Release Notes for NetScaler 11.1-64.14 Release

This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the NetScaler release Build 11.1-64.14.

Notes

  • This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
  • Build 64.14 replaces Build 64.11.
  • Build 64.14 and later builds address the security vulnerabilities described in https://support.citrix.com/article/CTX276688.

What's New

The enhancements and changes that are available in Build 11.1-64.14.

AAA-TM

NetScaler SDX Appliance

Load Balancing

  • Title: Support to configure the ADC generated cookie attributes

    For NetScaler deployments, support is now added to insert additional cookie attributes into the cookies generated by the NetScaler appliance. These additional cookie attributes help in enforcing the required policies for the ADC generated cookies based on the application access pattern.

    This feature can be used to prevent issues that can occur because of the Google Chrome upgrade (Google Chrome 80).

    For more information, see https://docs.citrix.com/en-us/citrix-adc/13/load-balancing/insert-cookie-attributes.html
    [ NSLB-6068 ]

User Interface

  • Title: Changing default RPC node passwords
    In HA, cluster, and GSLB deployments, a warning message appears for the nsroot and superuser login if the default RPC node password is not changed.
    [ NSCONFIG-2224 ]

Fixed Issues

The issues that are addressed in Build 11.1-64.14.

AAA-TM

  • An FQDN in the SSL certificate might cause a NetScaler appliance to crash because of a buffer overflow.
    [ NSHELP-20476 ]
  • The NetScaler appliance crashes after an upgrade to version 13.0 because of a buffer overflow condition.
    [ NSHELP-20416 ]
  • In some cases, a NetScaler appliance dumps core when the "show aaa group -loggedIn" command is issued.
    [ NSHELP-19793 ]
  • If a dialogue cookie in the client request is processed before checking for any existing sessions, a NetScaler appliance sends a change password page to the client.
    [ NSHELP-19528 ]

CallHome

  • In rare cases, the Call Home process might crash, causing the appliance to restart. The issue occurs if a Call Home sub process uses the same internal process ID (PID) as the previous sub process.
    [ NSHELP-20334 ]

NetScaler Gateway

  • The Web Interface feature might not work as intended after upgrading the NetScaler appliance.
    [ NSHELP-21899 ]
  • The NetScaler Gateway logon page becomes unresponsive if RfWebUI based custom themes or nFactor with custom themes are used.
    [ NSHELP-21763 ]
  • In a NetScaler Gateway high availability setup, the secondary node crashes during high availability synchronization if logging is enabled on Web App Firewall global.
    [ NSHELP-21254 ]
  • In a NetScaler Gateway high availability setup, the secondary node crashes if a syslog policy is bound globally to Web App Firewall and one of the following conditions is met:
    - You perform a force failover.
    - You clear the configuration.
    [ NSHELP-21167 ]
  • A NetScaler appliance might crash and dump core if the memory allocation for client and server process control blocks fails.
    [ NSHELP-20961 ]
  • In rare cases, the NetScaler Gateway appliance crashes if AAA-TM user session is transferred and Intranet IP is enabled.
    [ NSHELP-20680 ]
  • Users are incorrectly prompted to enter the user name and password when nFactor Logon form is customized to display the dynamic Logon Type menu and OAuth is selected from the list.
    [ NSHELP-20300 ]
  • In a cluster setup, when a CCO node is rebooted or upgraded, there might be a mismatch of AAA-TM keys across the cluster. This can result in gateway authentication failures for the client.
    [ NSHELP-20294 ]
  • A client machine fails to reconnect to a NetScaler Gateway appliance because the appliance sends an incorrect STA ticket upon STA refresh.
    [ NSHELP-20285 ]

Web App Firewall

  • The NetScaler appliance blocks Closure URLs after two minutes if URL closure protection is enabled.
    [ NSWAF-3292 ]
  • After an upgrade, a NetScaler appliance might crash because of high memory usage.
    [ NSHELP-21410 ]
  • A NetScaler appliance might crash because of memory allocation failure.
    [ NSHELP-21071 ]
  • A NetScaler appliance might crash if the signature feature is enabled and a specific request pattern is detected.
    [ NSHELP-20884 ]
  • A NetScaler appliance resets the connection if an incoming GWT request has a query string in the URL.
    [ NSHELP-20564 ]
  • After an upgrade from build 12.0-58.15 to 12.0-62.8, the URL transformation feature is not working for some URLs. The issue is caused by incorrect canonicalization when rewriting URLs.
    [ NSHELP-20460 ]
  • A NetScaler appliance might crash if the following conditions are observed:
    - IP reputation policy expression is used in a load balancing virtual server of type TCP.
    - Security Insight is enabled.
    [ NSHELP-20410 ]
  • After an upgrade, if you bind a signature to the Web App Firewall profile, the appliance silently drops an incoming request.
    [ NSHELP-20201 ]
  • In a high availability setup, enabling IP reputation feature might result in high availability command propagation failures.
    [ NSHELP-20010 ]

