Release Notes for Citrix ADC 12.1-60.16 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 12.1-60.16.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.

What's New

The enhancements and changes that are available in Build 12.1-60.16.

Citrix ADC SDX Appliance

  • Users cannot configure a tagged VLAN on the 50G and 100G interfaces of an ADC instance without explicitly specifying the allowed VLAN list on the interface from the Management Service. The issue is seen if the ADC instance is provisioned on one of the following Citrix ADC SDX platforms:
    - SDX 15000-50G
    - SDX 26000
    - SDX 26000-50S
    - SDX 26000-100G
    [ NSSVM-3697 ]
  • After deleting an interface or a channel from an ADC instance, the instance might be unreachable from the Management Service. With this change, if your Citrix ADC SDX appliance is running release 13.0 build 71.x and later or release 12.1 build 60.x and later, you cannot delete the interface or channel on an ADC instance from the Management Service.
    [ NSSVM-3442 ]

User Interface

  • Next/Previous navigation option for Web App Firewall Profile GUI page
    In Citrix ADC GUI, the Web App Firewall Profiles page now displays the Next/Previous navigation option to view more than 25 profiles in the list pane.

    Navigation: Security->Citrix Web App Firewall->Profiles
    [ NSUI-16487 ]

Fixed Issues

The issues that are addressed in Build 12.1-60.16.

Authentication, authorization, and auditing

  • Sometimes, a Citrix ADC appliance might become unresponsive when a user authentication times out at the client side during a multi-factor (nFactor) authentication.
    [ NSHELP-25251 ]
  • In some cases, a Citrix ADC appliance might crash if the client closes the TCP connection before finishing the Email OTP authentication.
    [ NSHELP-25154 ]
  • In some cases, a Citrix ADC appliance crashes during the Citrix ADC Authentication, authorization, and auditing session removal on the secondary node.
    [ NSHELP-25075 ]
  • When a Citrix ADC appliance is configured for nFactor, RADIUS authentication failures are reported as LDAP authentication failures in the Citrix ADM appliance.
    [ NSHELP-24597 ]
  • In some cases, the Email OTP validation fails when the OTP request is sent by a core and the validation request is received by another core.
    [ NSHELP-24442 ]
  • LDAP authentication fails in a Citrix ADC appliance when a user's group length exceeds the defined limit.
    [ NSHELP-24373 ]
  • The login to a Citrix ADC appliance fails if the following conditions are met.
    * The appliance is configured for nFactor.
    * The login schema policy is bound to an authentication virtual server and authentication schema is set to "noschema".
    [ NSHELP-24259 ]
  • In some cases, a Citrix ADC appliance becomes unresponsive while it is doing some background tasks related to user authentication.
    [ NSHELP-23883 ]
  • In some cases, a Citrix ADC appliance becomes unresponsive when single sign-on is attempted.
    [ NSHELP-23632 ]
  • When trying to log on to the Citrix Gateway appliance, a user does not see a response if the logon attempt fails.
    [ NSHELP-23155 ]
  • Single Sign-On (SSO) with the following authentication methods does not work if the SSO configuration in Citrix ADC and Citrix Gateway is enabled only at global level and not at per traffic level.

    - CitrixAGBasic authentication
    - Kerberos authentication
    - OAuth bearer authentication
    [ NSAUTH-9166 ]
  • During IdP session creation on an authentication virtual server, any configuration made to the login schema profile associated with the first factor of authentication is not honored. If the login schema profile is configured to use the first factor credentials for the SSO functionality, the configuration is not honored.
    [ NSAUTH-8712 ]
  • In some cases, the Citrix ADC appliance crashes if any expired Authentication, authorization, and auditing session exists during the configuration clean-up.
    [ NSAUTH-7767 ]

Citrix ADC SDX Appliance

  • The Citrix ADC SDX appliance upgrade fails if the Citrix Hypervisor consumes more than 90% of the disk space.
    [ NSHELP-24873 ]
  • On the Citrix ADC SDX 8900, SDX 15000, and SDX 15000-50G platforms, a high CPU usage can be noticed on ADC instances after upgrading the SDX appliance from release 11.1 to release 12.1, or from release 11.1 to release 13.0.
    [ NSHELP-24031 ]

