliance might crash if the following conditions are met:
    - ECDHE/ECDSA hybrid model is enabled.
    - DTLS traffic is received when the CPU utilization is already high.
    [ NSHELP-24405 ]
  • The Citrix ADC appliance crashes if NULL or RC2 ciphers are used by the SSL backend service on the following platforms:
    * MPX 5900
    * MPX 8900
    * MPX 15000
    * MPX 15000-50G
    * MPX 26000
    * MPX 26000-50S
    * MPX 26000-100G
    [ NSHELP-24308 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.
    [ NSHELP-24201 ]
  • In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.
    [ NSHELP-23963 ]
  • A Citrix ADC appliance might crash if the following conditions are met:
    - A certificate-key pair is added with the expiry monitor option enabled.
    - The certificate date is earlier than 01/01/1970.
    [ NSHELP-22934 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]

System

  • If a service, representing an inline device, is down when traffic is being inspected, a resource is not freed properly. The Citrix ADC appliance crashes when this freed resource is accessed again.
    [ NSHELP-23145 ]
  • For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, a dot is appended to the end of the output, whereas for snmpwalk on NSIP, no dot is appended.
    [ NSHELP-22684 ]
  • When the Intrusion Prevention System (IPS) is processing data before the cache module, the "PayloadInfo" variable is not cleared properly. When the cache module later accesses the variable, the Citrix ADC appliance crashes.
    [ NSHELP-21907 ]
  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.
    [ NSHELP-21240 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:
    - HTTP/2 is enabled in the HTTP profile bound to a load balancing virtual server of type HTTP/SSL or to a service.
    - The connection multiplexing option is disabled in the HTTP profile bound to the load balancing virtual server or service.
    [ NSHELP-21202 ]
  • When a Citrix ADC appliance sends a "tcpSynFloodAttack" SNMP trap, the "unackSynCount" log message has string characters instead of integer values.
    [ NSHELP-20401 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
    [ NSHELP-10972 ]
  • The client IP and server IP are inverted in the HDX Insight SkipFlow record when the LogStream transport type is configured for Insight.
    [ NSBASE-8506 ]
  • ICAP support for Citrix ADC
    A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

    For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
    [ NSBASE-825 ]

User Interface

  • In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.
    [ NSUI-14752 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.
    [ NSUI-6838 ]
  • The top-level page title is missing on all security check GUI pages.
    [ NSHELP-18607 ]
  • In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added to the CCO node but fails on the non-CCO nodes with no error message.
    [ NSHELP-12037 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:
       * 13.0 52.24 build
       * 12.1 57.18 build
       * 11.1 65.10 build
    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:
    * If the Citrix ADC appliance is not yet downgraded (step 3 in the steps above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    * Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for other system users.
    * If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
    [ NSCONFIG-3188 ]