Load Balancing

  • When the configuration difference between GSLB sites is huge and the autosync is enabled, the filesystem might get full. The following error message is displayed:

    “write failed, filesystem is full.”
    [ NSHELP-21796 ]
  • The NetScaler appliance might crash when both the following conditions are met:
    • Rule-based persistence is configured on the appliance.
    • Multiple IPv6 servers respond with the same values for the parameters configured in the rule-based persistence.
    [ NSHELP-20490 ]

Networking

  • The CLI of a NetScaler appliance displays unwanted debug messages when the appliance processes IPv6 fragmented packets.
    [ NSNET-12704 ]
  • In a high availability setup in INC mode, after a failover, the new secondary node might not withdraw the default route (learned from other BGP peers) that it advertised when it was functioning as primary. Because of this issue, the data traffic can arrive on the new secondary node as well.
    [ NSHELP-21720 ]
  • In a high availability setup, by function, the node state immediately changes to UP from DOWN after a partial failure when both of the following conditions are true:

    - if the state of the critical interface that caused the partial failure changes to UP from DOWN
    - if the critical interface received a non-multicast packet

    The state of the node might not immediately change to UP if the critical interface is part of an LACP channel.
    [ NSHELP-21711 ]
  • “sh IP BGP summary” command on the VTYSH command line incorrectly displays the 32 bit ASN values as negative values.
    [ NSHELP-21234 ]
  • On a NetScaler appliance, management connections to IPv6 Subnet IP addresses might get reset when you perform the clear config basic operation.
    [ NSHELP-21206 ]
  • During the “set partition” operation, the maximum memory of the partition is now increased up to NS_SYS_MEM_FREE() only. Earlier, it was increased up to the maximum memory available so that the configured partition is not lost after rebooting the NetScaler appliance.
    [ NSHELP-21159 ]
  • The NetScaler fails to install Intermediate System to Intermediate System (IS-IS) next-hop because of missing authentication (AUTH) information on the received large Link State PDUs (LSPs).
    [ NSHELP-21062 ]
  • The BGP daemon might display duplicate warning messages for a route removed from the NetScaler routing table.
    [ NSHELP-20906 ]
  • After a system restart, the NetScaler appliance advertises routes with a reduced metric for 180 seconds.
    [ NSHELP-20842 ]
  • The NetScaler appliance might not update ECMP routes properly when multiple BGP sessions go to "DOWN" state simultaneously.
    [ NSHELP-20664 ]
  • A NetScaler appliance might crash if it receives IPv6 traffic that matches both of the following conditions:

    * Source MAC address of IPv6 traffic matches the MAC address of a service bound to a virtual server with type ANY and redirection mode set to MAC based forwarding (-m MAC)
    * The IPv6 traffic matches an RNAT6 rule with TCP proxy option enabled
    [ NSHELP-20548 ]
  • The NetScaler appliance might skip Policy-based routes (PBR) rules for outgoing monitor packets of type UDP and ICMP.
    [ NSHELP-20545 ]
  • 32-bit ASN values appear as negative values in the “sh ip bgp summary” command output.
    [ NSHELP-20540 ]
  • The ADC appliance might not update the ECMP routes in an optimised way when an associated interface is disabled, or an associated IP address is deleted.
    [ NSHELP-19891 ]
  • When a PBR rule with next hop parameter set to NULL is added for a load balancing service or a monitor, the NetScaler appliance might become unresponsive.
    [ NSHELP-19245 ]
  • On restarting the NetScaler appliance, default route is originated before the IP address of the interface is populated. Because of this issue, the next hop of a route is set to NULL leading to a martian error.
    [ NSHELP-16407 ]