Citrix Gateway

  • In rare cases, the Citrix Gateway appliance might crash during session synchronization with the secondary appliance or during Intranet IP assignment.
    [ NSHELP-25221 ]
  • If ICA smart policy is enabled and there is some residual AppFlow configuration, you might observe a high latency connection.
    [ NSHELP-24908 ]
  • The Citrix ADC appliance might crash when UDP audio is enabled and the internal malloc system call returns an error.
    [ NSHELP-24890 ]
  • EPA plug-in for Windows does not use the local machine's configured proxy and connects directly to the gateway server.
    [ NSHELP-24848 ]
  • In rare cases, a Citrix Gateway appliance crashes when the syslog transport type is modified due to a memory corruption.
    [ NSHELP-24794 ]
  • The Citrix ADC appliance might crash when configured for clientless VPN.
    [ NSHELP-24430 ]
  • In a rare case, the Citrix ADC appliance crashes during transfer login when the old session has expired.
    [ NSHELP-24286 ]
  • The Citrix Gateway appliance might reboot if the RDP server profile bound to the VPN virtual server does not have the RDP IP address configured and the same port is used by the RDP server profile and the VPN virtual server.
    [ NSHELP-24199 ]
  • In rare cases, the Citrix Gateway appliance might crash if intranet IP (IIP) address is enabled and there are server-initiated connections to the IIP address.
    [ NSHELP-23819 ]
  • The Windows plug-in displays the “Gateway not reachable” message if the client machine has multiple instances of the Hyper-V and WiFi direct access virtual adapters.
    [ NSHELP-23794 ]
  • Packet drops are observed when a UDP application server sends packets that are larger than MTU and if the packets are fragmented. 
    [ NSHELP-23770 ]
  • The Citrix ADC appliance might crash during an Authentication, authorization, and auditing session logout if the user logs in from Citrix Workspace.
    [ NSHELP-23623 ]
  • Support for CredSSP protocol version 2 is removed. Only CredSSP protocol versions 5 and 6 are supported on the Windows operating systems.
    [ CGOP-14308 ]

Citrix Web App Firewall

  • File Descriptor leak in aslearn when displaying some XML learn data.
    [ NSWAF-6648 ]
  • Support for "cs7" in CEF log messages
    The Citrix Web App Firewall Common Event Format (CEF) log messages now include one more parameter, "cs7" for audit log expression name. 
    [ NSWAF-6593 ]
  • A Citrix ADC appliance removes the status code from the response if the following issues are observed:
    * The reason phrase is missing and
    * The status code is not followed by a space. 
    [ NSHELP-24489 ]
  • Soap envelope validation might fail for XML data.
    [ NSHELP-24412 ]

Load Balancing

  • When you upgrade the Citrix ADC appliance to release 12.0 build 63.13, you might see some duplicate configuration entries for load balancing persistence groups. For example, the "show running config" command might display the "add lb group" command multiple times. This is only a display issue and does not impact the functionality. However, the "show running config" command might take slightly more time to execute than usual.
    [ NSHELP-23050 ]
  • For DNS UDP requests the subscriber session is created based on the destination IP address instead of the source IP address, if both a subscriber expression and a DNS expression are used in the same policy.
    [ NSHELP-22521 ]
  • In a cluster setup, when you execute the "unset lb vserver test -redirectFromPort" command, the HTTP redirect port for load balancing virtual server does not get cleared from the database.
    [ NSHELP-20518 ]

Networking

  • The output of a show channel link redundant interface set might incorrectly display the state of the member interface as inactive.
    [ NSHELP-16195 ]

Platform

  • A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.
    [ NSPLAT-16852 ]
  • NITRO API request or GUI access to a Citrix ADC appliance fails if the appliance remains idle from management activity over HTTP(S) for more than six days.

