Release Notes for Citrix ADC 13.0-71.44 Release

This release notes document describes the enhancements and changes, fixed and known issues that exist for the Citrix ADC release Build 13.0-71.44.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 13.0-71.44 replaces Build 13.0-71.40.
  • This build adds an enhancement to eliminate the susceptibility to DDoS style attack against DTLS as described in https://support.citrix.com/article/CTX289674.
  • This build also includes fixes for the following issues that existed in the previous Citrix ADC 13.0 release build: NSAUTH-9475.

What's New

The enhancements and changes that are available in Build 13.0-71.44.

Authentication, authorization, and auditing

  • Azure Gov support for token authentication in Microsoft Intune integration

    In a Citrix Gateway and Microsoft Intune integration scenario, Citrix Gateway now supports the Microsoft Azure Gov infrastructure for Microsoft Active Directory Libraries (ADAL) token authentication. Previously, only the Microsoft Azure commercial infrastructure was supported.

    [ NSAUTH-8246 ]

Citrix Gateway

  • Support for dynamic secure DNS update on Windows plug-in

    VPN plug-in for Windows now supports Secure DNS update. This feature is disabled by default. To enable it, create HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client\secureDNSUpdate value of type REG_DWORD and set it to 1.

    • When you set the value to 1, the VPN plug-in tries the unsecure DNS update first. If the unsecure DNS update fails, the VPN plug-in tries the secure DNS update.
    • To try only the secure DNS update, you can set the value to 2.
    [ CGOP-13788 ]

Citrix Web App Firewall

  • Device fingerprinting bot detection technique for mobile (Android) applications using Bot Mobile SDK

    The device fingerprinting bot detection mechanism is now enhanced to secure mobile (Android) applications from bot attacks. To detect bots in a mobile application, the device fingerprinting detection technique uses a bot mobile SDK. The SDK is integrated with the mobile application to intercept the mobile traffic, collect client and device details, and send the data to the appliance. On the appliance side, the device fingerprinting bot detection technique examines the data and determines whether the connection is from a bot or a human.

    [ NSWAF-5983 ]

Load Balancing

  • Configurable MEP timer support to avoid MEP flaps on GSLB sites

    A new parameter, MEPKeepAliveTimeout, is now added to configure the MEP timer. By default, the timer value is set to 10 seconds. Previously, the timer had a fixed value of 4 seconds.

    If the local GSLB site does not receive any new packets (retransmitted packets and duplicate acknowledgement packets are excluded) from a remote GSLB site on the site-metric MEP connection within the time frame specified by the MEP timer, the Citrix ADC appliance marks the connection as DOWN and waits for 15 more seconds without terminating the connection. If it receives any new packet during that time, the MEP connection is retained and the status is marked as UP.

    [ NSLB-7342 ]
  • Support for file-based pattern sets

    The Citrix ADC appliance now supports file-based pattern sets.

    You can import a new pattern set file into the Citrix ADC appliance using the following command:
    import patsetfile <src> <name> -overwrite -delimiter <char> -charset <ASCII | UTF_8>

    You can update an existing pattern set file on the Citrix ADC appliance using the following command:
    update patsetfile <patset filename>

    You can add a pattern set file to the packet engine using the following command:
    add patsetfile <patset filename>

    You can bind patterns to the pattern set file using the following command:
    add patset <name> -patsetfile <patset filename>

    [ NSLB-5823 ]
  • MQTT protocol support on Citrix ADC appliances

    Citrix ADC appliances now natively support the Message Queuing Telemetry Transport (MQTT) protocol. MQTT is an OASIS standard messaging protocol for the Internet of Things (IoT). With this support, the Citrix ADC appliance can be used in IoT deployments to load balance MQTT traffic.

    Previously, you could configure MQTT on the Citrix ADC appliance by using protocol extensions. Users had to write their own extension code and import the extension file to the Citrix ADC appliance, from either a web server (using HTTP) or local workstation.

    [ NSLB-5822 ]

Networking

  • Support added in Citrix ADC CPX for Cilium CNI in a Kubernetes environment

    Citrix ADC CPX now supports Cilium CNI in a Kubernetes environment. Cilium is an open-source CNI which uses the extended version of the Berkeley Packet Filter (BPF) to improve the visibility, performance, and scalability of applications on Kubernetes.

    [ NSNET-17264 ]
  • Configure the Citrix ADC appliance to source Citrix ADC FreeBSD data traffic from a SNIP address

    Some Citrix ADC data features run on the underlying FreeBSD OS instead of on the Citrix ADC OS. For this reason, these features send traffic sourced from the Citrix ADC IP (NSIP) address instead of from a SNIP address. Sourcing the data traffic from the NSIP address is not desirable if your setup is configured to separate all management and data traffic.

    The following Citrix ADC data features run on the underlying FreeBSD OS and send traffic sourced from the Citrix ADC IP (NSIP) address:

    • Load balancing scriptable monitors
    • GSLB autosync

    To resolve this issue, a global Layer-2 parameter "useNetprofileBSDtraffic" has been introduced. When this parameter is enabled, the Citrix ADC features send traffic sourced from one of the SNIP addresses in a netprofile associated with the feature.

    Currently, the global Layer-2 parameter "useNetprofileBSDtraffic" is supported only for load balancing scriptable monitors.

    For configuring the Citrix ADC appliance to source GSLB autosync traffic from a SNIP address, you can use extended ACL and RNAT rules as a workaround.

    [ NSNET-16274 ]
  • Dataset based extended ACLs

    A large number of ACLs are required in an enterprise. Configuring and managing a large number of ACLs is very difficult and cumbersome when they require frequent changes.

    A Citrix ADC appliance now supports datasets in extended ACLs. Datasets are an existing feature of a Citrix ADC appliance. A dataset is an array of indexed patterns of one type: number (integer), IPv4 address, or IPv6 address.

    Dataset support in extended ACLs is useful for creating multiple ACL rules that require common ACL parameters. While creating an ACL rule, instead of specifying the common parameters, you can specify a dataset that includes these common parameters.

    Any changes made in the dataset are automatically reflected in the ACL rules that are using this dataset. ACLs with datasets are easier to configure and manage. They are also smaller and easier to read than the conventional ACLs.

    Currently, the Citrix ADC appliance supports only the IPv4 address type dataset for extended ACLs.

    [ NSNET-8252 ]

Platform

  • VMware ESX 7.0 support on Citrix ADC VPX instance

    The Citrix ADC VPX instance now supports the VMware ESX hypervisor 7.0 build 1632494.

    [ NSPLAT-16902 ]
  • AWS Top Secret (C2S) region support extended for all the Citrix ADC editions

    The AWS Top Secret (C2S) region now supports all the following Citrix ADC editions along with Bring Your Own License (BYOL):

    • Standard Edition
    • Advanced Edition
    • Premium Edition

    Previously, the AWS Top Secret region supported only the BYOL subscription.
    The AWS Top Secret region is readily available through the Commercial Cloud Services (C2S) contract with AWS.

    [ NSPLAT-9195 ]

Policies

  • Support for dynamic expressions in the CONTAINS function for optimizing advanced policy usage.

    Arguments for the following methods are static:

    • contains()
    • after_str()
    • before_str()
    • substr()
    • strip_end_chars()
    • strip_chars()
    • strip_start_chars()
    [ NSPOLICY-3545 ]

SSL

  • Support to offload crypto operations to Intel Coleto crypto chips in TLS 1.3 connections

    In TLS 1.3 connections, support is now added to offload crypto operations to Intel Coleto crypto chips on specific Citrix ADC MPX platforms.

    The following appliances that ship with Intel Coleto chips are supported:

    • MPX 5900
    • MPX/SDX 8900
    • MPX/SDX 15000
    • MPX/SDX 15000-50G
    • MPX/SDX 26000
    • MPX/SDX 26000-50S
    • MPX/SDX 26000-100G

    Software-only support for the TLSv1.3 protocol is available on all other Citrix ADC MPX and SDX appliances except Citrix ADC FIPS appliances.

    [ NSSSL-7453 ]
  • All subject alternate name (SAN) values are now displayed in a certificate

    A Citrix ADC appliance now displays all the SAN values when the details of a certificate are displayed.

    [ NSSSL-5978 ]
  • Policy support for TLSv1.3 protocol

    When TLSv1.3 protocol is negotiated for a connection, policy rules that inspect TLS data received from the client now trigger the configured action.
    For example, if the following policy rule returns true, the traffic is forwarded to the virtual server defined in the action.
    add ssl action action1 -forward vserver2
    add ssl policy pol1 -rule client.ssl.client_hello.sni.contains(xyz) -action action1

    [ NSSSL-869 ]

System

  • Display CPU usage (in parts per thousand) for a load balancing virtual server

    A new counter, "CPU-PM", now displays the statistical data for the CPU usage in per-mille (parts per thousand). For example, 500 must be read as 500/1000, which is equal to 50 percent.

    In the GUI, navigate to Traffic Management > Virtual Servers > Load Balancing > Statistics.

    [ NSBASE-11304 ]
  • Support for request retry on timeout

    Request retry is now available for one more scenario: if a back-end server takes too long to respond to a request, the appliance re-load balances the request upon timeout and forwards it to the next available server. Previously, the appliance kept waiting for the server response, which led to an increased RTT.
    To configure the timeout, a new parameter, retryOnTimeout (in milliseconds), is configurable in the appqoe action. Minimum value: 30.
    Maximum value: 2000.

    To configure request retry on timeout by using the CLI:
    add appqoe action <name> -retryOnTimeout <msecs>

    Example
    add appqoe action appact1 -retryOnTimeout 35

    [ NSBASE-10914 ]
  • Process local and retain connections support for MPTCP cluster deployments

    MPTCP connections now support "Process Local" and "Retain Connections" features in the cloud and on-premises Citrix ADC cluster deployments.

    [ NSBASE-10734 ]
  • Responder response-related information in AppFlow records

    The AppFlow records generated by the Citrix ADC appliance now include the responder response-related information.

    [ NSBASE-10634 ]
  • Support for larger HTTP header size

    The Citrix ADC appliance can now handle HTTP requests with a larger header size to accommodate L7 application requests. The maximum header size of an HTTP request is increased to 128 KB.

    [ NSBASE-7957 ]

Fixed Issues

The issues that are addressed in Build 13.0-71.44.

Authentication, authorization, and auditing

  • In some cases, after the user password is changed, the following error message appears: Cannot complete your request.

    The error occurs because the modified password is corrupted after encryption.

    [ NSHELP-25437 ]
  • In some cases, a Citrix ADC appliance might crash if the client closes the TCP connection before finishing the Email OTP authentication.

    [ NSHELP-25154 ]
  • In some cases, a Citrix ADC appliance crashes during the Citrix ADC Authentication, authorization, and auditing session removal on the secondary node.

    [ NSHELP-25075 ]
  • In some cases, when Citrix ADC is used as an IdP to Citrix Cloud, the Authentication, authorization, and auditing daemon (AAAD) crashes while performing nested group extraction in AD because of a memory buffer overflow.

    [ NSHELP-24884 ]
  • LDAP authentication fails in a Citrix ADC appliance when a user's group length exceeds the defined limit.

    [ NSHELP-24373 ]
  • When trying to log on to the Citrix Gateway appliance, a user does not see a response if the log on attempt fails.

    [ NSHELP-23155 ]
  • A Citrix ADC appliance responds with a 400 error code when the header size of a Citrix Gateway user interface related request exceeds 1024 characters.

    [ NSAUTH-9475 ]
  • The configuration of the non-addressable authentication virtual server is not restored after a reboot if the following conditions are met:

    • The Citrix ADC appliance has a Standard edition license
    • The appliance is configured for nFactor authentication using Citrix Gateway
    [ NSAUTH-9263 ]

Caching

  • A Citrix ADC appliance might randomly crash if the following conditions are observed:

    • Integrated caching feature is enabled.
    • 100 GB or more memory is allocated for integrated caching.

    Allocate less than 100 GB of memory.

    [ NSHELP-20854 ]

CallHome

  • On the Citrix ADC MPX 22000 platform, the show techsupport command incorrectly shows that the hard drive is not mounted.

    [ NSHELP-24223 ]

Citrix ADC SDX Appliance

  • The Citrix ADC SDX appliance upgrade fails if the Citrix Hypervisor consumes more than 90% of the disk space.

    [ NSHELP-24873 ]
  • On the Citrix ADC SDX 8900, SDX 15000, and SDX 15000-50G platforms, a high CPU usage can be noticed on ADC instances after upgrading the SDX appliance from release 11.1 to release 12.1, or from release 11.1 to release 13.0.

    [ NSHELP-24031 ]

Citrix Gateway

  • In rare cases, the Citrix Gateway appliance might crash during session synchronization with the secondary appliance or during Intranet IP assignment.

    [ NSHELP-25221 ]
  • The UrlName parameter is appended to the session and other policy bindings when classic VPN URL is also bound leading to configuration addition on save and reboot.

    [ NSHELP-25072 ]
  • The Citrix Gateway IIP registration fails if Split DNS is set to "Both" or "Local".

    [ NSHELP-24928 ]
  • If ICA smart policy is enabled and there is some residual AppFlow configuration, you might observe a high latency connection.

    [ NSHELP-24908 ]
  • The Citrix ADC appliance might crash when UDP audio is enabled and the internal malloc system call returns an error.

    [ NSHELP-24890 ]
  • In rare cases, a Citrix Gateway appliance crashes when the syslog transport type is modified due to a memory corruption.

    [ NSHELP-24794 ]
  • The Citrix Gateway appliance does not extract the common-name from UTF8String encoded device certificates.

    [ NSHELP-24741 ]
  • The Citrix Gateway appliance crashes on removal of an intranet app whose hostName value exceeds 160 characters.

    [ NSHELP-24524 ]
  • If location detection is enabled, the Always On VPN's machine level tunnel takes a long time to get established after the client machine is restarted.

    [ NSHELP-24508 ]
  • The Citrix ADC appliance might crash when configured for clientless VPN.

    [ NSHELP-24430 ]
  • The Citrix Gateway appliance might reboot if the RDP server profile bound to the VPN virtual server does not have the RDP IP address configured and the same port is used by the RDP server profile and the VPN virtual server.

    [ NSHELP-24199 ]
  • A new, optimized pattern set, "ns_cvpn_v2_fast_regex_light_ver", is introduced for high CPU alerts. If a spike in CPU is intermittently observed with the default pattern set "ns_cvpn_v2_fast_regex", you can switch to the new pattern set.

    [ NSHELP-24085 ]
  • The Citrix Gateway appliance might go down in an EDT proxy deployment if the "kill icaconnection" command is run while an EDT connection establishment is in progress.

    [ NSHELP-23882 ]
  • The Windows plug-in displays the Gateway not reachable message if the client machine has multiple instances of the Hyper-V and WiFi direct access virtual adapters.

    [ NSHELP-23794 ]
  • A Citrix Gateway appliance might crash when trying to parse an incoming packet.

    [ NSHELP-23747 ]
  • The Citrix Gateway appliance crashes when using UDP audio while accessing the Virtual Desktop.

    Use EDT audio instead of UDP audio.

    [ NSHELP-23514 ]
  • The UDP/ICMP/DNS based authorization policy denials for VPN do not show up in the ns.log file.

    [ NSHELP-23410 ]
  • The Citrix ADC appliance might crash during failover if UDP audio is enabled.

    [ NSHELP-22850 ]

Citrix Web App Firewall

  • Communication errors are observed in aslearn when you reset the Citrix Web App Firewall learning data in a cluster configuration.

    [ NSWAF-6768 ]
  • In a cluster configuration, the Web Services Interoperability (WSI) Check value with a space is considered an invalid input although it is valid on a Citrix ADC core appliance.

    [ NSWAF-6745 ]
  • The default credit card name configuration details for basic or advanced Web App Firewall profiles are missing in a cluster deployment.

    [ NSWAF-6675 ]
  • The default XML DOS binding for default Web App Firewall advanced profile is missing in a cluster deployment.

    [ NSWAF-6672 ]
  • In a cluster configuration, you cannot bind the "safeobject" rule with a "safeobject" expression length of more than 255 characters.

    [ NSWAF-6670 ]
  • The default value for "FileUploadTypesAction" configuration for basic or advanced Web App Firewall profile is missing in a cluster deployment.

    [ NSWAF-6669 ]
  • Incorrect default "CMDInjectionAction" configuration is observed for Web App Firewall basic or advanced profile in a cluster deployment.

    [ NSWAF-6668 ]
  • A Citrix ADC cluster setup might crash if there are DHT transport errors between the cluster nodes, and the field consistency protection feature is enabled.

    [ NSWAF-6560 ]
  • The Citrix Web App Firewall cookie consistency check removes the SameSite cookie attribute in the response sent by the back-end server.

    [ NSHELP-24313 ]

Load Balancing

  • When a GSLB deployment uses the round trip time (RTT) method for load balancing, the Citrix ADC appliance might fail if you delete or unbind a GSLB service during the traffic flow.

    [ NSHELP-24425 ]
  • The Citrix ADC appliance might crash if the association between Distributed Hash Table (DHT) entry and persistence session is deleted while freeing up the persistence session.

    [ NSHELP-24213 ]
  • Feature: Load Balancing
    If a service group member is assigned a wildcard port (port *), the monitor details for that service group member can be viewed from the Monitor Details page.

    [ NSHELP-9409 ]

Networking

  • In a Citrix ADC BLX or Citrix ADC CPX appliance, installing OSPF or BGP routes to the appliance's routing table might fail.

    [ NSNET-18707 ]
  • RNAT with "useproxyport" disabled might not work as expected for source ports numbered lower than 1024.

    [ NSHELP-25162 ]
  • In a high availability setup with INC mode, any RNAT rule that has a VIP address set as the NAT IP address is removed during HA synchronization.

    [ NSHELP-24893 ]
  • Loading the Citrix ADC SNMP MIB to an SNMP manager might fail because of the presence of a duplicate object name "urlfiltDbUpdateStatus" in the SNMP MIB. The same object name "urlfiltDbUpdateStatus" is used for an SNMP trap and an SNMP trap variable binding.

    With the fix, the "urlfiltDbUpdateStatus" SNMP trap variable binding is changed to "urlFilterDbUpdateStatus".

    [ NSHELP-24778 ]
  • A Citrix ADC appliance might crash because of an internal memory synchronization issue in the LSN module.

    [ NSHELP-24623 ]
  • IPv6 policy based routes (PBR6) on a Citrix ADC appliance might not work as expected.

    [ NSHELP-23161 ]
  • In a high availability setup, one of the Citrix ADC appliances might crash if you perform In Service Software Upgrade (ISSU) from Citrix ADC software version 13.0 47.24 or previous, to a later version.

    [ NSHELP-21701 ]

Platform

  • The Citrix ADC MPX 8000-1G platform supports pooled licensing.

    [ NSPLAT-17354 ]
  • A Citrix ADC VPX instance, on which NSVLAN and two link aggregation (LA) channels are configured, is not reachable when the following conditions are met:

    • First LA channel is disabled.
    • The VPX instance is rebooted.
    [ NSPLAT-16082 ]
  • If a Citrix ADC instance uses ADM-based licensing, the Citrix ADC licensing might not work when the ADM version is earlier than the ADC version. Therefore, when you upgrade the ADC version, ensure that the corresponding ADM version is the same as or later than the current ADC version.

    [ NSPLAT-15184 ]
  • While upgrading a Citrix ADC SDX appliance, if an SSD fails during one of the many reboots, the corresponding RAID pair volume becomes inactive after the appliance reboots. You can observe the following:

    • The volume appears as "not created" in the GUI.
    • The failed SSD slot is reported as "not present."
    • The corresponding VPX-SR also shows up as degraded.

    As a result, ADC instances residing on the VPX-SR might not boot or remain in a halted state.

    [ NSHELP-24751 ]
  • Feature: Platform
    When multiple LA channels are configured on an SDX appliance without any management interfaces (0/1, 0/2) and if the first LA channel is disabled through the VPX CLI, the VPX appliance might be unreachable.

    [ NSHELP-21889 ]
  • Feature: Citrix ADC SDX appliance
    On the ADC SDX 14000 and 15000 appliances, traffic loss of up to 9 seconds is observed if the following conditions are met:

    • 10G ports are connected using the LA channel to two Cisco switches that are configured in VPC setup as active or passive
    • The link to active or primary Cisco switch bounces.
    [ NSHELP-21875 ]

Policies

  • A Citrix ADC appliance might crash if global scope variables are used in invalid HTTP requests.

    [ NSHELP-25369 ]

SSL

  • On the following Citrix ADC SDX platforms, the SSL card might go down if the external client uses ECDSA P224/521 curve for signature during SSL handshake for client authentication:

    • SDX 11515/11520/11530/11540/11542
    • SDX 22040/22060/22080/22100/22120
    • SDX 24100/24150
    • SDX 14000
    • SDX 14000-40S
    • SDX 14000-40G
    • SDX 14000 FIPS
    • SDX 25000
    • SDX 25000A
    [ NSSSL-9324 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:

    • The default profile is disabled.
    • A secure monitor is bound to a non-SSL service.
    [ NSHELP-24706 ]
  • The SSL handshake at the back end fails when the back-end server sends a single SSL record containing the following messages: 'Server Hello', 'Server Certificate', 'Server Key Exchange' and 'Server Hello Done'.

    [ NSHELP-24615 ]
  • A Citrix ADC appliance closes a DTLS session by sending an alert if the maximum retry timeout value is reached.

    [ NSHELP-24560 ]
  • A Citrix ADC MPX/SDX 11542, MPX/SDX 14000, MPX 22000/24000/25000, or MPX/SDX 14000 FIPS appliance might crash if the following conditions are met:

    • ECDHE/ECDSA hybrid model is enabled.
    • DTLS traffic is received when the CPU utilization is already high.
    [ NSHELP-24405 ]
  • A Citrix ADC appliance might not propose ECDHE ciphers in the client hello message if the following conditions are met:

    • HA synchronization is in progress.
    • Monitor probes are sent before the synchronization is complete.
    [ NSHELP-24355 ]
  • The Citrix ADC appliance crashes if NULL or RC2 ciphers are used by the SSL backend service on the following platforms:

    • MPX 5900
    • MPX 8900
    • MPX 15000
    • MPX 15000-50G
    • MPX 26000
    • MPX 26000-50S
    • MPX 26000-100G
    [ NSHELP-24308 ]
  • A Citrix ADC appliance might crash when configuring a DTLS virtual server if the appliance is low on disk space.

    [ NSHELP-24201 ]
  • A Citrix ADC appliance does not propose ECDHE ciphers in the client hello message after you reboot the appliance and if the following conditions are met:

    • The default profile is enabled.
    • A secure monitor is bound to a non-SSL service.
    [ NSHELP-24037 ]
  • In a cluster setup, an invalid "bind ssl certkey" command is added to the ns.conf file when you save the configuration. The invalid command is added if a CRL distribution point extension is part of a certificate on the Citrix ADC appliance.

    [ NSHELP-23963 ]

System

  • A lightweight CPX instance might crash if you use an analytics profile without setting the collector.

    [ NSHELP-25239 ]
  • Configure HTTP/2 Initial Connection Window Size

    As per RFC 7540, the flow-control window for an HTTP/2 stream and connection must be initialized to 64K (65535) octets, and any change to this value must be communicated to the peer. The ADC appliance communicates the change in flow-control window size as follows:

    • Using the SETTINGS frame for the stream level flow-control window.
    • Using the WINDOW_UPDATE frame for the connection level flow-control window.

    In an HTTP profile, you can configure the http2InitialWindowSize parameter to set the initial window size at the stream level.

    Because of an internal system error, the ADC appliance initializes the flow-control window for the connection also with the value configured for "http2InitialWindowSize". When there is a change in the configured flow-control window for the stream, the ADC appliance communicates to the peer using the SETTINGS frame. But the ADC appliance fails to communicate the change in the flow-control window for the connection using the WINDOW_UPDATE frame. This leads to a connection freeze.

    To overcome the issue, the http2InitialConnWindowSize parameter (in bytes) is now added to control the connection level flow-control window. By using the separate configurable parameters http2InitialWindowSize and http2InitialConnWindowSize, you can now configure the flow-control window size at both the stream and connection levels.

    Configure the HTTP/2 initial connection-level flow-control window size parameter by using the CLI

    At the command prompt, type:

    set httpprofile p1 -http2InitialConnWindowSize <window-size>

    Where http2InitialConnWindowSize is the initial window size for connection level flow control, in bytes.
    Default value: 65535
    Minimum value: 65535
    Maximum value: 67108864

    [ NSHELP-25155 ]
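The following Python model, added here and not part of Citrix's code, encodes the two RFC 7540 frames involved in the fix above (SETTINGS with INITIAL_WINDOW_SIZE for the stream window, WINDOW_UPDATE on stream 0 for the connection window) and decodes them as the peer would, so the mismatch that caused the freeze can be checked directly. The window values in the test calls are constructed sample configurations, and `connection_will_freeze()` is an illustrative check, not an appliance API.

```python
"""HTTP/2 flow-control window advertisement, RFC 7540 sections 6.5 and 6.9.

Added example (not Citrix code): SETTINGS_INITIAL_WINDOW_SIZE changes only
stream-level windows; a connection-level window larger than the 65535-octet
default must be announced with a WINDOW_UPDATE on stream 0. peer_view()
models what the remote endpoint believes after reading the frames.
"""
import struct

DEFAULT_WINDOW = 65535                  # window both peers assume before any frame
RFC_MAX_WINDOW = 2 ** 31 - 1            # largest value RFC 7540 allows
PARAM_MIN, PARAM_MAX = 65535, 67108864  # http2InitialConnWindowSize range from the note

FRAME_SETTINGS = 0x4
FRAME_WINDOW_UPDATE = 0x8
SETTINGS_INITIAL_WINDOW_SIZE = 0x4


def validate_conn_window_size(value):
    """Range check matching the documented limits of http2InitialConnWindowSize."""
    return PARAM_MIN <= value <= PARAM_MAX


def _frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def settings_frame(initial_window):
    """SETTINGS carrying INITIAL_WINDOW_SIZE; affects stream windows only."""
    payload = struct.pack("!HI", SETTINGS_INITIAL_WINDOW_SIZE, initial_window)
    return _frame(FRAME_SETTINGS, 0, 0, payload)


def window_update_frame(stream_id, increment):
    """WINDOW_UPDATE; on stream 0 it grows the connection-level window."""
    if not 1 <= increment <= RFC_MAX_WINDOW:
        raise ValueError("increment out of range")
    return _frame(FRAME_WINDOW_UPDATE, 0, stream_id, struct.pack("!I", increment))


def advertise_windows(stream_window, conn_window):
    """Frames to send at connection start so the peer learns both sizes (fixed behaviour)."""
    frames = [settings_frame(stream_window)]
    if conn_window > DEFAULT_WINDOW:
        frames.append(window_update_frame(0, conn_window - DEFAULT_WINDOW))
    return b"".join(frames)


def advertise_windows_buggy(window):
    """Behaviour described in the note: one value used for both windows, only SETTINGS sent."""
    return settings_frame(window)


def parse_frames(data):
    """Yield (type, stream_id, payload) for each frame in a byte string."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype = data[pos + 3]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, stream_id, payload
        pos += 9 + length


def peer_view(data):
    """(stream_window, conn_window) the receiving peer believes it may use."""
    stream_window, conn_window = DEFAULT_WINDOW, DEFAULT_WINDOW
    for ftype, stream_id, payload in parse_frames(data):
        if ftype == FRAME_SETTINGS:
            for off in range(0, len(payload), 6):
                ident, value = struct.unpack_from("!HI", payload, off)
                if ident == SETTINGS_INITIAL_WINDOW_SIZE:
                    stream_window = value
        elif ftype == FRAME_WINDOW_UPDATE and stream_id == 0:
            conn_window += struct.unpack("!I", payload)[0]
    return stream_window, conn_window


def connection_will_freeze(local_conn_window, data):
    """True when the peer's connection window is smaller than the local one: the peer
    stops sending once its window is exhausted while the local side still sees room
    and therefore never sends the WINDOW_UPDATE the peer is waiting for."""
    _, peer_conn_window = peer_view(data)
    return peer_conn_window < local_conn_window


if __name__ == "__main__":
    good = advertise_windows(1048576, 2097152)   # constructed sample sizes
    print("fixed:", peer_view(good), "freeze:", connection_will_freeze(2097152, good))
    bad = advertise_windows_buggy(2097152)
    print("buggy:", peer_view(bad), "freeze:", connection_will_freeze(2097152, bad))
```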
  • A Citrix ADC appliance might crash because of memory corruption when the HTTP/2 feature is enabled.

    [ NSHELP-25005 ]
  • In a cluster setup, the validation of default values in surge protection is handled differently on the database and packet engine.

    [ NSHELP-24455 ]
  • The analytics records are not sent to the Citrix ADM if the following conditions are observed:

    • IPFIX collector is configured in the admin partition of the Citrix ADC appliance.
    • Collector is in a subnet other than the SNIP address subnet.

    [ NSHELP-24283 ]
  • High CPU usage is observed in the Citrix ADC web logging (NSWL) client running on a Linux platform if the polling interval is not set properly.

    [ NSHELP-24266 ]
  • When you enable Appflow on an ADC instance, the ADM does not display HDX Insight of that instance. This issue occurs because ADM fails to process the Logstream data received from the instance.

    [ NSHELP-24227 ]
  • Deleting a TCP profile bound to a content switching virtual server leads to a configuration inconsistency in the cluster database.

    Add a database reference count to the TCP profile.

    [ NSHELP-24004 ]
  • A Citrix ADC appliance might crash while clearing the configuration when it tries to access the ICAP server details. The server details information is not removed from the monitor list when the ICAP content inspection configuration is cleared.

    [ NSHELP-23945 ]
  • A Citrix ADC appliance might crash if the following conditions are observed:

    • HTTP/2 enabled in the HTTP profile bound to load balancing virtual server of type HTTP/SSL or service.
    • Connection multiplexing option disabled in the HTTP Profile bound to load balancing virtual server or service.
    [ NSHELP-21202 ]
  • Feature: AppFlow
    A Citrix ADC appliance with connection chaining and SSL enabled might send data larger than the MTU.

    [ NSHELP-9411 ]
  • Enabling metrics collector in the default partition might fail if it is already enabled in the admin partition setup.

    Do not enable metrics collector in the admin partition setup.

    [ NSBASE-12623 ]

User Interface

  • The diff ns config command displays an ERROR: Failed to get UID for command: apply ns pbr6 error message. It happens when the apply ns pbr6 command is saved in ns.conf or running-config files.

    [ NSHELP-25373 ]
  • In a cluster setup, unwanted extra binding configuration gets saved in the ns.conf file.

    [ NSHELP-24636 ]
  • The following error conditions are observed in the Citrix Gateway GUI:

    • When a policy is bound to primary authentication in the VPN virtual server, the GUI incorrectly shows that the policy is bound to the secondary authentication and the group authentication.
    • When the VPN virtual server is bound to a server certificate, the server GUI incorrectly shows that the VPN virtual server is bound to CA cert as well.
    [ NSHELP-24494 ]
  • On a Citrix ADC SDX platform, the following error message appears while loading the GUI:
    Operation not supported by device[Pooled licensing not supported on this platform]

    [ NSHELP-24474 ]
  • On the Citrix ADC GUI, you are unable to view the "Custom Reports" created for a specific partition.

    [ NSHELP-24370 ]
  • The following temporary files in the /var/tmp folder of a Citrix ADC appliance cause a memory full state:

    • sh.runn.audit.<pid> file created by nsconfigaudit tool.
    • tmp_ns.conf.<pid> file created by show run command for partition.
    [ NSHELP-24092 ]
  • For a "routerdynamicrouting" NITRO API request, the Citrix ADC appliance might return JSON data with formatting errors if the response size is large.

    [ NSHELP-19913 ]
  • Feature: System
    A Citrix ADC appliance becomes unstable if you use the -outfilename parameter in the diffnsconfig command. As a result, the diffnsconfig output is large enough to completely fill the root disk.

    [ NSHELP-19345 ]

Known Issues

The issues that exist in release 13.0-71.44.

Authentication, authorization, and auditing

  • In some cases, a Citrix ADC appliance crashes when a user tries to configure a customized EULA login schema.

    Use the default EULA login schema.

    [ NSHELP-25570 ]
  • If a Citrix ADC appliance is configured for nFactor authentication and is upgraded to version 13.0, the endpoint (example iPad) used to access the Citrix ADC appliance is presented with 401-based authentication instead of Form-based authentication.

    [ NSHELP-25309 ]
  • Feature: Authentication, authorization, and auditing-TM
    A Citrix ADC appliance does not authenticate duplicate password login attempts and prevents account lockouts.

    [ NSHELP-563 ]
  • Feature: Authentication, authorization, and auditing

    The DualAuthPushOrOTP.xml LoginSchema is not appearing properly in the login schema editor screen of Citrix ADC GUI.

    [ NSAUTH-6106 ]
  • Feature: Authentication, authorization, and auditing

    ADFS proxy profile can be configured in a cluster deployment. The status for a proxy profile is incorrectly displayed as blank upon issuing the following command.
    "show adfsproxyprofile <profile name>"

    Connect to the primary active Citrix ADC in the cluster and run the "show adfsproxyprofile <profile name>" command. This displays the proxy profile status.

    [ NSAUTH-5916 ]
  • Feature: Authentication, authorization, and auditing
    You might see a "No such policy exists" message on the nFactor Flow page in nFactor Visualizer when you try to unbind a policy from a factor. The unbind option works as expected.

    [ NSAUTH-5821 ]

Caching

  • A Citrix ADC appliance might crash if the Integrated Caching feature is enabled and the appliance is low on memory.

    [ NSHELP-22942 ]
  • When configuring a cache content group, invalid white space is observed in the Cache-Control header max-age value.

    [ NSHELP-20066 ]

Citrix Gateway

  • If an FQDN is used for configuring wiHome or StoreFront over an SSL connection, ECDHE ciphers are not negotiated during the boot-up process.

    [ NSHELP-25144 ]
  • The EPA plug-in for Windows does not use the local machine's configured proxy and connects directly to the gateway server.

    [ NSHELP-24848 ]
  • You might face issues when editing documents using the web-based Office apps linked in SharePoint when these apps are accessed through the advanced clientless VPN.

    [ NSHELP-23364 ]
  • Sometimes while browsing through schemas, the error message "Cannot read property 'type' of undefined" appears.

    [ NSHELP-21897 ]
  • The filter action configuration is not saved if the configuration has a reference to any service. You must reboot the Citrix Gateway appliance and apply the configuration again.

    [ NSHELP-6889 ]
  • Feature: Citrix Gateway
    A Citrix Gateway appliance does not fall back to the LDAP policy if the following conditions are met:

    • Certificate authentication and LDAP are configured as the first factor, and LDAP takes its data from the login schema.
    • The certificate authentication fails.
    [ NSHELP-1853 ]
  • A memory leak is observed if HDX Insight with advanced encryption is enabled.

    Use HDX Insight with basic encryption instead of advanced encryption.

    [ CGOP-15689 ]
  • Transfer Logon does not work if the following two conditions are met:

    • nFactor authentication is configured.
    • Citrix ADC theme is set to Default.
    [ CGOP-14092 ]
  • Feature: Citrix Gateway
    The Gateway Insight report incorrectly displays the value "Local" instead of "SAML" in the Authentication Type field for SAML failures.

    [ CGOP-13584 ]
  • Feature: Citrix Gateway
    The ICA connection results in a skip parse during ICA parsing if users are using the Mac Receiver along with version 6.5 of Citrix Virtual Apps and Desktops (formerly Citrix XenApp and XenDesktop).
    Upgrade the Receiver to the latest version of Citrix Workspace app.

    [ CGOP-13532 ]
  • Feature: Citrix Gateway
    In a high availability setup, during Citrix ADC failover, SR count increments instead of the failover count in Citrix ADM.

    [ CGOP-13511 ]
  • While accepting local host connections from the browser, the Accept Connection dialog box for macOS displays content in the English language irrespective of the language selected.

    [ CGOP-13050 ]
  • The text "Home Page" in the Citrix SSO app > Home page is truncated for some languages.

    [ CGOP-13049 ]
  • Feature: Citrix Gateway
    An error message appears when you add or edit a session policy from the Citrix ADC GUI.

    [ CGOP-11830 ]
  • In Outlook Web App (OWA) 2013, clicking "Options" under the Setting menu displays a "Critical error" dialog box. Also, the page becomes unresponsive.

    [ CGOP-7269 ]

Citrix Web App Firewall

  • The aslearn process does not start automatically after the Citrix ADC appliance has crashed.

    [ NSWAF-6766 ]
  • Bot log expression

    The Citrix bot management profile now enables you to capture additional data as log messages if the incoming traffic is identified as a bot. The data can be any request-side TCP or HTTP information such as:

    • Request URL
    • Source IP address
    • Source port

    [ NSWAF-22 ]
  • SOAP envelope validation might fail for XML data.

    [ NSHELP-24412 ]

Load Balancing

  • In a high-availability setup, subscriber sessions of the primary node might not be synchronized to the secondary node. This is a rare case.

    [ NSLB-7679 ]
  • The generation of SNMP alarms might be delayed if the synchronization of configuration from the master site to subordinate sites fails.

    [ NSHELP-23391 ]
  • A Citrix ADC appliance might crash when DNS logging is enabled and a malformed DNS query is received.

    [ NSHELP-21959 ]

Networking

  • When you push configurations to the cluster instances using a StyleBook, the commands fail with the "Command propagation failed" error message.
    On successive failures, the cluster retains the partial configuration.

    1. Identify the failed commands from the log.
    2. Manually apply the recovery commands for the failed commands.

    [ NSHELP-24910 ]
  • In a high availability setup, the SNMP module might crash repeatedly because of improper handling of data by the packet engines and internal networking modules.
    This repeated crash of the SNMP module triggers HA failover.

    [ NSHELP-24434 ]
  • For internal SSL services on a non-default HTTPS port, SSL certificate bindings might revert to the default setting after the appliance is restarted.

    [ NSHELP-24034 ]

Platform

  • A Citrix ADC VPX instance crashes when frequent link flaps are seen on 50G and 100G interfaces.

    [ NSPLAT-16852 ]
  • On the Citrix ADC SDX 14000 and SDX 25000 platforms, a core dump is not generated through the lights out management Non-Maskable Interrupt (NMI) button.

    [ NSHELP-25091 ]

Policies

  • Feature: System
    Connections might hang if the size of the data being processed exceeds the configured default TCP buffer size.

    Set the TCP buffer size to the maximum size of the data that needs to be processed.

    [ NSPOLICY-1267 ]

SSL

  • Feature: SSL
    The update command is not available for the following add commands:

    • add azure application
    • add azure keyvault
    • add ssl certkey with hsmkey option
    [ NSSSL-6484 ]
  • Feature: SSL
    You cannot add an Azure Key Vault object if an authentication Azure Key Vault object is already added.

    [ NSSSL-6478 ]
  • Feature: SSL
    You can create multiple Azure Application entities with the same client ID and client secret. The Citrix ADC appliance does not return an error.

    [ NSSSL-6213 ]
  • Feature: SSL
    The following incorrect error message appears when you remove an HSM key without specifying KEYVAULT as the HSM type.
    ERROR: crl refresh disabled

    [ NSSSL-6106 ]
  • Feature: SSL
    Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)

    [ NSSSL-4427 ]
  • Feature: SSL
    An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.

    [ NSSSL-4001 ]
  • Feature: SSL
    In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.

    [ NSSSL-3161 ]
  • In a cluster setup, certificate configuration changes are not allowed if any certificate or key files are removed.

    [ NSHELP-24913 ]
  • After you add an SSL_TCP virtual server and attach an SSL profile to it, the "redirectPortRewrite" setting might be incorrectly enabled. As a result, there might be some configuration loss in a future upgrade.

    The redirectPortRewrite setting is valid only for an HTTP virtual server.

    [ NSHELP-22984 ]
  • When the "forward" ssl action is triggered, the counter "Current Client Est connections" incorrectly shows a large value in the output of statistics for the virtual server to which traffic is forwarded.

    [ NSHELP-22825 ]
  • Feature: SSL
    In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.

    [ NSHELP-13466 ]

System

  • A Citrix ADC appliance is unable to handle server-side connections and cannot log correct AppFlow records if the following conditions are observed:

    • The domain name which matches a private urlset is not obfuscated correctly from the AppFlow records.
    • The Responder Action, Policy Matched, and Matched ID fields are incorrectly populated in the AppFlow records.
    [ NSHELP-24824 ]
  • When Citrix ADC CPX is deployed as a sidecar and the environment variable MGMT_HTTP_PORT is not set, NITRO API calls do not work.

    When you deploy Citrix ADC CPX as a sidecar, you must set the MGMT_HTTP_PORT environment variable. You can assign any unassigned port number, including 9080.

    [ NSBASE-12800 ]
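    As an added illustration (not from the release notes or from Citrix's own deployment files), a Kubernetes pod spec that runs CPX as a sidecar with the NITRO management port set. Only the MGMT_HTTP_PORT variable name and the 9080 value come from the issue above; the pod and container names, the application image, the CPX image tag, the EULA variable and the privileged security context are assumptions about a typical CPX deployment.

```yaml
# Added example: CPX sidecar with the NITRO management port configured.
# Names, images and the privileged/EULA settings are assumptions;
# MGMT_HTTP_PORT is the variable this known issue requires.
apiVersion: v1
kind: Pod
metadata:
  name: app-with-cpx-sidecar
spec:
  containers:
    - name: app
      image: example.com/app:1.0      # assumed application image
      ports:
        - containerPort: 8080
    - name: cpx
      image: quay.io/citrix/citrix-k8s-cpx-ingress:13.0-71.44   # assumed tag
      securityContext:
        privileged: true               # assumed, as in typical CPX manifests
      env:
        - name: EULA
          value: "yes"                 # assumed; CPX requires EULA acceptance
        - name: MGMT_HTTP_PORT         # without this, NITRO calls fail (NSBASE-12800)
          value: "9080"
      ports:
        - containerPort: 9080          # NITRO endpoint, matches MGMT_HTTP_PORT
```

    With the variable set, NITRO requests from the application container reach CPX on the pod's localhost at the chosen port; pick a port that no other container in the pod listens on.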

User Interface

  • Feature: CloudBridge Connector

    The Create/Monitor CloudBridge Connector wizard might become unresponsive or fail to configure a CloudBridge Connector.

    Configure CloudBridge Connectors by adding IPSec profiles, IP tunnels, and PBR rules by using the Citrix ADC GUI or CLI.

    [ NSUI-13024 ]
  • Refresh button does not work while checking Stream Sessions (AppExpert > Action Analytics > Stream Identifier) in the GUI.

    [ NSHELP-24195 ]
  • Uploading and adding a certificate revocation list (CRL) file fails in an admin partition setup.

    [ NSHELP-20988 ]
  • Sometimes it takes a long time for the Application firewall signatures to sync to non-CCO nodes. As a result, commands using these files might fail.

    [ NSCONFIG-4330 ]
  • If you (system administrator) perform all the following steps on a Citrix ADC appliance, the system users might fail to log in to the downgraded Citrix ADC appliance.

    1. Upgrade the Citrix ADC appliance to one of the builds:

    • 13.0 52.24 build
    • 12.1 57.18 build
    • 11.1 65.10 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the Citrix ADC appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    "query ns config -changedpassword [-config <full path of the configuration file (ns.conf)>]"

    To fix this issue, use one of the following independent options:

    • If the Citrix ADC appliance is not yet downgraded (step 3 above), downgrade the Citrix ADC appliance using a previously backed up configuration file (ns.conf) of the same release build.
    • Any system administrator whose password was not changed on the upgraded build can log in to the downgraded build and update the passwords for the other system users.
    • If none of the above options work, a system administrator can reset the system user passwords.

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]