Release Notes for Build 58.13 of NetScaler 11.1 Release
June 13, 2018 | Release notes version: 7.0
This release notes document describes the enhancements and changes, lists the issues that are fixed, and specifies the issues that exist, for the NetScaler release 11.1 Build 58.13. See Release history.
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- This build includes fixes for the following 13 issues that existed in the previous NetScaler 11.1 release build: 695466, 698026, 700289, 699318, 700134, 695002, 690943, 702592, 684860, 484616, 698207, 702328, 700934.
- The known issues section is cumulative. It includes issues newly found in this release, and issues that were not fixed in previous NetScaler 11.1 releases.
- The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the NetScaler team.
What's New?
The enhancements and changes that are available in Build 58.13.
NetScaler SDX Appliance
- Support for SDX 26000-100G Platform
  This release supports the SDX 26000-100G platform. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/sdx/hardware-platforms/sdx-26xxx100g.html [# 703467]
Fixed Issues
The issues that are addressed in Build 58.13.
AAA-TM
- The custom protocol used to communicate data between the traffic management virtual server and the NetScaler AAA virtual server sends sensitive data through the URL.[# 695466]
- The NetScaler appliance becomes unresponsive if an invalid cookie tries to merge with a body cookie, causing the cookie parsing to fail.[# 700872]
- In a high availability setup, AAA sessions on a NetScaler appliance become unresponsive during an upgrade from 11.1 build 57.11 to 11.1 build 58.x. To overcome this issue, you must complete the following steps:
  1. Disable HA sync on both primary and secondary nodes using the command "set ha node -hasync disabled". Do not disable "ha prop".
  2. Disable the ICA parameter using the command "set ica parameter -enableSRonHAFailover no".
  3. Save the configuration.
  4. Upgrade the secondary appliance to 11.1 build 58.13. Do not run the "force failover" command.
  5. Upgrade the primary node and execute the "force failover" command.
  6. Enable HA sync on both primary and secondary nodes using the command "set ha node -hasync enabled".
  7. Enable the ICA parameter using the command "set ica parameter -enableSRonHAFailover yes".
  8. Save the configuration.
  Note: During an upgrade, the state information from primary to secondary is not synced, and this might cause some traffic disruption. Citrix recommends that you perform the upgrade in a special maintenance window.[# 705349, 708016]
- If you use the certificate authentication method in nFactor authentication, users observe a "401 Unauthorized" error and the NetScaler appliance fails to authenticate the NetScaler AAA request.[# 706250, 707798, 704500]
- In rare cases, a NetScaler appliance might become unresponsive if the following conditions are met:
  - The memory location is corrupted.
  - The NetScaler AAA daemon fails due to unsafe access.[# 706713]
Admin Partitions
- In a rare scenario, the secondary appliance of a high availability setup fails during an HA force sync operation. The appliance fails because of a memory allocation failure in an admin partition.[# 703522, 690223]
Application Firewall
- On a NetScaler appliance, traffic is impacted due to high bandwidth utilization when an AppFW policy is bound to the load balancing virtual server.[# 698026, 699863, 705637, 706371]
- The NetScaler application firewall allows an SQL injection attack if the Content-Type HTTP header is modified.[# 700289]
- The NetScaler appliance resets the HTTP connection and does not upload large files when the application firewall is configured.[# 701164, 702124]
- In the NetScaler Application Firewall GUI, the newly added counter in the Imports tab does not correctly retrieve the imported files because the entries for the imported objects require additional processing. The Application Firewall now allows you to import and perform additional processing in order to produce the correct number of file entries.[# 704430]
- In NetScaler release 11.0 version 1, you cannot remove the AppFW FieldFormat relaxation rules from the GUI. The relaxation rules use a transformed string that is displayed in the GUI. As a result, the system is unable to find a matching entry in the database for removing a rule, because the learned string used to remove the learned data is fixed.[# 705258]
- When you attempt to add an expression under Signature Rules Pattern in the Signature Editor, the expression is not displayed in the Name (Expression) field. The rule pattern option is reverted to Any. The same behavior is observed even if you select the URL or Name options, and specify an expression.[# 706637]
- The leading TCP window size is rounded off when the post body limit is set to 4294967295 (2^32-1). The fix ensures that the maximum TCP window limit set by the Application Firewall is 100 MB for non-streaming data and 20 MB for streaming data.[# 708394, 708678]
DNS
- If the response to a proactive update contains an invalid query ID from the back-end service, the NetScaler appliance handles this response erroneously. A subsequent response with a valid query ID results in the appliance crash.[# 699318]
- DNS policy configuration containing debug messages increased the CPU usage. With this fix, the debug messages are removed.[# 706222]
GSLB
- In a GSLB setup, uneven load balancing is observed when both of the following conditions are met:
  - The primary GSLB method is configured as Static Proximity with the backup method as Round Robin.
  - Multiple service location matches exist for multiple incoming requests.[# 700134]
- In a GSLB setup, the GSLB configuration sync operation is aborted when all of the following conditions are met:
  - The NetScaler appliance is configured for GSLB in an admin partition.
  - The slave site is a high availability setup.[# 703753]
Integrated Caching
- A NetScaler appliance might become unresponsive when the Integrated Cache (IC) module processes a byte range request for large content.[# 695002]
- The NetScaler appliance might fail to respond if the buffer size of a TCP profile is set to a high value with Integrated Caching (IC) being configured.[# 695083]
Load Balancing
- In a cluster setup, you cannot disable a service group if there are no services bound to it.[# 690943]
- The NetScaler AutoScale service group does not honor network profile configuration.[# 702592]
- The NetScaler packet processing engine crashes when both of the following conditions are met:
  - A server bound to a node group is deleted without unbinding the associated service.
  - The service associated with the deleted server is accessed.[# 704052]
- A NetScaler appliance crashes if you add a Rate Limiting expression to a DNS responder policy.[# 708722]
NetScaler GUI
- After an upgrade, the NetScaler GUI randomly displays the management usage of a NetScaler appliance as high.[# 704054]
NetScaler Gateway
- The NetScaler Gateway appliance dumps core intermittently while validating an STA ticket in the FrameHawk channel, if either of the following conditions is met:
  - ICA Session Timeout is set ON in global settings.
  - An ICA policy is bound to the appliance.[# 638859, 685618, 701704]
- The NetScaler Gateway appliance is unable to handle the new Secure Ticket Authority (STA) server request if the following conditions are met:
  - The NetScaler Gateway appliance uses the previous STA request information.
  - The host FQDN information does not match the one in the new STA request.[# 702679, 697065]
- The VPN plug-in displays an upgrade prompt if the following conditions are met:
  - User login is from a browser to a NetScaler Gateway appliance.
  - The VPN plug-in cannot connect to a VPN gateway.[# 704718, 707228]
NetScaler Insight Center
- NetScaler Gateway fails after a duplicate memory-free operation if you have enabled HDX Insight for ICA applications.[# 701320, 700412, 703435, 702111, 704081, 704573]
NetScaler SDX Appliance
- On the NetScaler SDX 26000-100G platform, VLAN bindings are not displayed in the user interface though they are propagated to the VPX instances hosted on the appliance.[# 706948]
NetScaler VPX Appliance
- A NetScaler VPX instance running on a NetScaler SDX appliance does not receive any traffic under the following set of conditions:
  - The Intel 710 series NICs of the NetScaler SDX appliance are connected to a switch with an LLDP-enabled port.
  - That port has been disabled and then enabled.[# 684860, 703400]
Networking
- If ECMP routes are present on a NetScaler appliance and a new route is added for the same prefix with a lower metric or distance, not all existing connections are updated with the new route. Only connections pointing to the first route of the ECMP set are updated with the new route.[# 703782]
Policies
- The available memory on a NetScaler appliance can be exhausted, degrading the performance of the appliance, when an authorization policy with a default syntax (advanced, not classic) rule is bound to an AAA user or group, or when an authentication policy with a default syntax (advanced, not classic) rule is bound to an authentication service with a nextFactor parameter.[# 701044, 706078, 707776]
SSL
- In rare cases, on the MPX 22040/22060/22080/22100/22120 and MPX 11515/11520/11530/11540/11542 platforms, TLS renegotiation with a different cipher is not supported.[# 484616]
- On the MPX 5900/8900 and SDX 8900 platforms, memory allocation fails in some partitions when the memory allocated from one partition is freed in another partition. This results in incorrect memory accounting across partitions, causing memory allocation failures.[# 697089, 707041]
- If two SSL connections use the same SSL session ID, session reuse fails if one of the connections renegotiates the session.[# 698207]
- A NetScaler MPX 5900, MPX 8900, or SDX 8900 appliance might crash if you enable policy based renegotiation.[# 702328]
- The symmetric operations fail because the SSL card becomes unresponsive.[# 708375]
System
- The NetScaler appliance might fail in responding to SNMP requests because of an internal buffer issue.[# 702683, 698872, 705377]
- A NetScaler appliance gives priority to a TCP Cookie option instead of an MPTCP MP_CAPABLE option when responding with a SYN/ACK (synchronize-acknowledgment) to the client. The issue occurs if the appliance does not have sufficient space to fit both options in the TCP options space.[# 702766]
- A NetScaler appliance might crash if it tries to reoptimize an object that is already cached. The issue occurs when you change the Front End Optimization (FEO) action or enable the FEO feature after some objects have already been cached on the appliance.[# 706285]
Telco
- The NetScaler appliance might translate a subscriber's packets related to an LSN configuration with the NAT IP of the other LSN configuration if both of the following conditions are met:
  - The same subscriber IP address is present as part of these two LSN configurations.
  - The first LSN configuration's IP pooling type is paired.[# 700934]
Known Issues
The issues that exist in Build 58.13.
AAA-TM
- Despite binding loginSchema policies to an AAA virtual server, an administrator is able to bind Classic authentication policies. However, these are not used unless the authentication policies are advanced.[# 631362]
- SHA256 digest algorithm is not supported on a NetScaler FIPS appliance configured for SAML authentication or as a SAML IDP. However, an appropriate error message does not appear in the browser.[# 639349]
- If a user name containing special characters is prefilled in the login forms, the RfWeb user interface fails to render the form.
  Workaround: Escape the angle brackets.
  Example: The user name is prefilled in the login forms on the basis of the value of the InitialValue tag in the authentication schema file. Change
  <InitialValue>${http.req.user.name}</InitialValue>
  to
  <InitialValue><![CDATA[${http.req.user.name}]]></InitialValue>[# 646139]
- A NetScaler appliance configured for NetScaler AAA with LDAP over SSL can become unresponsive when the LDAP server is very slow to respond to requests. At this point, the packet engine is unable to process any more authentication requests.[# 660065, 674005]
- If the back-end server's domain name does not include a dot, DNS resolution fails during Kerberos Single Sign-ON (SSO).[# 667953]
- In rare scenarios, response cookie from OWA 2013 server is not greater than 70 bytes when the NetScaler appliance is configured with Forms Based SSO. Hence, length check for cookie value in success-rule configured in Forms SSO action on the NetScaler appliance needs to be updated with an appropriate value.[# 676450]
- If the primary and secondary passwords in a logon request are the same, and the first-factor authentication server prompts the user to change the password, the second-factor server uses the password that was sent in the logon request.
  Workaround: Configure the second-factor authentication server to use the http.req.user.passwd expression if the first-factor server requests a password change.[# 678553]
- If forms based Single Sign-On (SSO) is configured for Outlook Web Access (OWA) 2013 servers, the "successRule" configured in the forms SSO action must be corrected, because the server sends a 64-byte cookie upon successful SSO.[# 681730]
- If a NetScaler appliance configured as a SAML Identity Provider (IdP) contains the AAA.USER.GROUP_as_xml() attribute in the "samlIdPProfile" command, an extra AttributeValue tag is opened.[# 686070]
- The back end is not accessible through a clientless VPN (CVPN). The issue occurs when SSO is ON, the proxy is specified in a traffic action, and the back-end credentials are different from the logon credentials.
  Workaround: Create a traffic policy based on the back-end URL and create a trafficAction with SSO OFF and No Proxy. The back end should then be accessible.[# 689153]
- The client authentication request from a NetScaler AAA might become unresponsive while receiving an authentication response from the back-end server because the client has dropped the connection.[# 697237, 707200]
- If you have to set a domain wide cookie for an authentication domain, you must enable authentication profile on a load balancing virtual server.[# 697727]
- A NetScaler appliance configured for NetScaler AAA to protect traffic management resources might leak memory and become unresponsive.[# 706190, 706270, 707244, 707722, 707504]
- The NetScaler appliance might fail to establish an SSO connection to a back-end server, if the form-SSO has a hidden value containing special characters such as &, <, >, and ‘.[# 707018]
- A NetScaler appliance might crash if there is a configuration change in the system global bindings while the appliance is waiting for a response from the NetScaler AAA daemon.[# 707816]
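The CDATA workaround for the RfWeb prefilled user name issue [# 646139] above, as an added example that is not Citrix code: a short Python model that substitutes a user name into the InitialValue tag and parses the result as the UI must, showing why angle brackets break the raw form, why CDATA fixes it, and, going beyond the page's workaround, that XML-escaping the value also covers the one input CDATA cannot. The schema fragments and the plain textual substitution are assumptions about the appliance behaviour.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed schema fragments modelling the documented issue: the
# original InitialValue tag and the CDATA-wrapped workaround.
EXPR = "${http.req.user.name}"
SCHEMA_RAW = "<InitialValue>" + EXPR + "</InitialValue>"
SCHEMA_CDATA = "<InitialValue><![CDATA[" + EXPR + "]]></InitialValue>"


def substitute(schema: str, username: str) -> str:
    """Model the appliance replacing the expression with the user name.
    Assumption: plain textual substitution with no escaping, which is
    what lets special characters in the name reach the XML unprotected."""
    return schema.replace(EXPR, username)


def initial_value(rendered: str):
    """Parse the rendered fragment the way the RfWeb UI has to.
    Returns the InitialValue text, or None when the XML is malformed,
    which is the condition under which the login form fails to render."""
    try:
        return ET.fromstring(rendered).text
    except ET.ParseError:
        return None


def render(username: str):
    """Return (raw_result, cdata_result) for one prefilled user name."""
    return (initial_value(substitute(SCHEMA_RAW, username)),
            initial_value(substitute(SCHEMA_CDATA, username)))


def render_escaped(username: str):
    """General fix beyond the page's workaround: XML-escape the value
    instead of relying on CDATA. CDATA itself breaks if the value
    contains ']]>', which ends the section early; escaping does not."""
    return initial_value(substitute(SCHEMA_RAW, escape(username)))


if __name__ == "__main__":
    # Constructed sample user names: plain, with angle brackets,
    # with an ampersand, and with a CDATA terminator.
    for name in ["jdoe", "<admin>", "a&b", "x]]>y"]:
        print(repr(name), "raw/cdata:", render(name),
              "escaped:", repr(render_escaped(name)))
```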
Admin Partitions
- After adding an admin partition, make sure you save the configurations on the default partition. Otherwise, the partition setup configurations will be lost upon system restart.[# 493668, 516396]
- In a non-default partition, if the network traffic exceeds the partition bandwidth limit, the FTP control connection fails but the data connection remains established.[# 620673]
Analytics
- NetScaler Insight Center does not report an application-launch failure caused by a user trying to launch an application or desktop to which the user does not have access.[# 609604]
AppFlow
- If multiple AppFlow policies are bound to the same bind point, only the last policy is chosen.[# 603177, 647386]
Application Firewall
- The application firewall graphical user interface might display a warning when the Qualys signature file is uploaded to the NetScaler appliance. The transformation program that reads the input file treats a warning message as an error.[# 547282]
- In the Visualizer, some buttons might not work if you use Mozilla Firefox or Internet Explorer.
  Workaround: Use the Google Chrome browser.[# 648272]
- The information that the GUI displays for the application firewall web services interoperability (WSI) check does not say that it is a prerequisite and cannot be disabled.[# 650789, 650317, 658472]
- The NetScaler application firewall should bypass requests from application firewall processing after the system reaches a specified CPU/memory usage limit, but there is currently no policy for reviewing CPU and memory capacity and bypassing the application firewall.[# 660546]
- If you upgrade a NetScaler appliance in a high availability (HA) setup from version 10.5.56.15 to version 11.1.51.1901 and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message.
  Workaround: Turn off the Learning feature when skipping learned rules.[# 671807]
- In an HA environment, a NetScaler appliance running release 11.0 does not learn new rules when the application firewall feature is enabled.[# 672864]
- Application Firewall port information about open ports, such as port 443, is not suppressed. It can therefore be detected by port scan tools such as NMAP in targeted hacker attacks.[# 674864]
- Websites from which you try to retrieve user records through a NetScaler appliance running release 11.1 build 50 do not properly display text in some languages (for example, Arabic). Garbled text, and characters such as question marks, appear instead.
  Workaround: Disconnect the appliance from the application firewall.[# 682115]
- The Application Firewall policy for HTTP requests (HTTP.REQ.HEADER) does not detect a content type with multiple lines.[# 682676]
- If you have multiple application firewall policies configured on a load balancing virtual server, and a policy has a GotoPriority Expression of NEXT, the NetScaler AppFirewall policy order bypasses all security checks in that policy's profile and moves to the next policy.[# 682935]
- The IP address of a content switching virtual server cannot be accessed after an upgrade from a previous release to the current release. The POST request results in a 302 redirect error.[# 687314]
- In an HA environment, after an upgrade to release version 11.1 56.x, the NetScaler application firewall primary node fails to restart after a failover.[# 693905]
- A NetScaler application firewall appliance intermittently blocks requests for some URLs under heavy traffic loads when the advanced application firewall Start URL check is enabled.[# 694123]
- On a NetScaler Application Firewall appliance, Analytics security insight support for content switching target load balancing virtual server is missing.[# 694743]
- The application firewall referer header check fails even after you manually add the referer URL to the relaxation rule.[# 701604]
- The HTML response page does not render properly if you enable URL transformation, and if the page attribute values contain non-breaking space (" ").[# 703641]
- If you set the AppFW profile post body limit to a value greater than 2 GB, client requests get dropped. The issue occurs because of TCP overflow for a window size variable.[# 708549]
Cache Redirection
- The NetScaler packet processing engine might crash when both of the following conditions are met:
  - The NetScaler appliance is configured as a forward proxy.
  - A request is made to an invalid IP address.[# 707795]
Clustering
- In a cluster setup, after a reboot, tagged VLAN configuration is lost on the vlan 1 interface.[# 642947]
- In a layer 3 cluster deployment, fragmented traffic steered through a GRE tunnel might cause packet loops, which result in high traffic load.
  Workaround: Reduce the maximum segment size (MSS) to 1,360 bytes in the cluster deployment.[# 692350]
GSLB
- In a GSLB setup, the NetScaler appliance might not provide correct responses based on the source IP address, if all the following conditions are met:
  - A DNS policy with DNS view as the action is configured and bound globally.
  - A DNS policy with preferred location as the action is configured and bound globally.
  - A DNS request is sent to an ADNS service that hits both these policies, and policy evaluation is positive for both.[# 701276]
- Metrics exchange protocol (MEP) between GSLB sites might flap in some cases if you enable the Secure option on the remote procedure call (RPC) node.[# 707182, 707355]
Licensing
- If you execute licensing commands simultaneously from multiple interfaces, such as the NetScaler CLI, NITRO, or the GUI, the commands might time out, because the licensing module processes the commands serially. Here is the list of such commands:
  - add/rm/show licenseserver
  - show licenseserverpool
  - set/unset capacity[# 685146]
Load Balancing
- After a high availability failover, Web Interface on NetScaler displays "State Error" if you try to launch an application.[# 630435]
- The NetScaler appliance is unable to reuse an existing probe connection if an HTTP wildcard load balancing virtual server is configured in MAC mode with use source IP (USIP) mode enabled and the Use Proxy Port option turned off. As a result, the connection fails and the client receives a TCP reset.[# 632872]
- If a service group member is assigned a wildcard port (port *), the monitor details for that service group member can be viewed from the Monitor Details page.[# 671729]
NITRO
- The .NET NITRO SDK get call for the snmpmib resource (snmpmib.get()) fails with JSON deserialization errors.[# 702648]
NITRO API
- The NetScaler appliance does not send a response for a NITRO API request for restarting the appliance.[# 708209]
NetScaler CLI
- When you use the Net::SSH::Perl library to connect to the NetScaler appliance, and run a command with an argument that has an @ character, an error message reports that the argument does not exist. For example, an error message appears if you use the @ character in the tacacsSecret parameter of the following command:
  > set authentication tacacsAction TACACS-0101 -tacacsSecret Sl4make5f0rd@enc5
  Workaround: Use one of the following alternate approaches:
  - If you use the Net::SSH::Perl library, include double quotes around the command when calling $ssh->cmd().
  - Use the Net::Telnet library.
  - Use the Net::SSH::Expect library.[# 346066]
- If a user tries to log on to a NetScaler appliance through any console, the system displays a log message with an incorrect client type. For example, if the user logs on to the appliance through the XenServer console, the system displays the log message as follows:
  "Apr 9 12:27:02 <local0.info> 10.102.201.11 04/09/2018:06:57:02 GMT 0-PPE-0 : default UI CMD_EXECUTED 502 0 : User nsroot - Remote_ip 127.0.0.1 - Command "login nsroot "********"" - Status "Success"[# 701582]
NetScaler CPX
- Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.[# 658734, 658736]
NetScaler GUI
- The Upgrade Wizard sometimes does not display a message when the appliance is rebooting. However, the NetScaler appliance reboots and the upgrade is successful.[# 557379, 585649, 609615, 617161, 646039]
- In Internet Explorer version 7 and older versions, the browser incompatibility message does not appear for NetScaler release 11.1. The logon page appears directly, and you can log on successfully.[# 649052]
- If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled, and you log on as nsroot user, an extra session is created.[# 657924]
- If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled and the nsroot password is changed at the first logon to the NetScaler appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.[# 658132]
- A time zone setting ("set timezone" command) on a NetScaler appliance running release 11.1 might get lost after you upgrade it to a later release.
  Workaround: Set the required time zone again (by using the "set timezone" command in the NetScaler CLI or the NetScaler GUI) on the upgraded appliance.[# 692565, 683168]
NetScaler Gateway
- Active user sessions GUI view shows Client IP as 0.0.0.0 and Server IP as 0.0.0.0 in the first row of each active user session.[# 447670, 504936, 521963, 571041, 585030, 586840]
- The VPN plug-in resets the tunneled TCP connection if either party tries to close the connection by sending a FIN packet.[# 495596]
- If an automatic proxy script is configured on a client machine and split tunnel is ON, establishing a VPN tunnel makes all external websites, including a VPN server, inaccessible from Internet Explorer 11 if they are unreachable without a proxy.
  Workaround: Set the following registry value to 1 and restart Internet Explorer at least once: HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableLegacyAutoProxyFeatures[# 591311]
- When Unified-Gateway is deployed with GSLB configured with sitePersistence as ConnectionProxy, access to published applications with -ssotype selfauth does not work when the connection is proxied from one site to another.[# 599435]
- If a VPN virtual server is bound as the default virtual server to a content switching (CS) virtual server, the "show VPN virtual server" command does not display the details of the CS virtual server to which the VPN virtual server is bound.[# 600205]
- For PreAuth and PostAuth Logging, you must use the VPN parameter. If the clientSecurityLog value is modified in a session action whose session policy has a ClientSecurity expression as the rule, the clientSecurityLog value of the session action is not honored.[# 602928]
- If an End User License Agreement (EULA) is bound to the VPN virtual server, the EULA checkbox does not appear if nFactor authentication is enabled for NetScaler Gateway.[# 615334]
- You cannot configure the portal theme for AAA authentication unless the SSLVPN is also enabled for portal theme configuration.[# 621084, 622825]
- If nfactor policies are bound to the AAA virtual server, the logon page of the virtual server is not displayed correctly by an Internet Explorer browser on a Windows mobile device.[# 621962]
- In a cluster setup, the "show bindings" command does not display Negotiate type authentication policies.[# 627652]
- If you use CVPN to edit the home page, the embed code becomes corrupt.[# 628835]
- If a user is on the intranet and the location based VPN is set to REMOTE, and the VPN plug-in is terminated or the PC is rebooted, the NetScaler Gateway plug-in displays an authentication prompt.[# 638574]
- If a VPN session profile and the RfWebUI portal theme are in use, end users cannot log on if the following are set to OFF:
  - ICA Proxy
  - Clientless VPN Mode
  - Transparent Interception and Client Choices[# 639453]
- Portal Theme support for AAA TM is not available in admin partitions.[# 641160]
- After a high availability failover, users cannot launch apps in WebFront until the page is refreshed.[# 641524]
- If the Home Page Text labels are lengthy when you customize an RfWebUI based theme, the home-page user interface does not function properly. The following lengthy text labels can cause this problem:
  - Apps Tab Label
  - Desktop Tab Label
  - Favorite Tab Label[# 641529]
- If you access a NetScaler Gateway appliance from a browser set to a non-English language, and the page for changing an expired password uses the RfWebUI theme, the text on the page appears in English only.[# 641558]
- After the preauthentication EPA scan completes, the cursor does not return to the index page.[# 644385]
- Copyright information is not translated from English to another language. The copyright information is displayed only in English.[# 644559]
- If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.[# 645098]
- An error message appears when a user logs off of a StoreFront session, if Gateway logon uses SAML based authentication for ICA Proxy mode.
  Workaround: Log off by closing the browser.[# 646706]
- VPN session synchronization fails when the NetScaler Gateway appliance is upgraded to 11.1.49.11.[# 659848]
- The RfWebUI based theme is not supported for an Authentication virtual server configured with Classic Authentication policies.[# 672333]
- In an outbound ICA proxy deployment, the NetScaler appliance closes the client connection if the following conditions are met:
  - A TCP service has the same IP address as the destination server.
  - The TCP service also has the same IP port as the destination server.
  The appliance closes the connection because it fails to establish a connection with the destination server.[# 674632]
- If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot upload a Profile Picture.
  Workaround: Use Chrome or Firefox.[# 679176]
- If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot drag and drop files.
  Workaround: Upload the document instead of using drag and drop.[# 679193]
- If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to open a Word (.doc) document.
  Workaround: Use Firefox to open the document.[# 679713]
- If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN), the "Stop Following a Site" functionality is not available.[# 679744]
- If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to add a new item to the calendar.
  Workaround: Use Chrome or Firefox.[# 679747]
- If nFactor authentication is configured on a NetScaler Gateway appliance running release 11.1 build 51.x or later, native clients use the authentication policies configured on the authentication virtual server. See https://support.citrix.com/article/CTX223386 for details.[# 680378]
- Responder policies are not supported for a Gateway virtual server configured with a portal theme based on RfWebUI.[# 684658]
- After upgrading to 11.1 build 55.13, n-Factor authentication does not work if the first factor has a NO-Authentication policy with a "true" rule.
  Workaround: Avoid configuring "true" as the rule for the policy. Add the following expression for this policy instead:
  "http.req.url.contains("/nf/auth/doAuthentication.do")"[# 695650]
- In some cases, the DNE drivers used for the NetScaler Gateway VPN plug-in negatively impact the download speed.[# 697536]
- After upgrading the NetScaler Gateway appliance to release 11.x or later, users might see a blank page upon logon. The blank page appears because the browser serves some of the files from its own cache, instead of requesting all the files from the upgraded appliance.
  Workaround: Clear the browser cache.[# 698839]
- After an upgrade to version 11.1, the NetScaler Gateway logon page does not appear in the NetScaler GUI.
  Workaround: Clear the web browser cache.[# 702580]
- SOCKS Proxy CR virtual server configuration for a NetScaler Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for the Virtual Delivery Agent (VDA).
  Workaround: Use an IP address for the VDA.[# 704511]
- If you access an HTTP request URL of length greater than 1024 characters, the Citrix VPN module causes memory corruption.[# 704872]
- The NetScaler Gateway appliance dumps core if the following conditions are met:
  - HTTP websites are accessed.
  - Memory allocation is low.
  - Memory allocation for the code compression feature fails.[# 706402]
- A NetScaler Gateway appliance displays an error message upon accessing services using SAML based authentication. This happens when the appliance is bound to RFWebUI portal theme and has been successfully validated to the NetScaler appliance.[# 707997]
NetScaler Insight Center
- The appflowLog option is enabled by default in NetScaler appliance version 11.1 58.x. Consider the case where you have enabled the appflowLog option on a VPN virtual server and upgraded the NetScaler appliance to version 11.1 58.x. If you then downgrade the appliance back to an earlier 11.1 build, the appflowLog option on the VPN virtual server is disabled.
  Workaround: Manually enable the appflowLog option on the VPN virtual server after you downgrade from NetScaler appliance version 11.1 58.x. [# 707744]
NetScaler MPX Appliance
- If you execute the "unset interface lacpkey" command on the NetScaler command line interface, the following error message appears: "LACP key not set".
  Workaround: Use the unset lacpmode command instead. For example:
  unset interface 10/2 -lacpmode
  [# 544037]
- In a NetScaler MPX appliance, the GUI and the command line interface are unable to distinguish between Mellanox 100G and 50G interfaces. As a result, they allow you to set a speed of 50G on a 100G interface. [# 707811]
NetScaler SDX Appliance
- The default setting for auto-negotiation is OFF, which causes an error if you configure the interface from the Management Service.[# 598688]
- When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.
  Workaround: Delete the 10G LACP/static channel that has this issue and create it again. [# 600152, 697276, 704954]
- Enabling trunkAllowedVlan on an interface with more than 100 VLANs might cause a spike in CPU usage.[# 636978]
- The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface of a NetScaler instance:
  ERROR: Operation timed out
  ERROR: Communication error with the packet engine
  [# 638599]
- The Rx/Tx Flow Control configuration is lost if you manually set Rx/Tx Flow Control for a 1000BASE-T copper interface to OFF and the interface is reset.
  Workaround: Enable Flow Control Auto Negotiation (ON). [# 643853]
- LR channel MTU settings are not supported in the Management Service. You must set the MTU settings in the virtual machine.[# 646977, 640003]
- The current software driver for 1G ports does not support hot-swap capability for 1G SFP transceivers on NetScaler SDX 115xx models.
  Workaround: After replacing the 1G SFP transceiver, reset the interface from the Management Service. If the issue persists, restart the appliance. [# 668696]
- In some cases, a client is unable to connect to the TCP-related VIP address of a NetScaler VPX instance on a NetScaler SDX appliance.[# 684106]
- Support for VPX Instance on SDX 8900 Appliance
  This release supports a NetScaler VPX instance on a NetScaler SDX 8900 appliance. Note that the NetScaler SDX 8900 appliance is available only on release 11.0 build 70.109, but VPX instances are supported on 11.0 builds 70.109 and 70.112 and on 11.1 build 56.15. For more information, see:
  https://docs.citrix.com/en-us/sdx/11/hardware-installation/sdx-hardware-platforms/sdx-8900.html
  https://docs.citrix.com/en-us/sdx/11-1/sdx-ag-supported-versions-ref.html
  [# 698749]
- When you log on to the SDX appliance as an external user by using a RADIUS, LDAP, or TACACS server, the NetScaler VPX instances that have not been configured under the groups for external authentication do not appear under NetScaler > Instances in the SDX GUI. This happens after you have upgraded the NetScaler SDX appliance from the following releases, any build:
  - From release 10.5 to release 11.1 or 12.0
  - From release 11.0 to release 11.1 or 12.0
  Workaround: Log on to the SDX appliance by using your nsroot credentials. From the SDX GUI, go to System > User Administration > Group. Select the group and click Edit. Under Instances, move the Available instances to Configured instances. Click OK to save the changes. Log out of the SDX appliance and log on again as an external user. [# 703323]
NetScaler VPX Appliance
- Untagged packets are allowed to pass through an SRIOV VF interface (Intel 82599 NIC) if the VMWare vCenter 6.0 Distributed Virtual Switch (DVS) is used to configure the VLAN trunk mode.[# 616044]
- In ESX-5.5.0 (Patch-2456374), you cannot restart or shut down the NetScaler VPX instance from the VPX console.[# 617922]
- Traffic might not pass through an SRIOV interface if you use the VMWare vCenter 6.0 Distributed Virtual Switch (DVS) to reconfigure a VLAN trunk policy. This is a known issue with VMWare vCenter 6.0. Please contact VMWare support for possible workarounds. [# 622392]
- The VLAN Trunk mode of operation does not work for SRIOV VF interfaces (Intel 82599 NIC) with ixgbe PF driver 3.21.6 or later. This is a known limitation reported by Intel.
  Workaround: Use ixgbe PF driver 3.21.4.3. [# 636360]
- In an ESX environment, the Interface HAMON Configuration option is not available in the NetScaler GUI.[# 641498]
- For IPv6 or LACP support, promiscuous mode must be enabled for VMXNET3 interfaces at the ESX Hypervisor.[# 641748]
- Due to a limitation of the XenServer platform, if NetScaler virtual appliances with different interfaces, such as SR-IOV and Para-virtualized (PV) mode interfaces, use the same physical NIC, traffic between the virtual appliances with different interfaces fails.[# 652640]
- Enabling trunk mode with tagged VLAN settings on an SR-IOV interface fails with the following error message:
  "ERROR: Maximum number of tagged VLANs bound to the interface exceeded or the binding of this VLAN is not allowed on the interface."
  However, trunk mode with tagged VLAN settings is shown as enabled in the output of the following command:
  show interface summary
  [# 657462]
- The NetScaler virtual appliance might fail to start if you have configured 15 or more SR-IOV and PCI passthrough interfaces.[# 657492]
- Due to a limitation in Linux-KVM and VMware ESX platforms, if you add new PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV interface, the PCI passthrough interfaces might take precedence over the existing SR-IOV interfaces.[# 660000]
- The physical link status of a PCI passthrough interface of a NetScaler VPX appliance is not updated when the state of the link is changed (for example, when the link is enabled, disabled or reset), because of a limitation in the Intel XL710 NIC. As a result, any active traffic over the PCI passthrough interface fails during this time.[# 660159]
Networking
- In some cases of FTP data connections, the NetScaler appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.[# 485678]
- VLAN trunk mode and allowed VLAN list configurations are not supported on Link Aggregation (LA) channels and redundant interface sets.[# 590805]
- In a high-availability setup, NSVLAN is synchronized to the secondary node as a regular VLAN if the same NSVLAN is not configured on the secondary node.[# 629102]
- If a VLAN specified in the allowed VLAN list of a trunk interface overlaps with the native VLAN of another interface, both the interfaces participate in packet processing on that VLAN.[# 631589]
- In a high availability setup, the allowed VLAN list is not propagated or synchronized. Therefore, you have to configure the allowed VLAN list on both nodes. [# 631592]
- When a NetScaler appliance processes traffic at line rate, a management CPU spike is observed on the appliance while the allowed VLAN list is being configured. [# 638915]
- If an interface and an IP address are bound to a VLAN, binding them to another VLAN fails with the following error message: "ERROR: Either the subnet is not directly connected or subnet already bound to another VLAN." The interface is unbound from its current VLAN and gets bound to the native VLAN.[# 643341]
- The NetScaler appliance becomes unresponsive when it accesses memory that was not properly freed and therefore contains stale information about a session.[# 685233]
- The NetScaler appliance drops non-SYN TCP packets, which match an INAT rule, and a RESET is sent.[# 688642]
- Adding an extended ACL/extended ACL6/PBR/PBR6 rule fails if the rule has the same set of conditions as that of a removed extended ACL/extended ACL6/PBR/PBR6 rule.[# 699886]
- After cluster synchronization, if some of the load-balancing monitors are not synchronized to the node, the NetScaler appliance fails to add the dependent static Monitor Static Route (MSR) routes.[# 700070]
- When the state of a VLAN becomes DOWN (due to all bound interfaces in DOWN state), the NetScaler appliance might remove some ECMP routes learnt through other UP VLANs.[# 703541]
- The NetScaler appliance ignores Layer 2 information (for example, MAC address, VLAN IDs and Interface IDs) in the Policy-based Route (PBR) rules while processing Large Scale NAT related packets.[# 707838]
- In a high availability configuration in INC mode, dynamic routing parameters might not be set properly because of conversion errors. [# 708496]
Platform
- If you add an NTP time server by specifying the server name (host name), and the ns.conf file is very large, the result is a race condition in which the NTP daemon (NTPD) is started before host name services are ready.
  Workaround: Do one of the following:
  - Restart the NTP daemon after starting the NetScaler appliance.
  - Add the NTP server by specifying the IP address of the server instead of the host name.
  [# 573306]
- In an OpenStack environment, if a custom flavor with an ephemeral disk smaller than 8 GB is used to start a NetScaler VPX or Cisco Nexus 1000v instance, the config drive is not attached to the instance. [# 578366]
Policies
- If a policy expression name is the same as any function name, subsequent use of the expression results in an error. In addition, if you restart the appliance and the policy expression is used in the running configuration, the policy expression produces errors, which results in a configuration loss.
  Workaround: Do not give a policy expression the same name as any function. The simplest way to rename a policy expression is to add a prefix or suffix to the expression name (for example, myco_func or func_myco). [# 637060]
SSL
- If you use the add crl command in release 9.3 to add a certificate revocation list (CRL) with refresh enabled, and you don't specify a method, the add crl command returns an error after an upgrade to a later release. Unlike 9.3, later releases do not have a default method.[# 604061]
- ECDHE support with SSLv3 protocol on the NetScaler appliance is not compatible with RFC 4492, because SSLv3 does not support extensions and ECDHE needs extension support.[# 610588, 657755]
- If you restart the SafeNet network HSM, you must also restart the SafeNet gateway daemon.[# 628067]
- If you have configured two SafeNet HSMs in a high availability setup on a standalone NetScaler appliance, and the primary HSM goes down, the secondary HSM does not serve traffic after a failover.[# 628075]
- In a high availability (HA) setup, if the primary node supports a SafeNet HSM, the HSM configuration is propagated to the secondary node even though the secondary node is not configured to support the SafeNet HSM. For information about configuring an HA setup with SafeNet network HSMs, see the NetScaler documentation for SafeNet network HSM.[# 628082]
- The number of SSL cards that are UP is not displayed for non-default partitions. Because SSL cards are shared between the default partition and the non-default partitions, the total number of SSL cards that are UP in all the non-default partitions is equal to the number of cards that are UP in the default partition.[# 628914]
- If you create a custom cipher group and bind it to an SSL entity, the profile name "SSL_EMBEDDED_PROFILE" incorrectly appears in the output of the "show ciphergroup" command. This error does not occur if you enable the Default profile before creating the custom cipher group and binding it to the SSL entity.[# 637230]
- If you run the "sh ssl service group" command on the cluster IP (CLIP) address and on nodes of a cluster setup, ECC curves are displayed as unbound from the CLIP.[# 660257]
- An incorrect error message is displayed in both of the following cases:
  1. Client authentication is enabled, the root CA certificate is not bound to the SSL virtual server, and a request with a valid client certificate is sent to the virtual server.
  2. Client authentication is enabled, the root CA certificate is bound to the SSL virtual server, and a request with a wrong certificate is sent to the virtual server.
  The error message that appears is "Handshake failure-Internal Error" instead of "No client certificate received." [# 664574]
- In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.[# 667389]
- The SSL entities to which a policy is bound do not appear in the output of the "show ssl policy" command if it is run on the cluster IP address.[# 668520]
- The SSL entities to which an SSL profile is bound do not appear when you run the show ssl profile <Default-Profile> command on a cluster IP (CLIP) address.
  Workaround: View the bound entities from the NetScaler IP (NSIP) address. [# 673458, 689516]
- In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.[# 678175, 678522, 678526]
- An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.[# 678176, 687205, 687098]
- You cannot add a CRL with X.509 version 1 on a NetScaler appliance if the explicit version field in that CRL is set to 0.[# 681878]
- You cannot set the previous session-key life time to its minimum value (0 seconds).[# 687135]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[# 687208]
- SSL classic policy expressions are not honored.
  Workaround: Use SSL default policy expressions. [# 692137]
- If your deployment uses ECDHE ciphers, ECC curves are not bound by default to a NetScaler CPX instance.
  Workaround: Manually bind ECC curves to the NetScaler CPX instance. [# 700363, 701991]
- You cannot bind two certificates of different types (for example, RSA and ECDSA) to a virtual server as SNI certificates if the domain name is the same. [# 701822]
- A NetScaler MPX/SDX 14000 FIPS appliance becomes unresponsive if it receives a packet of size > 18 KB from the backend server.[# 707061]
- The OCSP response is considered invalid if the time zone on a NetScaler appliance includes daylight saving time (DST), and the next update time in the OCSP response is before the time on the appliance.[# 707641]
System
- The HTML page rendering might fail if you insert a prebody script before the header tag. The HTML specification requires the character-encoding declaration to be serialized within the first 1024 bytes of the document, and the script might push the meta tag past the 1024-byte limit.[# 305196, 393696]
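The 1024-byte rule above can be checked before a prebody script is deployed. The following is an added example, not NetScaler code; the sample HTML and the padding script are constructed, and the insertion points (before the <head> tag, or right after the charset meta tag) are assumptions chosen to show the failing and the safe placement.

```python
"""Check whether an HTML document's charset declaration still lies within the
first 1024 bytes after a prebody script has been inserted.

Added example, not NetScaler code. Sample HTML and script are constructed."""

import re
from typing import Optional, Tuple

# The HTML spec requires the element carrying the character-encoding
# declaration to be serialized completely within the first 1024 bytes.
ENCODING_WINDOW = 1024

# Matches both <meta charset="..."> and
# <meta http-equiv="Content-Type" content="text/html; charset=...">.
_META_CHARSET_RE = re.compile(rb"<meta\b[^>]*charset\s*=", re.IGNORECASE)


def charset_tag_span(html: bytes) -> Optional[Tuple[int, int]]:
    """Return (start, end) byte offsets of the charset <meta> tag, or None.

    `end` is the offset just past the closing '>' of the tag."""
    m = _META_CHARSET_RE.search(html)
    if m is None:
        return None
    close = html.find(b">", m.end())
    if close == -1:
        return None
    return m.start(), close + 1


def charset_declared_in_time(html: bytes) -> bool:
    """True if the whole charset meta tag ends within the first 1024 bytes."""
    span = charset_tag_span(html)
    return span is not None and span[1] <= ENCODING_WINDOW


def prebody_headroom(html: bytes) -> Optional[int]:
    """How many bytes may be inserted ahead of the charset tag without
    pushing it past the window (None if there is no charset tag)."""
    span = charset_tag_span(html)
    if span is None:
        return None
    return max(0, ENCODING_WINDOW - span[1])


def insert_before_head(html: bytes, script: bytes) -> bytes:
    """Insert `script` immediately before the <head> tag (the placement
    described in the issue, which precedes the charset declaration)."""
    idx = html.lower().find(b"<head")
    if idx == -1:
        raise ValueError("no <head> tag in document")
    return html[:idx] + script + html[idx:]


def insert_after_charset(html: bytes, script: bytes) -> bytes:
    """Insert `script` right after the charset meta tag, so the declaration's
    position is unaffected regardless of the script's size."""
    span = charset_tag_span(html)
    if span is None:
        raise ValueError("no charset declaration in document")
    return html[: span[1]] + script + html[span[1] :]


# Constructed sample page: the charset tag occupies bytes 30..52.
SAMPLE_HTML = (
    b"<!DOCTYPE html>\n"
    b"<html>\n"
    b"<head>\n"
    b'<meta charset="utf-8">\n'
    b"<title>Portal</title>\n"
    b"</head>\n"
    b"<body><p>constructed sample page</p></body>\n"
    b"</html>\n"
)

# Constructed prebody script, deliberately larger than the 1024-byte window.
LARGE_SCRIPT = b'<script>var pad="' + b"x" * 1100 + b'";</script>\n'


if __name__ == "__main__":
    print("original ok:", charset_declared_in_time(SAMPLE_HTML))
    print("headroom:", prebody_headroom(SAMPLE_HTML))
    broken = insert_before_head(SAMPLE_HTML, LARGE_SCRIPT)
    print("script before <head> ok:", charset_declared_in_time(broken))
    fixed = insert_after_charset(SAMPLE_HTML, LARGE_SCRIPT)
    print("script after charset ok:", charset_declared_in_time(fixed))
```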
- A NetScaler appliance might not honor persistence for a load balancing virtual server with a wildcard configuration if information about the back-end server is not available.[# 556385]
- If VLAN filtering is enabled, a maximum of 256 VLANs are supported on the 10G and 40G interfaces of the SDX 14020/14040/14060/14080 40G and SDX 25100/25160 40G appliances. If you bind more than 256 VLANs, hardware filtering is automatically disabled on the interface and all filtering is done in the software on a virtual instance.[# 594068]
- A NetScaler appliance does not open a new connection to the back-end server if the following set of conditions is met:
  - The global maxconn parameter is set to 1.
  - The appliance is unable to reuse the connection for probing.
  As a result, the transaction fails. [# 636416]
- In a high availability environment, if you add a Network Time Protocol (NTP) server to the primary node by specifying the NTP server's DNS name, the command is not propagated to the secondary node.
  Workaround: Specify the NTP server's IP address. [# 639529]
- No error or warning is displayed if a user tries to set trunk mode on the loopback interface. [# 643131]
- A NetScaler appliance might not initiate a rewrite action correctly if data is modified in adjacent fields in the message.[# 657565, 686496]
- When you run the set command on a NetScaler appliance, the ns.log file stores the command with all parameter values, including customer provided values.[# 674165]
- There is a regression in the handling of "=" in the BMC LDAP validation process. [# 681731]
- A NetScaler appliance in a clustered setup displays a "Cannot allocate memory" error message if you use the set command to set the server domain name in a SYSLOG action.
  Workaround: Delete the SYSLOG action in which you set the domain name, and add a new SYSLOG action that specifies the server domain name instead of the server IP address:
  rm syslogaction
  add syslogaction -loglevel [-options ...]
  [# 687067]
- Random packets on the loopback interface are missing when you capture an nstrace on a NetScaler appliance. [# 689837]
- A TCP transaction delay is observed if a NetScaler appliance is unable to use the TCP connection to connect to the back-end server. In this case, the appliance opens a new connection to forward the client requests to the back-end server after some waiting period. The waiting period ranges from 400 ms to 600 ms.[# 690965]
- When a NetScaler appliance completely closes an active TCP connection while the back-end server still has its side of the connection in the TIME_WAIT state, the server silently drops the connection. When dropping the connection, the server uses the same 4-tuple unless the initial sequence number of the new connection is greater than the current running sequence number of the existing connection. As a result, the appliance keeps retrying to establish the connection, but the transaction fails. [# 692473]
- The HTTP state machine causes a NetScaler appliance to crash. The issue occurs during an unexpected state transition, where the appliance panics to collect the data needed for further analysis. The issue also leads to an unexpected outage.
  A NetScaler administrator can run the command "nsapimgr_wr.sh -ys invalidwaitqdbg=0 -ys actvtransdbg=0" to change the default panic behavior of the appliance. [# 694410]
- A NetScaler appliance silently truncates and drops HTTP request body packets greater than the maximum HTTP header size configured in the HTTP profile. The request body is truncated only if the appliance receives an HTTP request after an incomplete header assembly (request header spanning more than one packet) and the request body is received when the appliance awaits a TCP acknowledgment for the request header sent to the server. The truncation results in TCP retransmission and latency issues.[# 695668]
- A NetScaler appliance sends a TCP fast open cookie instead of an MPTCP MP_CAPABLE option for MPTCP traffic.[# 696778]
- A NetScaler appliance is unable to handle an "HTTP Response before Request" case. The issue occurs if the back-end server sends a 204 or 304 response before receiving the HTTP request body. [# 697525]
- A NetScaler appliance aborts a websocket connection that tracks failed websocket upgrade attempts. This leads to a connection closure with App Flow feature or "Drop invalid requests" option enabled on the HTTP profile.[# 699831]
- A NetScaler appliance might crash if the following set of conditions is met:
  * Either the compression policy or its actions are changed.
  * AddVaryHeader is enabled when configuring the compression parameters.
  [# 702081]
- The HTTP state machine causes a NetScaler appliance to crash. The issue occurs during an unexpected state transition, where the appliance panics to collect the data needed for further analysis. The issue also leads to an unexpected outage.
  A NetScaler administrator can run the command "nsapimgr_wr.sh -ys invalidwaitqdbg=0 -ys actvtransdbg=0" to change the default panic behavior of the appliance. [# 703098]
- After an upgrade, instead of initiating a new TCP connection to the back-end server for CONNECT Requests, the NetScaler appliance reuses a client connection from the reuse pool. The client connection reuse might not be accepted by some back-end servers.[# 704304]
- A NetScaler appliance might crash when the SPDY feature is enabled in an HTTP profile, because the appliance accesses freed internal connection structures. [# 704835, 704766]
- If you collect a packet trace with '-capsslkeys' option enabled, all the keys captured in the nstrace.sslkeys file are zeros. The issue is observed only on NetScaler MPX 5900/8900, MPX 26000-100G, and MPX 15000-50G platforms.[# 707793]
- In a NetScaler appliance, the limit on the maximum number of requests that can be sent on a connection to the back-end server fails under the following conditions:
  - An HTTP profile is bound to a service group.
  - The maxReq option is set to 1.
  [# 708447]
Telco URL Filtering
- When a NetScaler appliance optimizes video traffic using a Nile-based TCP profile with Video Optimization enabled, the following issues are observed:
  - Long video startup time
  - Excessive buffering time
  [# 704755]
Upgrade and Downgrade
- You cannot log on to the NetScaler appliance after upgrading its firmware. This issue is caused by insufficient storage space. To verify that this is the problem, check whether the /var directory is 100% full. To fix the problem, delete unnecessary files. The following procedure is recommended:
  1) At the shell prompt, type the df -h command to display the disk-usage statistics. If they indicate that the /var directory is full, take the following steps.
  2) Check for any trace files in the /var/nstrace directory. Delete unnecessary files. Back up required files, including files that need to be analyzed, to a location outside the NetScaler appliance.
     Note: For more information about how to back up NetScaler files, see https://docs.citrix.com/en-us/netscaler/10-5/ns-system-wrapper-10-con/ns-sys-basic-operations-wrapper-con/ns-sys-backup-restore-tsk.html
  3) Check for files in the /var/core or /var/crash directory. These files indicate a problematic condition and should be analyzed. Back up these files to a location outside the NetScaler appliance and send them to Citrix Technical Support for further analysis. Delete the backed-up files from the NetScaler appliance.
  4) Check for any user-initiated downloads, such as build files, and delete the older ones. Generally, build files are downloaded to the /var/nsinstall directory.
  For more information about how to free up storage space, see https://support.citrix.com/article/CTX133588 [# 638818]
What's New in Previous NetScaler 11.1 Releases
The enhancements and changes that were available in NetScaler 11.1 releases prior to Build 58.13. The build number provided below the issue description indicates the build in which this enhancement or change was provided.
AAA-TM
- At present, customization of the Portal pages is only offered for Gateway virtual server. Admins often have the same branding requirements for the Login page that is presented on the Authentication virtual server page - for example, tmindex.html. This enhancement supports Portal Theme binding for the Authentication virtual server.[From Build 47.14][# 581544, 475585, 552072, 606858, 619869]
- OAuth Support for Multi-Factor Authentication
  The NetScaler appliance now supports OAuth in a multifactor deployment and for cascading authentication. That is, OAuth can now be used anywhere in a cascade, in the first factor or in any of the other factors, and as a fallback authentication policy. In earlier releases, OAuth could be used only for the first factor.
  Note: To use OAuth in a factor other than the first, you must register an authentication FQDN with the application, because OAuth must start and end on the same virtual server. [From Build 47.14] [# 611735, 572701, 572705]
- OAuth Support for Multi-Factor Authentication
  The NetScaler appliance now supports OAuth in a multifactor deployment and for cascading authentication. That is, OAuth can now be used anywhere in a cascade, in the first factor or in any of the other factors, and as a fallback authentication policy. In earlier releases, OAuth could be used only for the first factor.
  Note: To use OAuth in a factor other than the first, you must register an authentication FQDN with the application, because OAuth must start and end on the same virtual server. [From Build 41.26] [# 611735]
- This enhancement allows the user to preview custom portal themes by binding them to an Authentication virtual server. Earlier, this support was only present for Gateway virtual servers. [From Build 47.14] [# 620908]
- You can now change the default credential behavior by defining the loginschema so that the desired credentials (username and password) are used for SSO. To use the first factor for SSO, configure the loginschema to store the first-factor credentials at the specified indexes and use attribute expressions in the traffic policies.
  Previously, multiple sets of login credentials were required for nFactor authentication. By default, the credentials used for the final factor were the default single sign-on (SSO) user name and password. If the first factor was LDAP (Lightweight Directory Access Protocol) but the second factor was OTP (One Time Password) with a non-Active Directory password, the default credentials became the OTP. This procedure was complex and affected usability.
  Configuration:
  > set authentication loginSchema ls1 -SSOCredentials YES
  Done
  > set authentication loginSchema ls1 -SSOCredentials NO
  Done
  [From Build 49.16] [# 647382]
- Maximum relayState Size Accepted by NetScaler SAML IdP Increased to 2500 Bytes
  With this enhancement, the maximum relayState size accepted by the NetScaler SAML IdP is increased to 2500 bytes, compared with the previous limit of 1024 bytes. [From Build 53.13] [# 678694]
AAA-TM/NetScaler Gateway
- With this enhancement, NetScaler now supports GET requests from SAML SPs.[From Build 47.14][# 564947, 590768]
- This enhancement enables NetScaler, acting as a SAML IdP, to pass the SPID value to the SP in an IdP-initiated connection. [From Build 47.14] [# 582265]
Admin Partitions
- Shared VLAN Support
  On a partitioned NetScaler appliance, you can now bind a VLAN as a dedicated VLAN for a particular partition or as a shared VLAN across multiple partitions. [From Build 47.14] [# 581671]
- On a partitioned NetScaler appliance, you can now bind a VLAN as a dedicated VLAN for a particular partition or as a shared VLAN across multiple partitions.[From Build 41.26][# 581671]
- Role-based Access in an Administrative Partition
  As the root administrator of a partitioned NetScaler appliance, you can now designate partition administrators to control user access to entities within specific partitions. A partition administrator can provide granular, role-based access for a partition user and specify a set of permissions and allowed operations. The authorization is specific to the partition. The partition administrator and the users authorized by the partition administrator access the partition through a SNIP address. [From Build 51.21] [# 594425]
- A group user associated with a superuser command policy is unable to switch partitions through the NetScaler GUI.[From Build 51.21][# 627770]
- Role-based Access (RBA) for System Groups
  Admin partitions now provide role-based authentication for system groups. With this access control mechanism, a NetScaler appliance supports the following actions:
  1. Bind an existing partition or all partitions to a system group.
  2. Authenticate a user (bound to a system group), using local or external authentication, and allow the user to switch to a partition that is bound to the system group.
  3. Bind the system group to a custom command policy.
  [From Build 51.21] [# 627888]
- Instant Visibility of the HA Status of Partitions
  On a partitioned NetScaler appliance in a high availability configuration, the top pane of the NetScaler GUI displays the high availability status of the partitions. This instant visibility helps you monitor the HA configuration efficiently. [From Build 51.21] [# 628478]
- Binding a System Group to an Administrative Partition
  In a partitioned NetScaler appliance, you can now bind a system group to a specific administrative partition by using the following command:
  bind system group <grpname> -partitionName <partitionName>
  [From Build 51.21] [# 629434]
- Support for Sending SNMP Traps of All Partitions through the NetScaler GUI
  On a partitioned NetScaler appliance, you can now use the NetScaler GUI to enable sending SNMP trap messages of all partitions to the configured trap destination. In the default partition, enable the allPartitions option for the traps that you want to send. Previously, you had to use the NetScaler command line to enable this option.
  Navigate to System > SNMP > Traps, select a trap, click Edit, and select or clear the Send Traps of All Partitions check box. [From Build 53.13] [# 677551]
AppExpert
- Rate Limiting at the Packet Level
  You can configure a stream selector and a responder policy to collect statistics at the packet level and identify defective or attack-prone packets flowing through all the connections identified by the selector. If, at any point, the percentage of defective or attack-prone packets exceeds the configured threshold, the policy applies a corrective action (RESET or DROP). [From Build 51.21] [# 615910]
AppFlow
- If a NetScaler high-availability failover occurs when ICA AppFlow is enabled, the session reliability feature now restores the session. This capability is currently disabled by default and is configurable through the CLI. The CLI command to enable or disable the feature is:
  set ica parameter -EnableSRonHAFailover YES/NO
  For more information, see http://docs.citrix.com/en-us/netscaler/11-1/ns-ag-appflow-intro-wrapper-con/session-reliablility-on-netscaler-ha-pair.html [From Build 49.16] [# 456218, 438710, 547601, 620411]
Cluster
- PBR Support for Cluster
  Partially striped and spotted policy-based routes (PBR) are now supported on a Layer 3 NetScaler cluster. [From Build 41.26] [# 611938]
Clustering
- LLDP Support in a Cluster Setup
  LLDP is a Layer 2 protocol that enables a NetScaler appliance to advertise its identity and capabilities to directly connected (neighbor) devices, and to learn the identity and capabilities of those neighbor devices. In a cluster setup, the NetScaler GUI and NetScaler CLI now display the LLDP neighbor configuration of all or specific cluster nodes when the GUI or CLI is accessed through the Cluster IP address (CLIP). Any change made to the global-level LLDP mode is applied to the global-level LLDP mode on each of the cluster nodes.
  For more information, see https://docs.citrix.com/en-us/netscaler/11-1/networking/interfaces/configuring-link-layer-discovery-protocol.html. [From Build 51.21] [# 470187]
- PBR Support for Cluster
  Partially striped and spotted policy-based routes (PBR) are now supported on a Layer 3 NetScaler cluster. [From Build 47.14] [# 611938]
- SNMP MIB Support for Cluster Nodes
  In a cluster setup, you can now configure the SNMP MIB on any node by including the ownerNode parameter in the set snmp mib command. Without this parameter, the set snmp mib command applies only to the cluster coordinator node.
  To display the MIB configuration for an individual node other than the cluster coordinator node, include the ownerNode parameter in the show snmp mib command. [From Build 49.16] [# 628136, 623888]
- You can now avoid closing a node's connections when you add the node to or remove it from a cluster. Before adding or removing a node, log on to the cluster IP (CLIP) address and set the "retain connections on cluster" option. Then log on to the node's NSIP address and specify a timeout interval for graceful shutdown.[From Build 51.21][# 635529, 634785]
- Audit-Log Support in Cluster
  A cluster setup of NetScaler appliances now supports the audit-log feature with SYSLOG-TCP, load balancing (LB) of SYSLOG servers, SNIP support, and FQDN support for SYSLOG configurations.
  For more information, see http://docs.citrix.com/en-us/netscaler/11-1/clustering/cluster-features-supported.html [From Build 54.16] [# 669938]
DNS
- Dropping a DNS Query When the Query Is Split into Multiple Packets: A new option, -splitPktQueryProcessing, is added to the dns parameter list. Disable this option to prevent processing of requests that are split across multiple packets. [From Build 53.13] [# 665067]
- Preserving NetScaler Memory by Limiting the Memory Consumed by the DNS Cache: You can now limit the amount of memory consumed by the DNS cache. You can specify the maximum cache size (in MB), and also the cache size (in MB) for storing negative responses. When either limit is reached, no more entries are added to the cache. Also, SNMP traps are generated and syslog messages are logged. The maximum cache size is set using the maxCacheSize parameter and the cache size for negative responses is set using the maxNegativeCacheSize parameter. The limit applies per packet engine. For example, if maxCacheSize is set to 5 MB and the appliance has 3 packet engines, the total configured cache size is 15 MB. [From Build 52.13] [# 665068]
- Retaining DNS Records in the Cache: You can now retain the cache that has been built so far and prevent it from being aged out, by using the cacheNoExpire parameter. When this parameter is enabled, the entries in the DNS cache are retained. When it is disabled, the records are flushed when the TTL expires. This option can be used only when the maximum cache size (maxCacheSize parameter) is specified. [From Build 52.13] [# 665070]
- Enabling DNS Cache Bypass: You can now configure the cacheHitBypass parameter so that the cache is built but not used. When this parameter is enabled, requests bypass the DNS cache and are sent to the back-end servers. When this parameter is disabled, the NetScaler appliance starts responding from the cache that has been built so far. [From Build 52.13] [# 665073]
- Collecting Statistics of the DNS Responses Served from the Cache: You can now collect statistics of the DNS responses served from the cache and use these statistics to create a threshold beyond which additional DNS traffic is dropped. You can enforce the threshold with a bandwidth based policy. Previously, bandwidth calculation for a DNS load balancing virtual server was not accurate, because the number of cache hits was not reported. In proxy mode, the Request bytes, Response bytes, Total Packets rcvd, and Total Packets sent statistics are continuously updated. Previously, these statistics were not always updated, particularly for a DNS load balancing virtual server. [From Build 53.13] [# 665081]
- Flushing Negative Records: Negative records (NXDOMAIN records and NODATA records) could not be deleted from the NetScaler appliance's DNS cache. With this fix, you can use the flush dns proxyrecords command to flush negative DNS records from the DNS cache. [From Build 53.13] [# 665527]
- Restricting the TTL of Negative Records: Previously, you could not set an appropriate time to live (TTL) value for the negative records. With this fix, you can use the new maxnegcacheTTL option in the set dns parameter list to set a TTL for negative records. [From Build 53.13] [# 665528]
- Generating SNMP Traps and Syslog Messages When the Memory Consumed by the DNS Cache Reaches the Limits Set for Caching DNS Records and Negative Responses: You can now limit the amount of memory consumed by the DNS cache. You can specify the maximum cache size (in MB), and also the cache size (in MB) for storing negative responses. When either limit is reached, no more entries are added to the cache. Also, SNMP traps are generated and syslog messages are logged. [From Build 52.13] [# 665532]
GSLB
- Support for EDNS0 Client Subnet: The NetScaler appliance now supports the EDNS0 client subnet (ECS) option in deployments that include the NetScaler appliance configured as an ADNS server authoritative for a GSLB domain. In the deployment, if you use static proximity as the load balancing method, you can now use the IP subnet in the ECS option, instead of using the LDNS IP address, to determine the geographical proximity of the client. In the case of proxy mode deployment, the appliance forwards a DNS query with the ECS option as-is to the back-end servers and does not cache DNS responses that include the ECS option. Note: The EDNS0 client subnet (ECS) option is not applicable for some other deployment modes, such as ADNS mode for non-GSLB domains, resolver mode, and forwarder mode. In such modes, the ECS option is ignored by the NetScaler appliance. [From Build 41.26] [# 457159]
- Support for EDNS0 Client Subnet: The NetScaler appliance now supports the EDNS0 client subnet (ECS) option in deployments that include the NetScaler appliance configured as an ADNS server authoritative for a GSLB domain. In the deployment, if you use static proximity as the load balancing method, you can now use the IP subnet in the ECS option, instead of using the LDNS IP address, to determine the geographical proximity of the client. In the case of proxy mode deployment, the appliance forwards a DNS query with the ECS option as-is to the back-end servers and does not cache the DNS responses that include the ECS option. Note: The EDNS0 client subnet (ECS) option is not applicable for some other deployment modes, such as ADNS mode for non-GSLB domains, resolver mode, and forwarder mode. In such modes, the ECS option is ignored by the NetScaler appliance. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/gslb/configure-EDNS0-client-subnet.html. [From Build 47.14] [# 457159]
- Real-time Synchronization of the GSLB Configuration: When you create or change the GSLB configuration on a master site, you can use the new AutomaticConfigSync option to automatically synchronize the slave sites. When the AutomaticConfigSync option is enabled, you do not have to manually trigger the AutoSync option. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/gslb/configure-gslb/sync-configuration-gslb-setup.html. [From Build 51.21] [# 605595]
- Backing Up a Parent Site in a Parent-Child Deployment: The backup parent site topology is useful in scenarios wherein a large number of child sites are associated with a parent site. If this parent site goes DOWN, all of its child sites become unavailable. To prevent this, you can now configure a backup parent site to which the child sites can connect if the original parent site is DOWN. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/gslb/gslb-deployment-types/parent-child-topology-deployment.html. [From Build 51.21] [# 605605]
- Time Delay for Setting a Site as DOWN When the Metrics Exchange Protocol Connection to a Remote Site Is DOWN: In a GSLB high availability setup, if the status of a Metrics Exchange Protocol (MEP) connection to a remote site changes to DOWN, you can set a delay to allow some time for reestablishment of the MEP connection before the site is marked as DOWN. If the MEP connection is back UP before the delay expires, the services are not affected. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/gslb/configure-metrics-exchange-protocol.html. [From Build 51.21] [# 621435]
- You can test the GSLB setup to make sure that the ADNS services or the DNS servers are responding with the correct IP address for the domain name that is configured in the GSLB setup. This is supported in the NetScaler GUI only. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/gslb/testing-the-gslb-setup.html. [From Build 51.21] [# 664467]
Load Balancing
- Secure FTP Monitoring Support: The NetScaler appliance now supports secure FTP monitoring. That is, you can now configure the appliance to send secure FTP probes to your FTP services. For more information about secure FTP monitoring support, see http://docs.citrix.com/en-us/netscaler/11-1/load-balancing/load-balancing-builtin-monitors/lb-built-in-monitors-secure-monitoring-using-sftp.html. [From Build 47.14] [# 237766]
- Required Unbind Operation Prevents Accidentally Disabling a Virtual Server: Accidentally deleting a service or service group that is bound to a virtual server can result in the virtual server going DOWN. With this release, you cannot delete a service or service group that is bound to a virtual server until you first unbind it from the virtual server. [From Build 47.14] [# 258327]
- Support for Load Balancing Profile: A load balancing configuration has a large number of parameters, so setting the same parameters on a number of virtual servers can become tedious. You can now set load balancing parameters in a profile and associate this profile with virtual servers, instead of setting these parameters on each virtual server. For more information about load balancing profiles, see http://docs.citrix.com/en-us/netscaler/11-1/load-balancing/lb-support-for-load-balancing-profile.html. [From Build 47.14] [# 353669]
- Setting SSL Parameters on a Secure Monitor: A monitor inherits either the global settings or the settings of the service to which it is bound. If a monitor is bound to a non-SSL or non-SSL_TCP service, such as SSL_BRIDGE, you cannot configure it with SSL settings such as the protocol version or the ciphers to be used. Therefore, in such deployments, SSL-based monitoring of the back-end servers is ineffective. This enhancement gives you more control over SSL-based monitoring of back-end servers, by enabling you to bind an SSL profile to a monitor. An SSL profile contains SSL parameters, cipher bindings, and ECC bindings. For example, you can set server authentication, ciphers, and protocol version in an SSL profile and bind the profile to a monitor. Note that to perform server authentication, you must also bind a CA certificate to the monitor. To perform client authentication, you must bind a client certificate to the monitor. New parameters for the "bind lb monitor" command enable you to do so.
  Note: The SSL settings take effect only if you add a secure monitor. Also, the SSL profile type must be BackEnd.
  SSL profiles can be bound to the following monitor types: HTTP, HTTP-ECV, TCP, TCP-ECV, and HTTP-INLINE.
  To specify an SSL profile while adding a monitor by using the command line, at the command prompt, type:
  add lb monitor <monitorName> <type> -secure YES -sslprofile <string>
  set lb monitor <monitorName> <type> -secure YES -sslprofile <string>
  Example:
  add ssl profile prof1 -sslProfileType BackEnd
  add lb monitor mon1 HTTP -secure YES -sslprofile prof1
  To bind a certificate-key pair to a monitor by using the command line, at the command prompt, type:
  bind lb monitor <monitorName> -certkeyName <string> [(-CA [-crlCheck ( Mandatory | Optional ) | -ocspCheck ( Mandatory | Optional )])]
  [From Build 47.14] [# 506771]
- Configuring an HTTPS Virtual Server to Accept HTTP Traffic: You can now configure an HTTPS virtual server to also process all HTTP traffic. That is, if HTTP traffic is received on the HTTPS virtual server, the appliance internally prepends "https://" to the incoming URL or redirects the traffic to another HTTPS URL, depending on the option configured. For more information about configuring an HTTPS virtual server to accept HTTP traffic, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/config-ssloffloading/ssl-config-https-vserver-to-accept-http-traffic.html. [From Build 47.14] [# 570157]
- Improved Support for Persistency: In certain cases, the cores of a NetScaler appliance might not be synchronized, because a core-to-core monitoring or service update has not reached one of the cores. For example, if the core that owns persistency has not received notification that a service is DOWN, that service remains in the persistency table. If a traffic-owner core that has been notified that the service is DOWN finds it in the persistency table, it requests a different service from the persistency-owner core, so that it can redirect the request. Before this enhancement, if the persistency owner returned the same service, the traffic-owner core dropped the user's request. Now, instead of immediately dropping the request, the traffic owner queries the persistency owner a second time. Sending the second query usually gives the persistency owner enough time to have received the update, in which case it returns a different service. [From Build 47.14] [# 571771]
- Closing Monitor Connections at the Service and Service Group Level: A parameter named monConnectionClose has been added at the service and service group levels. If this parameter is not set, the monitor connection is closed by using the value set in the global load balancing parameters. If this parameter is set at the service or service group level, the monitor connection is closed by sending a connection termination message, with the FIN or RESET bit set, to the service or service group. [From Build 41.26] [# 607661]
- Closing Monitor Connections at the Service Level: A parameter named monConnectionClose has been added at the service level. If this parameter is not set, the monitor connection is closed by using the value set in the global load balancing parameters. If this parameter is set at the service level, the monitor connection is closed by sending a connection termination message, with the FIN or RESET bit set, to the service. For more information about closing monitor connections at the service level, see http://docs.citrix.com/en-us/netscaler/11-1/load-balancing/load-balancing-configure-monitors/close-monitor-connection.html. [From Build 47.14] [# 607661]
- Cluster Support for Secure Monitoring: Enhanced secure monitors are now supported in cluster environments. [From Build 54.16] [# 620338, 669899]
- Closing Monitor Connections at the Service Group Level: A parameter named monConnectionClose has been added at the service group level. If this parameter is not set, the monitor connection is closed by using the value set in the global load balancing parameters. If this parameter is set at the service group level, the monitor connection is closed by sending a connection termination message, with the FIN or RESET bit set, to the service group. For more information about closing monitor connections at the service group level, see http://docs.citrix.com/en-us/netscaler/11-1/load-balancing/load-balancing-configure-monitors/close-monitor-connection.html. [From Build 47.14] [# 628111]
- Support for Reverse TCP Monitors: The NetScaler appliance now supports reverse TCP monitors. A reverse monitor marks the service as DOWN if the probe criteria are satisfied and UP if they are not satisfied. A direct TCP monitor marks the service as DOWN if it receives a RESET in response to the monitor probe. However, a reverse TCP monitor treats RESET as a successful response and marks the service as UP.
  To configure a reverse TCP monitor by using the NetScaler command line, at the command prompt, type:
  add lb monitor <monitor-name> tcp -reverse yes -destip <primary-service ip> -destport <primary-service port>
  bind service <svc-name> -monitorname <monitor-name>
  To configure a reverse TCP monitor by using the NetScaler GUI:
  1. Navigate to Traffic Management > Load Balancing > Monitors.
  2. Create a TCP monitor and select Reverse.
  For more information, see http://docs.citrix.com/en-us/netscaler/11-1/load-balancing/load-balancing-custom-monitors/lb_custom_monitor_configuring_reverse_monitoring_for_a_service.html. [From Build 49.16] [# 630159]
- FIX Protocol Support: NetScaler appliances now support load balancing virtual servers of type SSL_FIX, which can load balance FIX-protocol requests at the FIX message level and allow FIX-specific session persistence. [From Build 47.14] [# 634096]
- NetScaler appliances now support load balancing virtual servers of type SSL_FIX, which can load balance FIX-protocol requests at the FIX message level and allow FIX-specific session persistence. [From Build 41.26] [# 634096]
- Enabling or Disabling Persistence Sessions on Services That Are in the TROFS State: You can set the new trofsPersistence flag to specify whether or not to honor persistence sessions for services that are in the TROFS state. Persistence sessions are honored if this flag is set to ENABLED. They are not honored if it is set to DISABLED. Previously, persistence sessions were always honored if a service was in the TROFS state. [From Build 53.13] [# 657750]
- RADIUS Interim Message Support for RADIUS-Only Mode: RADIUS interim message support has been added for RADIUS-only mode, to treat interim messages as start messages. [From Build 54.16] [# 675763]
NITRO
- Support for ping and traceroute Commands: You can now direct ping and traceroute operations to any host by using the NITRO API through the NetScaler appliance. [From Build 49.16] [# 406603]
- Automate NetScaler Upgrade and Downgrade with a Single API: A new API, install, can be used to upgrade or downgrade a NetScaler appliance. You can specify a local or remote location for the build file used to upgrade or downgrade the appliance. For more information about this NITRO API, see http://docs.citrix.com/en-us/netscaler/11-1/nitro-api/nitro-rest/nitro-rest-usage-scenarios/automate-upgrade-downgrade.html. [From Build 41.26] [# 598557]
- Handle Multiple NITRO Calls in a Single Request: A new API, macroapi, can be used to configure a set of homogeneous or heterogeneous objects in a single API request. The query parameter "onerror" specifies the action to be taken if an error is encountered. Possible values for this parameter are exit, continue, and rollback. For more information about this NITRO API, see http://docs.citrix.com/en-us/netscaler/11-1/nitro-api/nitro-rest/nitro-rest-usage-scenarios/multiple-nitrocalls-single-request.html. [From Build 41.26] [# 598559]
- Retrieve Bindings in Bulk: You can use a bulk GET API to fetch the bindings of all the entities of a given entity type. For example, you can fetch the bindings of all the load balancing virtual servers in one call instead of by using multiple GET by "name" calls. For information about this NITRO API, see http://docs.citrix.com/en-us/netscaler/11-1/nitro-api/nitro-rest/nitro-rest-usage-scenarios/retrieve-bindings-bulk.html. [From Build 41.26] [# 600350]
- Simplify Management Operations with an Idempotent API: You can add or update resources seamlessly, with a single API, by using the new "idempotent" query parameter. Previously, an attempt to add a resource that was already configured, or to update a resource that was not yet configured, caused an error. Now, if you include "idempotent=yes" in a POST request, NITRO executes the request in an idempotent manner. For more information about this API, see http://docs.citrix.com/en-us/netscaler/11-1/nitro-api/nitro-rest/nitro-rest-usage-scenarios/management-operations-idempotentAPI.html. [From Build 41.26] [# 601351]
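The following Python client is an added example, not Citrix code, showing how the two NITRO calls described in the two items above (the idempotent POST and the bulk bindings GET) are composed. The NSIP, credentials and virtual server values are placeholders; the bulkbindings=yes query parameter, the X-NITRO-USER/X-NITRO-PASS headers and the errorcode/message response fields are assumed from the general NITRO REST conventions rather than taken from this page.

```python
"""Compose NITRO REST requests that use idempotent=yes and bulkbindings=yes.

Added example, not Citrix code. Everything below runs offline: the request
objects are built but only sent when send() is called explicitly.
"""
import json
import urllib.parse
import urllib.request

# Placeholders (constructed): management address and a NITRO account.
# In practice use a dedicated, least-privilege command-policy user, not nsroot,
# and always talk to NITRO over HTTPS so the credential headers are not sent in clear.
NSIP = "192.0.2.10"
NITRO_USER = "nsroot"
NITRO_PASS = "CHANGE_ME"


def nitro_url(resource: str, **query: str) -> str:
    """Return https://<NSIP>/nitro/v1/config/<resource>[?<query>]."""
    url = f"https://{NSIP}/nitro/v1/config/{resource}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    return url


def auth_headers() -> dict:
    """Assumed header-based NITRO authentication plus JSON content type."""
    return {
        "X-NITRO-USER": NITRO_USER,
        "X-NITRO-PASS": NITRO_PASS,
        "Content-Type": "application/json",
    }


def lbvserver_payload(name: str, ip: str, port: int, servicetype: str = "SSL") -> dict:
    """NITRO wraps the object under a key named after the resource type."""
    return {"lbvserver": {"name": name, "servicetype": servicetype,
                          "ipv46": ip, "port": port}}


def idempotent_add_lbvserver(name: str, ip: str, port: int,
                             servicetype: str = "SSL") -> urllib.request.Request:
    """POST /lbvserver?idempotent=yes: creates the virtual server if it does not
    exist and updates it if it does, so the caller no longer needs to catch the
    'already exists' error and retry with a PUT."""
    return urllib.request.Request(
        nitro_url("lbvserver", idempotent="yes"),
        data=json.dumps(lbvserver_payload(name, ip, port, servicetype)).encode(),
        headers=auth_headers(),
        method="POST",
    )


def bulk_lbvserver_bindings() -> urllib.request.Request:
    """GET /lbvserver_binding?bulkbindings=yes: one call returns the bindings of
    every load balancing virtual server instead of one GET by name per vserver."""
    return urllib.request.Request(
        nitro_url("lbvserver_binding", bulkbindings="yes"),
        headers=auth_headers(),
        method="GET",
    )


def check_response(body: dict) -> dict:
    """NITRO reports failures in the JSON body (errorcode != 0), not only via HTTP
    status, so a client that ignores the body silently misses failed changes."""
    if body.get("errorcode", 0) != 0:
        raise RuntimeError(f"NITRO error {body.get('errorcode')}: {body.get('message')}")
    return body


def send(req: urllib.request.Request, timeout: float = 10.0) -> dict:
    """Send a prepared request and return the checked JSON body (network access)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return check_response(json.load(resp))


if __name__ == "__main__":
    # Build (but do not send) both requests and show what would go on the wire.
    add = idempotent_add_lbvserver("lb_web", "10.0.0.5", 443)
    print(add.get_method(), add.full_url)
    print(add.data.decode())
    get = bulk_lbvserver_bindings()
    print(get.get_method(), get.full_url)
```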
NetScaler CLI
- Force Password Change: The default root credentials for a NetScaler appliance are "nsroot". However, for security reasons, you might want to enforce a password change to ensure that the credentials are changed from the default value. To implement this, a new parameter, "forcePasswordChange", is introduced. If you, as a root administrator, log on with the default credentials and set forcePasswordChange to ENABLED, on your next logon attempt you are prompted to change the password and are not allowed to log on without doing so. After the password is changed, the prompt no longer appears. Note: You are prompted to change the current password only if the forcePasswordChange parameter is enabled. Otherwise, you can access the appliance with the default login credentials (user name: NSROOT, password: NSROOT). [From Build 51.21] [# 490116, 638504]
- 1) A new system parameter, totalAuthTimeout, was added. The default value is 20 seconds; the minimum value is 5 seconds and the maximum is 120 seconds. set system parameter -totalAuthTimeout <positive_integer>
  2) A new aaa radius parameter, authservRetry, was added. The default value is 3 retries; between 1 and 10 retries can be configured. set aaa radiusParams -authservRetry <positive_integer>
  [From Build 47.14] [# 492179]
NetScaler CPX
- Container-Based Application Delivery Controller: Citrix NetScaler CPX is a container-based application delivery controller that can be provisioned on a Docker host. NetScaler CPX enables customers to leverage Docker engine capabilities and use NetScaler load balancing and traffic management features for container-based applications. You can deploy one or more NetScaler CPX instances as standalone instances on a Docker host. For more information, see About NetScaler CPX: http://docs.citrix.com/en-us/netscaler-cpx/11-1/about-netscaler-cpx.html. [From Build 47.14] [# 627953, 632576]
- Open Source Packages Are Now Available in NetScaler CPX: All the open source packages that are used in NetScaler CPX are available in the contrib/cpx/ folder. [From Build 49.16] [# 652842]
- New End User License Agreement (EULA) for NetScaler CPX Express: You now need to accept an End User License Agreement (EULA) to install and use NetScaler CPX Express. The End User License Agreement is available at https://www.microloadbalancer.com/eula. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/11-1.html. [From Build 51.21] [# 656632]
NetScaler GUI
- High Availability Status Information in the Top Pane: The top pane of the NetScaler GUI now displays the High Availability status of the node. This instant visibility of HA status helps you monitor the HA configuration efficiently. [From Build 47.14] [# 423777, 466239, 582803]
- Separate Options for Starting a New Trace and Stopping a Running Trace: Starting and stopping nstrace are now separate options in the NetScaler GUI. As a result, it is easier to stop a running trace and download the results. Navigate to System > Diagnostics and select "Start New Trace" or "Stop Running Trace." [From Build 47.14] [# 564499, 565594]
- Tabular, One-Page Application Firewall Wizard: The new, tabular Application Firewall wizard improves flexibility and accelerates the completion of tasks. You can go back to any page and edit any details about profiles, policies, and signatures, and skip screens that are not mandatory. In addition, all resource-consuming tasks, such as submission and binding, are completed after you click Finish. For more information about the wizard, see http://docs.citrix.com/en-us/netscaler/11-1/application-firewall/configuring-application-firewall/using-wizard.html [From Build 47.14] [# 587433, 557185, 619712]
- To test connectivity from a subnet IP (SNIP) address to another IP address, you can now select the source address from a list of SNIP addresses instead of typing the SNIP address. If the SNIP address is not in the list, you can add it. To use this feature, navigate to System > Diagnostics. In Utilities, select ping or ping6, and then select "SNIP." [From Build 47.14] [# 597501]
- The NetScaler appliance was enhanced so that Negotiate Authentication is available for VPN virtual servers. The GUI reflects this under the NSG > Policies > Authentication node. [From Build 47.14] [# 600708]
- GUI Wizard for CloudBridge Tunnel Configuration: The NetScaler GUI now provides a wizard for easy configuration of a CloudBridge Connector tunnel between the NetScaler appliance and a Virtual Private Gateway on Amazon AWS. [From Build 47.14] [# 602678]
- Improved IPv4 Address Fields: IPv4 address fields no longer have dot separators, which improves the usability of these fields. [From Build 47.14] [# 610522]
- SSL Certificate Management GUI Enhancements and Changes:
  1) Links to the following pages have been removed from the SSL overview page: Create RSA Key, Create DSA Key, Create CSR, and Create Certificate. To access these pages, navigate to Traffic Management > SSL > SSL Files.
  2) Server, client, and CA certificates are now segregated. When you bind a certificate to an SSL end point, only the list of appropriate certificates appears. For example, when you bind a server certificate to an SSL virtual server, only the server certificates are listed. In earlier releases, all the certificates, including client and CA certificates, were listed.
  3) You can configure an SNMP trap from the "Install Certificate" page to send a notification when the certificate is about to expire. For a valid certificate in the notification period, the status changes to yellow. For an expired certificate, the status changes to red.
  4) The "Certificate format" field has been removed, because the format (PEM/DER/PFX/Bundle) is automatically detected by the software during certificate installation. Also, if the file is not password protected, you are not prompted for a password.
  5) The key files, CSR files, and certificate files are segregated onto different tabs for ease of use.
  6) The SSL certificate overview page now explains the end-to-end flow of managing certificates on your appliance.
  [From Build 47.14] [# 612894]
- Usability Support to Upload the Technical Support Collector Archive: You can now automatically upload the technical support collector archive to Citrix Support servers. Navigate to System > Diagnostics > Technical Support Tools > Generate support file, and select Upload the Collector Archive. Type your user credentials and click Run. [From Build 47.14] [# 614285, 620953]
- Icons for Action and Information Menus: Two new icons in the NetScaler GUI display action menus and information menus. If you are in a window with detail-view rows, and the rows have actions, you can now display the action menu by clicking the action icon in that row, rather than right-clicking the row. Similarly, you can display the info menu by clicking the info icon. [From Build 47.14] [# 614868]
- In the load balancing visualizer, you can now seamlessly migrate the configuration of a service to all the services bound to the virtual server. To copy the settings of one service to all the other services, in the visualizer, click "Configuration Sets," select a service, and then click "Migrate Config." [From Build 47.14] [# 619498]
- Support for High Availability Configuration for a Secure Access Only Remote Node: The NetScaler GUI now supports configuration of a node in High Availability (HA) mode even if the Secure Access Only option is enabled for the NetScaler IP (NSIP) address of the other node in the HA pair. [From Build 47.14] [# 624858]
- FIPS 140-2 Level Compliance: After you successfully enable FIPS mode on a NetScaler 14000 FIPS appliance, existing configurations that use SNMP version 1, SNMP version 2, and the "noPrivacy" security levels of SNMP version 3 are removed from the appliance, and you are not allowed to reconfigure them. This is required for FIPS 140-2 level compliance. [From Build 51.21] [# 638506]
- What is added? The XenApp and XenDesktop wizards provide a new authentication configuration flow, and a new configuration download option to automatically import the NetScaler Gateway configuration required for StoreFront. In addition, all sections in the wizard have been refined to make overall deployment configuration much simpler. The following new configuration options are provided:
  1. You can use an FQDN to connect to a virtual server, instead of using the IP address. A Gateway FQDN virtual server can forward traffic to a NetScaler Gateway virtual server IP address.
  2. StoreFront FQDN is changed to StoreFront URL (HTTP / HTTPS).
  3. The Authentication section now supports the following authentication types for StoreFront: Domain, RSA, SMS, Smart Card, and RSA + Domain.
  4. XenApp and XenDesktop wizard dashboards provide a button that downloads the configuration file. This file contains only the first successfully created NetScaler Gateway configuration.
  The following items have been removed from the XenApp and XenDesktop wizards:
  1. Load Balancing configuration section under the StoreFront settings
  2. Load Balancing configuration section under the Authentication section
  3. XenApp Farm section
  4. Advanced configuration options for deploying StoreFront
  What is expected in case of an upgrade? When a NetScaler appliance is upgraded to a build with the new XenApp and XenDesktop wizard, any deployments created in the previous version retain the old wizard view and functionality. New NetScaler Gateway deployments for StoreFront use the new flow. [From Build 48.10] [# 649743]
NetScaler Gateway
- You can now extract attributes from Access Control Server (ACS) and Terminal Access Controller Access-Control System (TACACS). The extracted attributes allow the admin to use the NetScaler Group Attribute command to authorize usage.[From Build 49.16][# 329209, 625415]
- This enhancement provides NetScaler the ability to use the FIPS SSL key to perform SAML signing. For all customers looking for FIPS compliant devices and SAML based user identity, this enhancement is very useful.[From Build 47.14][# 346843, 457851, 553143]
- VPN License Counter for SNMA new VPN license counter for SNMP monitors license issues, and you can add or remove licenses as needed.[From Build 51.21][# 414263]
- This enhancement provides the ability to a clear config basic command so it will not erase the TACACS related configuration.[From Build 47.14][# 515227]
- This enhancement provides the ability for the end-user to specify the RDP destination instead of the administrator pre-configuring it. The Gateway portal provides the option to provide a field where the user can enter the RDP destination. The user can launch the RDP connection by entering the destination info. This option is administrator-controlled, so that only a specific group of users can be provided with this capability.[From Build 47.14][# 527779]
- This enhancement supports SAML SP Artifact Binding flows for nfactor.[From Build 47.14][# 554999]
- The STA and nextHop VPN parameters can now be configured using FQDN instead of just the IP address. The STA server is used for authorizing ICA connections and NextHop is used for specifying the second-hop in a "double-hop" Gateway deployment.[From Build 47.14][# 560476, 566511]
- The Unified Gateway wizard now provides an option to retrieve LDAP attributes when creating an LDAP Action. Also, you can choose an extracted LDAP attribute as an LDAP Login name, and you can evaluate LDAP bind credentials.[From Build 49.16][# 570696]
- This enhancement introduces support for a new key transport algorithm(RSA-V1_5). The RSA-V1_5 can used to encrypt SAML assertions along with RSA-OAEP.[From Build 47.14][# 580078]
- The AlwaysOn feature enables Gateway plugins to detect the location of the user (intranet/corporate vs. Internet/extranet) and establish the VPN connection automatically. The Administrator controls the plugin behavior to establish the connections to all locations or only from internet. Also, controls are provided to enable/disable the user's ability to logoff from the Gateway and network behavior when the VPN connection has not been established.This feature is very useful for enhancing the end-user experience by eliminating the manual step of establishing/terminating the VPN connection. It is also very helpful for customers looking to maintain strict security controls on remote access users by tunneling all traffic through the Gateway. The feature is supported on the Windows platform.[From Build 47.14][# 595825]
- Multi-factor authentication enhances the security of an application by requiring users to provide multiple proofs of identification to gain access. The NetScaler appliance provides an extensible and flexible approach to configuring multi-factor authentication. This approach is called nFactor authentication.This multi-factor authentication capability is now available for all Gateway use cases as well[From Build 47.14][# 597011]
- This enhancement allows the binding of DNS-based Rewrite or Responder policies to Gateway VPN virtual servers. This enhancement can filter-in or filter-out DNS traffic going through the SSL VPN.[From Build 47.14][# 599689]
- In this release, RDP Proxy connections use the same IP and port as that of the Gateway vserver. Hence, there is no need to open any new IP or port on the uplink firewalls.[From Build 47.14][# 603894]
- Framehawk technology is used to provide the best end-user experience on Citrix virtual apps/desktops (ICA/HDX connections) on any type of network. NetScaler Gateway now supports ICA/HDX connections based on Framehawk with double STA tickets. This helps to maintain fault tolerance from STA servers.[From Build 47.14][# 603904, 615718]
- In this release, the UI experience for Windows plugin has been improved. New capabilities like the drop-down list of connected Gateway servers has been added. Also, more status information, like progressive bars during download or VPN connection establishment, has been added.[From Build 47.14][# 604407]
- The RfWeb UI Gateway feature provides users a consistent portal experience when accessing corporate apps and resources from inside the corporate network or remotely from the Internet. The StoreFront Receiver for Web user interface (RfWeb UI) is now available natively from NetScaler Gateway. This UI is provided as a portal theme that can be bound to a Gateway virtual server or globally to get exactly the same UI experience as StoreFront. By using the RfWeb UI theme, customers can consolidate all types of applications (Citrix virtual apps/desktops, enterprise web apps, SaaS/cloud apps, RDP resources, and SSL VPN apps) on the Gateway portal with the same experience as StoreFront. This feature is supported from StoreFront 3.6 onwards.[From Build 47.14][# 604419, 522033]
- Non-Blocking LDAP SSL/TLS authentication support added. This enhancement reduces the authentication bottleneck to prevent delayed/denied user logons.[From Build 47.14][# 609519]
- DNS resolution through NetScaler Gateway or the NetScaler Gateway Plug-in is now supported if IPv6 is enabled on the client's adapter and the ISP provides the IPv6 DNS address on the IPv6 stack.[From Build 51.21][# 612000]
- The NetScaler appliance inserts an NS_ESNS cookie for page tracking (for showing a waterfall chart) when AppFlow is enabled. Cookie insertion was controlled by the clientSideMeasurements option in the appflow action in release 10.5, but in release 11.0 the default became to always insert the cookie when appflow is enabled. Android receiver (HTTP client) was not able to handle this cookie. This fix adds the Enable/Disable page tracking (cookie insertion) option to the appflow action.You can now enable or disable Page tracking feature from NetScaler Insight Center.To perform this action, navigate to Configuration > System > Appflow > Actions. Edit an AppFlow action name, and select the Page Tracking check box.[From Build 47.14][# 613351, 598478, 608448]
- This enhancement allows an admin to view the different LoginSchemas present in NetScaler. This is done from the NetScaler admin GUI under LoginSchema Profiles configuration. Use the following path to see the LoginSchemas: Configuration>Security>AAA -Application Traffic>Login Schema>Profiles.[From Build 47.14][# 617921]
- You can now use advanced (PI) expressions for external authentication. Classic (PE) expressions are also supported.[From Build 51.21][# 620070]
- This enhancement provides NetScaler, which is acting as SAML IDP, the capability to sign the entire SAML response along with the assertion.[From Build 47.14][# 620844]
- The global AAA parameter (set aaa parameter -maxAAAUsers <value>) is now adjusted automatically when concurrent user (CCU) licenses are added or removed. Previously, the MaxAAAUsers count had to be adjusted manually after extra licenses were added. This value is the maximum number of global AAA sessions that can exist. To restrict the number of AAA sessions to a value lower than the licensed limit, set the maxAAAUsers parameter on the Gateway virtual server.[From Build 49.16][# 624773]
- The Unified Gateway Visualizer provides an easy visual representation of the configuration done by using the Unified Gateway Wizard. It shows the pre-authentication and authentication policies, the Content Switching, NetScaler Gateway and Load Balancing virtual servers, XA/XD apps, and Web and SaaS apps. Along with the visual representation, admins can use the Visualizer to:
  1. Edit the Unified Gateway configuration.
  2. View the various policies, such as Session, Rewrite, and Responder policies.
  3. Add new configuration, such as policies, Web apps, and SaaS apps.
  4. View the state of the Load Balancing virtual servers and services, the NetScaler Gateway virtual server, and the Content Switching virtual server.[From Build 47.14][# 625465]
- You can now terminate specified RDP Proxy connections:
  kill rdpConnection [-userName <string>] [-all]
  - userName: terminates the RDP Proxy connections that belong to the specified user.
  - all: terminates all active RDP Proxy connections.[From Build 49.16][# 626153]
- CCU packaging and pricing have changed in the following ways:
  1. MaxAAAUsers is automatically set to the maximum licensed number.
  2. Licenses now use the following scheme:
     a. Platinum: unlimited (formerly 100)
     b. Enterprise: 1000 (formerly 5)
     c. Standard: 500 (formerly 5)
     d. Any other license: 5
     e. If additional CCU licenses are present on the system, they are added to the above values (for example, Standard is 500 + any additional CCU licenses).
     f. Additional CCUs are disregarded for Platinum, which is already unlimited.[From Build 49.16][# 632308]
- During certificate authentication, if only one certificate is present on a client's computer, it is now chosen by default. The user is no longer prompted to select a certificate. However, if two or more certificates are present, the user is prompted to select a certificate. Additionally, if the certificate is successfully authenticated, the certificate preference is automatically saved. The preference is removed if the certificate authentication later fails, or if the user manually clears the saved certificate option by setting NetScaler Gateway Plugin preferences.[From Build 48.10][# 639192]
- Other Opswat EPA scans, such as version match checking, can be configured to verify HP drive encryption.[From Build 49.16][# 647203]
- NetScaler Gateway now supports Microsoft Intune.[From Build 51.21][# 651061]
- In the XenApp/XenDesktop configuration wizard, the StoreFront Settings Download option is now hidden if StoreFront is not deployed.[From Build 49.16][# 651852, 642556]
- The NetScaler appliance now allows you to choose an existing domain-server configuration, if available, instead of having to configure a new domain server when the appliance is updated.Previously, if you configured a domain server, you would not be able to use the existing configuration when the NetScaler appliance was updated, because there was no provision to choose an existing configuration for the XA-XD Wizard.[From Build 49.16][# 655923]
- New StoreFront features are incorporated in the Unified Gateway Wizard.[From Build 51.21][# 656840]
- The NetScaler Gateway appliance now supports the HDX Enlightened Data Transport (EDT) as a data transmission path. EDT provides a high definition in-session user experience of virtual desktops for users running a Citrix Receiver.[From Build 51.21][# 659795, 666135]
- The SAML attribute limit has been increased from 256 bytes to 10 KB.[From Build 51.21][# 659801]
- The XenApp & XenDesktop Wizard now supports exporting multiple Gateway deployments to supported StoreFront servers. In previous versions, only the first Gateway deployment was exportable. Now up to 32 deployments can be exported. All exported Gateway deployments are included in a single GatewayConfig.zip file.[From Build 51.21][# 661565]
- Support for the SAML ForceAuthn parameter and Artifact binding (when NetScaler is the SP) using the HTTP GET method: the NetScaler SAML SP (Service Provider) module now sends an additional attribute, ForceAuthn, in the authentication request to the external IdP (Identity Provider). By default, ForceAuthn carries the value 'false'. It can be set to 'true' to require the IdP to authenticate the user afresh rather than rely on an existing authentication context. Additionally, when configured with Artifact binding, the NetScaler SP sends the authentication request as a query parameter.[From Build 53.13][# 665828]
- With this enhancement, a StoreFront server can be used to validate user credentials instead of an Active Directory server. This simplifies Gateway configuration in XA/XD deployments, where a StoreFront server is mandatory. This applies only to end-user logon with a password; the feature cannot be used for group extraction without the user's password. See the documentation for details.[From Build 54.16][# 672398]
- Support for FTP over TLS: the NetScaler Gateway appliance now supports FTP over TLS.[From Build 57.13][# 691082]
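The ForceAuthn and query-parameter behaviour described in the SAML SP item above, as an added example (not NetScaler code): a minimal SP that builds a SAML 2.0 AuthnRequest with ForceAuthn, puts it in the query string the way the SAML HTTP-Redirect binding does (raw DEFLATE, base64, URL-encode; assumed here as the illustration of "request in a query parameter"), and an IdP-side decoder that decides whether an existing SSO session may be reused. The entity IDs and URLs are made up for the example.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Hypothetical identifiers for the illustration; not taken from the release notes.
SP_ENTITY_ID = "https://gateway.example.com/saml/sp"
IDP_SSO_URL = "https://idp.example.com/sso"
ACS_URL = "https://gateway.example.com/cgi/samlauth"


def build_authn_request(request_id: str, issue_instant: str, force_authn: bool = False) -> bytes:
    """SP side: serialize a SAML 2.0 AuthnRequest. ForceAuthn defaults to false,
    matching the default described in the release notes."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="utf-8")


def encode_for_query(xml_bytes: bytes, relay_state: Optional[str] = None) -> str:
    """Put the request in the query string: raw DEFLATE -> base64 -> URL-encode
    (the SAML HTTP-Redirect binding encoding)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_bytes) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urllib.parse.urlencode(params)


def decode_from_query(url: str) -> ET.Element:
    """IdP side: reverse the encoding and reject requests not addressed to this endpoint."""
    query = urllib.parse.urlparse(url).query
    b64 = urllib.parse.parse_qs(query).get("SAMLRequest", [None])[0]
    if b64 is None:
        raise ValueError("SAMLRequest parameter missing")
    xml_bytes = zlib.decompress(base64.b64decode(b64), -15)
    req = ET.fromstring(xml_bytes)
    if req.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    dest = req.get("Destination")
    if dest is not None and dest != IDP_SSO_URL:
        raise ValueError(f"Destination {dest!r} is not this IdP endpoint")
    return req


def idp_must_reauthenticate(req: ET.Element, has_live_session: bool) -> bool:
    """IdP decision: a live SSO session may be reused only when ForceAuthn is absent
    or false; ForceAuthn="true" (or "1", the other XML boolean form) requires fresh
    authentication regardless of the existing context."""
    force = req.get("ForceAuthn", "false").strip().lower() in ("true", "1")
    return force or not has_live_session
```

Note that the Destination check matters: an IdP that accepts a request addressed to a different endpoint lets a captured request be replayed elsewhere, and the ForceAuthn flag is the SP's only lever to defeat session reuse on a shared or unattended machine.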
NetScaler Insight Center
- You can now use NetScaler Insight Center to monitor NetScaler integrated caching. Cache Insight enables you to see and monitor the various actions performed by the NetScaler cache.[From Build 47.14][# 498439]
- You can now enable, edit, or clear AppFlow on multiple virtual servers simultaneously. To perform these actions, navigate to Configuration > Inventory and open your NetScaler Instance. Select the virtual servers and click Enable AppFlow, Edit AppFlow Settings, or Clear AppFlow Configuration, respectively.[From Build 47.14][# 534805]
- NetScaler Insight Center can now use the X-Forwarded-For header to display the actual client IP address instead of the IP address of the proxy that forwarded the request.[From Build 47.14][# 541439]
- You can now view USB event reports of a user's active sessions on HDX Insight. You can view details such as USB Status, Number of USB Instances Accepted, Number of USB Instances Rejected, and Number of USB Instances Stopped.[From Build 47.14][# 549746]
- You can now assign IPv4, IPv6, or both IP addresses to your NetScaler Insight Center server. To assign a new IP address, navigate to Configuration > System > Network Configuration, and select IPv4, IPv6, and/or both and specify the network parameters.If you specify both IPv4 and IPv6 addresses, you can access the NetScaler Insight Center by using any one of the IP addresses.[From Build 47.14][# 582943]
- You can now search for a specific application, client, or server by using the Search option in Web Insight.[From Build 47.14][# 590782]
- You can now view the client's machine name for any user session in HDX Insight.[From Build 47.14][# 606187]
- You can now view the current session details from the Geomaps section in HDX Insight.[From Build 47.14][# 606188]
- In HDX Insight, you can view a diagrammatic representation of a client's current session details.Navigate to HDX insight > Users, and in the Current Sessions section, click the Diagram button to display details such as Client IP address, NetScaler IP address, Origin Server IP address, Country, Region, Session ID, and Client Version.[From Build 47.14][# 606189]
- The following thin clients now support HDX Insight:-WYSE Windows based thin clients-WYSE Linux based thin clients-WYSE ThinOS based thin clients-10Zig Ubuntu based thin clients[From Build 47.14][# 614892, 550997, 604388, 620422, 632370]
- You can now use NetScaler Insight Center to monitor and manage the IP Reputation of your incoming traffic. You can also enable or disable AppFlow for Security Insight separately from the Enable AppFlow option: navigate to Configuration > Inventory, open your NetScaler instance, select the virtual servers, click Enable AppFlow, and select the Security Insight option.[From Build 47.14][# 635528]
- The X-Forwarded-For feature can be enabled or disabled only from the NetScaler appliance's CLI. To enable it, at the command prompt, type: "set appflow param -httpXForwardedFor ENABLED".[From Build 51.21][# 643724]
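Insight Center's use of X-Forwarded-For to show the actual client address (items # 541439 and # 643724 above) is only as trustworthy as the proxy that appended the header: the value is client-controlled unless you walk the chain from the hop your own proxy added. The following is an added example, not NetScaler or Insight Center code, of how a collector should derive the client IP; the trusted-proxy ranges and log records are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

# Assumed set of proxies whose X-Forwarded-For entries can be trusted, for example the
# NetScaler SNIPs and any upstream proxy you operate. Constructed for this example.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _parse_ip(text: str) -> Optional[IPAddr]:
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr: str) -> bool:
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Derive the client address from the TCP peer and the X-Forwarded-For header.

    The header is only meaningful when the peer that delivered the request is a
    trusted proxy; otherwise anyone can set it. Walk the chain from the right
    (the hop appended last, by the proxy nearest us) and skip our own proxies;
    the first address that is not ours is the client. Garbage entries fall back
    to the peer address instead of being trusted.
    """
    if xff is None or not is_trusted_proxy(peer_addr):
        return peer_addr
    hops: List[str] = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        return hop if _parse_ip(hop) is not None else peer_addr
    return peer_addr  # every hop was one of our proxies: treat the peer as the client


# Constructed records in the shape (peer_addr, x_forwarded_for), as a collector might
# receive them once httpXForwardedFor is enabled on the appliance.
SAMPLE_RECORDS: List[Tuple[str, Optional[str]]] = [
    ("10.1.1.5", "203.0.113.7"),                  # proxy appended the real client
    ("10.1.1.5", "198.51.100.9, 203.0.113.7"),    # client-supplied 198.51.100.9 is ignored
    ("10.1.1.5", "203.0.113.7, 10.2.2.2"),        # two of our proxies in the path
    ("203.0.113.9", "1.2.3.4"),                   # peer is not a proxy: header ignored
    ("10.1.1.5", "<script>alert(1)</script>"),    # junk value: fall back to the peer
    ("10.1.1.5", None),                           # no header at all
]


def resolve_samples() -> List[str]:
    return [real_client_ip(peer, xff) for peer, xff in SAMPLE_RECORDS]
```

The second record is the one that bites in practice: a report keyed on the leftmost XFF entry lets an attacker choose the "client IP" that shows up in dashboards and in any IP-based allow-list or reputation decision.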
NetScaler SDX Appliance
- Support to display the details for the Out of Service state: the Management Service now displays the reason for the Out of Service state of a NetScaler instance when you mouse over it in the dashboard.[From Build 47.14][# 393721]
- Support to send selective system notifications through email or SMS: you can now send notifications to selected groups of users for a number of system-related functions.[From Build 47.14][# 434771]
- Static route support for the Management Service: you can now specify an IP address as a static route when provisioning a NetScaler instance. The instance then uses this address, instead of the default route, to connect to the Management Service.[From Build 47.14][# 498445]
- Option to set the CLI prompt: you can now customize the CLI prompt of the Management Service.[From Build 47.14][# 526292]
- Ability to configure SSL ciphers for secure access to the Management Service: you can select SSL cipher suites from the list of ciphers supported by SDX appliances and bind any combination of them for accessing the Management Service securely through HTTPS.[From Build 47.14][# 530232]
- IPv6 support: SDX appliances now support IPv6 addresses in the following configurations: SDX network configuration, server configuration, authentication server, syslog server, SNMP server, notification server, SNMP interface configuration, and NetScaler configuration (if provisioning uses an IPv6 address).[From Build 47.14][# 531419, 251566]
- Scaling the throughput of NetScaler instances: you can now allocate up to 16 CPU cores to each NetScaler instance on an SDX 25xxx appliance and up to 10 CPU cores to each NetScaler instance on an SDX 14xxx 40G appliance to scale the throughput of these instances.[From Build 52.13][# 555664, 615198]
- Ability to generate partition MAC addresses: you can now generate partition MAC addresses on a NetScaler SDX appliance and use them to configure admin partitions on a NetScaler instance on the appliance. For more information, see http://docs.citrix.com/en-us/sdx/11-1/configuring-managing-netscaler-instance/generate-partition-MAC-addresses.html.[From Build 47.14][# 576124]
- Option to disable the nsrecover login account: using the Management Service interface, you can now disable the nsrecover login account. To do so, navigate to "Configuration > System > Configure System Settings" and clear the "Enable nsrecover Login" check box.[From Build 47.14][# 576375]
- Updated encryption method: the Management Service now protects the nsrecover passwords stored on the SDX appliance with SHA-512 based hashing (a one-way hash, not reversible encryption).[From Build 47.14][# 576379, 578112]
- Support to encrypt backup files: the Management Service now provides an option to encrypt backup files. For more information, see http://docs.citrix.com/en-us/sdx/11-1/configuring-management-service/backup-restore.html.[From Build 47.14][# 576381]
- Disable physical interfaces on the NetScaler SDX appliance: if you are not using some of the physical interfaces on a NetScaler SDX appliance, you can now disable them by using the Management Service. For more information, see http://docs.citrix.com/en-us/sdx/11-1/manage-monitor-appliance-network-configuration/managing-interfaces.html.[From Build 47.14][# 577800]
- For any operation that requires a NetScaler SDX appliance reboot, the Management Service now detects unsaved configurations on the NetScaler instances and prompts you to save them.[From Build 47.14][# 581603]
- Support to transfer backup files to an external backup server: you can now configure a NetScaler SDX appliance to transfer backup files to an external backup server by using FTP, SFTP, or SCP. For more information, see http://docs.citrix.com/en-us/sdx/11-1/configuring-management-service/backup-restore.html.[From Build 47.14][# 581604, 576259]
- Clean install is supported on all NetScaler SDX platforms: using the Management Service, you can now do a clean install of any NetScaler SDX appliance, regardless of the platform. Note: Before initiating the clean install, make sure that the factory partition on the appliance has enough space for the extracted single-bundle image. For more information, see http://docs.citrix.com/en-us/sdx/11-1/configuring-management-service/performing-a-factory-reset.html.[From Build 51.21][# 605703]
- Cascade authentication for system users: you can now cascade external authentication servers to have a continuous, reliable process for authenticating and authorizing external users. If authentication fails on the first authentication server, the NetScaler SDX Management Service attempts to authenticate the user by using the second external authentication server, and so on. You can cascade up to 32 external authentication servers. For more information, see http://docs.citrix.com/en-us/sdx/11-1/configuring-management-service/cascading_external_authentication_servers.html.[From Build 47.14][# 611319, 612186]
- Option to select the protocol for NetScaler and Management Service communication: using the admin profile, you can now specify whether the Management Service and the NetScaler VPX instance communicate with each other only over a secure channel or also by using HTTP.[From Build 47.14][# 616436, 621482]
- Option to add a network subnet instead of a specific IP address or host name for the SNMP manager: you can now add the network subnet of the SNMP manager instead of specifying the SNMP manager's IP address or host name. If you do not configure at least one SNMP manager, the appliance accepts and responds to SNMP queries from all IP addresses on the network. If you configure one or more SNMP managers, the appliance accepts and responds only to SNMP queries from those specific IP addresses or from addresses in that subnet. For more information, see http://docs.citrix.com/en-us/sdx/11-1/manage-monitor-appliance-network-configuration/configuring-snmp-trap-destination.html.[From Build 47.14][# 622893, 440103]
- Support for the NetScaler SDX 25000A platform: this release includes support for the new NetScaler SDX platform, SDX-25000A.[From Build 50.10][# 623143]
- Support for SNMP MIB-2 interface tables: NetScaler SDX appliances now support the SNMP MIB-2 interface table, which you can use to get the details of all the interfaces and channels on the NetScaler SDX appliance.[From Build 51.21][# 623235]
- Support for alarm threshold and timeout values: when configuring SNMP in the Management Service, you can now define the alarm threshold and timeout values.[From Build 51.21][# 623711]
- Support to add additional DNS servers: in the Management Service, you can now add up to two additional DNS servers to the network configuration. The additional DNS servers can have either IPv4 or IPv6 addresses. Note: Add one or two DNS server IP addresses as additional DNS servers, and do not use the same DNS server IP address for the primary DNS server and an additional DNS server. For more information, see http://docs.citrix.com/en-us/sdx/11-1/hardware-installation/sdx-initial-configuration.html.[From Build 51.21][# 625779]
- Support for the NetScaler SDX 8900 appliance: this release supports the NetScaler SDX 8900 appliance. For more information, see the following documentation:
  NetScaler SDX Hardware-Software Compatibility Matrix: https://docs.citrix.com/en-us/netscaler-hardware-platforms/sdx/supported-versions.html
  Citrix NetScaler SDX 8900: https://docs.citrix.com/en-us/netscaler-hardware-platforms/sdx/hardware-platforms/8900.html
  Citrix Downloads page: https://www.citrix.com/downloads/netscaler-adc/components/netscaler-firmware-59xx-89xx.html[From Build 57.13][# 653122, 636909]
- NetScaler VPX admin account details are no longer mandatory: providing the NetScaler VPX admin account details is now optional when you use the Management Service to provision a NetScaler VPX instance on a NetScaler SDX appliance.[From Build 51.21][# 658380]
- 2048-bit default certificate: a NetScaler appliance now uses a 2048-bit default certificate. Note: Before installing a 2048-bit certificate, you must delete the 1024-bit default certificate and its keys, and then restart the Management Service. On a NetScaler SDX appliance, the existing default certificate and keys are at the following locations: default certificate in /var/mps/ssl_certs/, default key in /var/mps/ssl_keys.[From Build 51.21][# 658381]
- Support for events and alarms for SDX backup: alarms and events are generated if any VPX instance running on an SDX appliance is either out of service or unreachable at the time of an SDX backup. To view the alarms and events about any discrepancy in the backup file, in the NetScaler SDX GUI navigate to Configuration > System > Events/Alarms.[From Build 57.13][# 666238]
- Support for VPX instances on the SDX 8900 appliance: this release supports NetScaler VPX instances on a NetScaler SDX 8900 appliance. Note that the NetScaler SDX 8900 appliance is available only on release 11.0 build 70.109, but VPX instances are supported on 11.0 builds 70.109 and 70.112 and 11.1 build 56.15. For more information, see https://docs.citrix.com/en-us/sdx/11/hardware-installation/sdx-hardware-platforms/sdx-8900.html and https://docs.citrix.com/en-us/sdx/11-1/sdx-ag-supported-versions-ref.html[From Build 56.19][# 698749]
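The nsrecover password item above (# 576379) says the stored value is now SHA-512 based. The following is an added illustration of why the details of that matter, not SDX code and not the Management Service's on-disk format: a bare SHA-512 digest of a password is deterministic, so equal passwords give equal stored values and a leaked table is cheap to attack with precomputed hashes, whereas a salted, iterated construction (PBKDF2-HMAC-SHA512 from Python's hashlib, assumed here for illustration) removes both problems and verification uses a constant-time compare. The iteration count is an assumption to be tuned on the target hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha512"
ITERATIONS = 210_000   # assumed work factor; tune to roughly 100 ms on the target hardware
SALT_BYTES = 16


def unsalted_sha512(password: str) -> str:
    """What 'SHA-512 the password' means if taken literally: no salt, one pass.
    Deterministic, so equal passwords give equal digests and rainbow tables apply."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated SHA-512 (PBKDF2-HMAC-SHA512). Returns a self-describing record
    algo$iterations$salt_hex$digest_hex, so the work factor can be raised later
    without invalidating existing records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time.
    Malformed or foreign records verify as False rather than raising."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)
```

When auditing an appliance's password store, the things to look for are exactly the ones this code makes explicit: a per-record salt, a work factor, and a verifier that never short-circuits on the first mismatching byte.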
NetScaler VPX Appliance
- New license for NetScaler VPX on ESX and KVM platforms: a 40G license is now available for NetScaler VPX appliances on ESX and KVM platforms. For more information about recommended interfaces and performance details, refer to the latest VPX datasheet.[From Build 47.14][# 623179]
- The number of unique IPv6 addresses that you can add to a NetScaler virtual appliance configured with SR-IOV interfaces is limited to 30 on the following platforms: XenServer, Linux-KVM, and VMware ESX.[From Build 49.16][# 639229]
- MAS as a centralized license management server: with the NetScaler Check-In/Check-Out (CICO) licensing feature, when you provision NetScaler VPX instances you can now assign licenses from NetScaler MAS, which acts as a centralized license management server. When a VPX instance is retired or removed, the license is released back to the MAS licensing server so that you can assign it to another instance if required. For more information, see http://docs.citrix.com/en-us/netscaler-mas/12/NetScaler-CICO0.html.[From Build 54.16][# 652846]
- Support for jumbo frames on NetScaler VPX appliances running on AWS: jumbo frames are now supported on NetScaler virtual appliances running on Amazon Web Services (AWS). You can send a larger data payload in each frame, which makes data transmission more efficient. To enable jumbo frames, use the NetScaler CLI, GUI, or NITRO API.[From Build 51.21][# 658197]
- New licenses for NetScaler VPX on XenServer and KVM platforms: the following licenses are now available for NetScaler VPX appliances on a XenServer platform: 25MB, 5G, 8G, 10G, 15G, and 25G. Also, a 100G license is now available for NetScaler VPX appliances on a KVM platform. For more information about recommended interfaces and performance details, see the latest VPX datasheet.[From Build 49.16][# 660256]
- Support for PCI passthrough interfaces on NetScaler VPX appliances installed on VMware ESX Server: you can now configure a NetScaler VPX instance deployed on VMware ESX Server to use PCI passthrough interfaces. For performance information about PCI passthrough interfaces on ESX Server, see the latest VPX datasheet.[From Build 51.21][# 661840]
- Support for NetScaler VPX appliances on Cisco CSP 2100: you can now deploy an SR-IOV enabled NetScaler VPX instance on the Cisco Cloud Services Platform (CSP) 2100 to enable network functions virtualization (NFV) in your environment. CSP 2100 is an open, x86 Linux kernel-based virtual machine (KVM) software and hardware platform designed for data center NFV. For more information, see https://docs.citrix.com/en-us/netscaler/11-1/deploying-vpx/vpx-instance-enabled-with-sriov-on-cisco-csp.html[From Build 56.19][# 696320]
Networking
- Using a source port from a specified port range for backend communication: by default, for configurations with the USIP option disabled, or with USIP and the use proxy port option enabled, the NetScaler appliance communicates with the servers from a random source port (greater than 1024). The NetScaler appliance now supports using a source port from a specified port range for communicating with the servers. One use case for this feature is servers that are configured to identify received traffic as belonging to a specific set on the basis of the source port, for logging and monitoring purposes (for example, distinguishing internal from external traffic). For more information, see http://docs.citrix.com/en-us/netscaler/11-1/load-balancing/load-balancing-manage-clienttraffic/use-specified-sourceport.html.[From Build 47.14][# 420067, 420039]
- Setting the MTU on the NSVLAN: by default, the MTU of the NSVLAN is set to 1500 bytes. You can now modify this setting to optimize throughput and network performance. For example, you can configure the NSVLAN to process jumbo frames. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/networking/interfaces/configuring-nsvlan.html.[From Build 47.14][# 425950]
- Stateful connection failover support for RNAT configurations with TCP proxy on: connection failover helps prevent disruption of access to applications deployed in a distributed environment. In a high availability (HA) setup, stateful connection failover for RNAT is now supported with TCP proxy. Connection failover can be enabled per RNAT rule by enabling the "connFailover" ("Connection Failover") parameter of that specific RNAT rule. To enable TCP proxy for RNAT, enable the "tcpproxy" parameter by using the "set rnatparam" command in the NetScaler CLI, or select "Enable RNAT Source IP Persistency" (System > Settings > Change Global System Settings) in the NetScaler GUI. For more information, see https://docs.citrix.com/en-us/netscaler/11-1/networking/ip-addressing/configuring-network-address-translation/configuring-rnat.html.[From Build 51.21][# 439206]
- Using NULL policy based routes to drop outgoing packets: some situations might require the NetScaler appliance to drop specific outgoing packets instead of routing them, for example during testing and deployment migration. NULL policy based routes (PBRs) can be used to drop specific outgoing packets. A NULL PBR is a PBR that has the nexthop parameter set to NULL. The NetScaler appliance drops outgoing packets that match a NULL PBR. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/networking/ip-routing/configuring-policy-based-routes/null-policy-based-routes-drop-outgoing-packets.html.[From Build 47.14][# 451632]
- Stateful connection failover support for RNAT: connection failover helps prevent disruption of access to applications deployed in a distributed environment. The NetScaler appliance now supports stateful connection failover for connections related to RNAT rules in a NetScaler high availability (HA) setup. In an HA setup, connection failover (or connection mirroring) refers to keeping an established TCP or UDP connection active when a failover occurs. The primary appliance sends messages to the secondary appliance to synchronize current information about the RNAT connections. The secondary appliance uses this connection information only in the event of a failover. When a failover occurs, the new primary NetScaler appliance has information about the connections established before the failover and continues to serve those connections. From the client's perspective the failover is transparent, although during the transition period the client and server may experience a brief disruption and retransmissions. Connection failover can be enabled per RNAT rule by enabling the connFailover (Connection Failover) parameter of that specific RNAT rule from either the NetScaler command line or the configuration utility. Also, you must disable the tcpproxy (TCP Proxy) parameter globally for all RNAT rules in order for connection failover to work properly for TCP connections (support for connection failover with TCP proxy enabled was added in build 51.21, see above). For more information, see http://docs.citrix.com/en-us/netscaler/11-1/networking/ip-addressing/configuring-network-address-translation/configuring-rnat.html.[From Build 47.14][# 457167]
- Managing high availability heartbeat messages on a NetScaler appliance: the two nodes in a high availability configuration send and receive heartbeat messages to and from each other on all interfaces that are enabled. The heartbeat messages flow regardless of the HA MON setting on these interfaces. If NSVLAN or SYNCVLAN or both are configured on an appliance, the heartbeat messages flow only through the enabled interfaces that are part of the NSVLAN and SYNCVLAN. If a node does not receive heartbeat messages on an enabled interface, it sends critical alerts to the specified Command Center and SNMP managers. For interfaces that are not part of the connections to the peer node, these critical alerts are false alarms that draw unnecessary attention from administrators. To resolve this issue, the HAHeartBeat option for interfaces and channels enables or disables the flow of HA heartbeat messages on them. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/system/high-availability-introduction/managing-ha-heartbeat-messages.html.[From Build 47.14][# 477162, 575447, 604578]
- Configuring an allowed VLAN list: the NetScaler appliance accepts and sends tagged packets of a VLAN on an interface if the VLAN is explicitly configured on the appliance and the interface is bound to the VLAN. Some deployments (for example, bump in the wire) require the NetScaler appliance to function as a transparent device that accepts and forwards tagged packets for a large number of VLANs. For this requirement, configuring and managing a large number of VLANs is not feasible. The allowed VLAN list on an interface specifies a list of VLANs; the interface transparently accepts and sends tagged packets for the specified VLANs without these VLANs being explicitly configured on the appliance. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/networking/interfaces/configure-allowed-VLAN-list.html.[From Build 47.14][# 495219]
- Extending VLANs from multiple enterprises to a cloud: CloudBridge Connector tunnels can now be used to extend an enterprise's VLANs to a cloud. VLANs extended from multiple enterprises can have overlapping VLAN IDs. You can now isolate each enterprise's VLANs by mapping them to a unique VXLAN in the cloud. On the NetScaler appliance that is the CloudBridge Connector endpoint in the cloud, you can configure a VXLAN-VLAN map that links an enterprise's VLANs to a unique VXLAN in the cloud. VXLANs now support VLAN tagging for extending multiple VLANs of an enterprise from CloudBridge Connector to the same VXLAN.[From Build 47.14][# 499295]
- Configuring source IP persistency for backend communication: by default, for a load balancing configuration with the USIP option disabled and a net profile bound to a virtual server, service, or service group, the NetScaler appliance uses the round-robin algorithm to select an IP address from the net profile for communicating with the servers. Because of this selection method, the IP address selected can differ between sessions of a specific client. Some situations require the NetScaler appliance to send all of a specific client's traffic to the servers from the same IP address, so that the servers can, for example, identify traffic belonging to a specific set for logging and monitoring purposes. The source IP persistency option of a net profile enables the NetScaler appliance to use the same address, specified in the net profile, to communicate with servers for all sessions initiated from a specific client to a virtual server. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/load-balancing/load-balancing-manage-clienttraffic/configure-source-IP-persistency-backend-communication.html.[From Build 47.14][# 530670]
- Adding a default route for the changed NSIP address before a restart: if you change the NSIP address of a NetScaler appliance, you can now add a default route to the new address's subnet before restarting the appliance. This makes the new NSIP address accessible from other networks after the appliance is restarted. In previous releases, if the subnet of the new NSIP address was different from the previous one, you could not add a default route for the new subnet until you restarted the appliance. Because of this restriction, the new NSIP address was unreachable from other networks after a restart. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/networking/ip-addressing/configuring-netscaler-owned-ip-addresses/configuring-netscaler-ip-address.html.[From Build 47.14][# 551505]
- Dynamic routing support for link-local subnet IPv6 addresses: NetScaler appliances now support dynamic routing on a link-local subnet IPv6 (SNIP6) address for a VLAN. In the default admin partition, the link-local SNIP6 address takes precedence over the link-local NSIP6 address for running dynamic routing on a VLAN. In a non-default partition, the NetScaler appliance does not support dynamic routing on the link-local NSIP6 address for a VLAN; the link-local SNIP6 address can now be used for running dynamic routing on the VLAN.[From Build 47.14][# 553544]
- IPv6 support in active-active mode using VRRP: NetScaler appliances now support VIP6 addresses in active-active deployments. An active-active deployment, in addition to preventing downtime, makes efficient use of all the NetScaler appliances in the deployment. In an IPv6 active-active deployment, the same VIP6 address is assigned to every NetScaler appliance in the configuration, but with different priorities, so that a given VIP6 can be active on only one appliance at a time. The active VIP6 address is called the master VIP6, and the corresponding VIP6s on the other NetScaler appliances are called the backup VIP6s. If a master VIP6 fails, the backup VIP6 with the highest priority takes over and becomes the master VIP6. All the NetScaler appliances in an active-active deployment use the Virtual Router Redundancy Protocol (VRRP) to advertise their VIP6s and the corresponding priorities at regular intervals. NetScaler appliances in active-active mode can be configured so that no appliance is idle; in this configuration, different sets of VIPs are active on each appliance. The following features of the IPv4 active-active configuration are also supported for IPv6: preemption, delaying preemption, sharing, and changing VIP address priority automatically. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/networking/interfaces/active-active-mode-using-vrrp.html.[From Build 47.14][# 553570]
- IPv6 Support in Active-Active Mode using VRRPNetScaler Appliances Support VIP6 Addresses in Active-Active Deployments.An active-active deployment, in addition to preventing downtime, makes efficient use of all the NetScaler appliances in the deployment. In an IPv6 active-active deployment mode, the same VIP6 address is assigned to every NetScaler appliance in the configuration, but with different priorities, so that a given VIP6 can be active on only one appliance at a time.The active VIP6 address is called the master VIP6, and the corresponding VIP6s on the other NetScaler appliances are called the backup VIP6s. If a master VIP6 fails, the backup VIP6 with the highest priority takes over and becomes the master VIP6. All the NetScaler appliances in an active-active deployment use the Virtual Router Redundancy Protocol (VRRP) to advertise their VIP6s and the corresponding priorities at regular intervals.NetScaler appliances in active-active mode can be configured so that no appliance is idle. In this configuration, different sets of VIPs are active on each appliance.The following features of IPv4 active-active configuration are also supported for IPv6 active-active configuration:* Preemption* Delaying preemption* Sharing* Changing VIP address priority automatically[From Build 41.26][# 553570]
- Graceful Restart for Dynamic Routing ProtocolsIn a non-INC high availability (HA) setup in which a routing protocol is configured, after a failover, routing protocol is converged and routes between the new primary node and the adjacent neighbor routers are learned. Route learning take some time to complete. During this time, forwarding of packets is delayed, network performance might get disrupted, and packets might get dropped.Graceful restart enables an HA setup during a failover to direct its adjacent routers to not remove the old primary node's learned routes from their routing databases. Using the old primary node's routing information, the new primary node and the adjacent routers immediately start forwarding packets, without disrupting network performance.The following routing protocols support graceful restart in a non-INC high availability setup:- Border Gateway Protocol (BGP)- IPv6 Border Gateway protocol (IPv6 BGP)- Open Shortest Path First (OSPF)- IPv6 Open Shortest Path First (OSPFv3)[From Build 41.26][# 571033]
- Graceful Restart for Dynamic Routing ProtocolsIn a non-INC high availability (HA) setup in which a routing protocol is configured, after a failover, routing protocol is converged and routes between the new primary node and the adjacent neighbor routers are learned. Route learning take some time to complete. During this time, forwarding of packets is delayed, network performance might get disrupted, and packets might get dropped.Graceful restart enables an HA setup during a failover to direct its adjacent routers to not remove the old primary node's learned routes from their routing databases. Using the old primary node's routing information, the new primary node and the adjacent routers immediately start forwarding packets, without disrupting network performance.The following routing protocols support graceful restart in a non-INC high availability setup:- Border Gateway Protocol (BGP)- IPv6 Border Gateway protocol (IPv6 BGP)- Open Shortest Path First (OSPF)- IPv6 Open Shortest Path First (OSPFv3)For more information, see:- http://docs.citrix.com/en-us/netscaler/11-1/networking/ip-routing/configuring-dynamic-routes/configuring-ospf.html- http://docs.citrix.com/en-us/netscaler/11-1/networking/ip-routing/configuring-dynamic-routes/configuring-ipv6-ospf.html- http://docs.citrix.com/en-us/netscaler/11-1/networking/ip-routing/configuring-dynamic-routes/configuring-bgp.html[From Build 47.14][# 571033]
- Network Service Header support for Service FunctionNetwork Services Header (NSH) is a new standard that enables the Service Function Chaining (SFC) architecture. NSH enables you to define the service chain paths and forward the data-plane traffic through multiple service nodes in a dynamic and fail-proof manner.A NetScaler appliance can now play the service-function role in a SFC architecture. The NetScaler appliance receives packets with Network Service headers and, upon performing the service, modifies the NSH bits in the response packet to indicate that the service has been performed. In that role, the appliance supports symmetric service chaining with features (for example, INAT, TCP and UDP load balancing services, and routing). The NetScaler appliance as service-function does not support IPv6 and Reclassification.[From Build 47.14][# 593459]
- Logging Start Time and Connection Closure Reasons in RNAT Log EntriesFor diagnosing or troubleshooting problems related to RNAT connections, the NetScaler appliance now logs the following additional information:- Start time of the RNAT session.- Reason for closure of the RNAT session. The NetScaler appliance logs closure reason for TCP RNAT sessions that do not use the TCP proxy (TCP proxy disabled) of the appliance. The following are the type of closure reasons that are logged for TCP RNAT sessions:-- TCP FIN. The RNAT session was closed because of a TCP FIN sent by either the source or destination device.-- TCP RST. The RNAT session was closed because of a TCP Reset that was sent by either the source or destination device.-- TIMEOUT. The RNAT session timed out.For more information, see http://docs.citrix.com/en-us/netscaler/11-1/networking/ip-addressing/configuring-network-address-translation/configuring-rnat.html.[From Build 47.14][# 609410]
- NetScaler Support for Microsoft Direct Access DeploymentMicrosoft Direct Access is a technology that enables remote users to seamlessly and securely connect to enterprise's internal networks, without the need to establish a separate VPN connection. Unlike VPN connections, which require user intervention to start and close connections, a Direct Access-enabled client connects automatically to the enterprise's internal networks whenever the client connects to the Internet.Manage-Out is a Microsoft Direct Access feature that allows administrators inside the enterprise network to connect to Direct Access clients outside the network and manage them (for example, performing administration tasks, such as scheduling service updates, and providing remote support.In a Direct Access deployment, NetScaler appliances provide high availability, scalability, high performance, and security. NetScaler load balancing functionality sends client traffic through the most appropriate server. The appliances can also forward the Manage-Out traffic through the right path to reach the client.[From Build 41.26][# 612455]
- NetScaler Support for Microsoft Direct Access DeploymentMicrosoft Direct Access is a technology that enables remote users to seamlessly and securely connect to enterprise's internal networks, without the need to establish a separate VPN connection. Unlike VPN connections, which require user intervention to start and close connections, a Direct Access-enabled client connects automatically to the enterprise's internal networks whenever the client connects to the Internet.Manage-Out is a Microsoft Direct Access feature that allows administrators inside the enterprise network to connect to Direct Access clients outside the network and manage them (for example, performing administration tasks, such as scheduling service updates, and providing remote support).In a Direct Access deployment, NetScaler appliances provide high availability, scalability, high performance, and security. NetScaler load balancing functionality sends client traffic through the most appropriate server. The appliances can also forward the Manage-Out traffic through the right path to reach the client. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/networking/interfaces/netscaler-support-microsoft-direct-access-deployment.html.[From Build 47.14][# 612455]
- Wildcard TOS MonitorsIn a load balancing configuration in DSR mode using TOS field, monitoring its services requires a TOS monitor to be created and bound to these services. A separate TOS monitor is required for each load balancing configuration in DSR mode using TOS field, because a TOS monitor requires the VIP address and the TOS ID to create an encoded value of the VIP address. The monitor creates probe packets in which the TOS field is set to the encoded value of the VIP address. It then sends the probe packets to the servers represented by the services of a load balancing configuration. With a large number of load balancing configurations, creating a separate custom TOS monitor for each configuration is a big, cumbersome task. Managing these TOS monitors is also a big task. Now, you can create wildcard TOS monitors. You need to create only one wildcard TOS monitor for all load balancing configurations that use the same protocol (for example, TCP or UDP).A wildcard TOS monitor has the following mandatory settings:-Type = <protocol>-TOS = YesThe following parameters can be set to a value or can be left blank:-Destination IP-Destination Port-TOS IDA wildcard TOS monitor (with destination IP, Destination port, and TOS ID not set) bound to a DSR service automatically learns the TOS ID and the VIP address of the load balancing virtual server. The monitor creates probe packets with TOS field set to the encoded VIP address and then sends the probe packets to the server represented by the DSR service.[From Build 49.16][# 615975]
- Monitoring Command Propagation Failures in a Cluster DeploymentIn a cluster deployment of NetScaler appliances, you can use the new command "show prop status" for faster monitoring and troubleshooting of issues related to command-propagation failure on non-CCO nodes. This command displays up to 20 of the most recent command propagation failures on all non-CCO nodes. You can use either the NetScaler command line or the NetScaler GUI to perform this operation after accessing them through the CLIP address or through the NSIP address of any node in the cluster deployment.To know more information about this feature, see http://docs.citrix.com/en-us/netscaler/11-1/clustering/cluster-managing/Monitoring-Command-Propagation-Failures-in-cluster-deployment.html[From Build 49.16][# 623707]
- NITRO API Support for Dynamic RoutingNetScaler appliances now support NITRO API for configuring dynamic routing protocols.[From Build 47.14][# 626083]
- Support for Sending Response Traffic Through an IP-IP tunnelYou can now configure a NetScaler appliance to send response traffic through an IP-IP tunnel instead of routing it back to the source. Previously, when the appliance received a request from another NetScaler or a third-party device through an IP-IP tunnel, it had to route the response traffic instead of sending it through the tunnel. You can now use policy based routes (PBRs) or enable MAC-Based Forwarding (MBF) to send the response through the tunnel.In a PBR rule, specify the subnets at both end points whose traffic is to traverse the tunnel. Also set the next hop as the tunnel name. When response traffic matches the PBR rule, the NetScaler appliance sends the traffic through the tunnel.Alternatively, you can enable MBF to meet this requirement, but the functionality is limited to traffic for which the NetScaler appliance stores session information (for example, traffic related to load balancing or RNAT configurations). The appliance uses the session information to send the response traffic through the tunnel.[From Build 49.16][# 632279]
- Advertisement of SNIP and VIP Routes to Selective AreasIn a cluster setup, for a requirement to advertise spotted SNIP addresses to only the server-side routers, enabling DRADV mode or redistribute connect ZebOS operations cannot be used. This is because these operations send all the connected routes to ZebOS. Also, adding dummy static routes in ZebOS for the required subnets, or adding ACLs in ZebOS to filter unwanted connected routes is a cumbersome and tedious task.A new option, Network Route, addresses this issue. You can enable this option for only one SNIP address per subnet. The connected route for that SNIP address is sent as a kernel route to ZebOS.For VIP and SNIP addresses, another new option, Tag, can be assigned an integer from 1 to 4294967295. This parameter can be set only when Host Route or Network Route is enabled for VIP or SNIP addresses. The tag value associated with VIP and SNIP addresses are also sent along with their routes to ZebOS. Tags with different values can be set for VIP and SNIP routes. These tag values can then be matched in routemaps in ZebOS and advertised to selective areas.For more information, see https://docs.citrix.com/en-us/netscaler/11-1/networking/ip-routing/configuring-dynamic-routes/advertisement-of-snip-and-vip-routes-to-selective-areas.html.[From Build 51.21][# 633418]
- Support of Automatic ARP Resolution to Special MAC addressIn a cluster deployment, when the client-side or server side-link to a node goes down, traffic is steered to this node through the peer nodes for processing. Previously, the steering of traffic was implemented on all nodes by configuring dynamic routing and adding static ARP entries pointing to the special MAC address of each node. If there are a large number of nodes in a cluster deployment, adding and managing static ARP entries with special MAC addresses on all the nodes is a cumbersome task. Now, nodes implicitly use special MAC addresses for steering packets. Therefore, static ARP entries pointing to special MAC addresses no longer have to be added to the cluster nodes.[From Build 49.16][# 635235]
- Automatic TCP-Connection Reset for Inactive NodesPreviously, a cluster node did not reset its existing TCP connections (to clients and servers) when its state became Inactive. As a result, the states of the client and server connections became undefined. Now, a node resets all its TCP connections before entering the Inactive state.[From Build 49.16][# 635826]
- Loop Prevention Mechanism based on VLAN IDFor a MAC-mode based load balancing configuration, the NetScaler appliance maintains a source MAC table. This table maps the virtual server to the MAC addresses of all the bound services. The appliance uses this table to prevent (loop prevention mechanism) the server traffic from reaching the virtual server.For a trunk link that is shared by the VLANs of the servers and the VLANs of clients, the appliance also prevents traffic from these clients from reaching the virtual server. To solve this issue, the NetScaler loop prevention mechanism now considers the VLAN ID along with the MAC address, so that the client traffic in a trunk link reaches the virtual server.[From Build 51.21][# 663400]
- Disabled ACL logging for Loopback TrafficBy default, the NetScaler appliance bypasses ACL processing for loopback traffic, but it logs the loopback traffic for ACL rules for which the ACL logging option is enabled. These log entries for loopback traffic create a false impression that the NetScaler appliance has processed loopback traffic for ACL rules.Now, the NetScaler appliance does not log loopback traffic for ACL rules.[From Build 52.13][# 671305]
Platform
- Support for Hardware Platforms
This release now supports the NetScaler MPX 5900 and NetScaler MPX 8900 platforms. For more information, see https://docs.citrix.com/en-us/netscaler/11-1/ssl/support-for-mpx-5900-8900-platforms.html.[From Build 56.19][# 493998, 681106]
- Amazon Web Services IAM Roles Support
NetScaler VPX on the AWS cloud now supports IAM roles. IAM roles let AWS applications make API requests securely from their instances without requiring users to manage the security credentials the applications use. The user defines which accounts or AWS services can assume a role, and the application is granted the permissions for the actions and resources defined for the role through the security credentials associated with it. An application on the instance retrieves those security credentials from the instance metadata item iam/security-credentials/role-name. The credentials are temporary and are renewed automatically; new credentials are available at least five minutes before the old credentials expire.[From Build 47.14][# 585172]
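The credential lifecycle described above (read from the iam/security-credentials/ metadata path, temporary, replaced at least five minutes before expiry) is easy to get wrong in a client that caches keys. The following is an added example, not NetScaler or AWS code, showing a cache that re-reads the role credentials just inside that five-minute margin. The field names (Code, AccessKeyId, SecretAccessKey, Token, Expiration) are those of the instance metadata credential document; the fetch function is injected so the block runs offline against a constructed stand-in for the metadata service, and the role name netscaler-vpx is hypothetical. On a real instance the fetch would be an HTTP GET to the metadata service at 169.254.169.254.

```python
import json
from datetime import datetime, timedelta, timezone

# Metadata path, relative to the metadata service root, that serves the attached role's credentials.
METADATA_CREDS_PATH = "iam/security-credentials/"

# AWS makes new credentials available at least five minutes before the old ones expire,
# so refreshing at this margin never leaves a caller holding expired keys.
REFRESH_MARGIN = timedelta(minutes=5)


def parse_credentials(document):
    """Parse the JSON credential document served by the metadata path into a dict."""
    data = json.loads(document)
    if data.get("Code") != "Success":
        raise RuntimeError("metadata service reported %s" % data.get("Code"))
    expiration = datetime.strptime(data["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "access_key_id": data["AccessKeyId"],
        "secret_access_key": data["SecretAccessKey"],
        "session_token": data["Token"],
        "expiration": expiration.replace(tzinfo=timezone.utc),
    }


class RoleCredentialCache:
    """Caches role credentials and re-reads them before they expire.

    fetch(path) returns the document text for a metadata path (an HTTP GET in production,
    injected here so the example runs offline); clock() returns the current UTC time.
    """

    def __init__(self, role_name, fetch, clock=None):
        self.path = METADATA_CREDS_PATH + role_name
        self._fetch = fetch
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._creds = None
        self.fetch_count = 0

    def needs_refresh(self):
        if self._creds is None:
            return True
        return self._clock() >= self._creds["expiration"] - REFRESH_MARGIN

    def get(self):
        """Return current credentials, re-reading the metadata path when they are about to expire."""
        if self.needs_refresh():
            self._creds = parse_credentials(self._fetch(self.path))
            self.fetch_count += 1
        return self._creds


# --- Constructed stand-in for the metadata service (sample data, not real keys) ---

class FakeMetadataService:
    """Serves a credential document whose Expiration is one hour after each fetch."""

    def __init__(self, clock):
        self._clock = clock
        self.served = 0

    def fetch(self, path):
        assert path.startswith(METADATA_CREDS_PATH), path
        self.served += 1
        now = self._clock()
        return json.dumps({
            "Code": "Success",
            "LastUpdated": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "Type": "AWS-HMAC",
            "AccessKeyId": "ASIAEXAMPLE%06d" % self.served,
            "SecretAccessKey": "constructed-secret-%d" % self.served,
            "Token": "constructed-session-token-%d" % self.served,
            "Expiration": (now + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        })


class ManualClock:
    """Settable clock so the refresh behaviour can be walked through deterministically."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


def demo():
    """Initial read, a reuse 30 minutes later, and a refresh at 56 minutes (inside the 5-minute margin).

    Returns the fetch count after each step and whether the access key rotated.
    """
    clock = ManualClock(datetime(2018, 6, 13, 12, 0, tzinfo=timezone.utc))
    service = FakeMetadataService(clock)
    cache = RoleCredentialCache("netscaler-vpx", service.fetch, clock)  # hypothetical role name
    counts = []
    first = cache.get()
    counts.append(cache.fetch_count)
    clock.advance(timedelta(minutes=30))
    cache.get()
    counts.append(cache.fetch_count)
    clock.advance(timedelta(minutes=26))
    second = cache.get()
    counts.append(cache.fetch_count)
    return counts, first["access_key_id"] != second["access_key_id"]
```

Anything on the instance that can reach the metadata service can read these credentials, so the role's permissions should be no wider than the appliance needs, and the credentials should never be copied into configuration files, which would undo the point of using a role.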
- Support for New Hardware Platforms
The T1120 and T1300-40G platforms with NIC firmware 4.53 are now supported.
Note: The T1300-40G platform with NIC firmware 4.26 is backward compatible.[From Build 47.14][# 593888]
- Support for New Hardware Platforms
The T1120 and T1300-40G platforms with NIC firmware 4.53 are now supported in this release.
Note: The T1300-40G platform with NIC firmware 4.26 is backward compatible.[From Build 41.26][# 593888]
- New Firmware Version for SDX Platforms
NetScaler SDX provides the latest XL710 v5.04 firmware for the following platforms:
* SDX Model: 14xxx 40G
* SDX Model: 25xxx 40G
The XL710 v5.04 firmware includes a tool that automatically upgrades the XL710 firmware from the previous version to v5.04. For more information, see https://support.citrix.com/article/CTX218219.[From Build 50.10][# 620786]
- Support for SR-IOV Interfaces on a NetScaler VPX Appliance in XenServer
You can now configure a NetScaler VPX appliance deployed on XenServer to use SR-IOV network interfaces. For performance information about SR-IOV interfaces on XenServer, see the latest VPX datasheet.[From Build 49.16][# 632408]
- Support for PCI Passthrough Interfaces on a NetScaler VPX Appliance in Linux-KVM
You can now configure a NetScaler VPX instance deployed on Linux-KVM to use PCI passthrough interfaces. For performance information about PCI passthrough interfaces on KVM, see the latest VPX datasheet.[From Build 49.16][# 632416]
- Support for VMXNET3 Interfaces on a NetScaler VPX Appliance in VMware ESX
You can now configure a NetScaler VPX appliance deployed on VMware ESX 6.0 or ESX 5.5 to use VMXNET3 network interfaces. The NetScaler VPX appliance now supports the Intel 82599 10G Network Interface Card (NIC). For performance information about the VMXNET3 interface on ESX, see the latest VPX datasheet. For information on how to configure VMXNET3 interfaces on a NetScaler VPX appliance, see http://docs.citrix.com/en-us/netscaler/11-1/deploying-vpx/install-vpx-on-esx/configure-vmxnet3.html.[From Build 47.14][# 637336]
- Support for SR-IOV Interfaces on a NetScaler VPX Appliance in VMware ESX
You can now configure a NetScaler VPX appliance deployed on VMware ESX 6.0 or ESX 5.5 to use SR-IOV network interfaces. The NetScaler VPX appliance now supports the Intel 82599 10G Network Interface Card (NIC). For performance information about the SR-IOV interface on ESX, see the latest VPX datasheet. For information on how to configure SR-IOV interfaces on a NetScaler VPX appliance, see http://docs.citrix.com/en-us/netscaler/11-1/deploying-vpx/install-vpx-on-esx/configure-sr-iov.html.[From Build 47.14][# 637341]
- Support for SR-IOV Interfaces on a NetScaler VPX Appliance in Linux-KVM
You can now configure a NetScaler VPX appliance deployed on Linux-KVM to use SR-IOV network interfaces. For performance information about the SR-IOV interface on KVM, see the latest VPX datasheet. For information on how to configure SR-IOV interfaces on a NetScaler VPX appliance in Linux-KVM, see http://docs.citrix.com/en-us/netscaler/11-1/deploying-vpx/install-vpx-on-kvm/configure-SR-IOV-KVM.html.[From Build 47.14][# 647418]
- Support for New Hardware Platforms
This release now supports the NetScaler MPX 26000-100G and NetScaler MPX 26000T-100G platforms. For more information, see https://docs.citrix.com/en-us/netscaler-hardware-platforms/mpx/netscaler-hardware-platforms/citrix-netscaler-mpx-26000-100g-26000T-100g.html.[From Build 56.19][# 648922, 653372]
- NetScaler VPX for Telco Operators
A new NetScaler VPX platform, VPX-T, is introduced for Telco operators, to meet their core-network requirements. VPX-T platform licenses are available for different throughput requirements (for example, 100G and 40G). The NetScaler Telco software licensing editions (Basic and Advanced) apply to VPX-T. VPX-T is supported on the following virtualization platforms:
* Citrix XenServer
* VMware ESX
* Linux-KVM
For more information about the platform licenses available for VPX-T, recommended interfaces, performance details, and the features in the different NetScaler Telco software licensing editions, see the VPX-T datasheet.[From Build 51.21][# 656943]
SSL
- Removing the RC4-MD5 Cipher from the Default Cipher List
The RC4-MD5 cipher is removed from the list of default ciphers that are supported on a NetScaler appliance. For the updated list of ciphers supported by the NetScaler appliance, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/supported-ciphers-list-release-11.html.[From Build 47.14][# 258311]
- Providing the Revocation Status of a Server Certificate to a Client
To avoid unnecessary congestion when each client requests the revocation status of a server certificate during an SSL handshake, the NetScaler appliance now supports OCSP stapling. That is, the appliance can now send the revocation status of a server certificate to a client, at the time of the SSL handshake, after validating the certificate status from an OCSP responder. The revocation status of a server certificate is "stapled" to the response the appliance sends to the client as part of the SSL handshake. To use the OCSP stapling feature, you must enable it on an SSL virtual server and add an OCSP responder on the appliance.
Note: NetScaler appliances support OCSP stapling as defined in RFC 6066.
Important: NetScaler support for OCSP stapling is limited to handshakes using TLS protocol version 1.0 or higher. This feature is not supported in a cluster setup.
For more information, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/ssl-11-1-ocsp-stapling-solution.html.[From Build 51.21][# 367538]
- Support for TLS Session Ticket Extension
An SSL handshake is a CPU-intensive operation. If session reuse is enabled, the server/client key exchange operation is skipped for existing clients, which are allowed to resume their sessions. This improves the response time and increases the number of SSL transactions per second that a server can support. However, the server must store details of each session state, which consumes memory and is difficult to share among multiple servers if requests are load balanced across servers. NetScaler appliances now support the SessionTicket TLS extension. Use of this extension indicates that the session details are stored on the client instead of on the server. The client must indicate that it supports this mechanism by including the session ticket TLS extension in the client Hello message. For new clients, this extension is empty. The server sends a new session ticket in the NewSessionTicket handshake message. The session ticket is encrypted with a key known only to the server. If a server cannot issue a new ticket at this time, it completes a regular handshake. To resume a session, the client must include the session ticket in the request. If, for any reason, the server does not honor the ticket, it attempts to initiate a full handshake with the client. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/customize-ssl-config/support-for-tls-session-ticket-extension.html.[From Build 51.21][# 416800, 577122, 648240]
- Support for SafeNet Network HSM
All NetScaler MPX, SDX, and VPX appliances except the MPX 9700/10500/12500/15500 FIPS appliances now support the SafeNet network hardware security module (HSM). A NetScaler ADC used with a SafeNet Network HSM provides FIPS 140-2 Level 2 or FIPS 140-2 Level 3 protection, depending on which SafeNet HSM is used. SafeNet HSM integration with the ADC is supported for TLS versions 1.0, 1.1, and 1.2. For more information about configuring the SafeNet network HSM, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/ssl-support-safenet-hsm.html.[From Build 47.14][# 450699]
- Support for SNI on the Back-End Service
The NetScaler appliance now supports Server Name Indication (SNI) at the back end: the common name is sent as the server name in the client hello to the back-end server so that the handshake can complete. In addition to helping meet federal system integrator customer security requirements, this enhancement lets you use only one port instead of opening hundreds of different IP addresses and ports on a firewall. Those requirements include support for Active Directory Federation Services (ADFS) 3.0 on 2012R2 and WAP servers, which requires SNI support at the back end on a NetScaler appliance.[From Build 41.26][# 471431, 559271, 595785]
- Support for SNI on the Back-End Service
The NetScaler appliance now supports Server Name Indication (SNI) at the back end: the common name is sent as the server name in the client hello to the back-end server so that the handshake can complete. In addition to helping meet federal system integrator customer security requirements, this enhancement lets you use only one port instead of opening hundreds of different IP addresses and ports on a firewall. Those requirements include support for Active Directory Federation Services (ADFS) 3.0 on 2012R2 and WAP servers, which requires SNI support at the back end on a NetScaler appliance. For more information about SNI support on the back-end service, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/config-ssloffloading/support_for_sni_on_backend_service.html.[From Build 47.14][# 471431, 559271, 595785]
- The NetScaler VPX appliance now supports AES-GCM/SHA2 ciphers on the front end.[From Build 41.26][# 498207]
- Support for AES-GCM/SHA2 Ciphers on the Front End of VPX Appliances
The NetScaler VPX appliance now supports AES-GCM/SHA2 ciphers on the front end. For the updated cipher/protocol support matrix, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/cipher_protocl_support_matrix.html.[From Build 47.14][# 498207]
- ECDSA Cipher Suites Support on the Back End of MPX Appliances with N3 Chips
NetScaler MPX appliances with N3 chips now support the elliptic curve digital signature algorithm (ECDSA) cipher group end to end. ECDSA cipher suites use elliptic curve cryptography (ECC). Because of its smaller key size, ECC is particularly helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.
Note: If you add an ECDSA certificate-key pair, only the following curves are supported:
* prime256v1
* secp384r1
The following ciphers are supported with ECDSA:
* ECDHE-ECDSA-AES256-GCM-SHA384
* ECDHE-ECDSA-AES256-SHA384
* ECDHE-ECDSA-AES256-SHA
* ECDHE-ECDSA-AES128-GCM-SHA256
* ECDHE-ECDSA-AES128-SHA256
* ECDHE-ECDSA-AES128-SHA
* ECDHE-ECDSA-RC4-SHA
* ECDHE-ECDSA-DES-CBC3-SHA
For more information about ECDSA cipher suites, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/customize-ssl-config/ecdsa_cipher_suite_support_on_mpx_appliances_with_n3_chips.html.[From Build 47.14][# 519632]
- ECDSA Cipher Suites Support on MPX Appliances with N3 Chips
NetScaler MPX appliances with N3 chips now support the elliptic curve digital signature algorithm (ECDSA) cipher group. The ECDHE_ECDSA key exchange mechanism provides forward secrecy. In ECDHE_ECDSA, the server's certificate must contain an ECDSA-capable public key. For client authentication, an ECDSA CA certificate must be bound to the virtual server. ECDSA cipher suites use elliptic curve cryptography (ECC). Because of its smaller key size, ECC is particularly helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.
Note: If you add an ECDSA certificate-key pair, only the following curves are supported:
* prime256v1
* secp384r1
[From Build 41.26][# 519632]
- Support for Client Certificate Thumbprint
NetScaler appliances now support inserting the thumbprint (also called a fingerprint) of a certificate into the header of a request sent to a back-end server. If client authentication is enabled, the appliance computes the thumbprint of the client certificate and uses an SSL policy action to insert it into the request. The server looks up the thumbprint and grants secure access if there is a match. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/config-ssl-actions-policies/config-ssl-based-hdr-insertion.html.[From Build 51.21][# 537629, 632507]
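The server-side half of the thumbprint item above (look up the inserted value and grant access on a match) is where the security of the scheme actually lives: the header is an assertion made by the appliance after it authenticated the client, so a back end must accept it only from the appliance and never from a client that reached the back end directly. The following is an added example, not NetScaler code and not the appliance's own thumbprint routine, of such a back-end check. A thumbprint is conventionally a hash over the certificate's full DER encoding (SHA-1, increasingly SHA-256); the header name X-Client-Cert-Thumbprint, the SNIP subnet 10.0.5.0/24, and the "certificate" bytes are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress


def thumbprint_from_der(cert_der, algorithm="sha1"):
    """Certificate thumbprint: a hash over the complete DER encoding, as uppercase hex."""
    return hashlib.new(algorithm, cert_der).hexdigest().upper()


def normalize_thumbprint(value):
    """Accept 'AB:CD:..' or 'abcd..' spellings; return uppercase hex, or None if malformed."""
    cleaned = value.strip().replace(":", "").replace(" ", "").upper()
    if len(cleaned) not in (40, 64):           # SHA-1 or SHA-256 digest lengths in hex
        return None
    if any(c not in "0123456789ABCDEF" for c in cleaned):
        return None
    return cleaned


class ThumbprintGate:
    """Back-end authorization decision based on a thumbprint header inserted by the ADC."""

    def __init__(self, header_name, allowed_thumbprints, trusted_proxy_networks):
        self.header_name = header_name.lower()
        self.allowed = {t for t in map(normalize_thumbprint, allowed_thumbprints) if t}
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxy_networks]

    def decide(self, headers, peer_ip):
        """Return (granted, reason) for a request carrying headers from TCP peer peer_ip."""
        # The header is only meaningful if the ADC set it. A request that did not come from
        # the ADC's server-side addresses may carry a forged header, so the source is checked
        # first and the header is ignored otherwise.
        addr = ipaddress.ip_address(peer_ip)
        if not any(addr in net for net in self.trusted):
            return False, "request did not arrive from the ADC; thumbprint header not trusted"
        raw = {k.lower(): v for k, v in headers.items()}.get(self.header_name)
        if raw is None:
            return False, "no thumbprint header; client certificate authentication did not occur"
        thumbprint = normalize_thumbprint(raw)
        if thumbprint is None:
            return False, "malformed thumbprint header"
        # Constant-time comparison so response timing does not reveal how much of a value matched.
        if any(hmac.compare_digest(thumbprint, allowed) for allowed in self.allowed):
            return True, "thumbprint matched allow list"
        return False, "thumbprint not on allow list"


# --- Constructed sample data ---
# Placeholder bytes standing in for a client certificate's DER encoding (not a real certificate);
# the thumbprint logic hashes the bytes and never parses X.509 structure.
SAMPLE_CLIENT_CERT_DER = bytes(range(256)) * 3
SAMPLE_THUMBPRINT = thumbprint_from_der(SAMPLE_CLIENT_CERT_DER)

HEADER = "X-Client-Cert-Thumbprint"           # whatever the SSL action was configured to insert (assumed)
ADC_SNIP_NETWORKS = ["10.0.5.0/24"]           # hypothetical subnet of the ADC's server-side SNIPs

gate = ThumbprintGate(HEADER, [SAMPLE_THUMBPRINT], ADC_SNIP_NETWORKS)


def run_samples():
    """Decisions for: a good request, the colon-separated spelling, an unknown thumbprint,
    and the same good header arriving from a client that bypassed the ADC."""
    colon_form = ":".join(SAMPLE_THUMBPRINT[i:i + 2]
                          for i in range(0, len(SAMPLE_THUMBPRINT), 2)).lower()
    return [
        gate.decide({HEADER: SAMPLE_THUMBPRINT}, "10.0.5.7")[0],
        gate.decide({HEADER.lower(): colon_form}, "10.0.5.7")[0],
        gate.decide({HEADER: "00" * 20}, "10.0.5.7")[0],
        gate.decide({HEADER: SAMPLE_THUMBPRINT}, "192.0.2.10")[0],
    ]
```

In a real deployment the source check is best backed by network controls (the back end reachable only from the ADC's SNIPs, or mutual TLS between ADC and back end) rather than by the address check alone, and the allow list should be keyed on the thumbprint's hash algorithm so a SHA-1 and a SHA-256 value are never confused.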
- Support for ECDHE Ciphers on the NetScaler MPX 9700/10500/12500/15500 FIPS appliances
  Citrix NetScaler MPX 9700/10500/12500/15500 FIPS appliances running firmware version 2.2 now support the ECDHE cipher group on the front end and back end. This group contains the following ciphers:
  - TLS1-ECDHE-RSA-DES-CBC3-SHA 0xc012
  - TLS1-ECDHE-RSA-AES256-SHA 0xc014
  - TLS1.2-ECDHE-RSA-AES-128-SHA256 0xc027
  - TLS1-ECDHE-RSA-AES128-SHA 0xc013
  Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
  The following ECC curves are supported: P_256, P_384, P_224, and P_521. By default, all four curves are bound to an SSL virtual server.
  For the updated cipher/protocol support matrix, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/cipher_protocl_support_matrix.html.
  [From Build 47.14] [# 543536]
- Support for ECDHE Ciphers on the back end on the NetScaler MPX 9700/10500/12500/15500 FIPS appliances
  Citrix NetScaler MPX 9700/10500/12500/15500 FIPS appliances running firmware version 2.2 now support the ECDHE cipher group on the back end. This group contains the following ciphers:
  - TLS1_TXT_ECDHE_RSA_WITH_DES_192_CBC3_SHA 0xc012
  - TLS1_TXT_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xc014
  - TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256 0xc027
  - TLS1_TXT_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xc013
  Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
  The following ECC curves are supported: P_256, P_384, P_224, and P_521. By default, all four curves are bound to an SSL virtual server.
  [From Build 41.26] [# 543536]
- Support for AES-GCM and SHA2 Ciphers at the Front End of MPX/SDX 14000 FIPS Appliances
  The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the front end. The following AES-GCM and SHA2 ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:
  - TLS1.2-AES256-GCM-SHA384
  - TLS1.2-AES128-GCM-SHA256
  - TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
  - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
  - TLS1.2-AES-256-SHA256
  - TLS1.2-AES-128-SHA256
  For more information, see http://docs.citrix.com/en-us/netscaler/12/ssl/cipher_protocl_support_matrix.html.
  [From Build 53.13] [# 579751]
- Support for ECC curves in Service Groups
  You can now bind ECC curves to back-end service groups by using the NetScaler command line. At the command prompt, type:
  bind ssl serviceGroup <serviceGroupName> -eccCurveName <eccCurveName>
  [From Build 47.14] [# 592418]
- Support for New FIPS Platform
  This release supports the MPX 14000 FIPS platform, a high-end platform containing 63 crypto cores, available in the following models (model number: system throughput):
  - MPX 14030 FIPS: 30 Gbps
  - MPX 14060 FIPS: 60 Gbps
  - MPX 14080 FIPS: 80 Gbps
  For more information, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/configuring-mpx-14000-fips-appliance.html.
  [From Build 51.21] [# 592833, 498222, 590397]
- New Counters at the SSL Virtual Server Level and at the Global Level
  Six counters have been added to the output of the "stat ssl vserver" command:
  1. ssl_ctx_tot_enc_bytes: Tracks the number of encrypted bytes.
  2. ssl_ctx_tot_dec_bytes: Tracks the number of decrypted bytes.
  3. ssl_ctx_tot_hw_enc_bytes: Tracks the number of hardware encrypted bytes.
  4. ssl_ctx_tot_hw_dec_bytes: Tracks the number of hardware decrypted bytes.
  5. ssl_ctx_tot_session_new: Tracks the number of new sessions created.
  6. ssl_ctx_tot_session_hits: Tracks the number of session hits.
  Five counters have been added to the output of the "stat ssl -detail" command:
  1. ssl_tot_sslServerInRecords: Tracks the number of SSL records processed by the appliance.
  2. ssl_cur_sslInfo_SPCBInUseCount: Tracks the number of SSL protocol control blocks (SPCBs) in use at any given point.
  3. ssl_cur_session_inuse: Tracks the number of active SSL sessions.
  4. ssl_cur_sslInfo_cardinBlkQ: Tracks the number of bulk encryption and decryption operations pending for the card.
  5. ssl_cur_sslInfo_cardinKeyQ: Tracks the number of handshake-related operations pending for the card.
  [From Build 47.14] [# 597279, 582601]
- Support for New SDX FIPS Platform
  This release supports the SDX 14000 FIPS platform, a high-end platform containing 63 crypto cores, available in the following models (model number: system throughput):
  - SDX 14030 FIPS: 30 Gbps
  - SDX 14060 FIPS: 60 Gbps
  - SDX 14080 FIPS: 80 Gbps
  For more information, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/configuring-SDX-14030-14060-14080-fips-appliance.html.
  [From Build 52.13] [# 597890]
- Support to create a Certificate Signing Request signed with the SHA256 Digest Algorithm
  The NetScaler appliance supports creating a CSR signed with the SHA256 digest algorithm. SHA256 is a stronger digest algorithm than SHA1.
  For more information about creating a CSR signed with the SHA256 digest algorithm, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/manage-certs/obtain-cert-frm-cert-auth.html.
  [From Build 47.14] [# 606874, 595902]
- Support for TLS1.2 signature hash algorithm
  The NetScaler appliance is now fully compliant with the TLS1.2 signature hash (sighash) extension. On an SDX appliance, if an SSL chip is assigned to a VPX instance, the cipher support of an MPX appliance applies. Otherwise, the normal cipher support of a VPX instance applies. NetScaler platforms support sighash combinations as follows:
  - On a VPX instance: RSA-MD5, RSA-SHA1, RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512, DSA-SHA1, DSA-SHA224, DSA-SHA256, DSA-SHA384, DSA-SHA512.
  - On an MPX/SDX appliance with N3 chips: RSA-MD5, RSA-SHA1, RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512, ECDSA-SHA1, ECDSA-SHA224, ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512.
  - On an MPX/SDX appliance without N3 chips: RSA-MD5, RSA-SHA1, RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512.
  Previously, the appliance supported only RSA-SHA1 and RSA-SHA256 on the front end, and RSA-MD5, RSA-SHA1, and RSA-SHA256 on the back end. In addition, the VPX appliance supported DSA-SHA1 on the front end and back end.
  With this enhancement, a NetScaler appliance can send SHA-384 and SHA-512 signature_algorithm extensions in the back-end Client Hello message. As a result, Windows IIS servers no longer reset the connection when a SHA-384 or SHA-512 certificate is used.
  [From Build 54.16] [# 606904, 665257]
- Support for AES-GCM/SHA2 ciphers on the back end of MPX appliances
  The NetScaler MPX appliance now supports AES-GCM/SHA2 ciphers on the back end. For the updated cipher/protocol support matrix, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/cipher_protocl_support_matrix.html.
  [From Build 47.14] [# 611979]
- ECDSA Cipher Suites Support on SDX Appliances with N3 Chips
  NetScaler SDX appliances with N3 chips now support the elliptic curve digital signature algorithm (ECDSA) cipher group end to end. In ECDHE_ECDSA, the server's certificate must contain an ECDSA-capable public key. For client authentication, an ECDSA CA certificate must be bound to the virtual server. To support ECDSA cipher suites on a NetScaler SDX appliance, an SSL core must be assigned to the VPX instance.
  ECDSA cipher suites use elliptic curve cryptography (ECC). Because of its smaller key size, ECC is particularly helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.
  Note: If you add an ECDSA certificate-key pair, only the following curves are supported:
  - prime256v1
  - secp384r1
  The following ciphers are supported with ECDSA:
  - ECDHE-ECDSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-AES256-SHA384
  - ECDHE-ECDSA-AES256-SHA
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES128-SHA256
  - ECDHE-ECDSA-AES128-SHA
  - ECDHE-ECDSA-RC4-SHA
  - ECDHE-ECDSA-DES-CBC3-SHA
  For more information, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/customize-ssl-config/ecdsa_cipher_suite_support_on_mpx_appliances_with_n3_chips.html.
  [From Build 51.21] [# 620716]
- Segregation of Certificates According to Type
  To facilitate certificate selection, certificates are now segregated according to type, such as server certificate, client certificate, and CA certificate. To view the certificates in the GUI, navigate to Traffic Management > SSL > Certificates. To view the certificates in the CLI, type "show ssl certkey".
  [From Build 47.14] [# 620923, 623890]
- ECDSA Cipher Suites Support on the Back End of MPX Appliances with N3 Chips
  NetScaler MPX appliances with N3 chips now support the elliptic curve digital signature algorithm (ECDSA) cipher group end to end. ECDSA cipher suites use elliptic curve cryptography (ECC). Because of its smaller key size, ECC is particularly helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.
  Note: If you add an ECDSA certificate-key pair, only the following curves are supported:
  - prime256v1
  - secp384r1
  The following ciphers are supported with ECDSA:
  - ECDHE-ECDSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-AES256-SHA384
  - ECDHE-ECDSA-AES256-SHA
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - ECDHE-ECDSA-AES128-SHA256
  - ECDHE-ECDSA-AES128-SHA
  - ECDHE-ECDSA-RC4-SHA
  - ECDHE-ECDSA-DES-CBC3-SHA
  For more information, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/customize-ssl-config/ecdsa_cipher_suite_support_on_mpx_appliances_with_n3_chips.html.
  [From Build 51.21] [# 636122]
- Optimizing ECDHE Computation
  ECDHE-RSA computation has been optimized by using a combination of software and hardware offload capabilities. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/customize-ssl-config/ssl-hybrid-ecdhe-optimization.html.
  [From Build 50.10] [# 643480]
- Support for ECDHE Ciphers at the Front End and Back End on NetScaler MPX/SDX 14000 FIPS Appliances
  Citrix NetScaler MPX/SDX 14000 FIPS appliances now support the ECDHE cipher group. The following ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:
  - TLS1-ECDHE-RSA-AES256-SHA
  - TLS1-ECDHE-RSA-AES128-SHA
  - TLS1.2-ECDHE-RSA-AES-256-SHA384
  - TLS1.2-ECDHE-RSA-AES-128-SHA256
  - TLS1-ECDHE-RSA-DES-CBC3-SHA
  The following ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:
  - TLS1-ECDHE-RSA-AES256-SHA
  - TLS1-ECDHE-RSA-AES128-SHA
  - TLS1.2-ECDHE-RSA-AES-128-SHA256
  - TLS1-ECDHE-RSA-DES-CBC3-SHA
  Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment. It is also very useful in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
  The following ECC curves are supported: P_256, P_384, P_224, and P_521. By default, all four curves are bound to an SSL virtual server.
  For more information, see http://docs.citrix.com/en-us/netscaler/12/ssl/cipher_protocl_support_matrix.html.
  [From Build 53.13] [# 651524]
- Support for SHA384 and SHA512 signed certificates on the back end of a NetScaler appliance
  All SHA-2 signed certificates (SHA384, SHA512) are now supported on the back end of all appliances. Earlier, only SHA256-signed certificates were supported.
  [From Build 54.16] [# 651813, 681095, 683236, 683438]
- Support for a Hybrid FIPS Mode on the MPX/SDX 14000 FIPS Platform
  The new MPX/SDX 14000 FIPS platform contains one primary card and one or more secondary cards. If you enable the hybrid FIPS mode, the pre-master secret decryption commands are run on the primary card, because the private key is stored on this card, but the bulk encryption and decryption is offloaded to a secondary card. This significantly increases the bulk encryption throughput on an MPX/SDX 14000 FIPS platform as compared to non-hybrid FIPS mode and the existing MPX 9700/10500/12500/15000 FIPS platform. Enabling the hybrid FIPS mode also increases the SSL transactions per second on this platform.
  [From Build 53.13] [# 651814]
- Send Certificates to Back-End Servers as Strings, without Spaces
  A CLI command has been added to send a certificate to a back-end server as a string without any spaces, instead of in its original format (with spaces). Previously, you had to use an nsapimgr option to do this. At the NetScaler CLI, type:
  set ssl parameter -insertCertSpace ( YES | NO )
  [From Build 52.13] [# 661342]
- Cluster Support for SSL Profiles
  The default SSL profiles are now supported in a cluster setup. For information about SSL profiles, see http://docs.citrix.com/en-us/netscaler/11-1/ssl/ssl-profiles1.html.
  [From Build 54.16] [# 668625, 664706, 664726, 667119]
- Secure Implementation of Session Tickets
  You can now secure session tickets by using a symmetric key to encrypt them. Additionally, to achieve forward secrecy, you can specify a time interval at which the session-ticket key is refreshed. Session-ticket keys can be generated by the appliance, or you can manually enter session-ticket key data. Entering this data manually is helpful in HA or cluster deployments so that the appliances can decrypt each other's session tickets.
  [From Build 54.16] [# 669514]
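How encrypted session tickets with a refresh interval hold together, as an added example written for this page rather than Citrix's implementation: tickets are sealed with AES-256-GCM under a key ring that keeps the current key and the previous one, rotates once the interval has elapsed, and discards anything older, so a key compromised later cannot open tickets sealed more than two intervals ago (this is the forward-secrecy property the feature description refers to). The ticket layout (key ID, nonce, ciphertext), the two-generation ring and the injectable clock are assumptions of the example; SetKeyMaterial models the manual key-data case, where HA or cluster nodes load the same bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Ticket layout (assumed for this example): keyID(4) || nonce(12) || AES-256-GCM ciphertext+tag.
const keyIDLen, nonceLen = 4, 12

type ticketKey struct {
	id      uint32
	created time.Time
	aead    cipher.AEAD
}

// KeyRing holds the current key at index 0 and the previous key at index 1, so
// tickets issued just before a rotation still resume. Older keys are dropped.
type KeyRing struct {
	interval time.Duration
	now      func() time.Time // injectable clock so rotation can be exercised offline
	nextID   uint32
	keys     []*ticketKey
}

func NewKeyRing(interval time.Duration, now func() time.Time) (*KeyRing, error) {
	kr := &KeyRing{interval: interval, now: now}
	return kr, kr.Rotate()
}

// Rotate installs a fresh random 256-bit key (the appliance-generated case).
func (kr *KeyRing) Rotate() error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	return kr.SetKeyMaterial(raw)
}

// SetKeyMaterial installs caller-supplied key bytes (the manually entered case):
// peers that load the same material and reach the same key ID open each other's tickets.
func (kr *KeyRing) SetKeyMaterial(raw []byte) error {
	block, err := aes.NewCipher(raw)
	if err != nil {
		return err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	kr.nextID++
	kr.keys = append([]*ticketKey{{id: kr.nextID, created: kr.now(), aead: aead}}, kr.keys...)
	if len(kr.keys) > 2 {
		kr.keys = kr.keys[:2] // anything older than the previous generation is gone for good
	}
	return nil
}

func (kr *KeyRing) rotateIfDue() error {
	if kr.now().Sub(kr.keys[0].created) >= kr.interval {
		return kr.Rotate()
	}
	return nil
}

// Issue seals resumption state under the current key; the key ID is bound as
// additional authenticated data so it cannot be swapped without detection.
func (kr *KeyRing) Issue(state []byte) ([]byte, error) {
	if err := kr.rotateIfDue(); err != nil {
		return nil, err
	}
	k := kr.keys[0]
	hdr := make([]byte, keyIDLen+nonceLen)
	binary.BigEndian.PutUint32(hdr, k.id)
	if _, err := rand.Read(hdr[keyIDLen:]); err != nil {
		return nil, err
	}
	return k.aead.Seal(hdr, hdr[keyIDLen:], state, hdr[:keyIDLen]), nil
}

// Open recovers the state if the ticket's key is still in the ring and the tag verifies.
func (kr *KeyRing) Open(ticket []byte) ([]byte, error) {
	if err := kr.rotateIfDue(); err != nil {
		return nil, err
	}
	if len(ticket) < keyIDLen+nonceLen {
		return nil, errors.New("ticket too short")
	}
	id := binary.BigEndian.Uint32(ticket)
	for _, k := range kr.keys {
		if k.id == id {
			return k.aead.Open(nil, ticket[keyIDLen:keyIDLen+nonceLen], ticket[keyIDLen+nonceLen:], ticket[:keyIDLen])
		}
	}
	return nil, errors.New("ticket key no longer held; client must do a full handshake")
}

func main() {
	clock := time.Unix(0, 0)
	kr, _ := NewKeyRing(time.Hour, func() time.Time { return clock })
	ticket, _ := kr.Issue([]byte("constructed resumption state"))
	clock = clock.Add(time.Hour) // first rotation: previous key still held
	_, err := kr.Open(ticket)
	fmt.Println("after one rotation:", err)
	clock = clock.Add(2 * time.Hour) // second rotation: that key is dropped
	_, err = kr.Open(ticket)
	fmt.Println("after two rotations:", err)
}
```

Rotation happens lazily on the next Issue or Open after the interval elapses, which is enough for a single process; a pair of nodes using manual key material must rotate on the same schedule or the second node will keep a key the first has already dropped.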
- A new category of SSL certificates
  A new category of SSL certificates, called Unknown Certificates, is added to the NetScaler GUI. This category is for certificates that do not meet the conditions for end-user certificates (both server and client), CA certificates, and intermediate CA certificates. To view these certificates, navigate to Traffic Management > SSL > Certificates > Unknown Certificates.
  [From Build 56.19] [# 673219]
- Support for Safenet Client Library version 6.2.x
  The NetScaler appliance now supports Safenet Client Library version 6.2.x.
  [From Build 54.16] [# 679568, 678980]
- Support for OCSP Stapling in a cluster setup
  OCSP stapling is now supported in a cluster setup. OCSP stapling is used to provide the revocation status of a server certificate to a client during an SSL handshake.
  [From Build 54.16] [# 688057]
- Support for FIPS 140-2 Level-3 on MPX/SDX 14000 FIPS Platforms
  This release adds support for FIPS 140-2 Level 3 on the MPX 14000 FIPS and SDX 14000 FIPS platforms. The "set fips" command accepts only the "Level-2" option, but internally Level-2 is converted to Level-3.
  For more information, see https://docs.citrix.com/en-us/netscaler/11-1/ssl/configuring-mpx-14000-fips-appliance.html and https://docs.citrix.com/en-us/netscaler/11-1/ssl/configuring-sdx-14030-14060-14080-fips-appliance.html.
  [From Build 56.19] [# 694386]
Security
- Configuring DNS Security Options from the Add DNS Security Profile Page in the NetScaler GUI
  You can now configure the DNS security options from the Add DNS Security Profile page in the NetScaler GUI. This page provides a user-friendly graphical user interface for configuring DNS security settings. The Cache Poisoning Protection option is always enabled. The other security options can be applied to all DNS endpoints or to specific DNS virtual server(s) in your deployment. Two of the security options, Bypass the Cache and Provide root details in the DNS response, can be applied to all DNS endpoints. The following security options can be applied either to all DNS endpoints or to specific DNS virtual servers:
  - DNS DDoS protection
  - Manage exceptions - whitelist/blacklist servers
  - Prevent random subdomain attacks
  - Enforce DNS transactions over TCP
  For more information, see http://docs.citrix.com/en-us/netscaler/11-1/security/dis-security-options.html.
  [From Build 51.21] [# 617479]
System
- Specifying a domain name for a logging server
  When configuring an auditlog action, you can specify the domain name of a syslog or nslog server instead of its IP address. Then, if the server's IP address changes, you do not have to change it on the NetScaler appliance.
  [From Build 49.16] [# 314438]
- Option to Allocate an Extra Management CPU
  According to your requirement, you can now allocate an extra management CPU from the packet engine pool in the NetScaler MPX appliance, and achieve better performance when configuring and monitoring the appliance. This feature is supported in NetScaler MPX models 25xxx, 22xxx, 14xxx, 115xx, 15xxx, and 26xxx. For more information, see https://docs.citrix.com/en-us/netscaler/12/system/basic-operations/allocate-extra-management-CPU.html.
  [From Build 56.19] [# 352233, 235321, 559207, 604165, 615657]
- TCP Fast Open (TFO) is a TCP mechanism that enables speedy and safe data exchange between a client and a server during TCP's initial handshake. This feature is available as a TCP option in the TCP profile bound to a virtual server of a NetScaler appliance. TFO uses a TCP Fast Open Cookie (a security cookie) that the NetScaler appliance generates to validate and authenticate the client initiating a TFO connection to the virtual server. By using the TFO mechanism, you can reduce an application's network latency and the delay experienced in short TCP transfers.
  [From Build 41.26] [# 358990]
- TCP Fast Open Mechanism
  TCP Fast Open (TFO) is a TCP mechanism that enables speedy and safe data exchange between a client and a server during TCP's initial handshake. This feature is available as a TCP option in the TCP profile bound to a virtual server of a NetScaler appliance. TFO uses a TCP Fast Open Cookie (a cryptographic cookie) that the NetScaler appliance generates to validate the client initiating a TFO connection to the virtual server. By using the TFO mechanism, you can reduce an application's network latency and the delay experienced in short TCP transfers.
  [From Build 47.14] [# 358990]
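What the TFO cookie actually proves, as an added example that is not NetScaler code: the server derives the cookie from a secret it alone holds and the client's source address, hands it out on a normal handshake, and later accepts data in a SYN only if the cookie matches that address again. A client that could not receive the original reply (because it was not at that address) holds no valid cookie, which is what lets the server accept SYN data without amplifying traffic toward spoofed addresses. The HMAC-SHA256 derivation truncated to 8 bytes, the two-secret ring and the rotation step are assumptions of this example (RFC 7413 leaves the construction to the server); the addresses are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/netip"
)

const cookieLen = 8 // RFC 7413 allows 4..16 bytes; 8 is a common choice

// CookieServer derives per-client cookies from a server secret. The previous
// secret is kept through one rotation so clients with a recent cookie are not
// pushed back to a full handshake the moment the secret changes.
type CookieServer struct {
	current, previous []byte
}

func NewCookieServer() (*CookieServer, error) {
	s := &CookieServer{}
	return s, s.Rotate()
}

// Rotate installs a fresh 256-bit secret and demotes the current one.
func (s *CookieServer) Rotate() error {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return err
	}
	s.previous, s.current = s.current, secret
	return nil
}

// derive binds the cookie to the client's address: the same address always
// yields the same cookie under a given secret, any other address does not.
func derive(secret []byte, client netip.Addr) []byte {
	mac := hmac.New(sha256.New, secret)
	a := client.As16() // IPv4 is mapped into the 16-byte form, so both families work
	mac.Write(a[:])
	return mac.Sum(nil)[:cookieLen]
}

// Generate is what the server sends in the SYN-ACK of a regular handshake.
func (s *CookieServer) Generate(client netip.Addr) []byte {
	return derive(s.current, client)
}

// Validate is the check on a SYN carrying a cookie and data: accept only when
// the cookie matches this source address under the current or previous secret.
func (s *CookieServer) Validate(client netip.Addr, cookie []byte) bool {
	if len(cookie) != cookieLen {
		return false
	}
	if subtle.ConstantTimeCompare(cookie, derive(s.current, client)) == 1 {
		return true
	}
	return s.previous != nil && subtle.ConstantTimeCompare(cookie, derive(s.previous, client)) == 1
}

func main() {
	srv, _ := NewCookieServer()
	client := netip.MustParseAddr("198.51.100.10") // constructed client address
	c := srv.Generate(client)
	fmt.Println("same address:", srv.Validate(client, c))
	fmt.Println("other address:", srv.Validate(netip.MustParseAddr("198.51.100.11"), c))
}
```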
- Proportional Rate Recovery Algorithm
  The Proportional Rate Recovery (PRR) algorithm is a fast recovery algorithm that evaluates TCP data during a loss recovery. It is patterned after Rate-Halving, using the fraction that is appropriate for the target window chosen by the congestion control algorithm. It minimizes window adjustment, so that the actual window size at the end of recovery is close to the Slow-Start threshold (ssthresh).
  [From Build 47.14] [# 473777]
- Policy Infrastructure (PI) for Auditlog Framework
  Audit log actions now support advanced policies and expressions. Advanced policy expressions are very powerful and support a wide range of use cases. Previously, the audit module supported only classic policies. You can now bind advanced audit-log policies to the syslog and nslog global entities.
  [From Build 49.16] [# 522692, 607221]
- RDX Error Management
  In the NetScaler GUI, if you skip a mandatory field or make an invalid entry, an error message appears beside the field or in the page header, depending on the type of error, and remains until you enter a valid value. For example, on the Add Virtual Server page, if you enter an invalid server IP address or port number, an error message appears beside the IP Address or Port field, and you cannot submit the page until you correct the error.
  [From Build 47.14] [# 552575]
- Configuring SNMP Audit Log Levels
  After you enable the SNMP trap logging option, a NetScaler appliance on which at least one trap listener is configured can log SNMP trap messages (for SNMP alarms in which logging capability is enabled). Now, you can specify the audit log level of trap messages sent to an external log server. The default log level is Informational. Possible values are Emergency, Alert, Critical, Error, Warning, Debug, and Notice. For example, you can set the audit log level to Critical for an SNMP trap message generated by a logon failure. That information is then available on the NSLOG or SYSLOG server for troubleshooting.
  [From Build 47.14] [# 569317]
- MAC Address is tied to the IP Address in case of an IP Conflict
  An SNMP trap that is sent as a result of an IP address conflict now contains the MAC address of the device. You can therefore identify the device by its MAC address. Previously, identifying the device was not possible, because the conflict lasts for only a short time.
  [From Build 47.14] [# 570372, 524621]
- You can now enable auto-bootstrapping on a NetScaler VPX or NetScaler 1000v instance running on Hyper-V, by attaching a DVD ROM with an appropriate ISO file to the instance before booting it up.
  [From Build 47.14] [# 578451]
- Bridge Group Support for Cluster
  Bridge Group functionality is now supported on a Layer 3 NetScaler cluster.
  [From Build 47.14] [# 587548]
- A new slow-start algorithm, Hybrid Start (Hystart), is configured as a TCP option in the relevant TCP profile bound to a virtual server. This algorithm dynamically determines a safe point (ssthresh) at which to exit slow start and transition to congestion avoidance, avoiding heavy packet losses. This option is disabled by default.
  [From Build 41.26] [# 603099]
- TCP Hystart Algorithm
  A new slow-start algorithm, Hybrid Start (Hystart), is configured as a TCP option in the relevant TCP profile bound to a virtual server. This algorithm dynamically determines a safe point (ssthresh) at which to exit slow start and transition to congestion avoidance, avoiding heavy packet losses. This option is disabled by default.
  [From Build 47.14] [# 603099]
- The "start nstrace" command has a new parameter, -capsslkeys, with which you can capture the SSL master keys for all SSL sessions. If the capsslkeys option is enabled, a file named nstrace.sslkeys is generated along with the packet trace and can be imported into Wireshark to decrypt the SSL traffic in the trace file.
  [From Build 41.26] [# 603225]
- Capturing SSL Keys during NetScaler Trace
  The "start nstrace" command has a new parameter, -capsslkeys, with which you can capture the SSL master keys for all SSL sessions. If the capsslkeys option is enabled, a file named nstrace.sslkeys is generated along with the packet trace and can be imported into Wireshark to decrypt the SSL traffic in the trace file.
  [From Build 47.14] [# 603225]
- In a NetScaler appliance, if the Ring Receive buffer is full, the appliance starts to discard data packets at the Network Interface Card (NIC). As a result, the appliance drops packets, leading to a probe failure.
  [From Build 49.16] [# 623977, 649735]
- Warning about an Unsaved NetScaler Configuration
  The NetScaler GUI displays a Save icon with a red dot when a running configuration is not saved. An unsaved configuration could be lost if a power outage or restart occurs. To save the configuration(s), click the Save icon and then click Yes at the configuration prompt. When you return to the main screen by clicking OK, the icon is white.
  Note: In some cases, the red dot might appear even though there is no unsaved configuration. In that case, if you click the Save icon, the following message appears: "The running configuration has not changed."
  [From Build 47.14] [# 626225]
- TCP Burst Rate Control
  A NetScaler appliance now uses a technique called "TCP Burst Rate Control" for burst management in a high speed mobile network. This technique evenly spaces the flow of data into the network, avoiding bursts by waiting for a period of time before sending the next group of packets. By using this technique, you can achieve better throughput and lower packet drop rates. This feature is available as a TCP option in the TCP profile bound to a virtual server on a NetScaler appliance.
  [From Build 49.16] [# 628114]
- Dynamic TCP Buffer Management
  When you enable the Dynamic Receive Buffer option in a TCP profile, the NetScaler appliance can dynamically adjust the TCP receive buffer size for optimized memory usage based on the congestion window.
  [From Build 47.14] [# 628115]
- New Hardware-Script Option Removes Media Errors
  In a hardware script, the new -d option extracts CF, SSD, and HDD media errors from the log files:
  ns_hw_err.bash -d
  [From Build 52.13] [# 628137]
- Proactive Support for Hardware Errors
  The Citrix Call Home service automatically generates a support case and uploads the system data to the Technical Support server if a critical hardware error, such as failure of a hard disk drive (HDD), Compact Flash (CF) device, SSL card, or power supply unit (PSU), occurs in a NetScaler appliance on which the Call Home feature is enabled.
  [From Build 47.14] [# 639336, 599891]
- The TCP timestamp is now an interoperable parameter for TCP and Multipath TCP (MPTCP) data transmission.
  [From Build 50.10] [# 646496]
- Displaying MPTCP Statistics
  The new "stat mptcp" command displays statistical information about MPTCP counters, including counters for total MPTCP traffic, current traffic, and erroneous traffic flowing through the NetScaler appliance.
  [From Build 54.16] [# 646498, 350115]
- By default, a NetScaler appliance ignores the non-standard and obsolete "Proxy-Connection" HTTP header. To change this behavior, use the nsapimgr command to set the proxyConnection parameter to 1. This setting prioritizes the Proxy-Connection header over the Connection header. For example:
  nsapimgr -ys proxyconnection=1
  [From Build 51.21] [# 654560]
- Half-closed or established TCP connections between clients and a NetScaler appliance that are cleaned up by the NetScaler zombie process can now be dropped silently, that is, without sending RST packets to the clients. To configure this feature, run the following commands at the NetScaler shell prompt:
  - nsapimgr_wr.sh -ys tcp_hc_zombie_silent_drop=1
  - nsapimgr_wr.sh -ys tcp_est_zombie_silent_drop=1
  [From Build 50.10] [# 656135]
- Changes in NetScaler Telco Software Licensing Editions
  The software licensing editions for NetScaler Telco platforms (NetScaler T1000 series and NetScaler VPX-T) have changed as follows:
  Basic edition
  * Features added: Content Filtering
  * Features removed: None
  Advanced edition
  * Features added: AAA, Content Optimization, Appflow for ICA, RDP Proxy, RISE, and Internet On Hold (IOH)
  * Features removed: None
  [From Build 51.21] [# 656361]
Telco
- Port Control Protocol for Large Scale NAT
  NetScaler appliances now support Port Control Protocol (PCP) for large scale NAT (LSN). Many of an ISP's subscriber applications must be accessible from the Internet (for example, Internet of Things (IoT) devices, such as an IP camera that provides surveillance over the Internet). One way to meet this requirement is to create static large scale NAT (LSN) maps. But for a very large number of subscribers, creating static LSN NAT maps is not a feasible solution.
  Port Control Protocol (PCP) enables a subscriber to request specific LSN NAT mappings for itself and/or for other third-party devices. The large scale NAT device creates an LSN map and sends it to the subscriber. The subscriber sends the remote devices on the Internet the NAT IP address:NAT port at which they can connect to the subscriber.
  Applications usually send frequent keep-alive messages to the large scale NAT device so that their LSN mappings do not time out. PCP helps reduce the frequency of such keep-alive messages by enabling the applications to learn the timeout settings of the LSN mappings. This helps reduce bandwidth consumption on the ISP's access network and battery consumption on mobile devices.
  PCP is a client-server model and runs over the UDP transport protocol. A NetScaler appliance implements the PCP server component and is compliant with RFC 6887. Port Control Protocol is supported for NAT44, DS-Lite, and NAT64 on the NetScaler appliance. For more information, see:
  - http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-introduction/port-control-protocol-large-scale-NAT.html
  - http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/dual-stack-lite/port-control-protocol-DS-Lite.html
  - http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-nat-64/port-control-protocol-largescale-nat64.html
  [From Build 47.14] [# 496807]
- Port Control Protocol for Large Scale NAT
  NetScaler appliances now support Port Control Protocol (PCP) for large scale NAT (LSN). Many of an ISP's subscriber applications must be accessible from the Internet (for example, Internet of Things (IoT) devices, such as an IP camera that provides surveillance over the Internet). One way to meet this requirement is to create static large scale NAT (LSN) maps. But for a very large number of subscribers, creating static LSN NAT maps is not a feasible solution.
  Port Control Protocol (PCP) enables a subscriber to request specific LSN NAT mappings for itself and/or for other third-party devices. The large scale NAT device creates an LSN map and sends it to the subscriber. The subscriber sends the remote devices on the Internet the NAT IP address:NAT port at which they can connect to the subscriber.
  Applications usually send frequent keep-alive messages to the large scale NAT device so that their LSN mappings do not time out. PCP helps reduce the frequency of such keep-alive messages by enabling the applications to learn the timeout settings of the LSN mappings. This helps reduce bandwidth consumption on the ISP's access network and battery consumption on mobile devices.
  PCP is a client-server model and runs over the UDP transport protocol. A NetScaler appliance implements the PCP server component and is compliant with RFC 6887. Port Control Protocol is supported for NAT44, DS-Lite, and NAT64 on the NetScaler appliance.
  [From Build 41.26] [# 496807]
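One PCP MAP exchange from both sides, as an added example that is written for this page and is not the appliance's PCP server: the client builds a MAP request (RFC 6887 common header plus MAP opcode), the server validates the wire format, applies the anti-spoofing rule from the RFC (without a THIRD_PARTY option, the client address carried in the header must equal the packet's source address, else ADDRESS_MISMATCH), caps the requested lifetime so the client learns the real timeout from the response, and returns the assigned external address and port. The 86400-second lifetime cap, the Allocator callback standing in for the LSN pool, the fixed nonce and the 24-byte error reply are assumptions of the example; options and the other opcodes are not handled.

```go
package main

import (
	"encoding/binary"
	"net/netip"
)

// PCP constants from RFC 6887: version 2, MAP opcode, selected result codes.
const (
	pcpVersion     = 2
	opMap          = 1
	hdrLen, mapLen = 24, 36
	maxLifetime    = 86400 // assumed server policy: cap on the requested lifetime
	rcSuccess      = 0
	rcUnsuppVer    = 1
	rcMalformed    = 3
	rcUnsuppOp     = 4
	rcNoResources  = 8
	rcAddrMismatch = 12
)

// MapRequest is a decoded request header plus MAP opcode data (suggested
// external address/port are parsed but not honored by this server).
type MapRequest struct {
	Lifetime      uint32
	ClientIP      netip.Addr
	Nonce         [12]byte
	Protocol      uint8
	InternalPort  uint16
	SuggestedPort uint16
	SuggestedIP   netip.Addr
}

func addrFrom(b []byte) netip.Addr {
	var a [16]byte
	copy(a[:], b)
	return netip.AddrFrom16(a).Unmap() // IPv4 travels on the wire as ::ffff:a.b.c.d
}

// ParseMapRequest validates the wire format and returns a PCP result code.
func ParseMapRequest(pkt []byte) (*MapRequest, int) {
	switch {
	case len(pkt) < hdrLen || len(pkt)%4 != 0 || len(pkt) > 1100:
		return nil, rcMalformed
	case pkt[0] != pcpVersion:
		return nil, rcUnsuppVer
	case pkt[1]&0x80 != 0: // R bit set means this is a response, not a request
		return nil, rcMalformed
	case pkt[1]&0x7f != opMap:
		return nil, rcUnsuppOp
	case len(pkt) < hdrLen+mapLen:
		return nil, rcMalformed
	}
	m := pkt[hdrLen:]
	r := &MapRequest{
		Lifetime:      binary.BigEndian.Uint32(pkt[4:8]),
		ClientIP:      addrFrom(pkt[8:24]),
		Protocol:      m[12],
		InternalPort:  binary.BigEndian.Uint16(m[16:18]),
		SuggestedPort: binary.BigEndian.Uint16(m[18:20]),
		SuggestedIP:   addrFrom(m[20:36]),
	}
	copy(r.Nonce[:], m[0:12])
	return r, rcSuccess
}

// Allocator stands in for the LSN pool: external address and port for a mapping.
type Allocator func(internal netip.Addr, proto uint8, internalPort uint16) (netip.Addr, uint16, bool)

// HandleMap is the server side of one MAP exchange; src is the UDP source address.
func HandleMap(pkt []byte, src netip.Addr, epoch uint32, alloc Allocator) []byte {
	req, rc := ParseMapRequest(pkt)
	if rc == rcSuccess && req.ClientIP != src.Unmap() {
		rc = rcAddrMismatch // header address must match the packet source (no THIRD_PARTY here)
	}
	if rc != rcSuccess {
		return errorResponse(pkt, rc)
	}
	extIP, extPort, ok := alloc(req.ClientIP, req.Protocol, req.InternalPort)
	if !ok {
		return errorResponse(pkt, rcNoResources)
	}
	lifetime := req.Lifetime
	if lifetime > maxLifetime {
		lifetime = maxLifetime
	}
	resp := make([]byte, hdrLen+mapLen)
	resp[0], resp[1], resp[3] = pcpVersion, 0x80|opMap, rcSuccess
	binary.BigEndian.PutUint32(resp[4:8], lifetime)
	binary.BigEndian.PutUint32(resp[8:12], epoch)
	m := resp[hdrLen:]
	copy(m[0:12], req.Nonce[:])
	m[12] = req.Protocol
	binary.BigEndian.PutUint16(m[16:18], req.InternalPort)
	binary.BigEndian.PutUint16(m[18:20], extPort)
	ext := extIP.As16()
	copy(m[20:36], ext[:])
	return resp
}

// errorResponse is a minimal 24-byte reply: opcode echoed, result code set, lifetime 0.
func errorResponse(pkt []byte, rc int) []byte {
	resp := make([]byte, hdrLen)
	resp[0], resp[3] = pcpVersion, byte(rc)
	if len(pkt) > 1 {
		resp[1] = 0x80 | pkt[1]&0x7f
	}
	return resp
}

// BuildMapRequest is the client side: a MAP request with no external-port preference.
func BuildMapRequest(client netip.Addr, lifetime uint32, proto uint8, internalPort uint16) []byte {
	pkt := make([]byte, hdrLen+mapLen)
	pkt[0], pkt[1] = pcpVersion, opMap
	binary.BigEndian.PutUint32(pkt[4:8], lifetime)
	c := client.As16()
	copy(pkt[8:24], c[:])
	m := pkt[hdrLen:]
	copy(m[0:12], []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12}) // constructed nonce; real clients use random bytes
	m[12] = proto
	binary.BigEndian.PutUint16(m[16:18], internalPort)
	return pkt
}
```

Offsets in the response follow the RFC layout: the external port sits at bytes 42..43 and the external address at bytes 44..59, which is where a client reads the "NAT IP address:NAT port" it then advertises to its peers.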
- Compact Logging for Large Scale NAT
  Logging LSN information is one of the important functions needed by ISPs to meet legal requirements and be able to identify the source of traffic at any given time. This eventually results in a huge volume of log data, requiring the ISPs to make large investments to maintain the logging infrastructure.
  Compact logging is a technique for reducing the log size by using a notational change involving short codes for event and protocol names. For example, C for client, SC for session created, and T for TCP. Compact logging results in an average 40 percent reduction in log size. Compact logging is supported for NAT44, DS-Lite, and NAT64. For more information, see:
  - http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-nat-64/log-monitor-largescale-nat64.html
  - http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/dual-stack-lite/logging-monitoring-DS-Lite.html
  - http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn-logging-monitoring.html
  [From Build 47.14] [# 496812]
- Compact Logging for Large Scale NAT
  Logging LSN information is one of the important functions needed by ISPs to meet legal requirements and be able to identify the source of traffic at any given time. This eventually results in a huge volume of log data, requiring the ISPs to make large investments to maintain the logging infrastructure.
  Compact logging is a technique for reducing the log size by using a notational change involving short codes for event and protocol names. For example, C for client, SC for session created, and T for TCP. Compact logging results in an average 40 percent reduction in log size. Compact logging is supported for NAT44, DS-Lite, and NAT64.
  [From Build 41.26] [# 496812]
- Large Scale NAT64
  Because of the imminent exhaustion of IPv4 addresses, ISPs have started transitioning to IPv6 infrastructure. But during the transition, ISPs must continue to support IPv4 along with IPv6, because most of the public Internet still uses IPv4. Large scale NAT64 is an IPv6 transition solution for ISPs with IPv6 infrastructure to connect their IPv6-only subscribers to the IPv4 Internet. DNS64 is a solution for enabling discovery of IPv4-only domains by IPv6-only clients. DNS64 is used with large scale NAT64 to enable seamless communication between IPv6-only clients and IPv4-only servers.
  A NetScaler appliance implements large scale NAT64 and DNS64 and is compliant with RFCs 6145, 6146, 6147, 6052, 3022, 2373, 2765, and 2464. The following lists some of the large scale NAT64 features supported on the NetScaler appliance:
  - ALGs. Support of Application Layer Gateway (ALG) for the SIP, RTSP, FTP, ICMP, and TFTP protocols.
  - Deterministic/Fixed NAT. Support for pre-allocation of blocks of ports to subscribers to minimize logging.
  - Mapping. Support of Endpoint-Independent Mapping (EIM), Address-Dependent Mapping (ADM), and Address-Port-Dependent Mapping (APDM).
  - Filtering. Support of Endpoint-Independent Filtering (EIF), Address-Dependent Filtering (ADF), and Address-Port-Dependent Filtering (APDF).
  - Quotas. Configurable limits on the number of ports, sessions per subscriber, and sessions per LSN group.
  - Static Mapping. Support for manually defining a large scale NAT64 mapping.
  - Hairpin Flow. Support for communication between subscribers or internal hosts using NAT IP addresses.
  - 464XLAT connections. Support for communication between IPv4-only aware applications on IPv6 subscriber hosts and IPv4 hosts on the Internet through the IPv6 network.
  - Variable length NAT64 and DNS64 prefixes. The NetScaler appliance supports defining NAT64 and DNS64 prefixes of lengths 32, 40, 48, 56, 64, and 96.
  - Multiple NAT64 and DNS64 prefixes. The NetScaler appliance supports multiple NAT64 and DNS64 prefixes.
  - LSN Clients. Support for specifying or identifying subscribers for large scale NAT64 by using IPv6 prefixes and extended ACL6 rules.
  - Logging. Support for logging NAT64 sessions for law enforcement. In addition, the following are also supported for logging:
    - Reliable SYSLOG. Support for sending SYSLOG messages over TCP to external log servers for a more reliable transport mechanism.
    - Load balancing of log servers. Support for load balancing of external log servers to prevent storage of redundant log messages.
    - Minimal Logging. Deterministic LSN configurations or dynamic LSN configurations with port blocks significantly reduce the large scale NAT64 log volume.
    - Logging MSISDN information. Support for including subscribers' MSISDN information in large scale NAT64 logs to identify and track subscriber activity over the Internet.
  [From Build 41.26] [# 496866]
- Large Scale NAT64
  Because of the imminent exhaustion of IPv4 addresses, ISPs have started transitioning to IPv6 infrastructure. But during the transition, ISPs must continue to support IPv4 along with IPv6, because most of the public Internet still uses IPv4. Large scale NAT64 is an IPv6 transition solution for ISPs with IPv6 infrastructure to connect their IPv6-only subscribers to the IPv4 Internet. DNS64 is a solution for enabling discovery of IPv4-only domains by IPv6-only clients. DNS64 is used with large scale NAT64 to enable seamless communication between IPv6-only clients and IPv4-only servers.
  A NetScaler appliance implements large scale NAT64 and DNS64 and is compliant with RFCs 6145, 6146, 6147, 6052, 3022, 2373, 2765, and 2464. The following lists some of the large scale NAT64 features supported on the NetScaler appliance:
  - ALGs: Support of Application Layer Gateway (ALG) for the SIP, RTSP, FTP, ICMP, and TFTP protocols.
  - Deterministic/Fixed NAT: Support for pre-allocation of blocks of ports to subscribers to minimize logging.
  - Mapping: Support of Endpoint-Independent Mapping (EIM), Address-Dependent Mapping (ADM), and Address-Port-Dependent Mapping (APDM).
  - Filtering: Support of Endpoint-Independent Filtering (EIF), Address-Dependent Filtering (ADF), and Address-Port-Dependent Filtering (APDF).
  - Quotas: Configurable limits on the number of ports, sessions per subscriber, and sessions per LSN group.
  - Static Mapping: Support for manually defining a large scale NAT64 mapping.
  - Hairpinning Flow: Support for communication between subscribers or internal hosts using NAT IP addresses.
  - 464XLAT connections: Support for communication between IPv4-only aware applications on IPv6 subscriber hosts and IPv4 hosts on the Internet through the IPv6 network.
  - Variable length NAT64 and DNS64 prefixes: The NetScaler appliance supports defining NAT64 and DNS64 prefixes of lengths 32, 40, 48, 56, 64, and 96.
  - Multiple NAT64 and DNS64 prefixes: The NetScaler appliance supports multiple NAT64 and DNS64 prefixes.
  - LSN Clients: Support for specifying or identifying subscribers for large scale NAT64 by using IPv6 prefixes and extended ACL6 rules.
  - Logging: Support for logging NAT64 sessions for law enforcement. In addition, the following are also supported for logging:
    - Reliable SYSLOG: Support for sending SYSLOG messages over TCP to external log servers for a more reliable transport mechanism.
    - Load balancing of log servers: Support for load balancing of external log servers to prevent storage of redundant log messages.
    - Minimal Logging: Deterministic LSN configurations or dynamic LSN configurations with port blocks significantly reduce the large scale NAT64 log volume.
    - Logging MSISDN information: Support for including subscribers' MSISDN information in large scale NAT64 logs to identify and track subscriber activity over the Internet.
  For more information, see http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-nat-64.html.
  [From Build 47.14] [# 496866]
- HTTP Header Logging Support for DS-Lite
  The NetScaler appliance can now log request header information of an HTTP connection that is using the NetScaler's DS-Lite functionality. ISPs can use the HTTP header logs to see trends related to the HTTP protocol among a set of subscribers. For example, an ISP can use this feature to find out the most popular website among a set of subscribers. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/dual-stack-lite/logging-monitoring-DS-Lite.html.
  [From Build 47.14][# 558159, 559227]
- Subscriber Aware LSN Session Termination
  Currently, if a subscriber session is deleted when a RADIUS Accounting STOP or a PCRF-RAR message is received, or as a result of any other event, such as TTL expiry or flush, the corresponding LSN sessions of the subscriber are removed only after the configured LSN timeout period. LSN sessions that are kept open until this timeout expires continue to consume resources on the appliance.
  This enhancement adds a new parameter (subscrSessionRemoval). If this parameter is enabled and the subscriber information is deleted from the subscriber database, the LSN sessions corresponding to that subscriber are also removed. If this parameter is disabled, the subscriber sessions time out as specified by the LSN timeout settings.
  For more information about subscriber aware LSN session termination, see http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-telco-subscriber-management.html.
  [From Build 47.14][# 578275]
- Subscriber Aware LSN Session Termination
  Currently, if a subscriber session is deleted when a RADIUS Accounting STOP or a PCRF-RAR message is received, or as a result of any other event, such as TTL expiry or flush, the corresponding LSN sessions of the subscriber are removed only after the configured LSN timeout period. LSN sessions that are kept open until this timeout expires continue to consume resources on the appliance.
  This enhancement adds a new parameter (subscrSessionRemoval). If this parameter is enabled and the subscriber information is deleted from the subscriber database, the LSN sessions corresponding to that subscriber are also removed. If this parameter is disabled, the subscriber sessions time out as specified by the LSN timeout settings.
  [From Build 41.26][# 578275]
- Support for SIP and RTSP ALGs for DS-Lite
  The NetScaler appliance now supports SIP and RTSP application layer gateways (ALGs) for DS-Lite. For more information, see:
  - http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/dual-stack-lite/AGL-DS-Lite.html
  - http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-nat-64/configuring-agl-large-scale-NAT64.html
  [From Build 47.14][# 604029]
- NAT44 Wildcard Static Maps
  A static mapping entry is usually a one-to-one LSN mapping between a subscriber IP address:port and a NAT IP address:port. A one-to-one static LSN mapping entry exposes only one port of the subscriber to the Internet.
  Some situations might require exposing all ports (64K) of a subscriber to the Internet (for example, a server hosted on an internal network and running a different service on each port). To make these internal services accessible through the Internet, you have to expose all the ports of the server to the Internet.
  One way to meet this requirement is to add 64K one-to-one static mapping entries, one mapping entry for each port. Creating 64K entries is very cumbersome and a big task. Also, this large number of configuration entries might lead to performance issues in the NetScaler appliance.
  A simpler method is to use wildcard ports in a static mapping entry. You just need to create one static mapping entry with the NAT-port and subscriber-port parameters set to the wildcard character (*), and the protocol parameter set to ALL, to expose all the ports of a subscriber to the Internet. For a subscriber's inbound or outbound connections matching a wildcard static mapping entry, the subscriber's port does not change after the NAT operation.
  [From Build 41.26][# 614784]
- NAT44 Wildcard Static Maps
  A static mapping entry is usually a one-to-one LSN mapping between a subscriber IP address:port and a NAT IP address:port. A one-to-one static LSN mapping entry exposes only one port of the subscriber to the Internet.
  Some situations might require exposing all ports (64K) of a subscriber to the Internet (for example, a server hosted on an internal network and running a different service on each port). To make these internal services accessible through the Internet, you have to expose all the ports of the server to the Internet.
  One way to meet this requirement is to add 64K one-to-one static mapping entries, one mapping entry for each port. Creating 64K entries is very cumbersome and a big task. Also, this large number of configuration entries might lead to performance issues in the NetScaler appliance.
  A simpler method is to use wildcard ports in a static mapping entry. You just need to create one static mapping entry with the NAT-port and subscriber-port parameters set to the wildcard character (*), and the protocol parameter set to ALL, to expose all the ports of a subscriber to the Internet. For a subscriber's inbound or outbound connections matching a wildcard static mapping entry, the subscriber's port does not change after the NAT operation. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-introduction/configuring-static-lsn-maps.html.
  [From Build 47.14][# 614784]
- Policy-based TCP Profile
  You can now configure the NetScaler appliance to perform TCP optimization based on subscriber attributes. For example, the appliance can now select different TCP profiles at run time, based on the network to which the user equipment (UE) is connected. As a result, you can improve a mobile user's experience by setting some parameters in the TCP profiles and then using policies to select the appropriate profile.
  For more information about policy-based TCP profiles, see http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-telco-subscriber-management.html.
  [From Build 47.14][# 622947]
- Global override LSN parameter removed from L3 parameters
  The global override LSN parameter has been removed from the L3 parameters. To override LSN, you must now create a net profile with the overrideLsn parameter enabled and bind this profile to all the load balancing virtual servers that are configured for value added services. For more information, see http://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-introduction/override-lsn-configuration-lb-configuration.html.
  [From Build 47.14][# 642585]
- Wildcard Port Static Large Scale NAT64 Maps
  A static large scale NAT64 mapping entry is usually a one-to-one mapping between a subscriber IPv6 address:port and a NAT IPv4 address:port. A one-to-one static large scale NAT64 mapping entry exposes only one port of the subscriber IP address to the Internet.
  Some situations might require exposing all ports (64K - limited to the maximum number of ports of a NAT IPv4 address) of a subscriber IP address to the Internet (for example, a server hosted on an internal network and running a different service on each port). To make these internal services accessible through the Internet, you have to expose all the ports of the server to the Internet.
  One way to meet this requirement is to add 64 thousand one-to-one static mapping entries, one mapping entry for each port. Creating that many entries is very cumbersome and a big task. Also, this large number of configuration entries might lead to performance issues in the NetScaler appliance.
  A simpler method is to use wildcard ports in a static mapping entry. You just need to create one static mapping entry with the NAT-port and subscriber-port parameters set to the wildcard character (*), and the protocol parameter set to ALL, to expose all the ports of a subscriber IP address for all protocols to the Internet.
  For a subscriber's inbound or outbound connections matching a wildcard static mapping entry, the subscriber's port does not change after the NAT operation. When a subscriber-initiated connection to the Internet matches a wildcard static mapping entry, the NetScaler appliance assigns a NAT port that has the same number as the subscriber port from which the connection is initiated. Similarly, an Internet host gets connected to a subscriber's port by connecting to the NAT port that has the same number as the subscriber's port.
  [From Build 51.21][# 651078]
Fixed Issues in Previous NetScaler 11.1 Releases
The issues that were addressed in NetScaler 11.1 releases prior to Build 58.13. The build number provided below the issue description indicates the build in which this issue was addressed.
AAA-TM
- If you configure "CLI Accounting" on the NetScaler appliance, the RADIUS server does not send the accounting message with the Session ID.[From Build 51.21][# 538997]
- In a multi-core NetScaler environment, user sessions sometimes do not get terminated if the decision to terminate is based on a force timeout value that is configured on a TM traffic action.[From Build 50.10][# 610604, 618760]
- The StoreFront FQDN is not accepted as valid when a user uses it for the Test Connection function in the XA/XD Wizard. After the StoreFront FQDN is entered, the XA/XD Wizard displays an error when the user clicks Continue.[From Build 50.10][# 612276, 621861, 639203, 650065, 651022]
- If you log on to the NetScaler Traffic Management (TM) virtual server using "401 Basic" authentication, you might observe authentication failures if your username or password contains special characters. This is because only UTF-8 characters below ASCII 128 (for example, A-Z, a-z, 0-9, and ~ ! @ # $ % ^ & * ( ) _ + - = [ { ] } \ | ; : ' " / ? . > , < special characters) are allowed.[From Build 56.19][# 620845, 589509, 650263, 672340]
- In a high availability setup, a session does not time out even if a force timeout is configured on a traffic action that is bound to a load balancing or content switching virtual server and a force fail over is performed.[From Build 50.10][# 623053]
- If you remove the NT LAN Manager (NTLM) prompt while using Kerberos or NTLM authentication, the NetScaler appliance configured for NetScaler AAA does not fall back to the next authentication method.[From Build 57.13][# 644276, 630764]
- The NetScaler appliance might restart if role-based access is enabled in admin partitions.[From Build 51.21][# 653702]
- If the LDAP bind account password used on a NetScaler appliance contains the "at" special character (@), the test connection performed on the LDAP server fails, and the dashboard shows that the LDAP server is down.[From Build 52.13][# 654375]
- If the LDAP bind account password used on a NetScaler appliance contains the "at" special character (@), the test connection performed on the LDAP server fails, and the dashboard shows that the LDAP server is down.[From Build 55.13][# 654375, 689891]
- The NetScaler appliance fails if all of the following conditions are met:
  - The appliance is used as a SAML service provider.
  - Multiple load balancing and content switching virtual servers are configured for the same external identity provider (IdP) but with different FQDNs.
  - SAML login happens on a virtual server with an existing SAML session from the same IdP.
  [From Build 51.21][# 664171, 670657]
- In a multifactor SAML IdP configuration, if a SAML request is resent from the service provider during authentication, the NetScaler appliance sends an assertion before authentication is complete.[From Build 51.21][# 666161]
- When OWA is configured for traffic policy based logout, sessions remain active for a longer time after logout is triggered, in some versions and cases, because of the application's implementation. With this fix, once logout is configured in the traffic policy, the session is removed within at most 2 minutes regardless of activity from the client.[From Build 54.16][# 668414]
- If a NetScaler AAA daemon sends a DNS query by using source port 3000 to LDAP or RADIUS servers, the CPU utilization goes high and the DNS data packet keeps looping. With this fix, the NetScaler AAA daemon sends queries to LDAP or RADIUS servers starting with source port 10000 and above.[From Build 55.13][# 671309, 694723]
- An attempt to change an LDAP password through the NetScaler Gateway virtual server fails if the new password includes any multibyte UTF-8 characters, such as German umlauts (for example, kölnbonn207), Latin small letter sharp s (for example, straße2017), or special characters (for example, &%$§1Lucie-Marie).[From Build 56.19][# 672846, 691269]
- An attempt to change an LDAP password through the NetScaler Gateway virtual server fails if the new password includes any multibyte UTF-8 characters, such as German umlauts (for example, kölnbonn207), Latin small letter sharp s (for example, straße2017), or special characters (for example, &%$§1Lucie-Marie).[From Build 54.16][# 672846]
- An attempt to change an LDAP password through the NetScaler Gateway virtual server fails if the new password includes any multibyte UTF-8 characters, such as German umlauts (for example, kölnbonn207), Latin small letter sharp s (for example, straße2017), or special characters (for example, &%$§1Lucie-Marie).[From Build 55.13][# 672846]
- In a high availability setup, a session does not time out even if a force timeout is configured on a traffic action that is bound to a load balancing or content switching virtual server and a force fail over is performed.[From Build 55.13][# 675185, 684400]
- A NetScaler appliance connected to a back-end LDAP server logs an incorrect error code for the “restricted logon hours” parameter in the NetScaler AAA daemon logs.[From Build 56.19][# 676697]
- NTLM authentication fails when the NetScaler tries to negotiate with an LB virtual server in front of the NTLM server.[From Build 55.13][# 677747]
- When a persistent cookie is configured for AAA-TM access, the response is not sent to the client if the server sends a connection-close header or closes the connection at the point where the NetScaler appliance decides to insert the persistent cookie.[From Build 54.16][# 678452, 665339]
- The NetScaler appliance might fail if you use Kerberos authentication and the cached ticket incorrectly points to NULL, because the Kerberos ticket has expired and been removed from the Distributed Hash Table (DHT).[From Build 54.16][# 678865]
- When "Redirect Binding" is used as the transport mechanism in the SAML flow and the NetScaler IdP receives an authentication request from an external Service Provider (SP), inflating the request data occasionally fails. The failure is highly intermittent and disappears on a reboot. This enhancement offers different variants of the inflate operation.[From Build 53.13][# 680064]
- The NetScaler appliance crashes because of a failure to access the NetScaler AAA logon credentials. The failure occurs while attempting to match the rewrite policy against an AAA group.[From Build 55.13][# 680099]
- The NetScaler appliance configured for NetScaler AAA by using LDAP authentication might become unresponsive because the wrong counter increments when alerts are received from a client counter. The ssl_tot_sslError_FatalAlertSentCount counter increments, instead of the ssl_tot_sslError_FatalAlertRecdCount counter.[From Build 55.13][# 681715]
- If you set the ‘Validate LDAP Server Certificate’ parameter in an LDAP server configuration, you can log on even if the hostname does not match. With this fix, the hostname is checked when the option is enabled.[From Build 56.19][# 681888, 644099]
- If you set the ‘Validate LDAP Server Certificate’ parameter in an LDAP server configuration, you can log on even if the hostname does not match. With this fix, the hostname is checked when the option is enabled.[From Build 55.13][# 681888, 644099]
- The NetScaler appliance configured for NetScaler AAA using single sign-on to access a backend server becomes unresponsive if both of the following conditions are met:
  - The NetScaler appliance tries to process a client response based on a 401 basic authentication request.
  - The traffic management virtual server is configured with basic authentication.
  [From Build 55.13][# 682850, 684739, 684086, 686368, 688553]
- In rare scenarios, a NetScaler appliance becomes unresponsive when both nodes of a high availability (HA) setup claim to be the primary node.[From Build 55.13][# 683015]
- A load balancing virtual server on a NetScaler appliance sends a reset code to the client when it receives the second packet of the client's POST request.[From Build 55.13][# 683216]
- NetScaler fails to perform SAML Single Logout if NetScaler is configured for SAML authentication with an Identity Provider (IdP) that sends a session index of 64 bytes. If the session index is less than 64 bytes, Single Logout is performed as expected.[From Build 54.16][# 683429]
- If external LDAP authentication uses a case-insensitive user name, NetScaler AAA is unable to lock the user name after the number of attempts specified by the Max Login Attempts parameter.[From Build 56.19][# 683645]
- Client logons are delayed by 15 seconds if Kerberos Constrained Delegation (KCD) is used on a NetScaler appliance. The delay occurs during the process of issuing a Kerberos ticket to the client.[From Build 55.13][# 683869]
- In rare scenarios, a NetScaler appliance dumps core if a dialogue-mode operation, such as a password change, happens during RBA authentication.[From Build 55.13][# 684648]
- A NetScaler appliance configured for NetScaler AAA with single sign-on is unable to log off from Online Web Access (OWA).[From Build 56.19][# 688665]
- A NetScaler appliance can add multiple NetScaler AAA groups, but the “save config” operation saves only the first group.[From Build 55.13][# 689212, 689457]
- After an upgrade from an earlier release 10.5 build 60.7 to release 11.1 build 52.32, if the client sends an invalid basic authorization header such as "Authorization: Basic (null)", the NetScaler appliance does not perform single sign-on (SSO) to the back end.[From Build 56.19][# 689265]
- Assigning a custom port other than the default to an authentication enabled load balancing virtual server causes the NetScaler appliance to display an error message.[From Build 54.16][# 689832]
- Assigning a custom port other than the default to an authentication enabled load balancing virtual server causes the NetScaler appliance to display an error message.[From Build 55.13][# 689832]
- If an attribute is a binary-string type and contains “0x00” as a value, the LDAP attributes extraction fails. At this point, the NetScaler appliance configured for NetScaler AAA becomes unresponsive.[From Build 56.19][# 690245]
- A NetScaler appliance configured for NetScaler AAA becomes unresponsive during a VPN session if both of the following conditions are met:
  - The primary session is in the timed out state.
  - The secondary session is in sync but the actual state of the session is reset to zero.
  [From Build 56.19][# 690468]
- In some cases, if you log on to ShareFile through a load balancing virtual server by using NetScaler AAA, you are incorrectly directed to a different user profile.[From Build 56.19][# 691050]
- In some cases, a NetScaler appliance becomes unresponsive if either or both of the following conditions are met:
  - SSO and Proxy are configured.
  - The authentication request uses the POST method.
  [From Build 57.13][# 691795]
- If you run the 'ldapsearch' command at the NetScaler shell prompt, the following error message appears:
  Segmentation fault: 11 (core dumped)
  [From Build 56.19][# 692008]
- A NetScaler appliance configured for forms single sign-on (SSO) to the back end adds whitespace at the end of the URL and before the HTTP version.[From Build 56.19][# 694433, 686735]
- The Outlook Anywhere (OA) services traffic on the NetScaler appliance might intermittently slow down the authentication process. The delay in the authentication process is observed after some time.[From Build 57.13][# 694879]
- The NetScaler appliance occasionally becomes unresponsive when the username is in “userPrincipalName” format and the domain length is one.[From Build 56.19][# 695117]
- If the HTTPOnly flag is not set on the NetScaler AAA NSC_TASS cookie, a client-side script can read the cookie and use it to access an application. With this fix, scripts are unable to read the NSC_TASS cookie.[From Build 56.19][# 695118]
- NetScaler AAA wrongly calculates the NSC cookie length if an authentication function counts the string terminator (\0) as well. In this case, the function also copies the terminator (\0) into the HTTP header. With this fix, NetScaler AAA calculates the string length correctly, without the string terminator (\0), and the terminator is not copied to the HTTP header.[From Build 56.19][# 695641]
- If the initial request to the traffic management virtual server is an unauthenticated POST request, the NetScaler appliance configured for NetScaler AAA disregards the POST body.[From Build 56.19][# 695703]
- A NetScaler appliance configured for NetScaler AAA might become unresponsive when trying to single sign-on (SSO) with a backend server, because the front-end loses the connection.[From Build 56.19][# 695764]
- If a SAML Identity Provider (IdP) sends a namespace for a digital signature and if the namespace is not within the signedInfo or signature parameters, the NetScaler appliance configured for SAML Service Provider (SP) rejects the namespace assertion and the signature validation fails.[From Build 57.13][# 697392]
- The NetScaler appliance becomes unresponsive if an invalid cookie tries to merge with a body cookie, causing the cookie parsing to fail.[From Build 57.13][# 700872]
- The NetScaler appliance becomes unresponsive if an invalid cookie tries to merge with a body cookie, causing the cookie parsing to fail.[From Build 57.13][# 701682, 705826]
- In a high availability setup, a NetScaler appliance might become unresponsive when one of the nodes is running release 11.1 build 57.11 and the other node is running a different build.[From Build 57.13][# 705349]
- If you use the certificate authentication method in nFactor authentication, users observe a “401 unauthorized” error and the NetScaler appliance fails to authenticate the NetScaler AAA request.[From Build 57.13][# 706250]
Admin Partitions
- SNMP profiles have been modified to avoid dropping SNMP responses intended for non-default partitions. An SNMP agent can now track each SNMP request and send a response to a non-default partition. Previously, if a non-default partition received an SNMP request through a subnet IP address, the SNMP agent on the partition responded to the default partition, because the SNIP address was defined on the default partition.[From Build 49.16][# 609367]
- The CLI does not correctly display the command prompt to users who have read-only-access accounts created in the default partition and bound to a non-default partition.[From Build 55.13][# 675151]
- When you access a partitioned appliance through the NetScaler GUI, the Dashboard does not display the "CPU vs. Memory Usage and HTTP Requests Rate" graph in the left pane.[From Build 54.16][# 676700]
- When you access a partitioned appliance through the NetScaler GUI, the Dashboard does not display the "CPU vs. Memory Usage and HTTP Requests Rate" graph in the left pane.[From Build 55.13][# 676700]
- When you configure an administrative partition, validation of the partition's VMAC address might fail, causing the NetScaler appliance to crash.[From Build 54.16][# 677765]
- On a partitioned NetScaler appliance, the system memory counters are not updated properly unless they are cleared during partition deletion.[From Build 55.13][# 681422, 682240]
- In rare cases, one of the partitions on a partitioned appliance does not get enough slots to send Gratuitous Address Resolution Protocol (GARP) messages for all its IP addresses on the network.[From Build 56.19][# 692922]
Analytics
- The NetScaler Gateway login page fails to load if you have enabled client side measurements in the AppFlow action.[From Build 57.13][# 694892]
AppExpert
- When a NetScaler appliance receives a client request for evaluating a responder policy, it might not log the responder data. Before evaluation, the appliance sets the ns_auditlog_module_id global variable and uses the data for log processing. If during the evaluation you block the log action and wait for more data, and while you are waiting the appliance receives another client request to evaluate a different policy, the responder log data is not recorded for the responder module.[From Build 55.13][# 687140]
AppFlow
- ICA parsing uses a lot of memory, so the NetScaler appliance reaches its memory limit with a lower than expected number of connections.[From Build 49.16][# 459458]
- A NetScaler load balanced server responds with a 411 error code for a corrupted HTTP request.[From Build 50.10][# 629223]
- If you have configured NetScaler Gateway in a double-hop setup, HDX virtual desktops might become unresponsive when you perform the following sequence of actions: connect, disconnect and reconnect.[From Build 48.10][# 641396]
- When AppFlow for ICA is enabled on a NetScaler appliance in a multicore environment, the NetScaler appliance might become unresponsive.[From Build 49.16][# 647713]
- Automatic client reconnection (ACR) for Linux VDA clients fails if the NetScaler appliance is in the path and ICA AppFlow is enabled for the appliance.[From Build 50.10][# 648254, 651200]
- Applications do not launch when AppFlow is enabled and connection chaining is disabled. This is because when a full sized packet is received, the connection chain ID is added to the packet, causing the packet size to exceed the maximum transmission unit (MTU). So, the packet gets dropped and the application fails to launch.[From Build 50.10][# 650618, 653126, 661587, 664792]
- If AppFlow for ICA is enabled on a NetScaler appliance, the appliance might become unresponsive under certain circumstances during ICA capability negotiation in ICA PROXY mode.[From Build 49.16][# 653385, 655823, 661720]
- If HDX Insight is enabled on a NetScaler appliance in high-availability mode, and if the nodes are set to STAY PRIMARY or STAY SECONDARY, session reliability fails when a failover happens.[From Build 49.16][# 653438]
- If AppFlow client-side measurements and AppFirewall are enabled, the NetScaler appliance might become unresponsive because the restore/cleanup of the AppFlow and AppFirewall features is incomplete and performed in the incorrect order.[From Build 50.10][# 655309, 658547]
- When Web Insight is enabled, and if the configuration has wild card virtual servers, the NetScaler appliance might become unresponsive when writing the appflow records.[From Build 50.10][# 658624, 660103]
- Service states for the service groups cannot be updated. As a result, client requests are dropped.[From Build 53.13][# 658990]
- Memory usage on a NetScaler appliance might increase over time if AppFlow Client-side Measurements is enabled.[From Build 52.13][# 666358, 672859]
- Memory usage on a NetScaler appliance might increase over time if AppFlow Client-side Measurements is enabled.[From Build 53.13][# 666358, 672859]
- If AppFlow client-side measurements are enabled, the NetScaler instance does not buffer the response packets even though it acknowledges the packets to the server. This causes page load issues if the packets are lost.[From Build 50.10][# 670464]
- If you enable AppFlow on a SQL virtual server, the NetScaler appliance might become unresponsive.[From Build 52.13][# 671462, 672362]
- If you enable AppFlow on a SQL virtual server, the NetScaler appliance might become unresponsive.[From Build 53.13][# 671462, 672362, 668129, 670343]
- If numerous GET requests are sent to a NetScaler appliance on which AppFlow is enabled, at some point the requests begin to time out.[From Build 52.13][# 671993, 674438]
- Memory usage on a NetScaler appliance might increase over time if the AppFlow feature is enabled and HTTP pipelined requests are sent to the HTTP or SSL virtual servers that match at least one of the AppFlow policies.[From Build 51.26][# 672102, 670990, 671906, 676930, 667606]
- Memory usage on a NetScaler appliance might increase over time if the AppFlow feature is enabled and HTTP pipelined requests are sent to the HTTP or SSL virtual servers that match at least one of the AppFlow policies.[From Build 52.13][# 672102, 670990, 671906]
- If the AppFlow Client-Side Measurements action is enabled on any of the AppFlow policies, the connection to the backend server might be terminated intermittently, so that only a partial response is sent to the client.[From Build 53.13][# 672863, 673532, 677954, 677576]
- If AppFlow Client-Side Measurements action is enabled on any of the AppFlow policies, connection to backend server might get terminated intermittently thereby sending only partial response to the client.[From Build 52.13][# 672863, 673532]
- The NetScaler appliance crashes, dumps core, and restarts if a certificate is unbound from an SSL virtual server while an SSL transaction is in progress.[From Build 54.16][# 679995]
- The NetScaler appliance crashes, dumps core, and restarts if a certificate is unbound from an SSL virtual server while an SSL transaction is in progress.[From Build 55.13][# 679995]
- When Client-Side Measurements is enabled and you access NetScaler Gateway, the Microsoft Internet Explorer browser displays an error.[From Build 55.13][# 680567, 688758]
- When an AppFlow policy bound to a VPN virtual server applies an undef action, the NetScaler instance might become unresponsive.[From Build 54.16][# 681596]
- A NetScaler appliance crashes and dumps core if an ECDSA certificate is bound to the SSL virtual server that processes an SSL transaction.[From Build 54.16][# 683567, 686195]
- A NetScaler appliance crashes and dumps core if an ECDSA certificate is bound to the SSL virtual server that processes an SSL transaction.[From Build 55.13][# 683567, 686195]
- If there are more than 300 embedded objects in a web page, and if client-side-measurements is enabled, the NetScaler instance might become unresponsive.[From Build 56.19][# 686027, 692988, 683591, 694296, 691725, 692914]
- If an AppFlow policy is bound to ICA_REQUEST bindpoint for a virtual server with the ULFD mode enabled, disabling AppFlow for that virtual server from NetScaler MAS/NetScaler Insight Center can cause the NetScaler instance to become unresponsive.[From Build 55.13][# 688260, 687559, 685968, 684245, 691851]
- A NetScaler appliance might become unresponsive if an AppFlow action has client-side measurements enabled and the appliance receives a corrupted request.[From Build 56.19][# 691229]
- A NetScaler appliance might become unresponsive if an AppFlow action has client-side measurements enabled and the appliance receives an HTTP server response before the full client request.[From Build 56.19][# 692649]
- NetScaler MAS 12.0 does not process AppFlow records sent from NetScaler 11.1 appliances running build versions earlier than or equal to 55.x.[From Build 56.19][# 696009, 695724]
Application Firewall
- The exported, learned data for field formats does not match the output of the following command: sh appfw learning data.[From Build 48.10][# 329025, 303481]
- When editing application firewall signatures, you cannot sort the "Enabled" column.[From Build 56.19][# 621333]
- A NetScaler appliance in a high availability configuration might fail when the Application Firewall HTTP request is chunked or the chunk-header information is split across the packet and the content-type is "application/x-www-form-urlencoded" and "multipart/form-data".[From Build 50.10][# 642238, 646749, 650320]
- The NetScaler appliance fails if the signature match function accesses invalid memory while matching signature rules.[From Build 48.10][# 643854]
- A NetScaler AppFirewall appliance might run out of memory, because firewall sessions might not get cleaned up in a high availability environment if sync or propagation is disabled or the software versions running on a pair of nodes do not match. This is due to DHT not being able to clean up entries properly.[From Build 49.16][# 646293, 645547, 658502]
- Sites that use the NetScaler application firewall have excessive high availability failovers because of a faulty error-handling routine related to memory allocation.[From Build 48.10][# 647309]
- The name of a user-defined signature object must not contain a hash character (#), even though the feedback message inaccurately lists it as an allowed character.[From Build 48.10][# 648010]
- If the HTML response page contains a pair of hyphens (--) in the comment tag, the NetScaler appliance might parse the response page incorrectly and not add the URLs to starturl closure. This could result in some starturl violations.[From Build 48.10][# 648104]
- The NetScaler appliance might fail if both of the following conditions are met:
  - The application firewall and compression modules are both active for a connection.
  - The connection is aborted for any reason, such as connection failure on the client or server, or invalid HTTP content is received from the client or server.
  Typically, the application firewall and compression modules free the resources, including references to the connection. However, in rare cases, freeing a connection results in a dangling connection structure pointer or duplicate freeing of the structure pointer. In either of these cases, the appliance might fail.[From Build 49.16][# 648981, 648996, 653492, 654739]
- Applications might not load properly when the memory_max_allowed value for the AppFW pool is low. This low memory condition can also cause memory allocation errors that result in numerous connection resets.[From Build 48.10][# 649031, 651536]
- On a NetScaler appliance running release 11.1 build 64, SQL and cross-site scripting relaxations might not work for application or json content types. The AppFW logs display the following message, even when the relaxation rules are applied for User-Agent: "SQL Keyword check failed for header User-Agent."[From Build 55.13][# 651054]
- On a NetScaler appliance running release 11.1 build 64, SQL and cross-site scripting relaxations might not work for application or json content types. The AppFW logs display the following message, even when the relaxation rules are applied for User-Agent: "SQL Keyword check failed for header User-Agent."[From Build 54.16][# 651054]
- CPU utilization becomes high if you upgrade the NetScaler appliance to release 11.0 build 65 and enable Application Firewall Starturl Closure protection.[From Build 51.21][# 656708, 656061, 658404, 670134]
- If the NetScaler appliance sends AppFlow data with application firewall records to the Security Insight collector, the appliance might fail. This might occur if the built-in NOPOLICY policy, which does not have any specified action, is configured as a global policy.[From Build 50.10][# 656771]
- If the NetScaler appliance sends AppFlow data with application firewall records to the Security Insight collector, the appliance might fail. This might occur if the built-in NOPOLICY policy, which does not have any specified action, is configured as a global policy.[From Build 49.16][# 656771]
- Executing force sync operation using the nssync -s command from the shell triggers NetScaler appliance reboot and crash. The nsnetsvc crash occurs when the import filename length exceeds MAX_FILE_PATH_LEN.[From Build 51.21][# 657920]
- A NetScaler appliance fails under the following set of conditions:
  - The appliance is configured to log parsing errors in XML responses, and the configuration includes a confidential field. Webform fields can be designated as confidential fields to protect the information that users type into them.
  - The appliance receives a request in which query parameters are set.
  - A parsing error occurs during processing of the XML response.[From Build 50.10][# 658561, 639647]
- The NetScaler appliance fails to upload files for a policy profile with signatures when the NetScaler AppFirewall signature function is enabled.[From Build 53.13][# 660112]
- NetScaler release 11.0 build 47 or later logs error messages when you enable the Application Firewall feature on a NetScaler appliance in high availability mode.[From Build 51.21][# 660528]
- NetScaler release 11.0 build 47 or later logs error messages when you enable the Application Firewall feature on a NetScaler appliance in high availability mode.[From Build 52.13][# 660528]
- If you upgrade NetScaler appliance in a high availability (HA) setup from version 10.5.56.15 to version 11.1.51.1901 and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message.[From Build 52.13][# 661111]
- In a high availability setup, after successful deployment of the Application Firewall learned StartURL rule from the GUI, the rule remains in the learned database and is not removed. Deploying the same startURL rule results in the following error message: "The StartURL check is already in use."[From Build 51.21][# 661111]
- On a NetScaler Application Firewall appliance in a high availability configuration, learning mode does not work after an upgrade to release 11.0 build 68.10.[From Build 52.13][# 662359, 670726]
- On a NetScaler Application Firewall appliance in a high availability configuration, learning mode does not work after an upgrade to release 11.0 build 68.10.[From Build 51.21][# 662359, 670726]
- On a NetScaler Application Firewall appliance in a high availability configuration, learning mode does not work after an upgrade to release 11.0 build 68.10.[From Build 51.21][# 662734]
- On a NetScaler Application Firewall appliance in a high availability configuration, learning mode does not work after an upgrade to release 11.0 build 68.10.[From Build 52.13][# 662734]
- Application Firewall uses master-slave communication for processing security checks and retrieves connection information through the Protocol Control Block (PCB). In a high availability mode, the NetScaler appliance might fail if a factory reset occurs and the PCB variables are cleared before the Application Firewall context data is freed, so that a null pointer is accessed during processing.[From Build 51.21][# 664159, 665334]
- A log message is not generated when the FormFieldConsistency protection is enabled on an Application Firewall profile and the generated hidden field "as_fid" is modified. With this fix, the NetScaler Application Firewall now generates a log message when the "FormFieldConsistency" protection is enabled and the hidden field "as_fid" is modified in the NetScaler Application Firewall profile.[From Build 51.21][# 664211]
- The Onhover pattern has been added to the default list of cross-site scripting (XSS) denied patterns that the Application Firewall looks for when scanning traffic.[From Build 51.21][# 665595]
- A NetScaler appliance might fail when Application Firewall processes a request for SQL injection inspection, if the request has the SQLInjectiontype field set to "SQL Special Char or Keyword" and SQL comment handling is set to "ANSI/Nested".[From Build 51.21][# 665631, 669524]
- If the NetScaler Application Firewall learning feature is enabled, Form Field Consistency violations result in blocking URL requests that end with a question mark (?), with no query parameters.[From Build 51.21][# 666019]
- The output of the appfw learningdata command does not include a caret and dollar sign (^$) at the beginning and end of a URL string. Therefore, the URLs are not in proper regex format. If you do not enclose a URL in ^$ characters when you specify a learned rule to be deleted, all the rules are deleted.[From Build 56.19][# 668255]
- The NetScaler appliance crashes during a field-consistency check if processing a large number of form-select fields.[From Build 52.13][# 668627, 664482]
- The NetScaler appliance crashes during a field-consistency check if processing a large number of form-select fields.[From Build 53.13][# 668627, 664482]
- Application firewall signature rule #14990 has a PCRE expression pattern to detect the presence of a violation string in the Accept-Charset header. This expression is computationally intensive and results in generation of log message "PCRE match limit exceeded with regex..." With this fix, rule #14990 is deprecated and replaced by signature rule #999972, which has an optimized PCRE expression. The new rule shows the source as Snort and the Snort ID as 14990.[From Build 52.13][# 669824]
- An archive error can occur when application firewall profiles are exported and archived, because the export file is not removed from the /var/archive/appfw/ and /var/tmp directories after profile export is successful. The problem is caused by an uppercase profile name when the archived export file is saved with the same case as the profile name.[From Build 52.13][# 670744]
- During the downgrade process, the NetScaler appliance becomes unresponsive and generates an aslearn core file if the application firewall schema profile of the learned database files is not installed properly.[From Build 52.13][# 670752]
- A large number of DHT operations causes high CPU usage when StartURLClosure is enabled.[From Build 54.16][# 672807, 672753]
- The NetScaler application firewall blocks web-service URLs and displays the following error message: No_Service_URL.[From Build 53.13][# 673630]
- A NetScaler AppFirewall appliance displays the following error message when you try to deploy learned rules with the WAF learning mode enabled: Error in retrieving Application Firewall learning data.[From Build 53.13][# 674023]
- When a user-defined application firewall signature object is updated by using the configuration utility, the enabled signature rules might get disabled and the configured actions in some signature rules might not be preserved.[From Build 52.13][# 674031]
- The NetScaler appliance fails to restart after an upgrade to software release 11.1 build 51.21. The failure, caused by memory corruption in the AppSecure module, occurs while evaluating an invalid session cookie.[From Build 53.13][# 674361]
- A NetScaler appliance might fail to start after URL transformation, because of low memory allocation.[From Build 53.13][# 674415, 675793, 679479, 678765, 677990]
- Form based NetScaler AppFirewall checks can be bypassed by a multipart POST request in which the Content-type header has been tampered with.[From Build 55.13][# 674658]
- The IP reputation feature does not get enabled when the application firewall add-on license is added.[From Build 53.13][# 675202]
- The IP reputation feature does not get enabled when the application firewall add-on license is added.[From Build 52.13][# 675202]
- When you enable the AppFirewall custom signature feature on a NetScaler appliance running software version 11.0 build 69, the appliance stops processing traffic and dumps core memory.[From Build 53.13][# 675880]
- During the URL transformation process, cross-site scripting (XSS) protection does not consider relaxation rules for HTTP request tags that have no content except a comma (<, >).[From Build 53.13][# 676394, 676397, 660890]
- A NetScaler appliance running release 11.1 fails to restart after a failover if Distributed Hash Table (DHT) entries are not in sync across the HA nodes.[From Build 54.16][# 678072]
- The NetScaler AppFirewall appliance crashes while copying form data if the form field consistency check is enabled.[From Build 55.13][# 678297, 689073]
- You cannot select a range of learned rules by using the SHIFT key, even though you could do so in release 11.0. With this fix, you can use the SHIFT key to select a range of learned rules.[From Build 54.16][# 678900]
- On a NetScaler Application Firewall appliance in a high availability configuration, learning mode does not work after an upgrade to release 11.0 build 68.10.[From Build 53.13][# 679411]
- A NetScaler appliance running release 11.1 and build 52 might fail because of a mismatch during memory allocation and display the following error message: "userspace_panic as_free()".[From Build 54.16][# 681746, 683564, 684632]
- Since release 11.1 build 41, the ImportSizeLimit parameter in the AppFW settings can be set to limit the size of the objects that are imported to the NetScaler appliance. This limit is now extended from 128 MB to 256 MB. Execute the following set command from the CLI to change the value to meet your requirement:
  set appfw setting -importsizelimit <value>
  Maximum value: 268435456
  Minimum value: 1
  Default: 134217728
  Example:
  > set appfw setting -importsizelimit 268435457[From Build 55.13][# 682219]
- Since release 11.1 build 41, the ImportSizeLimit parameter in the AppFW settings can be set to limit the size of the objects that are imported to the NetScaler appliance. This limit is now extended from 128 MB to 256 MB. Execute the following set command from the CLI to change the value to meet your requirement:
  set appfw setting -importsizelimit <value>
  Maximum value: 268435456
  Minimum value: 1
  Default: 134217728
  Example:
  > set appfw setting -importsizelimit 268435457[From Build 54.16][# 682219]
- The application firewall signature-update warning messages are not delivered in standard syslog message format. Therefore, NetScaler MAS does not process them. The warning messages do not include the module name or a time stamp, both of which are part of the syslog standard. Signature update messages are also not in standard syslog format.[From Build 54.16][# 682416]
- Applying cross-site scripting checks to complete URLs causes applications to stop after an upgrade. With this fix, cross-site scripting checks run only on the URL's base path if the CrossSiteScriptingCheckCompleteURLs option is enabled in the AppFw profile.[From Build 54.16][# 682770]
- Application firewall log messages generated when data is dropped because of an Unknown Content-Type do not include the Content-Type header value, which would facilitate tracking and monitoring. This issue has been fixed. The application firewall now allows requests that have multiple charsets with the same value in the Content-Type header.[From Build 54.16][# 682778]
- On a NetScaler AppFirewall appliance, URL global pages cause memory buildup on the secondary node when the URL closure protection feature is enabled.[From Build 54.16][# 683366]
- When you attempt to export learned data for an application firewall profile, the appliance fails because of improper initialization of a stack variable. The Aslearn process restarts continuously because of connection failure.[From Build 55.13][# 684988]
- Traffic to a back-end application is blocked by the HTML cross-site scripting check when the profile type is XML. The cross-site scripting check fails for a field with the following tag: <?xml version="Bad tag: ?xml" <blocked>. When you have cross-site scripting checking enabled, the application firewall makes the following changes to requests that match the HTML Cross-Site Scripting check: the left angle bracket (<) is replaced by its HTML character entity equivalent (&lt;), and the right angle bracket (>) is replaced by its HTML character entity equivalent (&gt;). This prevents browsers from interpreting unsafe HTML tags, such as <script>, and thereby executing malicious code. If you enable both request-header checking and XSS transformation, any special characters found in request headers are also modified as described above. If scripts on your protected web site contain cross-site scripting features, but your web site does not rely upon those scripts to operate correctly, you can safely disable blocking and enable transformation. This configuration allows legitimate web traffic while stopping any potential cross-site scripting attacks.[From Build 55.13][# 685775]
- If you use the CLI of a NetScaler AppFirewall appliance to display an enum definition, the AS_CCARD_DEFAULT_CARD_TYPE default value for credit card options is not included.[From Build 56.19][# 686540]
- If you use the CLI of a NetScaler AppFirewall appliance to display an enum definition, the AS_CCARD_DEFAULT_CARD_TYPE default value for credit card options is not included.[From Build 55.13][# 686540]
- The NetScaler packet processing engine fails to start when URL transform regression scripts are executed during a low-memory condition.[From Build 55.13][# 687625]
- The NetScaler appliance restarts if it attempts to process an invalid incoming HTTP packet.[From Build 56.19][# 688479]
- The NetScaler appliance crashes when security insight is enabled and the application firewall detects a violation of the maximum limit for fld_name length. With this fix, the fld_name length limit is set to the same value as MAX_AS_NAME_LEN.[From Build 56.19][# 690028, 690556, 690467, 692023, 695808]
- After an upgrade from an earlier release 11.0 build to release 11.1 build 55.4, the 'APPFW_RESET' and 'APPFW_DROP' AppFw profiles do not appear when you run the sh appfw profile command with the "more" option. For example:
  sh appfw profile | more
  1) Name: APPFW_BYPASS LogEveryPolicyHit: OFF
  2) Name: APPFW_RESET LogEveryPolicyHit: ON
  3) Name: APPFW_DROP LogEveryPolicyHit: ON
  4) Name: APPFW_BLOCK UseHTMLErrorObject: OFF
  This issue does not occur after upgrading a NetScaler AppFirewall appliance to release 11.1 build 55.8.[From Build 56.19][# 690261, 689327]
- After an upgrade from an earlier release 11.0 build to release 11.1 build 55.4, the 'APPFW_RESET' and 'APPFW_DROP' AppFw profiles do not appear when you run the sh appfw profile command with the "more" option. For example:
  sh appfw profile | more
  1) Name: APPFW_BYPASS LogEveryPolicyHit: OFF
  2) Name: APPFW_RESET LogEveryPolicyHit: ON
  3) Name: APPFW_DROP LogEveryPolicyHit: ON
  4) Name: APPFW_BLOCK UseHTMLErrorObject: OFF
  This issue does not occur after upgrading a NetScaler AppFirewall appliance to release 11.1 build 55.8.[From Build 55.13][# 690261, 689327]
- A NetScaler AppFirewall custom signature request for field name value parsing does not clear the field name pattern match buffer.[From Build 56.19][# 691268]
- On a NetScaler application firewall appliance in high-availability mode, using the "aslearn -stop" command to stop the aslearn process causes a core dump but does not stop the aslearn process.[From Build 56.19][# 692060]
- The Application Firewall auto-update feature does not work and the "https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml" file fails to download.[From Build 57.13][# 692155]
- The NetScaler AppFirewall search filter for cookie consistency learned rules does not work.[From Build 56.19][# 692560]
- In some cases, when a credit card number is split across multiple packets, the learned data rules of a NetScaler application firewall report incorrect credit card information.[From Build 56.19][# 692814]
- On a NetScaler application firewall appliance in a high-availability mode, the DUT might crash when performing application security check because of memory resource constraints for the NetScaler appliance.[From Build 56.19][# 694195]
- If a signature rule is configured on POST body with the content-type “application/xml”, the NetScaler application firewall appliance might not apply the associated rule actions to a traffic even after the rule matches the traffic.[From Build 56.19][# 694727]
- On a NetScaler AppFW profile, when the charset is set to Japanese (SJIS), enabling SQL transform on the profile transforms Japanese data containing Yen symbols.[From Build 56.19][# 694764]
- The XML pages might not be rendered properly in the web browsers if XML protection to strip XML comments is enabled on the application firewall profile.[From Build 56.19][# 695091]
- The NetScaler Application Firewall AppFw Field Format learned data differs from the exported learned data. When learned data configured by aslearn is deployed and the number of field types reaches the limit supported by aslearn, the get learned data operation cannot display all of the learned data.[From Build 56.19][# 695412]
- NetScaler Application Firewall blocks POST requests with more than 8250 bytes per signature. Uploading files larger than 8000 bytes fails when the request content-type is configured as 'application/octet-stream' and signatures are bound to the application firewall profile. This is because the NetScaler appliance advertises "TCP window full" to the client after the client sends the first 8000 bytes.[From Build 56.19][# 695555]
- Application firewall truncates html error page response, if the configured html error page is more than 8 KB in size.[From Build 57.13][# 695591]
- The error message “Cannot deploy CSS relaxation with empty value” appears when you attempt to deploy CSS learned rules with value type as "$" on a NetScaler application firewall appliance.[From Build 56.19][# 695903]
- The refine search option in the NetScaler application firewall web GUI for AppFW Field Format Learned Rules does not work properly.[From Build 56.19][# 697143]
- After an upgrade, the NetScaler appliance enabled with the application firewall feature crashes and dumps core memory.[From Build 57.13][# 699564, 703832, 700422, 706353]
Cache
- A NetScaler VPX instance becomes unresponsive if a range request is greater than the cached response size. This issue happens if you enable the media classification mode on a NetScaler appliance. While parsing the Range header and creating the range records table, the value of the object size parameter is set incorrectly. When a range request is then received, the incorrect size value of the stored response causes the failure.[From Build 51.21][# 657823, 659374, 661940, 662460, 667599]
Cache Redirection
- Counters for classic cache redirection policies are not incremented for HTTPS traffic.[From Build 56.19][# 657190]
Clustering
- For some commands, such as "add cs policy" and "add server," the ID generated on a non-CCO node already exists for another command of same type on the cluster configuration coordinator (CCO). Therefore, command execution on the non-CCO node fails.[From Build 55.13][# 614718, 615459]
- If a load balancing server is trying to synchronize its states, occasionally one or more cluster nodes might get stuck in a Service state. As a result, the other nodes in the cluster might be unavailable, which leads to an improper cluster formation.[From Build 50.10][# 651828]
- The NetScaler appliance might fail to reestablish a connection if both of the following conditions are met:
  - The policy engine (PE) receiving the traffic is in the DOWN state.
  - The NetScaler buffer (NSB) is kept on hold by a recovery mechanism.[From Build 56.19][# 685979, 687732]
Content Switching
- The NetScaler appliance might fail if you change the target of a content switching policy action from virtual server based to expression based.[From Build 50.10][# 657325, 653722, 659696, 661214]
- In some cases, the NetScaler appliance might fail after a set command is run on a content switching virtual server.[From Build 56.19][# 687467, 688523, 688071, 692366, 693777]
DNS
- A NetScaler appliance configured for DNSSEC offloading might fail because of a race condition that can occur when the appliance receives a DNS query for a type A record for a domain that also has a CNAME record, and the canonical name identifies a domain that is in the zone offloaded for DNSSEC processing.[From Build 54.16][# 599741]
- A NetScaler appliance configured as a DNS end resolver sometimes fails to respond to DNS queries. When the appliance is configured as an end resolver, it generates iterative DNS queries to name servers on behalf of the client and returns the final responses. If a DNS zone has multiple NS records, the appliance queries the first name server in the NS records. If this resolution fails, the appliance does not retry with the other name servers in the NS records, and it does not send any response to the client.[From Build 49.16][# 645836]
- A clear config operation in a Cluster deployment does not set non-CCO nodes to the default value for the "max pipeline" parameter.[From Build 48.10][# 648087]
- If the DNS server from which the cached DNS records are being served goes DOWN, the proactive DNS update queries are redirected to the back-end server.[From Build 52.13][# 660562]
- The set lb vserver command allows you to assign the same IP address to the DNS name server and the DNS virtual server. With this fix, neither the set lb vserver nor the add dns nameServer command, nor the NetScaler GUI, allows you to assign the same address to both virtual servers.[From Build 53.13][# 665651]
- When the NetScaler appliance receives a DNS TCP packet that has dnspayloadlen as zero, the appliance might dump core memory.[From Build 52.13][# 666803]
- In a cluster setup, the default DNS policy is not made available to packet engines. With this fix, the default DNS policy is loaded into the packet engine.[From Build 54.16][# 669829]
- If the load balancing feature is disabled and DNS name servers are being used, DNS resolution uses the most recently configured name server. If that name server is disabled, one of the name servers that is UP is used for DNS resolution.[From Build 52.13][# 670588]
- When a NetScaler appliance on which DNSSEC is configured is an authoritative DNS server for two domain zones, the appliance might send the same RRSIG responses to both zones instead of responding to only the appropriate zone.[From Build 52.13][# 671880]
- If a NetScaler appliance receives a CNAME chain that includes some entries that are currently cached, the appliance returns a valid address record instead of reporting that the bailiwick check failed.[From Build 54.16][# 675553]
- When a NetScaler appliance in resolver mode receives a DNS response from a name server and forwards it to an alternative name server, the NetScaler appliance goes DOWN.[From Build 54.16][# 682730, 683138, 680141]
- When a NetScaler appliance in resolver mode receives a DNS response from a name server and forwards it to an alternative name server, the NetScaler appliance goes DOWN.[From Build 55.13][# 682730, 683138, 680141]
- When a NetScaler appliance receives a DNS query, the NetScaler appliance does not forward the query to the back-end server. Instead, the appliance responds with a SERVFAIL error.[From Build 56.19][# 693315]
DataStream
- The DataStream feature does not work if you use a MySQL database at the back end.[From Build 51.21][# 629504]
- The NetScaler appliance might fail and dump core memory if a load balancing virtual server of type ORACLE is configured with SOURCEIP persistence.[From Build 57.13][# 700294]
Front End Optimization
- The NetScaler appliance dumps core when the front end optimization (FEO) feature is enabled for one virtual server and an AppFlow action with client-side measurement is enabled for another virtual server.[From Build 55.13][# 686146]
GSLB
- A NetScaler appliance does not allow creation of a GSLB service entity if the entity's IP address and port number match those of an existing load balancing virtual server or service entity but the service type does not match.[From Build 54.16][# 578930]
- In a GSLB setup, if you have configured static proximity as the primary load balancing method and RTT as the backup load balancing method, the NetScaler appliance might intermittently send an empty response to a DNS query requesting the GSLB domain.[From Build 50.10][# 616321]
- The NetScaler GUI displays an error message when you autosync for a non-default partition.[From Build 53.13][# 648396]
- In a GSLB high availability setup, if a node stays in secondary state for more than 249 days, the service state might not be updated on this node after it becomes the primary node.[From Build 51.21][# 658093]
- When a remote GSLB service is configured with an external monitor on a GSLB site node, the state of this service might become inconsistent across packet engines, because of core-to-core message failures. In that case, the NetScaler appliance might generate incorrect replies to GSLB domain queries.[From Build 56.19][# 658108, 679822, 692324, 692737, 695765]
- The MEP connection for site metrics goes DOWN if the dynamic RTT and GSLB server persistence features are unused for more than 249 days. In some cases, however, the MEP connection for site metrics remains UP, but the MEP connection for network metrics goes DOWN.[From Build 51.21][# 658890]
- The GEO rule for wildcard qualifiers matched any other qualifier. With this fix, the matchWildcardtoany option in the set locationParameter command is set to NO and hence the wildcard qualifiers do not match any other qualifier, by default.[From Build 53.13][# 665771]
- A NetScaler appliance might go DOWN while unbinding a GSLB domain from a GSLB virtual server. This issue occurs rarely, but can occur if GSLB site persistence is configured.[From Build 53.13][# 666105]
- In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.[From Build 54.16][# 682766, 683601, 685391]
- In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.[From Build 53.13][# 682766, 683601, 685391]
- GSLB auto synchronization might fail if the GSLB virtual server's status appears different on the sites participating in GSLB.[From Build 56.19][# 692943]
- If a large number of GSLB services are configured, a NetScaler appliance might fail to send MEP updates for some of the services if the TCP window is not available. The unavailability of TCP window can result in inconsistencies in the states of the GSLB services between GSLB sites.[From Build 57.13][# 700614, 693765, 701735, 702307]
Integrated Cache
- If you change the Integrated Cache configuration, all policies bound to the content group have to be updated, and the Integrated Cache did not have enough memory allocated for all the policy updates. This issue is resolved by increasing the cache memory from 4 KB to 80 KB.[From Build 54.16][# 675025, 675504]
- The NetScaler Integrated Cache might delay processing of client requests if you enable the flash cache.[From Build 54.16][# 681664]
Integrated Caching
- A NetScaler appliance fails if a Page Tracking session is enabled on the appliance by Appflow or AppQoE modules for partial content responses. This happens only for partial content responses served from Integrated Cache.[From Build 51.21][# 656556]
- A NetScaler appliance fails if a Page Tracking session is enabled on the appliance by Appflow or AppQoE modules for partial content responses. This happens only for partial content responses served from Integrated Cache.[From Build 52.13][# 656556]
- If the back-end server responds to a request with a 301 (Moved Permanently) status code, the cache stores the response and then tries to serve a range request from it. This causes the NetScaler appliance to crash.[From Build 53.13][# 673506, 684404]
- If the response from the Integrated Caching (IC) module has trailing spaces in the content-length header, the HTTP/2 connection times out.[From Build 57.13][# 688274]
- A NetScaler appliance might crash when stored static objects cause the buffer to overflow and overwrite the pointer to the adjacent buffer.[From Build 57.13][# 696001, 697526, 696597, 697716, 697718, 697268, 697535, 698707, 700083, 700414]
Load Balancing
- The NetScaler appliance resets a client-side TCP connection if a virtual server with spillover (SO) persistence enabled is bound to the load balancing group. With this fix, the client-side TCP connection is not reset.[From Build 56.19][# 589363]
- If the same IP address is assigned to both a GSLB service and a load balancing virtual server, the NetScaler appliance dumps core and restarts, because the internal service weight is set to zero.[From Build 50.10][# 628937]
- A secure HTTP-ECV monitor might time out if the back-end server sends a large certificate.[From Build 48.10][# 638148]
- In a high availability (HA) setup, after a forced HA synchronization, the configuration is first cleared and then reapplied on the secondary node. As part of the synchronization operation, the service state changes are logged in the ns.log file. Repeated forced synchronizations can flood the ns.log file. However, the service state messages are applicable only to the primary node and not relevant to the secondary node. Therefore, these messages are not logged in the ns.log file on the secondary node.[From Build 50.10][# 645197]
- In the SAML response, the RelayState field is truncated. When the appliance acts as a SAML IdP (samlidp), it URL-decodes the entire content before parsing for individual elements. The customer's service provider sends an encoded RelayState, so when the assertion is posted back to the service provider, the RelayState is truncated, resulting in an SP failure.[From Build 48.10][# 648337]
- The NetScaler appliance fails to send an assertion back to the service provider when the SAML request comes without an ID field. When acting as a SAML IdP (samlidp), the appliance remembers the ID field from the authnReq so that it can be sent back in the assertion. If the service provider does not send an ID, the appliance fails because of a logic error. The logic was revised so that if no ID is received, none is sent back.[From Build 48.10][# 648489]
- In a cluster setup, the configuration of a service might be lost if you restart the appliance after you have configured a request timeout action (-reqTimeoutAction) in an HTTP profile and attached the profile to the service.[From Build 52.13][# 649994, 649940]
- The NetScaler appliance dumps core and restarts if an autoscale service group is configured with SSL as the service type.[From Build 52.13][# 656734]
- If a GSLB service goes DOWN and then returns to the UP state, the configured hash-based load balancing methods might produce incorrect load balancing decisions, because the cache maintained for hash-based load balancing algorithms is not cleared when the GSLB service state is updated through MEP.[From Build 51.21][# 658463, 658940]
- The NetScaler appliance might become unresponsive because of an internal issue related to CRC check if custom monitors are configured for a load balancing configuration of type TFTP.[From Build 52.13][# 658860]
- Redirection does not work properly if you initially configure an HTTPS redirect URL without a slash at the end, then change the URL by adding a slash, and then remove the slash.[From Build 52.13][# 662640]
- The NetScaler appliance dumps core and restarts if all of the following conditions are met:
  - You are using Citrix Receiver or a web browser to access the NetScaler Gateway appliance.
  - An optimal XenApp/XenDesktop is launched by using determine_services in the policy expression.
  - Static proximity is used to create a preferred list of Desktop Delivery Controllers and this information is forwarded to the StoreFront.
  - Your connection is terminated or disconnected while the determine_services policy is being evaluated.
  [From Build 52.13][# 668766, 672752]
- The NetScaler appliance dumps core and restarts if all of the following conditions are met:
  - You are using Citrix Receiver or a web browser to access the NetScaler Gateway appliance.
  - An optimal XenApp/XenDesktop is launched by using determine_services in the policy expression.
  - Static proximity is used to create a preferred list of Desktop Delivery Controllers and this information is forwarded to the StoreFront.
  - Your connection is terminated or disconnected while the determine_services policy is being evaluated.
  [From Build 51.21][# 668766, 672752]
- An error message appears when the Test Connectivity button is clicked for FQDN based LDAP/RADIUS servers.[From Build 53.13][# 671494]
- Admin partition packets originating from FreeBSD and destined to a virtual server's VIP address are not forwarded to FreeBSD in the return path.[From Build 53.13][# 671789, 621010]
- The NetScaler appliance crashes, because an issue in the internal timer logic in stream analytics causes the system to spend more time than expected for ageing tasks.[From Build 54.16][# 672899]
- In a high availability (HA) setup, if domain-based services are configured and the secondary node does not receive any Service State Sync (SSS) update for the services for more than 247 days, a packet engine might crash when this node becomes the primary node.[From Build 55.13][# 673446, 684550, 688305]
- In a high availability (HA) setup, if domain-based services are configured and the secondary node does not receive any Service State Sync (SSS) update for the services for more than 247 days, a packet engine might crash when this node becomes the primary node.[From Build 56.19][# 673446, 684550, 688305, 695688]
- In high traffic, during high availability synchronization, the NetScaler packet processing engine might crash on the secondary node in some cases.[From Build 57.13][# 677199, 678552, 683958, 692394, 696407, 701832]
- A spillover trap might be sent even though a backup virtual server is not configured. With this fix, a spillover trap is sent only if one of the following conditions applies:
  - A spillover method or policy is configured.
  - No spillover method or policy is configured, but a backup virtual server is configured to accept the traffic when the primary virtual server is DOWN.
  [From Build 54.16][# 679991]
- In AAA-TM, a cached Kerberos ticket expires before the back-end server receives it. This happens when a NetScaler appliance is used for Kerberos SSO to back-end servers, usually around the time the ticket expires, which is typically 10 hours.[From Build 55.13][# 681026]
- When you rename an HTTPS virtual server that is associated with an internal HTTP virtual server, the internal virtual server's name is not changed correctly.[From Build 54.16][# 681559, 674427]
- The maximum string size of Target Vserver Expression is 1500. If the configuration includes an expression greater than 1500, the NetScaler appliance crashes. With this fix, the maximum string size of Target Vserver Expression is limited to 1499.[From Build 55.13][# 684131]
- In a high availability (HA) setup, an unusually large spike in the number of persistent connections might result in underperformance of the Secure Socket Funneling (SSF) channel between the primary node and the secondary node. The underperformance can eventually lead to session buildup on the primary node and cause persistence to fail.[From Build 56.19][# 685179, 684834, 694238]
- Resetting a server connection resets the connections to all services configured with the same IP address and port number. As a result, connections to the service group members are also reset. With this fix, deleting a service that has the same IP address and port number as that of other service group members does not affect the service group connections.[From Build 56.19][# 685707]
- If an add lb monitor command specifies an httprequest argument value of more than 77 characters, a subsequent show command shows an incorrect httprequest value for the HTTP requests that the monitor sends to the CLIP address. The NetScaler appliance's ns.conf file also contains the incorrect httprequest value for the monitor. Also, the other nodes (non-CCO) in the cluster are updated with the incorrect httprequest value by the configsync process.[From Build 55.13][# 685856, 687784]
- The NetScaler appliance might crash if deletion of a service item and display of the service item are executed in parallel.[From Build 56.19][# 691507]
- A packet engine crashes because of an invalid memory reference when memory allocation for Call ID persistence session fails. With this fix, the packet engine checks for memory allocation failure before accessing the persistence session.[From Build 56.19][# 694655]
- The NetScaler appliance crashes if a delinked TCP connection is logged incorrectly.[From Build 57.13][# 695326]
Log Streaming
- If you enable AppFlow feature and ULFD mode on a NetScaler appliance, memory usage on the NetScaler appliance might increase.[From Build 52.13][# 663260]
NITRO
- For external users that require a challenge and response, authentication through NITRO does not work.[From Build 55.13][# 558715]
- The .NET SDK GET call fails with the following exception if it is made with a parameter that accepts boolean values:
  Invalid argument value [<attribute>].
  Example: When the "internal" attribute of service_args is set to "true", a get on service_args yields the following exception:
  Invalid argument value [internal]
  [From Build 55.13][# 595938]
NetScaler 1000V
- AppFlow for ICA, Integrated Disk Caching, Delta Compression features should not be listed under "System->Licenses" section in the NetScaler Configuration Utility.[From Build 50.10][# 501888]
NetScaler 1000V Appliance
- TCP services that go through tagged VLAN interfaces might go down.[From Build 55.13][# 683196]
- TCP services that go through tagged VLAN interfaces might go down.[From Build 54.16][# 683196]
NetScaler GUI
- When a partition admin tries to perform the Download, Create, or Create Directory operation on the "Manage Certificate" screen, an "operation not permitted" error appears. The expected behavior is that the buttons must be disabled.[From Build 51.21][# 491353]
- The NetScaler GUI displays exponent 3 and key size 1024 when you try to create a FIPS key, but these options are not supported. Also, you cannot create a key of size 3072 from the GUI.[From Build 49.16][# 639154, 654952]
- If the name of a load balancing virtual server contains a space, the virtual server is not listed by the reporting tool. (Reporting > Counters > System entities statistics > Entities)[From Build 51.21][# 642269]
- If you use "clear ns configuration" command to clear the NetScaler configuration and reset it to factory default, the command policies are restored to the default values.[From Build 51.21][# 643546, 200969]
- The field value for X-Forwarded-For HTTP header is not displayed as client IP in NetScaler Security Insight violation logs.[From Build 49.16][# 645284, 636390]
- You cannot bind a cipher or cipher group to an SSL entity by using the NetScaler GUI. Therefore, after you upgrade or restart the appliance, you must bind the cipher suite to the custom cipher group again.[From Build 52.13][# 648293, 638254]
- If you have configured static proximity as the load balancing method on a load balancing virtual server, you cannot set a backup method by using the GUI.[From Build 48.10][# 648408]
- On a NetScaler SDX appliance, the selected order of external authentication servers for cascading authentication might change in the NetScaler GUI if you randomly switch views. This is a display issue.[From Build 48.10][# 649190]
- When creating a cluster node group, you no longer have to specify a node state. The "Add Node Group" page in the NetScaler GUI displays "state" as optional, not as a required field. Page Navigation: Configuration > System > Cluster > NodeGroup > Add Node Group[From Build 48.10][# 650357]
- In NetScaler Gateway > Policies > RDP, you can now enable and disable the RDP feature. A regression caused this option to break.[From Build 48.10][# 651030]
- In NetScaler Gateway > Policies > RDP, you can now enable and disable the RDP feature. A regression caused this option to break.[From Build 49.16][# 651030]
- In Security > AAA > Virtual Servers, you can now bind an SSL profile to a virtual server.[From Build 48.10][# 651031]
- You cannot unbind a transform policy from a virtual server by using the GUI.[From Build 52.13][# 652579]
- You cannot unbind a transform policy from a virtual server by using the GUI.[From Build 51.21][# 652579]
- If you try to bind a default load balancing virtual server to a content switching virtual server in an admin partition, the following error message appears: Operation not permitted.[From Build 50.10][# 653058]
- SSL GSLB services are configured on port 443. However, if you try to edit the service by using the NetScaler GUI, port 80 appears instead of 443. This was a display issue and is fixed.[From Build 49.16][# 654239]
- When using the XenApp and XenDesktop wizard, the Retrieve Stores functionality intermittently fails on the first click.[From Build 56.19][# 655159]
- If the features "Force password change for nsroot user when default nsroot password is being used" and "strong password" are enabled, any password is accepted when you change the nsroot password.[From Build 51.21][# 656825]
- If you configure an external authentication server, such as RADIUS, by using the NetScaler GUI, the option to bind a classic authentication policy to a system global entity fails.[From Build 56.19][# 674643]
- A NetScaler appliance might crash or become unresponsive if you restart the appliance when it is under memory stress.[From Build 56.19][# 684653]
- In a cluster setup, the content switching policies bound to a load balancing virtual server do not appear when you select “Show CS/CR Bindings” for that virtual server in the NetScaler GUI.[From Build 56.19][# 689517]
- You can now edit GUI parameters for a custom session policy in a cluster setup.[From Build 55.13][# 689519]
- If from the NetScaler GUI, you create a new session policy from an existing session policy, the attempt fails.[From Build 55.13][# 689520]
- The NetScaler appliance GUI does not display the StoreFront section details in the XA/XD wizard.[From Build 56.19][# 695630]
NetScaler Gateway
- Expired AD (Active Directory) accounts produce "Incorrect Credentials" error messages, which is inaccurate and leads users to keep retrying their username and password even though they will not work. The message should be similar to: "Your user account has expired".[From Build 56.19][# 563034]
- The NetScaler appliance fails when the corrupted NSB structure member is de-referenced.[From Build 54.16][# 594963, 604548, 647540, 650845, 665351, 675623]
- When encryption is enabled for client security expressions (in the VPN session action parameter), the device might fail occasionally.[From Build 55.13][# 607555, 616311]
- When encryption is enabled for client security expressions (in the VPN session action parameter), the device might fail occasionally.[From Build 54.16][# 607555, 616311]
- For SmartControl to work, the Gateway login is required on the NetScaler appliance enforcing SmartControl. Storefront's session timeout causes automatic disconnections of ICA sessions launched through NetScaler Gateway if the ICA Smart Control policy is bound to the VPN virtual server. This requirement is now relaxed.[From Build 49.16][# 640466, 640223, 642970]
- If DNS Truncate configuration is used, all the DNS suffixes are pushed from the NetScaler appliance, but not all of the DNS suffixes are used by the AGEE Client.[From Build 48.10][# 641458, 543403]
- Single sign-on (SSO) users connected to a VPN virtual server configured for SAML authentication cannot log off if Shibboleth is the SAML identity provider (IDP). Instead of the logoff page, an HTTP error message appears. This failure occurs with the following configuration:
  * VPN virtual server is configured for SAML authentication.
  * Shibboleth is the SAML identity provider (IDP).
  [From Build 48.10][# 642554, 576014]
- Under the following set of conditions, the wrong error message appears:
  - A VPN traffic action is configured with SSO OFF.
  - A samlSSOProfile is configured.
  - The user tries to set this samlSSOProfile to the VPN traffic action.
  [From Build 57.13][# 643029]
- If Certificate Authentication with Two Factor ON is chosen, and username extraction from Certificate has been configured, the username field is editable with old Portal Themes (Default, Greenbubble, X1).[From Build 49.16][# 643125, 641162, 646600]
- The console constantly shows IPv4 SOCKS errors.[From Build 49.16][# 643302, 639579, 639782]
- A control channel between a NetScaler Gateway Plug-in and a NetScaler appliance is terminated if multicast IP packets are tunneled over the control channel.[From Build 49.16][# 643558, 649729]
- If the LDAP bind account password used on NetScaler contains a pair of dollar signs ("$$"), the authentication for the bind account fails, and the dashboard shows that the LDAP server is down.[From Build 48.10][# 644689]
- Functionality issues were present if the following do not have a trailing slash:
  - The VPN URLs are of the Selfauth/Samlauth type
  - The relay state is evaluated from the SAMLSSO Profile
  - The relay state is sent from the IDP to the SAML SP case
  [From Build 48.10][# 645585]
- POST EPA scans fail on Windows 8 and 8.1 machines. This problem no longer occurs, because OPSWAT revised the OESIS 3 library.[From Build 49.16][# 646292]
- SAML authentication fails if the NetScaler appliance is configured as a service provider and redirect binding is used as the means of trust. The error message "Parsing of presented Assertion failed..." appears.[From Build 54.16][# 646893]
- If SSO is enabled on an AAA-TM or Gateway configuration, the NetScaler appliance might fail.[From Build 49.16][# 647016]
- If the NetScaler Gateway appliance is configured for End Point Analysis (EPA) and the user has bookmarked the advanced login page (/logon/LogonPoint/tmindex.html), attempts to log on fail.[From Build 48.10][# 647678]
- On the LDAP side, if the administrator sets the option to change the user password at the next logon, the X1 Theme is applied to the Password Change page. If the user clicks Submit without entering the password, the "You need to enter the password" prompt is shown in English, even on systems localized for a different language.[From Build 51.21][# 647784]
- For Windows 7 in English, Espanol, or Francaise, the NetScaler Gateway plug-in truncates the Add button on the Connection tab if the browser is Internet Explorer 8.[From Build 48.10][# 647789]
- User access to servers might be erratic, and users might lose information if step-up authentication is configured to begin or end with a SAML action.[From Build 48.10][# 648306]
- If RfWebUI or a VPN portal theme with RfWebUI as the base theme is bound at the VPN Global level, users cannot connect to VPN virtual servers that are configured with a non-RfWebUI theme.[From Build 48.10][# 648950]
- If a client machine with the following configuration is on the Internet when it enters the logged-off state, its network access remains blocked if it is moved to an intranet:
  * A location-based VPN is set to REMOTE.
  * Network access upon VPN failure is set to onlyToGateway.
  [From Build 48.10][# 649057]
- The NetScaler appliance fails when it attempts to send traffic to an SSL back end through a forward proxy in cvpn/securebrowse mode.[From Build 50.10][# 649290]
- Users cannot access the RfWebUI homepage if wiHome in the session action points to a load balancing virtual server.[From Build 48.10][# 649395]
- Build 47.14 of the Enterprise Edition does not support the RDP Proxy feature. (This issue does not apply to the Platinum Edition).[From Build 48.10][# 649848]
- After an upgrade to NetScaler release 11.0 build 66.11nc, Microsoft Surface PRO 4 Laptops users connected to a WI-FI network have issues when connecting to NetScaler Gateway.[From Build 50.10][# 650226]
- Kerberos authentication can fail, and the connection might be dropped, if consumption of AAA session memory is very high. In a high availability setup, a failover might occur.[From Build 48.10][# 650492]
- Mac OSX users are unable to sign on to the OSX Receiver client and are denied access to their apps and desktops.[From Build 51.21][# 651273, 652955, 666081]
- Mac OSX users are unable to sign on to the OSX Receiver client and are denied access to their apps and desktops.[From Build 49.16][# 651273]
- When using Unified Gateway, Citrix Receiver fails to enumerate applications.[From Build 52.13][# 651307]
- NetScaler Gateway is not able to generate URLs for SharePoint 2013 in CVPN format. As a result, SharePoint is inaccessible.[From Build 51.21][# 652330]
- In rare cases, the NetScaler appliance might incorrectly detect the SSO status and stop processing traffic.[From Build 52.13][# 652696, 656760, 665571, 665669]
- The RADIUS accounting feature does not send an accounting-session-id parameter, which is required (RFC 2866).[From Build 51.21][# 653363]
- If the NetScaler appliance is used as a SAML Service Provider to support the IBM Tivoli Identity Provider, the SAML assertion verification fails. SAML assertion verification failures occur after upgrading to version 11.0.[From Build 50.10][# 653763]
- The NetScaler appliance fails because of a NetScaler packet processing engine (PPE) error.[From Build 49.16][# 653884, 654602]
- The NetScaler appliance fails whenever a Content Switching VIP is accessed with IP 154.2.78.13.[From Build 49.16][# 653934]
- Kerberos Authentication fails when Kerberos Traffic is sent through UDP.[From Build 52.13][# 654089]
- Kerberos Authentication fails when Kerberos Traffic is sent through UDP.[From Build 51.21][# 654089]
- A safety check was created for incomplete/invalid homepage URLs. The safety check redirects the user to the correct homepage based on the Portal theme. The URL redirects to the correct homepage only when a valid homepage request is received; otherwise, the server sends back a 404 error message.[From Build 49.16][# 654168]
- If only nFactor certificate authentication is configured for NetScaler Gateway, a VPN session is created instead of a traffic management (TM) session for access to a load balancing virtual server.[From Build 49.16][# 654466]
- If you connect to NetScaler Gateway by using full tunnel VPN and attempt to access an internal URL that has Kerberos authentication enabled, the authentication fails. You are directed to the authentication screen and prompted for username and password.[From Build 49.16][# 654697]
- If a NetScaler Gateway appliance with a split-tunnel configuration is used only as a DNS Server, all traffic sent to the appliance is sent through the VPN tunnel. Therefore, some local resources are inaccessible.[From Build 52.13][# 654827]
- When used for debugging, Internet Explorer issues 404 errors related to fonts because the NetScaler 11.1 landing page uses the Times New Roman font instead of Citrix Sans in the area where user name and password are displayed.[From Build 50.10][# 654951]
- Microsoft Office 2016 documents trigger authentication prompts when using SSO Sharepoint with the NetScaler Gateway appliance.[From Build 50.10][# 655354]
- The Citrix virtual adapter is not enabled on a Windows 7 64-bit machine, and its driver is shown as unsigned in the device manager. Note: If a Windows 7 64-bit user is logged out immediately after logging in, install security patch KB3033929 on that user's Windows machine.[From Build 49.16][# 655557]
- The Citrix virtual adapter is not enabled on a Windows 7 64-bit machine, and its driver is shown as unsigned in the device manager. Note: If a Windows 7 64-bit user is logged out immediately after logging in, install security patch KB3033929 on that user's Windows machine.[From Build 50.10][# 655557]
- Global Server Load Balancing (GSLB) HTTP cookie based persistence does not work with NetScaler Gateway SSL VPN clients when the site prefix is a substring of a GSLB domain.[From Build 50.10][# 656026]
- If a NetScaler appliance is used to load balance SharePoint servers with AAA-TM, then an upgrade to the office 2016 suite on the client device causes failures during inline editing of the documents.[From Build 50.10][# 656067, 658202]
- A NetScaler appliance might periodically restart after an upgrade if the deployment uses STA servers and, during the upgrade, the administrator's browser is closed while the appliance is communicating with a STA server.[From Build 51.21][# 656236, 658333, 661742, 661981, 662842, 663944, 665773]
- A NetScaler appliance might periodically restart after an upgrade if the deployment uses STA servers and, during the upgrade, the administrator's browser is closed while the appliance is communicating with a STA server.[From Build 50.10][# 656236, 658333, 661742, 661981, 663944]
- If the AAA subsystem is configured for NTLM authentication, and the backend server is used for NTLM authentication, the server sends a content-length response that spans multiple TCP packets in a Type2 message. The NetScaler appliance then fails to complete NTLM authentication.[From Build 51.21][# 656917]
- The NetScaler appliance becomes unresponsive while processing heavy UDP traffic.[From Build 51.21][# 656920, 661104]
- If jumbo frames are enabled on loopback, processing of data sent by AAAd in the packetEngine can cause massive memory corruption. This happens because the TCP data in the jumbo frame exceeds the application maximum segment size (MSS).[From Build 51.21][# 656994, 662324, 664318, 664591, 664837, 665693, 665865, 668202]
- Processing IPv6 packets on a MUX channel while the feature is disabled leads to a device failure.[From Build 50.10][# 657710]
- If negotiate authentication is the first authentication factor, non-pass-through authentication in the next factor is not supported.[From Build 51.21][# 657741]
- The NetScaler appliance fails if it tries to clean up the control channel between the NetScaler Gateway plugin and the NetScaler appliance at a time when memory usage is high.[From Build 50.10][# 658229]
- The NetScaler Gateway appliance fails when a user attempts to log on, if the logon page uses the RfWebUI theme and the appliance has insufficient CCU Licenses.[From Build 51.21][# 659085]
- A memory leak gradually diminishes the amount of memory available for SSL VPNs. The NetScaler appliance eventually fails unless it is rebooted before memory utilization reaches too high a percentage.[From Build 55.13][# 660223, 677197, 551669, 544066, 684981]
- If an iPhone client uses Safari to access Netscaler Gateway, the NetScaler or NetScaler Gateway appliance might dump core memory.[From Build 51.21][# 660344, 663343]
- The primary NetScaler appliance in a high availability (HA) pair might reboot under the following conditions:
  - The MTU of one of the HA interfaces of the primary appliance is modified.
  - ICA sessions are active, and session reliability for the HA feature is enabled.
  [From Build 52.13][# 660888]
- A GSLB virtual server using the least connections method always resolves to the same site IP address.[From Build 51.21][# 661206]
- If AD/LDAP authentication actions are configured to communicate over an SSL channel, the Gateway portal shows blank pages under heavy logon load.[From Build 51.21][# 661235, 661917]
- If AD/LDAP authentication actions are configured to communicate over an SSL channel, the Gateway portal shows blank pages under heavy logon load.[From Build 50.10][# 661235, 661917]
- If Client Certificate authentication and Pre-Auth End Point Analysis are both configured, redundant End Point Analysis occurs before the logon page is displayed. This behavior is due to the EPA Session Reset with Cert Two Factor Authentication set to On.[From Build 51.21][# 661601]
- In certain cases, when an SSL proxy is configured for Clientless VPN access mode, the NetScaler Gateway appliance dumps core memory because of partial cleanup of connections.[From Build 52.13][# 662668, 671999]
- If a VPN virtual server to which a custom RfWebUI portal theme is bound is accessed from a browser that has the language set to German, French, Spanish or Japanese, the log on page does not load.[From Build 51.21][# 662773]
- The TURN service does not start if there are two or more VPN servers with the same IP address but different port numbers.[From Build 51.21][# 662931, 655808]
- In certain cases, the NetScaler Gateway appliance dumps core memory when a client making a logout request reads a NULL value from AAA session information.[From Build 52.13][# 663145]
- The NetScaler appliance occasionally dumps core memory during system initialization, because of a VPN module error.[From Build 51.21][# 663377]
- The NetScaler Gateway appliance sends duplicate RADIUS access-requests to the RADIUS authentication service for each logon to the appliance.[From Build 52.13][# 664305]
- The "Connection Proxy" persistence does not work when accessing the NetScaler Gateway GSLB service if the GSLB services are configured with a publicIP different from the service IP.[From Build 51.21][# 665452, 672355, 673913]
- In some AAA logout sessions, the appliance dumps core memory.[From Build 52.13][# 666046]
- In some AAA logout sessions, the appliance dumps core memory.[From Build 51.21][# 666046]
- In certain cases, the NetScaler Gateway appliance dumps core when client sends only one STA ticket whereas the appliance expects two STA tickets.[From Build 52.13][# 666052]
- Access to StoreFront takes longer or, in rare scenarios, StoreFront becomes inaccessible if the "wihome" parameter in the VPN session profile is set to a load balancing virtual server configured on the same NetScaler appliance.[From Build 53.13][# 667188, 676111, 680660]
- Not all intranet applications are loaded onto the client machine when a large number of intranet applications and CSEC encryption are configured.[From Build 51.21][# 667968]
- If Gateway is configured with client certificate authentication and the client fails to submit a certificate, a blank screen is displayed instead of an error page.[From Build 54.16][# 668337]
- If you configure the Windows Gateway plug-in with split tunnel set to Reverse, traffic is not processed after a client's computer wakes up from sleep.[From Build 54.16][# 668768]
- In rare cases, a NetScaler appliance dumps core if the server-side connection closes while NTLM Authentication is in progress.[From Build 56.19][# 670062, 657633, 684467, 686139, 672074, 681078, 690645]
- In rare scenarios, the NetScaler appliance dumps core if the server-side connection is closed while NTLM authentication is in progress.[From Build 54.16][# 670062, 657633, 684467, 681078, 686139, 672074]
- The NetScaler Gateway appliance dumps core memory whenever it tries to access the Access Gateway virtual server during the authentication process for a device running Mac OS.[From Build 52.13][# 670324]
- A memory leak in the SSLVPN pool occurs when the connection to the AAAD daemon is closed during authentication.[From Build 55.13][# 670586, 683809, 671944]
- A memory leak in the SSLVPN pool occurs when the connection to the AAAD daemon is closed during authentication.[From Build 54.16][# 670586, 683809, 671944]
- Multi-Stream ICA Functionality Support for EDT: NetScaler Gateway now supports multi-stream ICA functionality while using HDX Enlightened Data Transport (EDT) as a data transmission path.[From Build 52.13][# 671878]
- If you configure TACACS authentication in “password*OTP” format, and a user types an invalid credential, the following incorrect error message appears: "Error in retrieving Versions. Cannot read property ‘replace’ of undefined." You can ignore the message.[From Build 55.13][# 672001]
- When the WebAuth authentication mechanism is used to validate user credentials, if the user connection that initiated the logon is terminated after the NetScaler appliance receives the response from the external server but before it validates the success rule, the appliance occasionally fails. For this issue to occur, all of the following conditions must be met in the specified sequence:
  1. WebAuth is used as the authentication mechanism.
  2. The NetScaler appliance contacts the external server using WebAuth for logon.
  3. The external server responds with valid data.
  4. The WebAuth success rule is configured such that the NetScaler appliance waits for further data from the server. Hence, it 'blocks' execution.
  5. In the meantime, the client connection times out, or the user closes the browser tab.
  6. The complete data from the server arrives. By then, the client connection is already closed.[From Build 53.13][# 672098]
- Intermittently, an active FTP file download fails over the VPN tunnel. This happens when the VPN plug-in receives VPN protocol-specific data along with FTP data.[From Build 52.13][# 672141]
- A NetScaler Gateway appliance becomes unresponsive if the following conditions are met:
  - The appliance is configured with a content switching (CS) virtual server that acts as the front-end server for a VPN virtual server.
  - The CS virtual server is deleted after the VPN virtual server is renamed.[From Build 55.13][# 673293, 681420, 684770]
- If you log on to NetScaler Gateway by using the plug-in for Windows, the challenge-response text from the back end that prompts you for specific inputs during logon is not displayed if the text exceeds 100 characters.[From Build 53.13][# 673653]
- In rare scenarios, if X1 is used as the Gateway portal theme, the NetScaler appliance fails to process the "setclient" requests.[From Build 54.16][# 673900, 674020, 682547]
- If an extracted AD attribute is non-text and contains 0x00 or other delimiters as a value, LDAP attribute extraction fails.[From Build 53.13][# 674132, 672353]
- The following command pertaining to the internal monitor for the next hop server fails in an HA failover scenario: "add lb monitor STAMON*". The failure causes the loss of the updated parameter configuration for the internal monitor.[From Build 53.13][# 674411]
- A Gateway configured with nFactor authentication does not respond if pre-authentication EPA is configured for it and certificate authentication is attempted after EPA.[From Build 53.13][# 674854]
- A large cache file can cause high CPU-usage levels on a NetScaler appliance during synchronization of a high availability (HA) setup.[From Build 55.13][# 675524]
- Updating a certificate-key pair used in SAML IDP samlSPCertName creates a duplicate entry and generates a "Cannot allocate memory" error message.[From Build 55.13][# 675983]
- In rare scenarios, if the failover versions are different in SSLVPN, the secondary node reboots because it runs out of memory.[From Build 54.16][# 676448]
- The initial connection to a particular internal resource uses the client IP address when global USIP is enabled. Subsequent new connections do not use the configured global USIP; they use a SNIP to initiate the back-end connection.[From Build 54.16][# 676522, 385457]
- In rare cases, upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), NetScaler Gateway dumps core if SSO and Proxy are configured in Traffic policy.[From Build 55.13][# 676545]
- The session connection fails on a failover of the second-hop HA pair.[From Build 53.13][# 676569]
- In CS-UG deployment, NetScaler dumps core while accessing a self-authentication link.[From Build 54.16][# 676872, 682169]
- NetScaler Gateway dumps core if single sign-on (SSO) is disabled and the connection to the server is removed or a gateway timeout occurs during the TCP handshake with the back-end server.[From Build 54.16][# 678251]
- If you use a client machine running the Windows 10 operating system to log on to the VPN by using the VPN plug-in, in rare scenarios the plug-in fails to establish the VPN tunnel with error code 1012.[From Build 54.16][# 678282]
- The NetScaler appliance dumps core when a user connected, through Unified Gateway, to a VPN virtual server bound to an AppFlow policy does the following:
  1. Changes the content switching (CS) action to connect to another VPN virtual server, which is not bound to an AppFlow policy.
  2. Then removes the first VPN virtual server.
  3. Continues to access resources over the initial VPN session.[From Build 55.13][# 678847]
- Intermittently, a NetScaler Gateway appliance dumps core if a connection is reset during data transfer between a client and a VPN server.[From Build 56.19][# 678885, 674356, 676859, 676857, 684178, 692683]
- The DTLS feature must not be enabled on a virtual server configured with a "listen" policy. Running the "add vpn vserver" command for a virtual server with the DTLS feature enabled and a "listen" policy configured returns success, but the DTLS feature is not enabled on the virtual server.[From Build 55.13][# 679025, 691573]
- The DTLS feature must not be enabled on a virtual server configured with a "listen" policy. Running the "add vpn vserver" command for a virtual server with the DTLS feature enabled and a "listen" policy configured returns success, but the DTLS feature is not enabled on the virtual server.[From Build 56.19][# 679025, 691573]
- While using Clientless VPN to access SharePoint 13 through Gateway, if your documents folder is named "Shared Document", the document link is not rewritten and does not return the desired pages.[From Build 54.16][# 679182]
- In rare scenarios, the NetScaler appliance dumps core while accessing virtual server information when RDP traffic is handled by a separate RDP listener on the appliance and the virtual server information is not present.[From Build 55.13][# 679360]
- Upon failover or after clearing the configuration, SSL connections via proxy fail if the last octet in the IP address assigned to the proxy is greater than 127.[From Build 54.16][# 679412, 672306, 685958]
- In rare situations, the Windows plug-in fails during VPN session logout.[From Build 54.16][# 679570]
- Upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), back-end sites take too long to open.[From Build 54.16][# 679582]
- In rare cases, a NetScaler Gateway appliance in a Unified Gateway (UG) deployment dumps core if the traffic management (TM) virtual server behind the UG is configured for SAML with advanced policies and the content switching (CS) policies are not properly configured to route SAML responses to TM.[From Build 54.16][# 679768]
- The EPA and VPN plug-ins do not launch from the latest Firefox build (52.0 or later), because Firefox no longer supports NPAPI plug-ins.[From Build 54.16][# 679998, 682798]
- Logon for users belonging to multiple groups fails if AppFlow is enabled on the appliance. The logon failure happens when the data from the authentication server exceeds 1460 bytes, the default TCP MSS. This also affects features such as SAML and SAML IDP that rely on the authentication daemon (AAAD).[From Build 53.13][# 680197, 679246, 682187, 677643, 682324, 673992, 681300]
- Intermittently, a NetScaler Gateway appliance becomes unresponsive when multiple STA servers are bound to VPN virtual server (or VPN global) and IPv6 communication protocol is used between client and Gateway virtual server in Gateway deployment with XenApp/XenDesktop.[From Build 55.13][# 680435, 684833]
- The NetScaler appliance dumps core when the client connection is closed during the TCP handshake with the back-end server.[From Build 54.16][# 680845]
- If Gateway is configured for certificate authentication in the primary cascade with LDAP group extraction in the secondary, Gateway disregards errors from AAAD when group extraction is attempted.[From Build 54.16][# 681913]
- Single sign-on (SSO) to SMB fileshare servers fails when a user tries to access the servers from the Fileshare tab on the portal home page. This issue occurs rarely, and only when the single sign-on credential index is set to Secondary.[From Build 55.13][# 682313]
- When a VPN virtual server is configured with RfWebUI as a portal theme, the NetScaler Gateway Windows plug-in does not automatically reconnect after the upgrade.[From Build 57.13][# 682689]
- In rare scenarios, blue screen appears (BSOD) when NetScaler VPN plugin is installed along with Pulse Secure plugin.[From Build 54.16][# 683009]
- A user's session with an Identity Service Provider (IDP) does not get logged out after the user clicks "logout" on the NetScaler Gateway portal screen. This issue occurs if the NetScaler Gateway appliance uses SAML for logon.[From Build 55.13][# 683360, 687229]
- The NetScaler appliance dumps core intermittently if both of the following conditions are met:
  - An FQDN is used in session profile parameters, such as wihome.
  - Failover occurs twice (that is, the original primary node becomes primary again).[From Build 57.13][# 683436, 643082]
- In rare cases, the NetScaler appliance dumps core when a client sends a FIN event without an HTTP body.[From Build 54.16][# 683452]
- In rare cases, a NetScaler Gateway appliance becomes unresponsive after an attempt to access the portal page if the HTTP header of the request is large (possibly with google analytics enabled). A buffer overrun leads to memory corruption.[From Build 55.13][# 683484]
- HTML5 Receiver app launch fails while accessing a NetScaler Gateway bound with RfWebUI theme portal.[From Build 54.16][# 683987]
- In rare scenarios, NetScaler Gateway dumps core if you have an SSL-Proxy configured at NetScaler Gateway and you access the intranet web application through a Clientless Virtual Private Network (CVPN) via Gateway that has proxy-authentication configured at proxy.[From Build 55.13][# 684488]
- In rare scenarios, after the system reboots, the AlwaysON-enabled VPN plug-in fails to connect to Gateway.[From Build 54.16][# 684709]
- In rare scenarios, after the system reboots, the AlwaysON-enabled VPN plug-in fails to connect to Gateway.[From Build 55.13][# 684709]
- When hundreds of users try to log on to NetScaler Gateway at about the same time, the logon page might stop loading, or it might load very slowly, in which case the logon process takes a very long time to complete.[From Build 55.13][# 684774]
- In rare cases, a NetScaler Gateway appliance becomes unresponsive because core-to-core Gateway messages are processed incorrectly under heavy load situations.[From Build 55.13][# 684888]
- If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN) and upload a form that has a post body exceeding 8 KB, NetScaler rewrite policies do not decode the form content beyond 8 KB.[From Build 55.13][# 685215]
- In rare cases, a NetScaler Gateway appliance dumps core when the single-sign-on feature tries to access an authentication resource that has been removed.[From Build 55.13][# 685389]
- A secure load balancing virtual server on a NetScaler appliance processes both secure and insecure cookies.[From Build 55.13][# 685421]
- A secure load balancing virtual server on a NetScaler appliance processes both secure and insecure cookies.[From Build 57.13][# 685421]
- In rare scenarios, the NetScaler appliance dumps core while binding classic session policies to an existing binding entity, when multiple VPN policies are configured on the appliance.[From Build 55.13][# 685463, 670544, 691767]
- In rare cases, the NetScaler appliance dumps core while binding classic session policies to an existing binding entity, when multiple VPN policies are configured on the appliance.[From Build 56.19][# 685463, 670544, 691767]
- In a CS-UG setup, if users log on to Access Gateway virtual server directly, they are "looped" back to the VPN logon page.[From Build 55.13][# 685670]
- If you use the NetScaler Gateway plug-in for Windows, a simultaneous download of 128 or more files fails upon accessing NetScaler Gateway.[From Build 55.13][# 685971]
- In rare cases, a NetScaler Gateway appliance dumps core if it receives incorrect SOCKS requests from clients.[From Build 56.19][# 686160, 689726, 690771, 693841]
- In rare cases, a NetScaler Gateway appliance dumps core if it receives incorrect SOCKS requests from clients.[From Build 55.13][# 686160, 689726, 690771]
- The client detection logic for Citrix Receiver does not work in Firefox, because the browser no longer supports NPAPI plug-ins.[From Build 55.13][# 686337]
- In a double-hop deployment, a NetScaler Gateway appliance intermittently dumps core when the first-hop server receives a TCP RST event from the second-hop server.[From Build 55.13][# 686508]
- When a user configures a NetScaler appliance for SAML Authentication, duplicate apps appear on the home page if the RfWeb UI portal theme is bound to the appliance.[From Build 56.19][# 686516, 660563]
- NetScaler Gateway does not comply with RFC7230 for POSTLOGINFLAGS headers.[From Build 56.19][# 686632]
- The NetScaler Gateway VPN plug-in fails to launch when you enter the logon credentials by using the Google Chrome browser if the post-authentication End-point Analysis (EPA) functionality is enabled and the "Client Choices" option is disabled.[From Build 56.19][# 686642]
- The NetScaler appliance fails to access the gateway home page after an upgrade to software release 11.1 build 51.21. The cause of the failure is the presence of an unexpected parameter (/ilearn).[From Build 55.13][# 686715, 687092]
- Some traffic patterns cause application launch through NetScaler Gateway to fail if EDT is enabled on virtual desktop applications.[From Build 55.13][# 686774, 686960, 687587]
- In rare cases, while accessing Gateway via proxy, NetScaler dumps core if KCD based Single Sign-On is attempted to back-end servers.[From Build 55.13][# 686858]
- In rare situations, VPN plug-in installation fails and a "Citrix Access Gateway is not supported on this platform" error message appears on a machine running a 64-bit operating system.[From Build 55.13][# 687139, 691368]
- The NetScaler appliance dumps core during Core2Core communication as resetting the TCP connection closes the connection without cleaning the connection structure.[From Build 55.13][# 687211]
- The NetScaler appliance dumps core during core-to-core communication, because resetting the TCP connection closes the connection without cleaning the connection structure.[From Build 56.19][# 687211]
- When you use the XenApp/XenDesktop wizard to remove a StoreFront and RSA deployment, it doesn't clean up the virtual-server configurations.[From Build 55.13][# 687578]
- The NetScaler Gateway plug-in incorrectly displays a “green bullet” icon suggesting a connected VPN virtual server session status even after the session is disconnected. The plug-in UI display is not in sync with the plug-in tray icon status.[From Build 57.13][# 688111]
- The NetScaler appliance fails when it tries to authenticate an invalid incoming HTTP packet.[From Build 55.13][# 688215]
- In rare cases, a NetScaler Gateway appliance dumps core when processing forms based SSO to URLs larger than 4 KB.[From Build 56.19][# 688842]
- In some cases, the STA server information is not deleted from the Gateway appliance even after clearing configuration of the High Availability (HA) fail-over.[From Build 56.19][# 689076]
- NTLM Single sign-on (SSO) fails because of invalid signature of type-3 NTLM message.[From Build 56.19][# 689538]
- Both of the following issues are fixed:
  - A NetScaler Gateway appliance becomes unresponsive because the Gateway plug-in continuously tries to connect to the Gateway server.
  - The VPN plug-in displays the Connect button instead of automatically logging on, even when the client certificate is cached and the AlwaysON feature is enabled.[From Build 56.19][# 689570, 689622, 653527, 674320, 688142]
- A single sign-on (SSO) attempt might use the wrong domain in a configuration that has parent and child domains. If SSO expressions are used to compute the correct domain, the NetScaler appliance uses the domain obtained at the time of logon instead of the one computed with the expression.[From Build 56.19][# 689684, 689721]
- If a NetScaler Gateway appliance that has partitions is configured with an intranet IP address, traffic from one of the partitions to the default partition loops back to the sender instead of treating the partitioned appliance as two independent appliances.[From Build 56.19][# 689907]
- Signing on to an outbound proxy can cause the NetScaler appliance to dump core if Kerberos constrained delegation (KCD) is used for single sign-on.[From Build 56.19][# 690388]
- In some cases, when the NetScaler Gateway appliance is configured with the Smart Control policy, even though the ICA apps launch successfully, the following error message appears in the ns.log file: "STA Ticket not found in the ICA file, closing the connection, user: username, SSID xxx".[From Build 56.19][# 690457]
- A user of Internet Explorer version 8 or 9 can't establish a VPN connection through a NetScaler Gateway appliance that uses the RfWebUI portal theme. The VPN virtual server doesn't respond.[From Build 55.13][# 691752]
- A user of Internet Explorer version 8 or 9 can't establish a VPN connection through a NetScaler Gateway appliance that uses the RfWebUI portal theme. The VPN virtual server doesn't respond.[From Build 56.19][# 691752]
- In rare cases, a persistent cookie can cause a NetScaler Gateway appliance in a Unified Gateway (UG) deployment to dump core.[From Build 56.19][# 692079]
- End-point Analysis (EPA) scan fails on the client computer, even though the logs indicate otherwise, if the connection between the computer running on Mac OS and the NetScaler appliance is relatively slow (for example, if there's a client-side proxy).[From Build 56.19][# 692771, 687892]
- End-point analysis (EPA) scan becomes unresponsive if the EPA plug-in is installed for the first time on the user machine that accesses the NetScaler appliance bound to the RfWeb UI portal theme.[From Build 56.19][# 692821, 696260]
- In some cases, the NetScaler appliance becomes unresponsive while back-end authentication cookies are cached when a proxy server is configured between the NetScaler appliance and a back-end server.[From Build 57.13][# 693284]
- When you configure the Gateway server in ICA Proxy mode, the server occasionally becomes unresponsive if the Secure Ticket Authority (STA) servers do not respond in time or the client connection is closed.[From Build 56.19][# 693522, 697088]
- "Authentication" submenu under "System" cannot be expanded.[From Build 56.19][# 693573]
- If split tunnel is ON, the "Automatic detect settings" check box (under LAN Settings) in the Internet Explorer settings is modified after connecting to the VPN, as a result of which external traffic is not reachable.[From Build 56.19][# 694328]
- Upon a dual refresh of the logon page, the following error message is displayed: "Error 404, object not found". The error appears because the "NS_TMAC" cookie is missing from the request.[From Build 56.19][# 694417]
- The NetScaler appliance sends a huge quantity of "auditlog" messages to the Syslog server when a duplicate server connection is found.[From Build 56.19][# 694606]
- The NetScaler Gateway plug-in fails to list a device certificate under the Certificate drop-down menu if the Subject field inside the certificate has no value.[From Build 56.19][# 695035]
- When the Windows AutoLog-ON feature is enabled on your NetScaler Gateway appliance, during logon the client is unable to find the "nsauto.exe" file because the path to the file is incorrectly truncated. The issue is noticed when you modify the following registry entry: NtfsDisable8dot3NameCreation. This registry entry truncates the application's file path in Windows.[From Build 56.19][# 695209]
- In some cases, the NetScaler appliance cannot load the background image when the VPN virtual server has custom theme and DFA policy bound to it.[From Build 57.13][# 695413]
- Client and server IP addresses are not displayed if a VPN session is disconnected before successful logon.[From Build 56.19][# 695444, 697635]
- In some cases, the connection from a client computer to the NetScaler appliance is aborted.[From Build 56.19][# 695560, 696270, 697255]
- In some cases, the connection from a client computer to the NetScaler appliance is aborted.[From Build 57.13][# 695560, 696270, 697255]
- Endpoint analysis (EPA) scan fails on the client machine, because the EPA package does not get installed on the machine properly.[From Build 56.19][# 695795, 700831]
- When a logon request is made to an affected URL, the URL incorrectly responds with an HTTP 403 response displaying the following error message instead of redirecting users to the logon page: "Error: Not a privileged User".[From Build 56.19][# 695911]
- In some cases, the NetScaler Gateway appliance is unable to block access to the Internet and the intranet. This happens if you enable the AlwaysOn feature with NetworkAccessOnVPNFailure parameter set to onlyToGateway and if the FQDN of the virtual server is not accessible by client over the intranet.[From Build 57.13][# 696805]
- False SNMP alarms for SYN flood are reported when the NetScaler Gateway appliance is deployed in an ICA Proxy mode and session reliability functionality is enabled.[From Build 57.13][# 697457]
- In rare cases, the NetScaler appliance configured for Session Reliability (SR) and High Availability (HA) becomes unresponsive as it misses initialization of some of the ICA context fields.[From Build 57.13][# 697700]
- In a multi-core NetScaler appliance, Enlightened Data Transport (EDT) application fails to launch on a NetScaler instance deployed on VMware ESX, and configured to use VMXNET3 NIC.[From Build 57.13][# 697771]
- A NetScaler Gateway appliance running release 11.1 build 55.13 or 56.19 fails while attempting forms-based single sign-on (SSO) to the back-end server. This happens because the POST request sent from the NetScaler appliance to the back-end server contains corrupted headers, resulting in SSO failure.[From Build 57.13][# 700652, 702495, 702678]
- In some cases, the NetScaler Gateway appliance dumps core due to memory corruption caused by the CVPN module.[From Build 57.13][# 701624, 702311]
NetScaler ICA
- When XenApp/XenDesktop users launch applications/desktops that have the Advanced Encryption policy enabled, memory allocation issues cause high-availability failovers.[From Build 51.21][# 659728]
- The NetScaler appliance fails because it attempts to process a large unexpected value for an Expander variable. This fix adds checks to prevent this condition.[From Build 51.21][# 660894, 662489, 668651]
- When Session Reliability is disabled on StoreFront and Session Reliability on HA Failover is enabled on a NetScaler high availability pair running 11.1 build 49.16, the passive NetScaler instance might reboot when you launch an application or a virtual desktop. You can avoid the issue by performing either of the following steps:
  * Disable the "Session Reliability on HA" feature on the NetScaler instance.
  -or-
  * Enable Session Reliability on StoreFront. (Navigate to Citrix StoreFront > NetScaler Gateway > Secure Ticket Authority > Enable Session Reliability.)[From Build 51.21][# 664372, 667057]
- When ICA AppFlow is enabled on a NetScaler appliance, some network traffic patterns might cause the appliance to become unresponsive.[From Build 52.13][# 670826, 671134]
- When session reliability is enabled for the high availability feature, memory usage by the NetScaler appliance spikes and causes a failover.[From Build 53.13][# 671918, 673784, 656996, 672949, 676413]
- If AppFlow for ICA is enabled, some network traffic patterns, when followed by a client reconnect, might cause the appliance to become unresponsive.[From Build 52.13][# 672748]
- If Session Reliability on HA failover is enabled, the NetScaler appliance does not disable compression of the ICA data during capability negotiation. As a result, a parsing operation is skipped.[From Build 53.13][# 673442, 674038, 679904]
- When Session Reliability on HA Failover is enabled on a NetScaler high availability pair, the primary NetScaler maintains a buffer of CGP sequence updates to be sent to the secondary. After a reconnect, the buffer is updated at the wrong offset, resulting in corruption. Once the buffer is corrupted, wrong addresses are accessed, which can cause the NetScaler instance to become unresponsive.[From Build 54.16][# 679494, 684204]
- Debug prints that are enabled by default cause unwanted logging in the NetScaler console.[From Build 53.13][# 681196]
NetScaler Insight Center
- The whitelist of Citrix Receiver versions used by HDX Insight now includes version 13.0.2.265571 of Citrix Receiver for Linux.[From Build 51.21][# 614558, 606817]
- System groups cannot be created in the NetScaler Insight Center GUI.[From Build 48.10][# 650657]
- AppFlow configuration fails if you use the NetScaler Insight Center FQDN instead of the NetScaler Insight Center IP address.[From Build 48.10][# 652425]
- For a NetScaler appliance in a multicore setup, reports are generated only for core "0" and not for the other cores.[From Build 50.10][# 656225]
- When you use LDAP for external authentication, an "Error: Resource does not exist" error message appears when you click the Configuration tab.[From Build 50.10][# 658344]
- The NetScaler appliance does not respond if AppFlow for ICA is enabled under certain network traffic conditions.[From Build 56.19][# 687084, 689052, 696701]
- When you launch the ICA application that is enabled with advanced encryption in XenApp or XenDesktop, in some cases, NetScaler does not respond while handling the advanced encryption handshake.[From Build 56.19][# 689491, 696819]
- The NetScaler appliance slows down if Session Reliability (SR) on HA failover is enabled for ICA HDX Insight.[From Build 56.19][# 689730]
- The NetScaler appliance does not respond if AppFlow for ICA is enabled under certain network traffic conditions.[From Build 56.19][# 692326, 692554]
- You cannot see analytics data in the day, week, or month report on Insight Center.[From Build 57.13][# 693359]
- HDX Insight does not display ICA channel data when Logstream transport is enabled for the AppFlow feature in the NetScaler appliance and if “smartctl” is enabled for ICA HDX Insight.[From Build 56.19][# 693672]
- If AppFlow for ICA is enabled, in an error scenario for ICA parser with a particular network traffic condition, the NetScaler appliance can go down.[From Build 56.19][# 696552]
- When HDX Insight is enabled on the NetScaler appliance, in a rare scenario the appliance fails because of a negative length saved in one of the structures used by the logging mechanism.[From Build 57.13][# 697800, 698444, 650103]
NetScaler MPX Appliance
- A NetScaler appliance might become unresponsive due to one or both of the following situations that occur during an interface reset, a change in interface state to UP, or a high availability failover:
  - An internal process fails to fetch the current state of an interface link.
  - A NetScaler packet engine is terminated.[From Build 54.16][# 660297, 570287, 601816, 609401, 616054, 628184, 630630, 638162, 647061, 653868, 663084, 663461, 663716, 664778, 665684, 666824, 668332]
NetScaler NITRO
- NetScaler logon credentials are locked and the error message “connection limit CFE exceeded” appears if the following conditions are met:
  - The “show ns runningconfig” command takes a long time to execute.
  - The same command is re-run multiple times while the first command is still running in the background.
  The NetScaler appliance remains locked until the command completes.[From Build 56.19][# 689426]
- The HTTP daemon on a NetScaler appliance might fail if the “probe server” NITRO call to the appliance fails.[From Build 56.19][# 693286]
NetScaler SAMLIdP
- If the RelayState value in a SAML Authentication request is more than 512 bytes but less than 1024 bytes, the SAML IdP server causes buffer overrun when sending an assertion after successful authentication.[From Build 50.10][# 656779, 664051, 664765]
NetScaler SDX Appliance
- The Management Service command-line interface (CLI) might fail if you access it over Telnet by using a Perl script with a Net::Telnet object.[From Build 53.13][# 608798]
- The "hostname" field displays no information when you click a NetScaler SDX backup file to fetch its details.[From Build 57.13][# 638437]
- A NetScaler VPX instance on a NetScaler SDX appliance might fail because of kernel memory corruption caused by a problem in the error handling path in the kernel. The issue occurs when a user-space process fails and dumps the core file at a time when the value for "sysctl.kern.corefile" points to a nonexistent directory. You can trace this issue by searching for the following message in the /var/log/messages file: "Core dump of pid xxx (yyy) uid zzz could not be done at %s; switching core dump pattern to default: /var/core/%N-%P", where xxx, yyy, and zzz are specific values.[From Build 51.21][# 646464, 607629, 634970, 644162, 652390, 657167, 664426, 671795, 671806]
- You can assign only 22 partition MAC addresses on the following SDX platforms; if you assign more than 22 partition MAC addresses, the virtual machine does not start:
  * 11500
  * 13500
  * 14500
  * 16500
  * 18500
  * 20500
  * 115xx series[From Build 57.13][# 647534]
- If you configure a large number of channels or interfaces on a NetScaler SDX appliance, Management Service UI screens that display the system interface list or channels load slowly.[From Build 51.21][# 659110]
- If you configure a large number of channels or interfaces on a NetScaler SDX appliance, Management Service UI screens that display the system interface list or channels load slowly.[From Build 52.13][# 659110]
- If you configure a large number of channels or interfaces on a NetScaler SDX appliance, Management Service UI screens that display the system interface list or channels load slowly.[From Build 53.13][# 659110, 674635]
- The NICs of a 14xxx 40G or 25xxx 40G NetScaler SDX appliance are not shown under Configuration > System > Interfaces if, after a factory reset, you use the Platform Upgrade option in the Management Service to upgrade the appliance to NetScaler SDX release 10.5 or 11.1 with 5.04 firmware.[From Build 51.21][# 663206]
- The NICs of a 14xxx 40G or 25xxx 40G NetScaler SDX appliance are not shown under Configuration > System > Interfaces if, after a factory reset, you use the Platform Upgrade option in the Management Service to upgrade the appliance to NetScaler SDX release 10.5 or 11.1 with 5.04 firmware.[From Build 52.13][# 663206, 659913]
- An attempt to upgrade a NetScaler SDX appliance fails if _32.tgz or _64.tgz is part of the file name of the firmware image.[From Build 55.13][# 663614, 664303, 689021]
- On the NetScaler SDX 25000A platform, you cannot create NetScaler VPX instances on the NetScaler SDX appliance after using the clean install option to reset the appliance to a NetScaler SDX 11.1.50.x image.[From Build 51.21][# 664825]
- A NetScaler SDX appliance always sends requests for authenticated time synchronization updates to an NTP server, even if authentication is disabled. This causes time synchronization between the SDX appliance and the NTP server to fail.[From Build 53.13][# 668232]
- If you send multiple I/O requests to the NetScaler SDX appliance, it becomes unresponsive.[From Build 54.16][# 669814, 686864]
- Upgrading the Management Service to NetScaler SDX release 11.1.50.x fails with the following error message and with error code 10008:
  This platform sysid 450088 is not supported[From Build 52.13][# 670131]
- Upgrading the Management Service to NetScaler SDX release 11.1.50.x fails with the following error message and with error code 10008:
  This platform sysid 450088 is not supported[From Build 51.21][# 670131]
- When you use a single-bundle image file to upgrade a NetScaler SDX appliance, the upgrade-progress page might become unresponsive.[From Build 55.13][# 672042, 686510]
- When you upgrade from an earlier build of NetScaler release 10.5, with a supplemental pack older than 100015, to 10.5 build 62.x or later, static rules are not applied on the host, which might cause interface renaming issues.[From Build 54.16][# 677145]
- When external users authenticate by using RADIUS, LDAP, or TACACS authentication, the external user data is stored locally on the SDX Management Service running NetScaler release 11.0. After you upgrade to a later release, the user data is also migrated to the upgraded version, and the data appears under the Users tab of the Owner/Readonly group when the "show systemgroup" command is run. With this fix, external user data no longer appears.[From Build 56.19][# 678108]
- Upgrading the firmware of a NetScaler VPX instance through SDX service management fails if you've disabled pinging the NSIP address of the instance. When you attempt the upgrade, the following error message appears even if the instance is in the UP state: "VPX not up and running."[From Build 54.16][# 680566]
- If system logs are not rotated properly, over time they consume too much disk space. This causes the XenServer server to run out of disk space and creates unexpected system behaviour.[From Build 54.16][# 683171, 684959, 685535]
- If system logs are not rotated properly, over time they consume too much disk space. This causes the XenServer server to run out of disk space and creates unexpected system behaviour. This issue is fixed in NetScaler release 11.1 build 53.13. For version 11.1 53.11, apply the following workaround.
  1. Log on to dom0.
  2. Run the df command to check the available disk space.
  3. If the disk space is full (100%) and the /var/log directory has large log files, run the rm <fileName> command to delete files and free space.
  4. Check the permissions of the /opt/xensource/bin/rotate_logs_by_size file by running the ls -l command:
     # ls -l /opt/xensource/bin/rotate_logs_by_size
     If the result appears as "-r--r--r-- 1" with no x characters, as in the following example, you need to change the permissions.
     -r--r--r-- 1 root root 3794 Mar 27 13:48 /opt/xensource/bin/rotate_logs_by_size
  5. Run chmod 555 to change the file permissions:
     # chmod 555 /opt/xensource/bin/rotate_logs_by_size
     Recheck the file permissions. For example:
     # ls -l /opt/xensource/bin/rotate_logs_by_size
     -r-xr-xr-x 1 root root 3794 Mar 27 13:48 /opt/xensource/bin/rotate_logs_by_size
  6. Reboot the system for the above changes to take effect immediately, or wait for a few hours for the changes to become effective.[From Build 53.13][# 683171, 684959]
- A NetScaler VPX instance's configuration is deleted if you use the Management Service to force a reboot of the instance.[From Build 55.13][# 683743]
- If a channel configuration that is created by using the Management Service is pushed to an existing VPX instance, the channel name on the VPX instance might differ from the channel name on the Management Service. Because of this behavior, the channel name might differ on two VPX instances of an HA pair running on two different SDX appliances. This causes a NetScaler VPX HA pair to break after a failover.
  With this fix, Management Service creates channels on VPX instances with the same names, provided the LA IDs are available on the VPX instances. For example, if channel LA/3 is created on Management Service, the same is created on the VPX instance, provided the LA/3 ID is available on the VPX instance. However, if LA/9 is created on Management Service, the channel is created with the first available LA ID on the VPX instance, because a VPX instance can support channels only up to LA/8.
  Note: Upon upgrade to this version, the existing LA configurations on the SDX Management Service or on the VPX instance do not change.[From Build 57.13][# 684428]
- The /var directory of a NetScaler VPX instance running on a NetScaler SDX appliance runs out of space after scheduled backups, because the old backup files are not removed automatically.[From Build 55.13][# 688200, 688365]
- When you upgrade the NetScaler SDX Management Service from release 11.0 or lower to release 11.1 or higher, some anomalies might occur, such as:
  - Management Service does not display the VPX instances running on the SDX appliance.
  - The NetScaler VPX instances fail to come up.
  - Management Service becomes unreachable.
  - XenServer upgrade is incomplete.
  These issues occur if the NetScaler database contains large sets of NetScaler events-related historical data. With this fix, reports of historical data are lost; however, reports collected after the upgrade are retained.[From Build 57.13][# 693526, 694388]
- In a VPX instance (standalone or part of an HA setup) running on a SDX-21550/SDX-20500 platform, TX stalls are observed and the state of the configured load balancing services in the VPX instance flaps.[From Build 56.19][# 694571, 697369]
- The "Version-Bit" field displays no information when you perform any of the following actions:
  - Click a backup file and fetch its details.
  - Add instances for instance restore.[From Build 57.13][# 696131]
- The “Date” field in the Events detail page displays no information. To see the Events details, navigate to Configuration > System > Events on the NetScaler SDX GUI.[From Build 57.13][# 696706]
- On a NetScaler SDX 8900 appliance running software release 11.1 build 56.19 and earlier, you might experience some load balancing virtual server-related issues, such as service monitors randomly going down and flapping.[From Build 57.13][# 697355, 700675]
- The NetScaler SDX GUI freezes and stops responding after you save a configuration under Configuration > NetScaler > NetScaler Configuration > Save Configuration.[From Build 57.13][# 702792]
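The kernel message in the corefile issue above ([# 646464]) is easy to miss in a busy /var/log/messages. As an added example, not part of these release notes or of Citrix's software, the following Python helper parses such lines and lists the kern.corefile directories that did not exist; the log lines and process names are constructed.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Kernel message quoted in the release note. The kernel fills in the pid,
# process name, uid and the value of kern.corefile at run time.
COREFILE_FAILURE_RE = re.compile(
    r"Core dump of pid (?P<pid>\d+) \((?P<comm>[^)]*)\) uid (?P<uid>\d+) "
    r"could not be done at (?P<pattern>.+?); "
    r"switching core dump pattern to default: (?P<default>\S+)"
)


@dataclass(frozen=True)
class CorefileFailure:
    pid: int
    comm: str
    uid: int
    pattern: str          # the kern.corefile value that could not be used
    default_pattern: str  # the pattern the kernel fell back to


def parse_corefile_failure(line: str) -> Optional[CorefileFailure]:
    """Return the parsed message if the line is a core-dump-path failure, else None."""
    m = COREFILE_FAILURE_RE.search(line)
    if m is None:
        return None
    return CorefileFailure(
        pid=int(m["pid"]),
        comm=m["comm"],
        uid=int(m["uid"]),
        pattern=m["pattern"],
        default_pattern=m["default"],
    )


def scan_messages(lines: Iterable[str]) -> List[CorefileFailure]:
    """Collect every core-dump-path failure from /var/log/messages-style lines."""
    return [f for f in map(parse_corefile_failure, lines) if f is not None]


def missing_corefile_dirs(failures: Iterable[CorefileFailure]) -> List[str]:
    """Directories named by kern.corefile that the kernel could not write to.

    Creating these directories (or correcting the sysctl) keeps the kernel
    from taking the fallback error path that this issue is about.
    """
    return sorted({posixpath.dirname(f.pattern) for f in failures})


# Constructed sample lines (not captured from a real appliance).
SAMPLE_MESSAGES = [
    "Mar 27 13:48:02 ns kernel: Core dump of pid 2314 (exampled) uid 0 "
    "could not be done at /var/missing_core/%N.core; "
    "switching core dump pattern to default: /var/core/%N-%P",
    "Mar 27 13:48:03 ns kernel: unrelated message, should be ignored",
    "Mar 27 13:49:10 ns kernel: Core dump of pid 2320 (otherproc) uid 65534 "
    "could not be done at /nonexistent/%N-%P; "
    "switching core dump pattern to default: /var/core/%N-%P",
]

if __name__ == "__main__":
    found = scan_messages(SAMPLE_MESSAGES)
    for f in found:
        print(f"pid {f.pid} ({f.comm}) uid {f.uid}: kern.corefile={f.pattern}")
    print("directories to fix:", missing_corefile_dirs(found))
```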
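To make the channel-naming rule of the fix for [# 684428] concrete, here is an added Python model (not Citrix code) of how the Management Service names a channel on a VPX instance, plus a check of whether both nodes of an HA pair would get the same name. The LA/1 lower bound and the handling of a requested ID that is already taken are assumptions.

```python
from typing import Iterable, Optional

# A VPX instance supports channels only up to LA/8 (stated in the release
# note). Assumption: IDs start at LA/1.
VPX_MAX_LA_ID = 8


def la_id(name: str) -> int:
    """Return the numeric ID of a channel name such as 'LA/3'."""
    prefix, sep, num = name.partition("/")
    if prefix != "LA" or not sep or not num.isdigit():
        raise ValueError(f"not an LA channel name: {name!r}")
    return int(num)


def assign_channel_name(requested: str, in_use: Iterable[str]) -> Optional[str]:
    """Model the channel name a VPX instance ends up with after the fix.

    The name requested on the Management Service is kept when its ID is
    within the VPX range and not already in use on the instance. Otherwise
    the first free LA ID is taken (the note states this for IDs above LA/8;
    assumption: the same rule applies to a requested ID that is taken).
    Returns None when the instance has no free LA ID at all.
    """
    used = {la_id(n) for n in in_use}
    wanted = la_id(requested)
    if 1 <= wanted <= VPX_MAX_LA_ID and wanted not in used:
        return requested
    for candidate in range(1, VPX_MAX_LA_ID + 1):
        if candidate not in used:
            return f"LA/{candidate}"
    return None


def ha_pair_names_agree(requested: str, in_use_a: Iterable[str],
                        in_use_b: Iterable[str]) -> bool:
    """True when both VPX instances of an HA pair would get the same channel name.

    A mismatch is the condition that broke the HA pair on failover.
    """
    name_a = assign_channel_name(requested, in_use_a)
    name_b = assign_channel_name(requested, in_use_b)
    return name_a is not None and name_a == name_b


if __name__ == "__main__":
    print(assign_channel_name("LA/3", []))            # LA/3 is kept
    print(assign_channel_name("LA/9", ["LA/1"]))      # falls back to LA/2
    print(ha_pair_names_agree("LA/9", ["LA/1"], []))  # nodes would diverge
```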
NetScaler VPX Appliance
- In an ESX environment, a CLAG channel that includes a VMXNET3 interface might continue to send LACPDUs to its partner even when it is in DETACHED state.[From Build 51.21][# 642389]
- A NetScaler VPX instance might stop responding and dump core memory if you allocate a large disk size for log messages. The higher the rate of log messages, the more quickly the instance runs out of memory and fails.[From Build 53.13][# 646674]
- A NetScaler VPX instance might stop responding and dump core memory if you allocate a large disk size for log messages. The higher the rate of log messages, the more quickly the instance runs out of memory and fails.[From Build 50.10][# 646674]
- A NetScaler VPX instance might stop responding and dump core memory if you allocate a large disk size for log messages. The higher the rate of log messages, the more quickly the instance runs out of memory and fails.[From Build 51.21][# 646674]
- A NetScaler VPX instance might stop responding and dump core memory if you allocate a large disk size for log messages. The higher the rate of log messages, the more quickly the instance runs out of memory and fails.[From Build 52.13][# 646674]
- In a KVM environment, a NetScaler VPX instance fails to start if you have configured more than 11 vCPUs.[From Build 49.16][# 647348]
- If you deploy NetScaler VPX on Azure in HA mode, the VPN virtual servers on the secondary node are not reachable after a failover. This is because, during a synchronization operation, the NSIP address of the primary node is used to create the virtual server on the secondary node. After a failover, when the secondary node becomes the new primary, the VPN virtual server has the NSIP address of the old primary.[From Build 49.16][# 651670]
- When a remote tagged IP address is accessed through a NetScaler VPX appliance hosted on Linux KVM, the checksum value in each sent packet is incorrect.[From Build 52.13][# 655067, 668302]
- If you use the following command to remove an allowed-VLAN list from an SR-IOV interface, the list is not removed, and therefore you cannot configure new VLAN settings for the interface:
  unset int -trunkallowedVlan[From Build 55.13][# 657468]
- If you add additional SR-IOV or PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV or PCI passthrough interfaces, the existing interface names might get corrupted.[From Build 52.13][# 659827, 662429]
- If you add additional SR-IOV or PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV or PCI passthrough interfaces, the existing interface names might get corrupted.[From Build 51.21][# 659827, 662429]
- The NetScaler VPX GUI incorrectly shows Moscow's time zone as GMT+4 instead of GMT+3.[From Build 52.13][# 662630]
- Certificate-based authentication (SSH key pair) does not work on a NetScaler VPX appliance running on Azure. This happens due to internal logic that uses different keys to encrypt and decrypt certificate data.[From Build 53.13][# 668007]
- In a VPX high availability setup running on AWS, if you force the primary node to restart, and you run the show interface command on the node after it restarts and becomes the new secondary node, the command's output shows an extra (nonexistent) interface (ENI).[From Build 54.16][# 670035, 676774]
- A NetScaler VPX appliance running on a VMware ESX server and configured with a VMXNET3 network interface stops responding and restarts if any traffic is sent to a tagged interface. Also, in the log message, the VLAN ID of the tagged interface is incorrect.[From Build 52.13][# 671581, 676316]
- When you add custom DNS name server in the NetScaler VPX appliance through NetScaler CLI, DNS lookup fails. This happens due to a default Azure DNS server entry present in /etc/resolv.conf.[From Build 54.16][# 672344]
- In a NetScaler VPX HA deployment running on AWS, when a failover makes the secondary node primary, the network interfaces are attached to the new primary in the wrong order. For example, if the primary node has NICs 1/2 (AA:BB:CC:DD:EE:FF), 1/3 (12:34:56:78:90:12), and 1/4 (1A:2B:3C:4D:5E:6F), upon failover the new primary would have 1/2 (1A:2B:3C:4D:5E:6F), 1/3 (AA:BB:CC:DD:EE:FF), 1/4 (12:34:56:78:90:12). Here, the interface MAC order has changed. However, this behavior does not apply to the NIC that's configured with the NetScaler management IP address.[From Build 55.13][# 675746]
- The NetScaler "set ha node <NODE_ID> -haStatus STAYPRIMARY" and "set ha node <NODE_ID> -haStatus STAYSECONDARY" commands are disabled by default on VPX instances running on AWS. An error message appears if you try to run one of these commands.[From Build 54.16][# 676882]
- If you try to use the VMware vSphere snapshot feature on a NetScaler VPX appliance running on a VMware ESX hypervisor, network connectivity to the NetScaler VPX instance is lost. This happens because a VPX appliance does not support the snapshot feature. This fix adds support for the snapshot feature. You can now use this feature to manage your VPX appliance.[From Build 55.13][# 687305, 688953]
- After a failover of a NetScaler VPX HA setup running on AWS, the interfaces from both the nodes do not attach and detach properly. This happens if the stack name of the Citrix CloudFormation template exceeds 25 characters.With the fix, the stack name of the Citrix CloudFormation template supports up to 90 characters.[From Build 56.19][# 689356]
- A NetScaler VPX instance running on a VMware ESX hypervisor becomes unreachable if you select "Register with NetScaler MAS for manageability" while configuring pooled licensing in the instance GUI.[From Build 56.19][# 695516]
Networking
- For extended ACL rules that are associated with NAT configurations (for example, RNAT rules and Large Scale NAT configurations), the NetScaler GUI displays the TCP established parameter as enabled even though the parameter is disabled.[From Build 51.21][# 597458]
- In rare scenarios, you get "Invalid argument" as an error message while using the NetScaler Gateway wizard to configure StoreFront through XenApp and XenDesktop.[From Build 53.13][# 611703]
- In a high availability setup, the monitoring process (pitboss) might terminate the file sync daemon (nsfsyncd) if syncing of files takes longer than expected (> 25 minutes).[From Build 53.13][# 624522, 655088, 655708]
- In a high availability setup, the monitoring process (pitboss) might terminate the file sync daemon (nsfsyncd), if the connection to packet engine gets stuck for a long time (> 25 minutes).[From Build 53.13][# 628439]
- During a "force sync" operation in a cluster deployment, performing a "save config" operation on a node might lead to a full or partial configuration loss on that node. With this fix, the "save config" operation is not permitted during a "force sync" operation.[From Build 49.16][# 642375, 658619]
- In a high availability (HA) setup, after an HA force failover operation, the NetScaler appliance does not properly remove the static default route6s of all non-default traffic domains from its memory. Although the "show route6" operation no longer displays these route6s, adding them again fails with the following error message: "ERROR: Resource already exist". This is because these route6s were not completely removed from memory. This issue also occurs on a standalone NetScaler appliance when a traffic domain that has default route6s is removed.[From Build 51.21][# 644265]
- Restarting a NetScaler appliance that has a VLAN bound to a traffic domain and is configured as a SYNC VLAN or NSVLAN might cause configuration loss of binding between the VLAN and the traffic domain.[From Build 51.21][# 648839]
- A NetScaler appliance with OSPFv3 dynamic routing protocol configured might measure the length of OSPFv3 LSA packets in Network Byte Order instead of Host Byte Order for comparison with the minimum required packet length. As a result, the NetScaler appliance becomes unresponsive.[From Build 48.10][# 652131]
- In a high availability setup, after a failover, the new primary node does not set the R bit and F bit in BGP open messages that are used to inform the upstream router that the node has restarted gracefully.[From Build 52.13][# 665774]
- In a high availability setup, after a failover, the new primary node does not set the R bit and F bit in BGP open messages that are used to inform the upstream router that the node has restarted gracefully.[From Build 51.21][# 665774]
- On a NetScaler appliance, when a routing daemon (for example, BGP routing daemon) is restarted multiple times over a short period of time, the corresponding routing configuration (for example, BGP routing configuration) might get removed from the appliance.[From Build 52.13][# 669005]
- A NetScaler appliance might become unresponsive, or high CPU usage is observed, in the following scenario:
  * The appliance resolves a domain into two IP addresses: one is a NetScaler-owned IP address and the other is an external IP address.
  * The appliance sends a packet destined to the external IP address from LO/1.
  * The response packet keeps looping after the appliance receives it.[From Build 55.13][# 669754, 669977, 687943]
- The NetScaler appliance forwards TCP packets to the destination without processing them if they are destined to port 69 and match an RNAT rule.[From Build 54.16][# 670455]
- In a load balancing configuration of type ANY (virtual server or services) with USIP enabled, the NetScaler appliance uses the router's MAC address to forward ICMP errors to the servers.[From Build 54.16][# 676653]
- In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.[From Build 55.13][# 677815, 679068, 680001]
- The NetScaler appliance might not evaluate packets against ACL or ACL6 rules that include the not-equal operator (!=).[From Build 54.16][# 678030]
- In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.[From Build 54.16][# 679068]
- A NetScaler appliance logs an IP conflict error when it receives any unsolicited ARP message from a network device such as Check Point Firewall for a NetScaler appliance-owned IP address. The appliance logs an IP address conflict error even if the IP address to MAC address mapping is correct in the ARP message.[From Build 56.19][# 679490, 689372]
- Memory allocated for a TCP session might not be freed after a failure in reassembling fragments of a size of more than 1500 bytes. This accumulation over a period of time depletes available memory.[From Build 56.19][# 680185, 680186, 691792]
- Interfaces in MUTED state might drop the LLDP packets instead of processing them.[From Build 54.16][# 682769]
- The NetScaler appliance drops ND6 solicitation packets received on interfaces that are in muted state.[From Build 55.13][# 684119]
- The NetScaler appliance updates the ND entry of a next hop router with its MAC address after learning it from the router advertisement packets received from the router. The appliance might not update the state of the ND entry from INCOMPLETE to STALE. This update failure results in looping the outgoing packets (destined through the next hop router) in the NetScaler queue. As a result, the NetScaler appliance becomes unresponsive.[From Build 54.16][# 684126]
- The NetScaler appliance does not process the BGP remote-as configuration for an IPv6 peer after a reboot resulting in the loss of BGP configuration for this peer.[From Build 55.13][# 685123]
- In a NetScaler telco deployment, the NetScaler appliance reuses the outgoing probe connection information for two different incoming connections with the same 4-tuple that are destined to the same server. This reuse of probe connection might cause the NetScaler appliance to become unresponsive.[From Build 54.16][# 685344]
- When you remove a static route, the NetScaler appliance does not advertise the connected route that has the same prefix as that of the removed static route and for which the DRADV mode is enabled.[From Build 56.19][# 686058]
- If the IP address (type VIP) of a virtual server is bound to a net profile, deleting the virtual server also removes the IP address from the net profile.[From Build 56.19][# 690082]
- The NetScaler appliance might not properly process ND6 unsolicited neighbor advertisement messages and update its routing table.[From Build 56.19][# 693472]
- In a high availability configuration, session information is synchronized to the secondary node only when the state of the secondary node is UP. If the secondary node remains in a state other than UP for a long time, the session information to be synchronized builds up on the primary node. This results in a memory crunch or in sessions hitting their maximum limit on the primary node.[From Build 56.19][# 693995]
- A NetScaler appliance might become unresponsive after applying the ACLs if the appliance has more than 1,100 ACL rules and some of these rules have overlapped conditions.[From Build 57.13][# 694203]
Optimization
- The NetScaler appliance fails to serve HTTP POST requests if Front End Optimization (FEO) and Integrated Cache (IC) features are enabled.[From Build 53.13][# 673038, 665833]
- If a response from the StoreFront server does not have a Content Type field in the header, but the appliance expects a value in the Content Type field, the appliance crashes.[From Build 56.19][# 688412]
Platform
- In rare cases, a user-mode process failure can cause a kernel failure, either at the same time or later. If the kernel fails, the NetScaler appliance dumps core memory. This failure can occur on nCore MPX, VPX, or SDX appliances, although the most common occurrence is on a NetScaler VPX instance on a NetScaler SDX appliance.[From Build 51.21][# 634900, 641199]
Policies
- The HTTP.REQ.TXID and HTTP.RES.TXID policy expressions return the same "universally unique identifier" (UUID) for different transactions.[From Build 56.19][# 663414, 675873]
- The NetScaler appliance crashes if you select an X.509 certificate with 2048 or 4096 bit RSA public key for an XML_ENCRYPT() policy function.[From Build 53.13][# 672262]
- If you define a policy variable or a named expression with the same name as that of a built-in policy function, the NetScaler appliance displays the following system error message when you try to use the policy function in a valid policy expression: "Expression syntax error [p.req.user^.name, Offset 13]."
  Example:
  > add ns variable user -type text(10)
  Done
  > add rewrite action act1 insert_http_header h1 http.req.user.name[From Build 53.13][# 675375, 676388]
- In some cases, if you get errors such as too long patset strings, bad UTF-8 characters, or bad regexes when adding an entry to a patset, the system encounters a fault.[From Build 54.16][# 675677]
- A log message is not logged for the Responder module when the NetScaler appliance receives a request and processes policies for a different module while a client request sent to the Responder module awaits log processing.[From Build 55.13][# 685375]
- When an Advanced expression function in an ALT expression blocks the current evaluation of the expression, then upon resumption it may cause the NetScaler appliance to crash.[From Build 55.13][# 687345]
- The audit framework has no mechanism to filter UndefHit logs generated in ns.log for undefined hits on rewrite or responder policies. To turn off log generation, you must remove HTTP transaction logging for undefined policies.[From Build 56.19][# 690748]
- Clearing a NetScaler system configuration causes the appliance to fail if an HTTP profile references a patset configuration entity.[From Build 56.19][# 691227]
- The audit log action in a responder policy resets when modifying a responder action bound to the same responder policy.[From Build 56.19][# 693791]
- A NetScaler appliance might crash or become unresponsive if a memory allocation failure occurs in a pattern set or dataset policy expression.[From Build 57.13][# 700461]
SSL
- If a certificate has a validity of 100 years, Days to Expiration incorrectly appears as 0 in the NetScaler command line interface and the configuration utility.[From Build 56.19][# 509608]
- After you upgrade to this build, the priority of the cipher groups changes in the default profile.[From Build 54.16][# 579059, 679085]
- In a cluster setup, a certificate update fails with the following error if the certificate is in DER format:
  Error :: No such resource[From Build 55.13][# 583715]
- If you upgrade to release 10.5, SSL client authentication fails if it uses a 4096-bit client certificate.[From Build 51.21][# 600815, 343395]
- A configuration loss, such as the ECC curve and ciphers unbinding from an SSL virtual server or service, might occur after you upgrade to this build.[From Build 54.16][# 613912, 643135, 647100]
- A DTLS configuration fails if it uses MAC-Based forwarding or a VLAN.[From Build 52.13][# 615454, 629512]
- In a cluster setup, if you rename a load balancing virtual server of type SSL, the local database table that is used for all GET operations is not updated.[From Build 50.10][# 620964, 576828, 641041]
- Adding a certificate revocation list (CRL) on the NetScaler appliance fails with the error message "Certificate Issuer Mismatch" for a DER certificate, and with the error message "Invalid CRL" for a PEM certificate. This issue occurs because the attribute type of the common name field is different for the CA certificate than for the CRL.[From Build 48.10][# 623058, 634017]
- If a profile is bound to an SSL virtual server, the NITRO API displays incorrect SSL virtual server settings. The correct settings are displayed in the profile.[From Build 51.21][# 628135]
- If memory allocation fails during a TLS1.2 protocol handshake, the handshake is not terminated. As a result, the appliance might dump memory core and restart.[From Build 52.13][# 630547, 639222, 639465, 646023, 647371, 649201, 658037, 662933, 663160, 665797, 668460, 676013, 679036]
- You can bind ECDSA ciphers to an SSL virtual server on a platform that does not have N3 chips even though ECDSA ciphers are supported only on platforms with N3 chips.[From Build 48.10][# 635234]
- The NetScaler appliance crashes while parsing an unsupported OID in a subject alternative name (SAN) entry.[From Build 54.16][# 635712, 648778, 653861, 659342]
- On a NetScaler MPX appliance, an SSL handshake that uses NULL ciphers fails on both the front end and the back end.[From Build 50.10][# 642885, 612482, 644392, 654541, 657541]
- If you try to load large certificate files (> 256kB), the NetScaler appliance might dump core and restart, because of insufficient memory.[From Build 51.21][# 643614, 624364, 646510, 667980]
- The "stat ssl vserver" command for a content switching, cache redirection, or VPN virtual server fails, and the following error message appears:
  No such resource [vServerName, <vservername>][From Build 52.13][# 644731, 671337]
- A NetScaler virtual appliance sometimes fails because of a memory leak if you use GCM-based ciphers on a VPX appliance. The ciphers can eventually exhaust memory, causing the appliance to fail if the memory exhaustion error is not gracefully handled.[From Build 49.16][# 652477, 654559, 656035, 657343]
- A certificate-key pair bound to a secure monitor is not saved in the configuration file (ns.conf). As a result, the binding is lost after you restart the appliance.[From Build 49.16][# 654722]
- Support for TLS1.2 signature hash algorithm
  The NetScaler appliance is now completely TLS1.2 signature hash (sighash)-extension compliant. On an SDX appliance, if an SSL chip is assigned to a VPX instance, the cipher support of an MPX appliance applies. Otherwise, the normal cipher support of a VPX instance applies. NetScaler platforms support sighash combinations as follows:
  - On a VPX instance: RSA-MD5, RSA-SHA1, RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512, DSA-SHA1, DSA-SHA224, DSA-SHA256, DSA-SHA384, DSA-SHA512.
  - On an MPX/SDX appliance with N3 chips: RSA-MD5, RSA-SHA1, RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512, ECDSA-SHA1, ECDSA-SHA224, ECDSA-SHA256, ECDSA-SHA384, ECDSA-SHA512.
  - On an MPX/SDX appliance without N3 chips: RSA-MD5, RSA-SHA1, RSA-SHA224, RSA-SHA256, RSA-SHA384, RSA-SHA512.
  Previously, the appliance supported only RSA-SHA1 and RSA-SHA256 on the front end, and RSA-MD5, RSA-SHA1, and RSA-SHA256 on the back end. In addition, the VPX appliance supported DSA-SHA1 on the front end and back end. With this enhancement, a NetScaler appliance can send SHA-384 and SHA-512 signature_algorithm extensions in the back-end Client Hello message. As a result, Windows IIS servers do not reset the connection if a SHA-384 or SHA-512 certificate is used. For more information, see http://docs.citrix.com/en-us/netscaler/12/ssl/support-for-tls12-signature-hash-algorithm.html.[From Build 54.16][# 655458, 662659]
- TLS handshake fails if client authentication is set to mandatory.[From Build 50.10][# 656490]
- Client authentication causes memory leak if a client sends a certificate that includes its intermediate CA certificates. This exhausts memory on the NetScaler appliance.[From Build 49.16][# 656671]
- The wrong counter increments when alerts are received from a client. Instead of the ssl_tot_sslError_FatalAlertRecdCount counter, the ssl_tot_sslError_FatalAlertSentCount counter increments.[From Build 53.13][# 659782, 662587, 675640, 676150, 674138, 673277, 677793, 676317, 679944, 681715]
- If you add a partition and later remove it, the state of all the SSL virtual servers configured on the appliance changes to DOWN.[From Build 54.16][# 660319, 667130, 671887]
- SSL processing is delayed if the server sends a DES cipher with TLS1.2 protocol in the server_hello message to the NetScaler appliance. Although this combination is deprecated, the appliance tries to process it. The operation fails at the SSL card and blocks the card for a few seconds, causing latency in processing any new requests on the same card.[From Build 51.21][# 661628]
- The NetScaler appliance might dump core memory and restart if you bind a secure monitor to a domain based service.[From Build 52.13][# 661808, 662002, 672103, 672532, 674664, 671558, 674758]
- A NetScaler appliance might dump core and restart repeatedly if the SSL3-EDH-RSA-DES-CBC3-SHA cipher is selected when heavy traffic has exhausted the appliance's memory.[From Build 51.21][# 661818]
- The SSL parameter "deny SSL renegotiation" is now set to ALL by default in all admin partitions. Previously, it was set to NO in the non-default partitions.[From Build 52.13][# 663601]
- The NetScaler appliance dumps core memory and restarts if all of the following conditions are met:
  - SNI feature is enabled.
  - Exact server certificate match is unsuccessful.
  - The common name field is greater than 253 characters.[From Build 51.21][# 664338, 670653]
- In a cluster setup, you cannot make any change to a service or service group if you have associated a common name with the service or the service group and enabled or disabled server name indication (SNI).[From Build 52.13][# 665340]
- In a cluster setup, you cannot make any change to a service or service group if you have associated a common name with the service or the service group and enabled or disabled server name indication (SNI).[From Build 53.13][# 665340]
- "Client Cert Required" appears in the CLI output of SSL services, even if requirements for a client certificate have been met. This is only a display issue.
  Example:
  > sh ssl service svc1
  ...
  Server Auth: DISABLED Client Cert Required:
  ...[From Build 53.13][# 668085]
- An SSL handshake fails if a client hello includes an ECC extension but the NetScaler appliance does not support any of the ECDHE ciphers in the cipher list sent by the client. The handshake fails even if the list contains some non-ECDHE ciphers that are supported.[From Build 52.13][# 668239]
- The NetScaler appliance might dump core and restart if it receives SSL traffic while AppFlow is enabled.[From Build 51.26][# 668689, 672376, 672526]
- The NetScaler appliance might dump core and restart if it receives SSL traffic while AppFlow is enabled.[From Build 52.13][# 668689, 672376, 672526]
- The service group members do not appear in the output of the "show lb vserver <name>" command if it is run on a cluster IP address.[From Build 56.19][# 668935, 642802, 463835, 684073, 684892, 691890]
- You cannot enable server-name indication (SNI) in a back-end profile.[From Build 52.13][# 670267]
- Twenty-five days after a NetScaler appliance is restarted, memory utilization continuously increases. As a result, the appliance might stop processing traffic, or dump core memory and restart if the memory is exhausted.[From Build 53.13][# 670731, 669812, 675045, 677777, 677322, 680221]
- The "set ssl vserver" or the "unset ssl vserver" command fails and the following error message appears:
  Internal error
  [From Build 52.13][# 670927, 673889, 673829, 671270]
- The "set ssl vserver" or the "unset ssl vserver" command fails and the following error message appears:
  Internal error
  [From Build 51.26][# 670927, 673889, 673829, 671270]
- The SSL handshake fails if a server certificate is linked to its issuer certificate, OCSP stapling is enabled, and an SSL client requests the server-certificate status.[From Build 51.26][# 671777]
- The SSL handshake fails if a server certificate is linked to its issuer certificate, OCSP stapling is enabled, and an SSL client requests the server-certificate status.[From Build 52.13][# 671777]
- If a packet engine sends more than 40 entries for a single request to the hardware, the command times out and the SSL card goes down.[From Build 53.13][# 672384]
- If you receive a response code other than HTTP 200 for an OCSP request, the NetScaler appliance dumps core memory and restarts.[From Build 53.13][# 673265, 675865, 678915, 677699]
- A NetScaler appliance might dump core and restart if you have configured policy based SSL renegotiation and a client sends multiple SSL records before renegotiation is initiated.[From Build 54.16][# 673348, 682192, 682160, 684547, 684992, 687515]
- A NetScaler appliance might dump core and restart if you have configured policy based SSL renegotiation and a client sends multiple SSL records before renegotiation is initiated.[From Build 55.13][# 673348, 682192, 682160, 684547, 684992, 687515]
- On MPX FIPS appliances, an HTTPS monitor bound to an SSL service fails to send ECDHE ciphers in Client Hello messages.[From Build 53.13][# 673821, 658154]
- The NetScaler appliance might dump core memory and restart if AppFlow and SSL features are enabled and the appliance receives SSL traffic.[From Build 52.13][# 673897, 674543, 674479, 674128, 676165]
- The NetScaler appliance might dump core memory and restart if AppFlow and SSL features are enabled and the appliance receives SSL traffic.[From Build 53.13][# 673897, 674543, 674479, 674128, 676165, 680784]
- In rare cases, a NetScaler appliance might dump core and restart if you add a certificate revocation list (CRL) larger than 256 KB.[From Build 55.13][# 674278, 678890]
- The NetScaler appliance might occasionally send a wrong certificate if SNI is enabled.[From Build 55.13][# 675158]
- Some client authentication connections might be dropped if OCSP check is set to mandatory and an OCSP domain name entry is not found in the NetScaler DNS cache.[From Build 55.13][# 675882, 677473]
- If an OCSP responder URL incorrectly resolves to a NetScaler reserved IP address, the appliance dumps core memory and restarts.[From Build 53.13][# 675887]
- An incorrect entry is logged for handshake failure, even though the handshake succeeds, if both of the following conditions are met:
  - You use a Safari browser to access the NetScaler appliance.
  - OCSP responder is configured and client authentication is enabled on the SSL virtual server.
  [From Build 54.16][# 676629]
- For requests less than 255 bytes long, you can configure the HTTP GET method for queries to an OCSP server. If you specify the GET method but the length is greater than 255 bytes, the appliance uses the POST method by default. To set the method by using the NetScaler CLI, at the command prompt, type:
  set ssl ocspResponder <name> -httpMethod GET
  [From Build 55.13][# 676942]
- If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.[From Build 53.13][# 678474]
- Session ticket parameters are saved in the configuration (ns.conf) file even though session tickets are not enabled in the SSL profile. As a result, if you upgrade to release 12.0 builds 41.x or build 51.x, you might observe a loss in configuration.[From Build 54.16][# 678514, 677813]
- Session ticket parameters are saved in the configuration (ns.conf) file even though session tickets are not enabled in the SSL profile. As a result, if you upgrade to release 12.0 builds 41.x or build 51.x, you might observe a loss in configuration.[From Build 55.13][# 678514, 677813]
- Secure implementation of session tickets is supported only in release 11.1 build 54.x. Configuration loss occurs if you upgrade from release 11.1 build 54.x to release 12.0 build 41.x or 51.x in any one of the following scenarios:
  Scenario 1:
  1. Your deployment uses an SSL profile.
  2. In the SSL profile, sessionTicket is enabled and one or more of the following new secure session ticket parameters have non-default values:
     - sessionTicketKeyRefresh
     - sessionTicketKeyData
     - sessionKeyLifeTime
     - prevSessionKeyLifeTime
  Do not upgrade because there is no workaround.
  Scenario 2:
  1. Your deployment uses a custom SSL profile.
  2. In the SSL profile, sessionTicket is disabled.
  Use the following workaround to avoid configuration loss during upgrade.
  [From Build 56.19][# 678514, 677813]
- If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.[From Build 53.13][# 678743, 678740]
- If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.[From Build 54.16][# 678743, 678740]
- If you update a server certificate, the NetScaler appliance sends an OCSP request. However, if a server certificate is continuously updated, the appliance dumps core memory and restarts.[From Build 53.13][# 679618]
- You cannot modify the internal OCSP responder parameters in this build.[From Build 55.13][# 679708]
- You cannot modify the internal OCSP responder parameters in this build. This is a temporary limitation.[From Build 54.16][# 679708]
- Zero SSL cards are reported after a warm restart of a NetScaler VPX appliance. If you run the "stat ssl" command after a restart, the following message appears:
  0 SSL cards present & 0 SSL cards UP
  [From Build 54.16][# 680948, 680715]
- The value for days to expiration of a certificate appears incorrectly on a cluster IP (CLIP) address.[From Build 54.16][# 682493]
- In a cluster setup, if you remove a service group, the corresponding entries on the CCO node are not deleted.[From Build 54.16][# 682767]
- The NetScaler appliance dumps core and restarts if a wildcard SSL virtual server has the -m mac option enabled.[From Build 54.16][# 682775]
- In a cluster setup, if you rename a service group, the corresponding entries on the CCO node are not updated.[From Build 54.16][# 682784]
- In a high availability deployment, session-tickets functionality is lost after you issue a force failover twice. Sessions are resumed on the basis of session ID instead of session tickets.[From Build 55.13][# 683034]
- In a high availability deployment, session-tickets functionality is lost after you issue a force failover twice. Sessions are resumed on the basis of session ID instead of session tickets.[From Build 54.16][# 683034]
- Memory leak might occur in OpenSSL functions if the NetScaler appliance is low on memory.[From Build 57.13][# 684055]
- Information about internal service parameters is lost when you restart the appliance.[From Build 56.19][# 684152]
- On a NetScaler MPX or SDX 14000 FIPS appliance, requests are not forwarded to the back-end server if virtual-server based transparent access with a wildcard IP address (*:443) is configured in a transparent SSL acceleration setup.[From Build 55.13][# 684413]
- A NetScaler appliance might run out of memory and crash if it receives a non-handshake record, such as an alert message, before a DTLS handshake is complete.[From Build 56.19][# 685145, 693355, 697277]
- Memory usage might continuously increase on a partitioned NetScaler VPX appliance processing SSL traffic. As a result, the appliance might become unresponsive after some time.[From Build 55.13][# 685669]
- The "update ssl certkey" command fails if the certificate-key pair is bound to a load balancing monitor.[From Build 55.13][# 686633]
- An SSL handshake might take a long time (many retries) to complete after you restart a NetScaler appliance.[From Build 56.19][# 686713]
- The connection with the back-end server is terminated if OCSP validation for the server certificate fails, even though OCSP validation is optional.[From Build 55.13][# 686998]
- If a previous session key lifetime is configured, a session ticket expires later than expected. That is, the appliance adds the previous session key lifetime to the session ticket lifetime instead of expiring the ticket after the session ticket lifetime.[From Build 55.13][# 687207]
- The NetScaler appliance dumps core and restarts if it receives a request while both session-ticket and SSL-session persistence are enabled.[From Build 55.13][# 687575]
- The NetScaler appliance dumps core and restarts if both client authentication and session ticket are enabled and a session ticket reuse request is continuously received on the appliance.[From Build 55.13][# 687777, 690238]
- In some cases, a pipeline HTTP request is not forwarded to the back-end server if the back-end server sends a response before receiving the full request from a client.[From Build 56.19][# 688100]
- Connection to a NetScaler appliance is lost while adding a DSA certificate file of type .PFX, and the following error message appears:
  "ERROR: The remote side closed the connection."
  [From Build 56.19][# 688415]
- If you try to add a certificate-key pair containing an unsupported OID in the Subject Alternative Name (SAN) field of the certificate, the following error message appears:
  ERROR: Invalid OID for SAN entry in certificate
  [From Build 55.13][# 688416]
- If you try to add a certificate-key pair containing an unsupported OID in the Subject Alternative Name (SAN) field of the certificate, the following error message appears:
  ERROR: Invalid OID for SAN entry in certificate
  [From Build 56.19][# 688416]
- A certificate without a common name field in the subject name fails to load.[From Build 55.13][# 688811]
- "Duplicate certificate error" appears when you try to bind a certificate containing a specific domain name to an SSL virtual server, if a certificate with a matching wildcard SAN entry is bound to the same virtual server.[From Build 56.19][# 691769]
- After you restart a NetScaler appliance, all the ECC curves might be bound to a virtual server or service even though they were unbound from that virtual server or service before the appliance was restarted.[From Build 56.19][# 691889]
- A NetScaler appliance crashes when session ticket is enabled and continuous session ticket reuse requests are received.[From Build 56.19][# 692481, 692823, 694291, 696851]
- If you associate the default front-end profile to an SSL virtual server, the state of that virtual server changes from Out-of-Service to DOWN.[From Build 56.19][# 692858]
- An OCSP responder URL is not added to an OCSP HTTP GET request. This causes OCSP failure if GET httpMethod is enabled.[From Build 56.19][# 693312]
- If a Qualys scan is run on the NetScaler IP (NSIP) address, subsequent SSL transactions with the Thales HSM fail.[From Build 57.13][# 693356]
- A NetScaler MPX 5900/8900 appliance might go DOWN if the following entities are bound to an SSL virtual server or an SSL internal service configured on the appliance:
  - RSA 512-bit certificate
  - ECDHE ciphers
  [From Build 57.13][# 693792]
- A NetScaler MPX 5900/8900 appliance might go DOWN if the following entities are bound to an SSL virtual server or an SSL internal service configured on the appliance:
  - RSA 512-bit certificate
  - ECDHE ciphers
  [From Build 56.19][# 693792]
- A NetScaler appliance might crash during a DHE based key exchange when an allocation failure occurs because of high memory consumption.[From Build 56.19][# 694078]
- If two certificates issued by two different CAs have the same OCSP URL, addition of one of the certificate-key pairs might fail. Example:
  1. CA certificate C1 is used to issue certificate S1, which contains OCSP_URL1.
  2. Certificate-key pairs for both C1 and S1 are added successfully on the NetScaler appliance.
  3. CA certificate C2 is used to issue certificate S2, which also contains OCSP_URL1.
  4. If you first add a certificate-key pair for S2, it is successful but adding a certificate-key for CA2 fails. If you reverse the order, adding a certificate-key for CA2 is successful but adding a certificate-key for S2 fails.
  [From Build 56.19][# 694395]
- If two certificates issued by two different CAs have the same OCSP URL, addition of one of the certificate-key pairs might fail. Example:
  1. CA certificate C1 is used to issue certificate S1, which contains OCSP_URL1.
  2. Certificate-key pairs for both C1 and S1 are added successfully on the NetScaler appliance.
  3. CA certificate C2 is used to issue certificate S2, which also contains OCSP_URL1.
  4. If you first add a certificate-key pair for S2, it is successful but adding a certificate-key for CA2 fails. If you reverse the order, adding a certificate-key for CA2 is successful but adding a certificate-key for S2 fails.
  [From Build 55.13][# 694395]
- In a cluster setup, a custom cipher group bound to an SSL profile is lost after the "force cluster sync" command is run. As a result, there will be a configuration loss after the cluster node restarts.[From Build 56.19][# 694545]
- A NetScaler appliance might crash if it receives a malformed signature from a client in the Client Certificate Verify message.[From Build 56.19][# 694834]
- In some cases, a NetScaler appliance might crash if it finds invalid data while parsing the binary certificate.[From Build 56.19][# 694904]
- An SSL handshake fails if both of the following conditions are met:
  - OCSP stapling is configured.
  - Multiple clients request the status of the server certificate in parallel.
  [From Build 56.19][# 696422, 696993]
- An SSL handshake fails if both of the following conditions are met:
  - OCSP stapling is configured.
  - Multiple clients request the status of the server certificate in parallel.
  [From Build 57.13][# 696422, 696993]
- The NetScaler appliance becomes unresponsive if, after an SNI handshake is complete, an HTTP/1.1 request is received at the same time as the SNI certificate is unbound from the virtual server.[From Build 57.13][# 697789, 697902, 698125, 699526]
- An SSL handshake fails if all of the following conditions are met:
  - Both OCSP stapling and session ticket are enabled on the SSL virtual server.
  - Server certificate is linked to its issuer certificate.
  - Client sends a status_request extension in the ClientHello message.
  [From Build 57.13][# 698066]
- The message “FIPS Card is not configured” appears if a NetScaler appliance performs a warm restart after the packet engine crashes.[From Build 57.13][# 699865, 700588]
System
- A NetScaler appliance might become unresponsive if it has a TCP profile with the TCP keepalive option enabled and is bound to a load balancing virtual server. The cause is an interoperability issue between the TCP keepalive and TCP packet retransmission functionalities.[From Build 50.10][# 619349, 626027]
- The default Rx ring size is set to 512. However, you can use the nsif command through the NetScaler command line to change the Rx ring size to 1024 or 2048 at run time.[From Build 53.13][# 623977, 649735, 665707, 676636]
- If a NetScaler appliance is set up with the Web Log feature and weblog clients are connected, a buffer overrun under traffic stress can cause a weblog client to reconnect. When the clients reconnect, part of the data on the connections where the reconnect was triggered is lost, so the log data is incomplete.[From Build 49.16][# 633308, 646753, 648657, 656502]
- Heavy traffic through a NetScaler appliance can result in a web log buffer overrun, causing a NetScaler Web logging (NSWL) client to reconnect. When the client reconnects, the use of surplus connections results in omission of the PCB's user-name information (part of connection related information) during cloning. This leads to a loss of log data.[From Build 48.10][# 633308, 646753, 648657]
- If the AppFlow feature and client side measurements are enabled, the NetScaler appliance deletes the NSC_ESNS cookie before forwarding the request to the backend server. A rewrite rule is configured to insert the Pback cookie in the request sent to the backend server. The OutlookSession cookie is corrupted when both an insert and a delete are applied to the HTTP request at the same offset, which causes sign-on problems. This issue is under investigation.[From Build 56.19][# 633371, 682640, 672615, 639767, 387117, 232011]
- If the HTTP/2 window update frame is not handled properly when integrated caching and the application firewall are enabled, the queued packets are transmitted but fail to update the HTTP/2 window. This results in an appliance crash.[From Build 53.13][# 634356, 660867, 668809, 670748, 674245]
- In a NetScaler appliance, if you enable TCPCIP option through the NetScaler command line, the appliance sends an incorrect sequence in the client IP header information (for example, if the sequence number is 52, the appliance sends an incorrect sequence number as 48). This is because of incorrect sequence number calculation.[From Build 53.13][# 638095, 670322]
- The Configd daemon fails if the number of session IDs exceeds the preset limit and existing client sessions are renumbered.[From Build 49.16][# 639380, 657168, 657781]
- Enabling both the AppFlow option and the AppQoE option might cause a memory leak, which can degrade performance and eventually cause the appliance to fail.[From Build 55.13][# 640545, 685334, 686832, 687603]
- The CPU parameter value on the LCD panel does not match the value reported by the NetScaler CLI or GUI.[From Build 48.10][# 643237]
- Warning logs appear in the NetScaler GUI, and the SNMP daemon returns unsuitable responses to requests, if nsaggregatord is busy when snmpd initiates communication between the two daemons. Snmpd loads nsaggregatord with requests, causing the connection to frequently reset. With this fix, the appliance uses a breather logic to prevent the frequent resets.[From Build 54.16][# 645276, 668040]
- Memory allocation failures occur, because the NetScaler appliance does not allocate sufficient memory for packet engines.[From Build 49.16][# 647072, 643407, 650630]
- A NetScaler appliance constantly fails and dumps core memory, filling the Var directory with core files.[From Build 51.21][# 647955]
- In an MPTCP connection, if a client negotiates a Maximum Segment Size (MSS) value of more than 1460 bytes, and the NetScaler appliance receives an ICMP protocol error message after fragmenting and sending a Data Security Standard (DSS) packet, the appliance fails. This happens because of incorrect handling of DSS packets with such segment sizes.[From Build 51.21][# 648275]
- On a NetScaler appliance, if a FIN packet is held back by the forwarding interface and in the meantime, if Selective Acknowledgement (SACK) blocks are generated for the previous packet, the appliance fails.[From Build 49.16][# 648446]
- On a NetScaler appliance, if a FIN packet is held back by the forwarding interface and in the meantime, if Selective Acknowledgement (SACK) blocks are generated for the previous packet, the appliance fails.[From Build 50.10][# 648446]
- Previously, for incoming TCP traffic from wireless VLANs, the NetScaler appliance routed the data packets to a single IP router. The appliance now performs Policy Based Routing (PBR) to route the data packets, based on incoming packet parameters such as VLAN, MAC address, interface, source IP address, source port, destination IP address, and destination port, to different routers through the configured VLANs.[From Build 50.10][# 649180]
- When page tracking is enabled on an AppFlow, the NS_ESNS cookie is inserted into the response being served from the cache. The extra bytes added to the response are not accounted internally and so, when the ACK is received for those extra bytes, NetScaler crashes.[From Build 50.10][# 649334, 653370, 656768, 662177]
- If a FASTCLOSE packet from a NetScaler appliance to a client is lost, the multipath TCP (MPTCP) session does not notify the application about the abrupt connection closure and close the socket. As a result, the appliance does not retransmit the lost packet.[From Build 50.10][# 649968]
- A NetScaler appliance fails if a TCP/IP session is simultaneously reused for TCP and Multipath TCP (MPTCP) operation, the two are not kept mutually exclusive, and TCP KeepAlive is enabled for MPTCP subflows.[From Build 50.10][# 654080]
- The initial probe connection that a NetScaler appliance makes with the back-end internet server to check for server availability is now reusable for the actual server connection.[From Build 50.10][# 654087]
- The NetScaler appliance might stop functioning and report a segmentation violation if your configuration includes policies or actions that use the following functions and one of them fails to obtain the memory that it needs:
  - XPATH()
  - XPATH_WITH_MARKUP()
  - XPATH_JSON()
  - XPATH_JSON_WITH_MARKUP()
  - XPATH_HTML()
  - XPATH_HTML_WITH_MARKUP()
  [From Build 52.13][# 656646]
- Syslog analysis is affected if the date/month format in a syslog message is not the user-configured timestamp format. This issue occurs if the SYSLOG action uses the default date format (MM/DD/YYYY) instead of a user-defined date format.[From Build 50.10][# 659197, 656437]
- NetScaler appliance crashes when a large host-name header is received and AppFlow logging for host-name and domain-name is enabled.[From Build 50.10][# 660075, 664886]
- A NetScaler appliance in the process of dumping core memory might malfunction and generate a misleading core file.[From Build 52.13][# 660574]
- A NetScaler appliance might crash at a random location and dump a core file unrelated to the actual cause of the problem.[From Build 51.21][# 660574]
- If the integrated caching and application firewall features are enabled and an HTTP/2 window update frame is not handled properly, the queued packets are transmitted without updating the HTTP/2 window. As a result, the appliance crashes.[From Build 53.13][# 660867]
- With the CUBIC or BIC congestion control algorithm, the congestion window clamp is set to the maximum and the sender congestion window (snd_cwnd) increases constantly, which leaves a NetScaler appliance unable to push more than 2 GB of data.[From Build 52.13][# 663551, 656192]
- An integer overflow updates the NetScaler memory statistics with a false value. As a result, SNMP memory traps are not sent when the configured threshold is reached.[From Build 52.13][# 663720, 612313]
- If a NetScaler appliance receives an HTTP request with an empty trailer, it aborts the transaction and resets the connection.[From Build 54.16][# 664875]
- An LACP/HA flapping issue was traced to the ixgbe driver: repeated ethtool queries delay the system to the point where LACP times out. In particular, running the ethtool command on an interface that has no SFP module incurs the penalty of unnecessary discovery through I2C every single time. The fix adds a retry limit and retries only if the state of the SFP module has changed.[From Build 53.13][# 665624, 665456, 653897]
- If the integrated caching (IC) memory limit is set to a value greater than 4 GB and front end optimization (FEO) is enabled, the NetScaler appliance crashes.[From Build 55.13][# 666208]
- In a TACACS authentication configuration, if you clear the system global TACACS policy, the NetScaler appliance displays a warning error message: "Config NodeGroup changed, force cluster sync should be fired on the newly added node to be in sync."[From Build 52.13][# 666392]
- If TCP non-end point mode is enabled on a NetScaler appliance, the appliance sends an acknowledgment (ACK) to the client before the link connection is established, and the ACK does not carry the correct timestamp value.[From Build 53.13][# 667006]
- The LCD daemon nslcd can get its internal state corrupted and stop sending heartbeats to pitboss. This triggers a kill and restart of nslcd by pitboss. If this condition occurs 5 times during a period of 24 hours, pitboss performs a warm restart of that cluster node. In rare circumstances, all cluster nodes might reach this condition at the same time, and that event might cause an outage for a limited period of time.[From Build 54.16][# 667175, 515501, 602521, 667998]
- The NetScaler command line does not come out of the execution logic and does not display the command prompt when multiple grep with pipe operations are performed.[From Build 52.13][# 667214]
- If you enable Web Logging feature before configuring the log buffer size, the NetScaler appliance does not apply the buffer size after a restart.[From Build 57.13][# 667392]
- In an MPTCP connection, a NetScaler appliance sets the TCP PSH flag during retransmission of FastClose and DataFIN packets.[From Build 51.21][# 667765]
- In an MPTCP connection, a NetScaler appliance sets the TCP PSH flag during retransmission of FastClose and DataFIN packets.[From Build 56.19][# 667765]
- A NetScaler appliance fails if multiple vulnerabilities in the Network Time Protocol (NTP) daemon are exploited by an external or local authenticated user.[From Build 57.13][# 669821, 670476, 688886, 685045]
- When transmitting a TCP packet, a NetScaler appliance reuses the same IP-ID for packet retransmission. This impacts the customer if a firewall, Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) drops the packet during retransmission.[From Build 53.13][# 670056]
- Processing audit-log leads to a memory-buffer overflow and disrupts other modules on the NetScaler appliance if the audit-log message size and log levels were not validated properly before audit-log processing began.[From Build 52.13][# 670496]
- In an SSL connection with a client, the NetScaler appliance does not evaluate the SSL policies for HTTP/2 streams.[From Build 56.19][# 670556, 660674, 672227, 689849]
- In an SSL connection with a client, the NetScaler appliance does not evaluate the SSL policies for HTTP/2 streams.[From Build 55.13][# 670556, 660674, 672227, 689849]
- The NetScaler appliance crashes if integrated caching and the application firewall are enabled and the HTTP/2 window update frame is not handled properly. The reason for the crash is that the queued packets are transmitted but they fail to update the window.[From Build 53.13][# 670748]
- The NetScaler appliance inserts an Etag at the wrong offset in the HTTP response header if an HTTP profile has the EtagPersistency option enabled and the header of the response that the appliance received from the server has an Etag identifier without double quotation marks.[From Build 53.13][# 670967]
- A NetScaler appliance adds an SNMP trap for TCP-level synflood if the Varbindings are incorrect for the synflood trap.[From Build 54.16][# 671128]
- When NetScaler Web Logging (NSWL) tries to send log data and the client connection does not exist, the appliance crashes.[From Build 53.13][# 671383]
- Memory utilization becomes high when a NetScaler appliance processes real-time customer traffic.[From Build 56.19][# 671433]
- A NetScaler appliance displays an error message when an SNMP idle-time limit is exceeded.[From Build 57.13][# 671555, 671670]
- After an upgrade, a NetScaler Weblogging (NSWL) HTTP record size is miscalculated if the HTTP header size is greater than 16 kilobytes and it is not a multiple of the word boundary.[From Build 53.13][# 671996, 672244, 678903]
- After an upgrade, a NetScaler Weblogging (NSWL) HTTP record size is miscalculated if the HTTP header size is greater than 16 kilobytes and it is not a multiple of the word boundary.[From Build 52.13][# 671996, 672244]
- Memory usage on a NetScaler appliance might increase over time if Multipath TCP (MPTCP) is enabled and MPTCP to Subflow sequence number mapping fails because of a split packet error in the lower client-side MSS. The appliance becomes unresponsive after the memory is exhausted.[From Build 53.13][# 672009, 670102]
- In some circumstances, a NetScaler appliance in a high availability (HA) pair loses its SYSLOG configuration and displays the following error message when you try to add a SYSLOG action on the secondary node: "Audit-log action exists with the same IP and port." This issue occurs if the configuration on the secondary node is cleared or an HA failover occurs when you bind a SYSLOG policy to a virtual server.[From Build 53.13][# 672315, 673460]
- If the length of the HTTP header name extends to multiple TCP segments, it leads to an out-of-bounds memory access causing a NetScaler appliance to crash.[From Build 53.13][# 673096]
- If Multipath TCP (MPTCP) is enabled, the NetScaler appliance might dump core memory and restart because a protocol control block (PCB) is freed twice.[From Build 53.13][# 673228]
- If an HTTP WebSocket upgrade connection request contains a Content-Length header field, WebSocket applications malfunction.[From Build 53.13][# 673826]
- The NetScaler appliance sends malformed HTTP headers to the server if insertion of the client address is configured on a service in a non-default traffic domain (TD).[From Build 53.13][# 675352]
- Snmpd communicates with nsaggregatord to process the requests it receives. The SNMP code also maintains a cache of the responses from the aggregator in the form of a cache table. If the cache table is corrupted, the appliance fails.[From Build 54.16][# 675631]
- In non-end-point mode, the NetScaler appliance generates a duplicate acknowledgment (DUP_ACK) for every out-of-order packet. In the rare case of SACK-disabled packets, the appliance does not reset the counter after generating a duplicate acknowledgment, which results in unnecessary duplicate acknowledgments and causes the connection to disconnect.[From Build 56.19][# 676598, 690857]
- If the session ID maintained for clients exceeds the threshold of 16 million entries, the configuration engine might crash. That affects the management traffic. As a result, the management connection closes and the manager must log back on to the NetScaler appliance.[From Build 55.13][# 676599]
- Instead of silently closing the connection, a NetScaler appliance in a wildcard configuration might send a response to the source of the request. Upon receiving a SYN request, the appliance sends a "probe connection" request to the back-end server and queues the SYN request. When the server sends a "reset" response, the appliance sends the response to the client instead of silently closing the connection.[From Build 55.13][# 677729]
- If you enable front end optimization (FEO) and configure integrated caching (IC) with cache selectors, the NetScaler appliance might crash.[From Build 55.13][# 677943]
- The NetScaler appliance crashes if the total number of TimeWait connections exceeds 7000 while the MPTCP feature is enabled.[From Build 56.19][# 678015]
- In a high availability setup, the following command-propagation warning message appears when a backup is created for a large configuration file on the primary node: "Warning: There is no response from secondary. Propagation Timed out". However, creation of the backup file succeeds on both nodes after some time.[From Build 55.13][# 679376]
- A NetScaler appliance crashes if the content-type header is missing from an HTTP responder.[From Build 54.16][# 681284]
- If a client sends an HTTP/2 header continuation frame, the NetScaler appliance dumps core.[From Build 54.16][# 681361, 683274]
- If a client sends an HTTP/2 header continuation frame, the NetScaler appliance dumps core.[From Build 55.13][# 681361, 683274]
- An attempt to configure a NetScaler appliance that uses Cloudstack can cause the appliance to fail. If the Cloudstack AutoScale feature or an AutoScale policy is configured with the IP address of a server, an attempt to configure the appliance through the NetScaler CLI instead of through CloudPlatform or Cloudstack binds the IP-address based server to the AutoScale Policy service group. This causes the appliance to crash.[From Build 56.19][# 681426]
- An attempt to configure a NetScaler appliance that uses Cloudstack can cause the appliance to fail. If the Cloudstack AutoScale feature or an AutoScale policy is configured with the IP address of a server, an attempt to configure the appliance through the NetScaler CLI instead of through CloudPlatform or Cloudstack binds the IP-address based server to the AutoScale Policy service group. This causes the appliance to crash.[From Build 55.13][# 681426]
- If an SNMP trap is configured by:
  * adding v2/v1 traps
  * adding v3 traps with bindings
  * removing v2/v1 traps
  * unbinding v3 traps
  and if you then run the "show SNMP trap" command to display the SNMP v3 trap details, the appliance fails.[From Build 56.19][# 682161]
- If a load balancing virtual server configured with a backup server is down, the si_cur_Client counter underflows, causing client connections for the virtual server to display abnormal values in the NetScaler GUI.[From Build 55.13][# 682762]
- A Multipath TCP (MPTCP) client can now send MP_JOIN requests to different destination virtual servers instead of sending them only to the one virtual server that handled the MP_CAPABLE request.[From Build 56.19][# 682880, 687518]
- A NetScaler appliance might crash if a particular sequence of white space and CR-LF characters is sent to an HTTP or SSL virtual server instead of a valid HTTP request.[From Build 56.19][# 683512]
- If multiple trap destinations have the same IP address but different SNMP versions, one of which is SNMPv3, modifying an SNMPv3 trap message leads to an appliance failure.[From Build 55.13][# 683622, 683806]
- If the MSS value in a client TCP handshake with a NetScaler appliance is from 1322 to 1329, the appliance sends 1330-byte segments, which cause packet drops, and the TCP connection fails.[From Build 54.16][# 684148, 687638]
- Some packets become invalid and are dropped when policies are applied. If HTTP/2 packets are dropped, the NetScaler appliance fails to send a rst_stream frame to the client, which causes the appliance to crash when new packets arrive.[From Build 55.13][# 684370]
- Some packets become invalid and are dropped when policies are applied. If HTTP/2 packets are dropped, the NetScaler appliance fails to send a rst_stream frame to the client, which causes the appliance to crash when new packets arrive.[From Build 56.19][# 684370]
- A NetScaler device might fail if it sends FIN packets on a Multipath TCP (MPTCP) fallback connection and the global state variable has not been cleared.[From Build 56.19][# 684574, 685357, 687357, 696622]
- The NetScaler appliance does not include the latest DATA_ACK packet in the retransmitted data segments. It reuses DATA_ACK packets that were sent in the original data segment.[From Build 56.19][# 684908]
- Connections can become unresponsive because of data loss that occurs under the following set of conditions:
  * Different traffic domains are configured on the virtual server and the service.
  * Data insertion causes the NetScaler appliance to split packets.
  [From Build 56.19][# 685510]
- A NetScaler appliance in a high availability configuration crashes when using TCP transport to send log messages.[From Build 55.13][# 685898]
- A NetScaler appliance fails when sending log messages to Syslog server over TCP transport.[From Build 54.16][# 685898]
- When a client times out and sends a message longer than one packet, TCP sends a FIN packet to the application handler (for example, SSL). When TCP receives the second packet, it directly sends the packet to the application handler. As a result, the application handler generates a close notify alert for the first packet and an RST alert for the second packet.[From Build 55.13][# 686390]
- The NetScaler appliance does not send buffered log messages when the SYSLOG server is ready to accept them.[From Build 55.13][# 686751]
- The NetScaler appliance does not send buffered log messages when the SYSLOG server is ready to accept them.[From Build 54.16][# 686751]
- In a SYSLOG action, setting the netProfile parameter during a log transfer causes multiple SYSLOGTCP connections to be established but only one connection serves the log traffic.[From Build 56.19][# 687042]
- A NetScaler appliance might crash if it receives a FIN packet with multiple invalid SACK blocks from the origin server and tries to forward the packet to an MPTCP client.[From Build 56.19][# 687118, 687352, 687351]
- The user is not able to log on to NetScaler Gateway because of high memory utilization.[From Build 56.19][# 687462, 686135, 692657]
- If a NetScaler-inserted cookie is deleted from the end of a cookie header, the appliance does not remove the preceding semicolon. As a result, an extra semicolon is sent at the end of the cookie header when forwarding it to the back-end server.[From Build 55.13][# 687612]
- HTTP/2 traffic can cause a NetScaler appliance to crash. If a responder policy matches an incoming HTTP/2 request, the appliance might drop the HTTP/2 request but fail to close the HTTP/2 stream. A subsequent packet in the same HTTP/2 stream can then cause a crash.[From Build 55.13][# 688686]
- A high CPU usage issue was identified, caused by the high processing cost of show/stat commands. This fix significantly reduces the time required to process a show or stat command, especially if the NetScaler configuration is very large.[From Build 54.16][# 688788]
- A NetScaler appliance can become unresponsive if it hosts a wildcard load balancing virtual server that has the use source IP option enabled and the use proxy port option disabled. The failure occurs if the virtual server associates the outgoing probe-connection information with different incoming connections destined to the same server.[From Build 55.13][# 689915]
- A NetScaler appliance can become unresponsive if it hosts a wildcard load balancing virtual server that has the use source IP option enabled and the use proxy port option disabled. The failure occurs if the virtual server associates the outgoing probe connection information with different incoming connections destined to the same server.[From Build 56.19][# 689915, 694803]
- If Quick ACK mode is forced by Keep Alive probes sent in the middle of a three-way handshake, the appliance resets the back-end server connection.[From Build 56.19][# 690047]
- Passive FTP data connections intermittently reset after a NetScaler HA failover.[From Build 56.19][# 690775]
- HTTP headers can be corrupted by the following series of events:
  * The rewrite feature inserts an end-of-header mark, but the next packet contains more header bytes.
  * The compression (CMP) feature interprets the incorrectly marked HTTP header-end as the actual end of the header, and tries to insert a content-encoding header.
  [From Build 56.19][# 691308]
- If a NetScaler appliance performs window management for transparent connections with the Dynamic Window Management option enabled in the TCP profile, a window update acknowledgment results. This causes a wrong mapping of sequence and acknowledgment numbers, and the connection disconnects.[From Build 56.19][# 692149]
- If a client using the NITRO API over HTTPS to connect to a NetScaler appliance reuses the same source IP address and port within two TCP maximum segment lifetime (MSL) timeout intervals, the connection might be dropped with a TCP reset. Similarly, client TCP connections might be dropped under the following set of conditions:
  * Use source IP is enabled and use proxy port is disabled for the client's connection request.
  * A previous server connection still exists on the appliance and has persisted for two TCP MSL timeout intervals.
  [From Build 57.13][# 692613]
- A NetScaler appliance might become unresponsive if an incorrect nstrace logic is applied for collecting packets in TXB mode.[From Build 56.19][# 694368]
- A memory leak occurs if the Content Filtering feature is configured with either an add prebody or an add postbody action.[From Build 57.13][# 696218, 699644, 700721]
- Strong ciphers are not enabled on a VPX appliance with Telco licenses. As a result, the VPX-T platform supports only export ciphers and denies HTTPS access. This fix enables strong ciphers for Telco platform licenses, thereby enabling HTTPS access and SSL use cases for the VPX-T platform.[From Build 57.13][# 698725]
- A NetScaler appliance might crash with different backtraces if any one of the following conditions is met:
  * Memory is freed to the wrong pool.
  * The AppQoE or HTMLInjection feature is enabled.
  * The AppFlow feature is enabled with the clientSideMeasurements option enabled in the AppFlow action.
  [From Build 57.13][# 700529]
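The cookie-header entry above [# 687612] describes an appliance-inserted cookie being deleted from the end of a Cookie header while the separator before it is left behind. The following is an added example, not NetScaler code: a naive splice that reproduces that defect next to a token-based rewrite that regenerates separators, plus a check for the symptom. The cookie names and values are constructed.

```python
"""Removing one cookie from a Cookie request header (constructed example)."""

# Constructed sample header; the last cookie stands in for an appliance-inserted one.
SAMPLE_HEADER = "session=abc123; theme=dark; NSC_persist=deadbeef"


def remove_cookie_naive(header: str, name: str) -> str:
    """Splice 'name=value' out of the raw header string.

    Reproduces the described defect: when the cookie is the last one, the
    '; ' that preceded it survives, so a dangling separator is forwarded.
    """
    start = header.find(name + "=")
    if start == -1:
        return header
    end = header.find(";", start)
    if end == -1:
        rest = ""                      # cookie was last: nothing after it
    else:
        rest = header[end + 1:].lstrip()  # skip the ';' that followed it
    return header[:start] + rest


def remove_cookie(header: str, name: str) -> str:
    """Rebuild the header from its cookie pairs, omitting `name`.

    Parsing into pairs and re-joining with '; ' regenerates every separator,
    so no stray ';' remains regardless of where the removed cookie sat.
    """
    kept = []
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # tolerate an already malformed 'a=1;; b=2' header
        cookie_name = pair.split("=", 1)[0].strip()
        if cookie_name != name:
            kept.append(pair)
    return "; ".join(kept)


def has_dangling_separator(header: str) -> bool:
    """Detect the symptom on a forwarded header: trailing ';' or an empty pair."""
    return header.rstrip().endswith(";") or ";;" in header.replace(" ", "")
```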
Telco
- In a high availability setup, forcing synchronization does not synchronize Port Control Protocol (PCP) mappings to the secondary node.[From Build 56.19][# 647630]
- On the NetScaler T-13xx platform, the NetScaler software incorrectly calculates the minimum memory required for large scale NAT (LSN) configurations. The NetScaler appliance might become unresponsive if the memory limit is set to a value lower than the incorrectly calculated minimum required memory displayed in the "show extendedmemory" output.[From Build 55.13][# 689375]
Upgrade and Downgrade
- When you upgrade the NetScaler firmware from release 10.1 build 129.11 to release 11.1 build 51.21, the null route option is automatically set to YES.[From Build 54.16][# 679093]
- Repetitive messages appear in log files when you restart the NetScaler appliance after upgrading the firmware. The messages appear regardless of whether you use the GUI or the CLI to perform the upgrade. The repetitive logging stops when you log back on to the appliance.[From Build 56.19][# 690534]
Video Optimization
- A NetScaler appliance with the Video Optimization feature enabled might become unresponsive if a memory allocation fails.[From Build 56.19][# 690975, 695683]
Release history
For details of a specific release, see the corresponding release notes.
- Build 58.13 (2018-06-13) (Current build)
- Build 57.13 (2018-01-25) Replaces: 57.11
- Build 56.19 (2017-11-17) Replaces: 56.15
- Build 55.13 (2017-08-14)
- Build 54.16 (2017-06-13) Replaces: 54.14
- Build 53.13 (2017-04-12) Replaces: 53.11
- Build 52.13 (2017-02-28)
- Build 51.26 (2016-12-23) Replaces: 51.21
- Build 51.21 (2017-02-02)
- Build 50.10 (2016-10-28)
- Build 49.16 (2016-09-28)
- Build 48.10 (2016-08-04)
- Build 47.14 (2016-06-30)
- Build 41.26 (2016-05-19)