    - add serviceGroup mgmt_http_svc HTTP -maxClient 0 -maxReq 0 -cip DISABLED -usip NO -useproxyport YES -cltTimeout 180 -svrTimeout 360 -CKA NO -TCPB NO -CMP YES
    - bind serviceGroup mgmt_http_svc 127.0.0.1 80
    [ NSHELP-22849 ]
  • You need to reboot a Citrix ADC SDX appliance to reset and initialize an SSL card when the card returns an error. With this fix, reboot is not required.
    [ NSHELP-22725 ]

Policies

  • The target field in the responder action of "NOOP" action type is not saved in the configuration file (ns.conf). As a result, when you restart your appliance, there is a configuration loss.
    [ NSHELP-23772 ]
  • An error message "Directory does not exist" appears on the HTML Page Import Object GUI page after you upgrade the Citrix ADC appliance release 11.1 build 63.15.
    [ NSHELP-22826 ]

SSL

  • A Citrix ADC MPX/SDX 11542, MPX/SDX 14000, MPX 22000/24000/25000, or MPX/SDX 14000 FIPS appliance might crash if the following conditions are met:
    - ECDHE/ECDSA hybrid model is enabled.
    - DTLS traffic is received when the CPU utilization is already high.
    [ NSHELP-24405 ]
  • The Citrix ADC appliance crashes if NULL or RC2 ciphers are used by the SSL backend service on the following platforms:
    * MPX 5900
    * MPX 8900
    * MPX 15000
    * MPX 15000-50G
    * MPX 26000
    * MPX 26000-50S
    * MPX 26000-100G
    [ NSHELP-24308 ]

System

  • A Citrix ADC appliance might crash because of memory corruption when the HTTP/2 feature is enabled.
    [ NSHELP-25005 ]
  • A Citrix ADC appliance might crash if AppFlow is enabled after the server-side connection is established.
    [ NSHELP-24546 ]
  • If the rewrite module or the HTTP strict transport security (HSTS) header modifies a packet and splits it into two, the intrusion prevention system (IPS) frees the second packet. This corrupts the packet flow to the client, so that only a partial response is forwarded to the client.
    [ NSHELP-24294 ]
  • The analytics records are not sent to the Citrix ADM if the following conditions are observed:

    - IPFIX collector is configured in the admin partition of the Citrix ADC appliance.

    - Collector is in a subnet other than SNIP address.
    [ NSHELP-24283 ]
  • In the case of TLS v1.2 session reuse protocol, the following behavior is observed in the Citrix ADC appliance:
    - The categorization information is saved in the server PCB, and the domain information is saved in the client PCB.
    - Data is sent to AppFlow only from the client PCB, hence for session reuse cases, categorization information is sent as null.
    [ NSHELP-23542 ]
  • A Citrix appliance with connection chaining parameter enabled might crash if the following conditions are met:
    - The incoming packet has TCP options of more than 20 bytes.
    - The appliance tries to insert an extra 20 bytes, which leads to TCP overflow.
    [ NSHELP-23322 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:
    - HTTP/2 enabled in the HTTP profile bound to load balancing virtual server of type HTTP/SSL or service.
    - Connection multiplexing option disabled in the HTTP Profile bound to load balancing virtual server or service.
    [ NSHELP-21202 ]

User Interface

  • In a cluster setup, unwanted extra binding configuration gets saved in the ns.conf file.
    [ NSHELP-24636 ]
  • The Citrix ADC GUI displays fewer cached objects than the command interface.
    [ NSHELP-24337 ]
  • The following temporary files present in the /var/tmp folder of a Citrix ADC appliance are causing a memory full state.
    - “sh.runn.audit.<pid>” file created by nsconfigaudit tool.
    - “tmp_ns.conf.<pid>” file created by “show run” command for partition.
    [ NSHELP-24092 ]
  • For a "routerdynamicrouting" NITRO API request, the Citrix ADC appliance might return JSON data with formatting errors if the response size is large.
    [ NSHELP-19913 ]
  • A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in the diffnsconfig command. As a result, the diffnsconfig output is large enough to completely fill the root disk.
    [ NSHELP-19345 ]

Known Issues

The issues that exist in release 12.1-60.16.

AppFlow

  • HDX Insight does not report an application launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
    [ NSINSIGHT-943 ]

Authentication, authorization, and auditing

  • SSO to StoreFront using Citrix ADC fails if the following conditions are met:
    - The Citrix ADC appliance is configured for multi-factor authentication.
    - Citrix ADC session times out before examining the configured authentication factors.
    [ NSHELP-21466 ]
  • An FQDN in the SSL certificate might crash a Citrix ADC appliance because of a buffer overflow.
    [ NSHELP-20476 ]
  • Admin login to Citrix ADC MPX 14000 FIPS hardware fails intermittently.
    [ NSHELP-18844 ]
  • A Citrix authentication, authorization, and auditing logout message occasionally displays an incorrect virtual server name.
    [ NSHELP-18751 ]
  • A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.
    [ NSHELP-563 ]
  • If you edit the authentication virtual server using the "End-to-end login test" or "Test End User Connection" options from the Create Authentication LDAP Server page in the Citrix ADC GUI, an error message appears.
    Workaround: To edit the authentication virtual server by using the Citrix ADC GUI, navigate to Security > Authentication, authorization, and auditing – Application Traffic > Authentication Virtual Servers.
    [ NSAUTH-6339 ]
  • The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.
    [ NSAUTH-6106 ]
  • The Configure Authentication LDAP Server page on the Citrix ADC GUI becomes unresponsive if you perform the following steps:
    - The Test LDAP Reachability option is opened.
    - Invalid login credentials are populated and submitted.
    - Valid login credentials are populated and submitted.

    Workaround: Close and open the Test LDAP Reachability option.
    [ NSAUTH-2147 ]

Caching

  • A Citrix ADC appliance might randomly crash if the following conditions are observed:
    * Integrated caching feature is enabled.
    * 100 GB or more memory is allocated for integrated caching.

    Workaround: Allocate less than 100 GB of memory. 
    [ NSHELP-20854 ]

CallHome

  • On the Citrix ADC MPX 22000 platform, the “show techsupport” command incorrectly shows that the hard drive is not mounted.
    [ NSHELP-24223 ]

Citrix ADC SDX Appliance

  • Packet drops are seen on a VPX instance hosted on a Citrix ADC SDX appliance if the following conditions are met:
    - Throughput allocation mode is burst.
    - There is a large difference between the throughput and the maximum burst capacity.
    [ NSHELP-21992 ]
  • SNMPv3 queries work only for a few minutes after changing the password.
    [ NSHELP-19313 ]
  • SNMPwalk application fails if an SNMPv3 user bound to an SNMPv3 trap destination has an authentication failure (incorrect password, community or key).
    [ NSHELP-18541 ]

Citrix Gateway

  • Citrix SSO for iOS and macOS fails to transfer logon if classic authentication is enabled.
    [ NSHELP-24491 ]
  • The Gateway Insight does not display accurate information on the VPN users.
    [ NSHELP-23937 ]
  • The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.
    [ NSHELP-23882 ]
  • The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.
    [ NSHELP-23410 ]
  • When manual proxy is configured on a local machine, the user tunnel cannot be established automatically after a service tunnel is established.
    [ NSHELP-22831 ]
  • In rare cases, the Citrix Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.
    [ NSHELP-22349 ]
  • If reverse split tunneling is enabled, intranet routes are either added with wrong prefix values or not added at all.
    [ NSHELP-20825 ]
  • Device certificate is not supported with Citrix SSO for macOS when it is added as part of the nFactor scans.
    [ NSHELP-20722 ]
  • A blank screen appears and StoreFront apps are not enumerated during transfer login if both of the following conditions are met:
    - SplitTunnel is set to ON.
    - IP address pool (Intranet IP) option is set to NoSpillOver.
    [ NSHELP-20584 ]
  • In a high availability setup, during Citrix ADC failover, icons of some of the apps in the /var/netscaler/logon folder are not visible.
    [ NSHELP-20573 ]
  • The EPA plug-in screen becomes unresponsive on the second scan if Internet Explorer is used.
    [ NSHELP-20189 ]
  • SYSLOG log messages get truncated after 1024 bytes.
    [ NSHELP-19484 ]
  • SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
    Workaround: Use an IP address for VDA.
    [ NSHELP-8549 ]
  • An authentication, authorization, and auditing virtual server login page displays an error code number instead of a meaningful error message.
    [ NSHELP-7872 ]
  • Application launch failure due to invalid STA ticket is not reported in Gateway Insight.
    [ CGOP-13621 ]
  • The ICA connection results in a skip parse during ICA parsing if users are using MAC receiver along with version 6.5 of Citrix Virtual App and Desktops (formerly Citrix XenApp and XenDesktop).
    Workaround: Upgrade the receiver to the latest version of Citrix Workspace app.
    [ CGOP-13532 ]
  • In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.
    [ CGOP-13511 ]
  • In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.
    [ CGOP-7269 ]
  • In a cluster deployment, if you run "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.
    [ CGOP-6794 ]
  • If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.
    [ CGOP-3359 ]
  • The Citrix SSO app automatically selects a client or a device certificate for authentication if only one of them is present in the keychain.
    [ CGOP-251 ]
  • The Endpoint Analysis scan to check if antiphishing is enabled is now supported on Citrix SSO.
    [ CGOP-249 ]
  • In the Citrix SSO app for macOS, the EULA checkbox is not cleared, by default.
    [ CGOP-245 ]
  • Citrix SSO app does not display proper error messages when maximum number of users is reached.
    [ CGOP-231 ]

Citrix Web App Firewall

  • The Citrix Web App Firewall cookie consistency check removes the SameSite cookie attribute in the response sent by the back-end server.
    [ NSHELP-24313 ]
  • When aslearn configured learned data is deployed and if the field types reach a threshold, the total learned data is not displayed correctly. As a result, the Field Format learned data is not the same as the exported learned data.
    [ NSHELP-18077 ]

Clustering

  • In an L3 cluster setup, the local nodegroup wrongly sends the Gratuitous Address Resolution Protocol (GARP) requests to the IP addresses owned by the peer nodegroup. This results in a loop of cluster heartbeat packets.
    [ NSHELP-20366 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.
    [ NSLB-7679 ]
  • The Citrix ADC appliance might crash if the association between Distributed Hash Table (DHT) entry and persistence session is deleted while freeing up the persistence session.
    [ NSHELP-24213 ]
  • The custom location entries might be removed when you run the "add locationfile" or "add locationfile6" commands in a high-availability setup.
    [ NSHELP-23775 ]
  • The packet engine (NSPPE) might crash when it receives the first RTSP data packet with an incomplete header, followed by an ACK before receiving the complete header.
    [ NSHELP-22099 ]
  • A Citrix ADC appliance might crash when DNS logging is enabled and a malformed DNS query is received.
    [ NSHELP-21959 ]
  • In a cluster setup, the “set ratecontrol” command works only after restarting the Citrix ADC appliance.

    Workaround: Use the “nsapimgr_wr.sh -ys icmp_rate_threshold=<new value>” command.
    [ NSHELP-21811 ]
  • In a NITRO API, the "tickssincelaststatechange" field for a service group does not get updated properly after the state of the service group changes.
    [ NSHELP-21425 ]
  • When you execute the "set service <servicename>" command, the following error message is displayed:
    "IP Address cannot be set on a domain based server."

    This error message is displayed when the server is configured with a name greater than 32 characters.
    [ NSHELP-20939 ]
  • The Citrix ADC appliance sends a reset to the client intermittently because the MySQL virtual server is not able to select a backend server.
    [ NSHELP-20608 ]
  • In a cluster setup, the GSLB service IP address is not displayed in GUI when accessed through GSLB virtual server bindings. This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20406 ]
  • Redirecting an HTTPS URL fails if the URL contains the % special character.
    [ NSHELP-19993 ]

Miscellaneous

  • When a forced synchronization takes place in a high availability setup, the appliance executes the "set urlfiltering parameter" command in the secondary node.
    As a result, the secondary node skips any scheduled update until the next scheduled time mentioned in the "TimeOfDayToUpdateDB" parameter.
    [ NSSWG-849 ]
  • A Citrix ADC appliance might restart due to management CPU stagnation if a connectivity issue occurs with the URLFiltering third party vendor.
    [ NSHELP-22409 ]

Networking

  • A partitioned Citrix ADC appliance might crash if you enable Video Optimization on a partition and later remove the partition on the appliance.
    [ NSNET-10199 ]
  • In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
    [ NSNET-5233 ]
  • In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has "stayprimary" or "staysecondary" option set.
    [ NSNET-1646 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.
    [ NSHELP-24623 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.
    [ NSHELP-24034 ]
  • IPv6 policy based routes (PBR6) on a Citrix ADC appliance might not work as expected.
    [ NSHELP-23161 ]
  • If an INAT rule is added for a VIP address, the Citrix ADC appliance incorrectly allows the addition of a load balancing configuration in which the virtual server is of type ANY and is set with the same VIP address.
    [ NSHELP-21288 ]
  • In a high availability (HA) setup, if Gratuitous ARP (GARP) is disabled, the upstream router might not direct the traffic to the new primary after an HA failover.
    [ NSHELP-20796 ]
  • When you add a slave interface with jumbo MTU to link aggregation channel that is used as backplane, the following warning message incorrectly appears:

    "The MTU for a backplane interface must be large enough to handle all packets. It must be equal to the (MTU value). If recommended value is not configurable, please review MTU of jumbo interfaces."

    This is only a display issue, and there is no impact on the functionality.
    [ NSHELP-20794 ]

Platform

  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the Citrix ADC instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSPLAT-17546 ]
  • A Citrix ADC VPX instance, on which NSVLAN and two link aggregation (LA) channels are configured, is not reachable when the following conditions are met:
    - First LA channel is disabled.
    - The VPX instance is rebooted.
    [ NSPLAT-16082 ]
  • If a Citrix ADC instance uses ADM-based licensing, the Citrix ADC licensing might not work when the ADM version is lower than the ADC version. Therefore, when you upgrade the ADC version, ensure the corresponding ADM version is the same as or higher than the current ADC version.
    [ NSPLAT-15184 ]
  • When NetScaler licenses hosted on NetScaler MAS expire, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
    [ NSPLAT-6417 ]
  • When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the "rm cloudprofile" command to delete the profile.
    [ NSPLAT-4520 ]
  • In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
    Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
    [ NSPLAT-4451 ]

Policies

  • A Citrix ADC might crash when evaluating a large number of embedded expressions in an HTML page.
    [ NSPOLICY-1462 ]
  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
    [ NSPOLICY-1267 ]

SSL

  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
    [ NSSSL-4001 ]
  • In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
    [ NSSSL-3402 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
    [ NSSSL-3184 ]
  • In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
    [ NSSSL-3161 ]
  • You cannot bind two certificates with public keys signed by different algorithms (for example, RSA and ECDSA) to a virtual server, as an SNI certificate if the domain name is the same.
    [ NSSSL-2560 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:
    - The default profile is disabled.
    - A secure monitor is bound to a non-SSL service.
    [ NSHELP-24706 ]
  • The SSL handshake at the back end fails when the back-end server sends a single SSL record containing the following messages: 'Server Hello', 'Server Certificate', 'Server Key Exchange' and 'Server Hello Done'.
    [ NSHELP-24615 ]
  • A Citrix ADC appliance closes a DTLS session by sending an alert if the maximum retry timeout value is reached.
    [ NSHELP-24560 ]
  • A Citrix ADC appliance might not propose ECDHE ciphers in the client hello message if the following conditions are met:
    - HA synchronization is in progress.
    - Monitor probes are sent before the synchronization is complete.
    [ NSHELP-24355 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.
    [ NSHELP-24201 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:

    - The default profile is enabled.
    - A secure monitor is bound to a non-SSL service.
    [ NSHELP-24037 ]
  • In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.
    [ NSHELP-23963 ]
  • A Citrix ADC appliance might crash if the following conditions are met:
    - A certificate-key pair is added with the expiry monitor option enabled.
    - The certificate date is earlier than 01/01/1970.
    [ NSHELP-22934 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]

System

  • An HTTP/2 connection becomes unresponsive if the "http2InitialWindowSize" parameter value is set to 131070 or any value greater than 131070.
    Workaround: Set the parameter value to less than 131070.
    [ NSHELP-25155 ]
  • For non-CCO nodes in a cluster setup, when you run the snmpwalk command for string objects, you might see an inconsistency in the output. For snmpwalk on CLIP, the output is appended with a dot at the end, whereas for snmpwalk on NSIP, the output is not appended with a dot at the end.
    [ NSHELP-22684 ]
  • When the Intrusion Prevention System (IPS) is processing data before the cache module, the “PayloadInfo” variable is not cleared properly. Eventually, when the cache module accesses the variable, it causes a Citrix ADC appliance to crash.
    [ NSHELP-21907 ]
  • The MAX_CONCURRENT_STREAMS value is set to 100 by default if the appliance does not receive the max_concurrent_stream settings frame from the client.
    [ NSHELP-21240 ]
  • When a Citrix ADC appliance sends a "tcpSynFloodAttack" SNMP trap, the "unackSynCount" log message has string characters instead of integer values.
    [ NSHELP-20401 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
    [ NSHELP-10972 ]
  • Client IP and Server IP are inverted in HDX Insight SkipFlow record when LogStream transport type is configured for Insight.
    [ NSBASE-8506 ]
  • ICAP support for Citrix ADC
    A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and respond back to the appliance as modified messages. The adapted messages are either an HTTP or an HTTPS response or request.

    For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
    [ NSBASE-825 ]

User Interface

  • In Citrix ADC GUI, the "Help" link present under the "Dashboard" tab is broken.
    [ NSUI-14752 ]
  • The Global Binding and Show Binding options are not working on the Content Inspection Policy GUI page. As an alternative, you can configure these parameters through the command interface.
    [ NSUI-13193 ]
  • If you create an ECDSA key by using the GUI, the type of curve is not displayed.
    [ NSUI-6838 ]
  • A Citrix ADC appliance might crash if the /tmp directory is full.
    [ NSHELP-21809 ]
  • You can now set client authentication to optional, in the SSL parameters of a virtual server, using the GUI. Earlier, client authentication changed to mandatory if you used the GUI to change any SSL parameters.
    [ NSHELP-21060 ]
  • The Citrix ADC command interface and the GUI do not display the system time parameter setting for a few SNMP alarms.
    [ NSHELP-19958 ]
  • The top-level page title is missing on all security check GUI pages.
    [ NSHELP-18607 ]
  • In a cluster setup, when you start a new trace (System > Diagnostics > Start new trace), the start trace operation succeeds. But the GUI incorrectly displays the following error:
    “Trace not started”
    [ NSHELP-18566 ]
  • A Citrix ADC appliance incorrectly logs a "Not logged in" error message when you access the reporting tab in Citrix ADC GUI.

    Example:

     "Jul 21 11:20:14 <local0.info> 203.0.113.18 07/21/2016:08:20:14 GMT T1100-16-2 0-PPE-10 : default UI CMD_EXECUTED 290 0 :  User (null) - Remote_ip  - Command "show ns hardware" - Status "ERROR: Not logged in" "
    [ NSHELP-12534 ]
  • In a cluster setup, the certificate-key pair might sync to the non-CCO nodes with some delay. As a result, it is possible that the certificate-key pair is added to the CCO node but fails on the non-CCO nodes with no error message.
    [ NSHELP-12037 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:
    * 13.0 52.24 build
    * 12.1 57.18 build
    * 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    Workaround:

    To fix this issue, use one of the following independent options:
    * If the Citrix ADC appliance is not yet downgraded (step 3 in the above-mentioned steps), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    * Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.
    * If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html
    [ NSCONFIG-3188 ]