Platform

  • Config wipe scripts fail on some NetScaler platforms. With this fix, the date code of the scripts is updated to 01/14/20 and all platforms are supported.
    [ NSPLAT-13498 ]
  • After upgrading NetScaler SDX 8900 and SDX 15000 50G appliances to version 11.1 63.9, 10G NICs do not appear on the appliances. This issue prevents the VPX instances from booting up. As a result, the instances become unreachable.
    [ NSPLAT-12093 ]
  • The SDX 14000 FIPS driver might crash if you make changes to the HSM partition.
    [ NSHELP-21408 ]
  • In some cases, when you restart one or more VPX instances on a NetScaler SDX appliance containing Fortville NICs, LACP on the interfaces might go to the 'defaulted' state.
    [ NSHELP-21091 ]
  • The NetScaler VPX appliance crashes on Azure while initializing a NIC resource. The crash leads to a kernel dump on the boot up process. This issue occurs when there is a delay in response to certain messages that the driver needs to send to the backend hypervisor as part of the initialization process. This delay is observed in the Mellanox Connectx3 and Connectx4 platforms. The fix is to increase the timeout value so that the driver waits for a longer duration to receive the response.
    [ NSHELP-21034 ]
  • In some cases, the SDX 14000 appliance might become unresponsive and needs reboot.
    [ NSHELP-21017 ]

  • In the VPX deployment on Cisco CSP 2100 platform, occasionally packets might get dropped when more than one virtual function (VF) is created out of the physical network interface card (pNIC).
    [ NSHELP-20991 ]
  • On SDX platforms with Fortville interfaces, the 10G & 40G Fortville interfaces can run into TX stalls when Jumbo is enabled on them.
    [ NSHELP-20605 ]
  • On a NetScaler SDX appliance, the virtual interface status shows UP even though the corresponding physical link is DOWN.
    [ NSHELP-20452 ]
  • A VPX instance running on a NetScaler SDX appliance fails to free the allocated ports after a client connection is closed. This failure might cause the instance to restart continuously.
    [ NSHELP-18729 ]
  • The SDX 14000 FIPS appliance might crash and restart while configuring a FIPS HSM partition.
    [ NSHELP-18503 ]

Policies

  • A NetScaler appliance might crash if there are few network buffers when rewriting chunked data.
    [ NSHELP-20847 ]

SSL

  • In some cases, the following appliances might crash while running SSL traffic:
    - MPX 59xx
    - MPX/SDX 89xx
    - MPX/SDX MPX 26xxx
    - MPX/SDX 26xxx-50S
    - MPX/SDX 26xxx-100G
    - MPX/SDX 15xxx-50G
    [ NSSSL-7606 ]
  • In a cluster setup, the 'set ssl service' command on any internal service throws an error and does not set any parameter for the internal service.
    [ NSSSL-5834 ]
  • If the SSL default profile is enabled and bound to an SSL service group, a warning message appears when you unbind a cipher from the SSL profile and bind a service to this service group. The service is also not bound to the service group.
    [ NSHELP-20332 ]
  • The internal SSL service state appears UP even after you unbind the certificate from the service.
    [ NSHELP-19752 ]

System

  • A NetScaler appliance resets an MPTCP subflow if it receives a plain acknowledgment before the subflow is confirmed as MPTCP.
    [ NSHELP-20649 ]
  • A NetScaler appliance resets MPTCP subflows if a subflow is alive and active for more than the idle timeout period.
    [ NSHELP-20648 ]
  • A NetScaler appliance might crash if one SYN buffer is properly freed while the other buffer is removed and not freed in the retransmission queue.
    [ NSHELP-20424 ]

User Interface

  • The NetScaler pooled capacity licensing might fail if latency is high between ADC and ADM. This issue occurs if latency is greater than 200 ms.

    The NetScaler licensing client attempts repeatedly to check out the licenses from ADM. In a high availability and cluster setup, licensing configurations are unnecessarily reapplied whenever synchronization is triggered. Propagation and synchronization of the pooled licensing commands are disabled. Each node must be licensed independently by logging in to the NSIP of the node. You can execute only show commands on the Cluster IP.
    [ NSUI-14868 ]
  • After upgrading to build 12.1-55.x, the appliance might boot up unlicensed if pool licensing is configured. As a result, all the features are disabled and any configuration that is license dependent is missing in the running configuration. Perform a warm reboot to restore the pool license and the configuration.
    Caution: Do not run "save config" or force an HA failover on an unlicensed appliance.
    [ NSUI-7869 ]
  • The Client-Server Link Mapping option under Network > TCP/IP connections of Citrix GUI displays a blank connection in admin partition mode.
    [ NSHELP-18772 ]
  • You cannot retrieve a backup file using the NetScaler GUI if the file name is from 61 to 63 characters long even though the maximum limit is 63 characters.
    [ NSHELP-11667 ]

Known Issues

The issues that exist in release 11.1-64.14.

AAA-TM

  • The session establishment fails when accessed from the Citrix Workspace app using Webview if preauthentication EPA is configured along with nFactor authentication.
    [ NSHELP-22845 ]
  • In the SAML LogoutRequest parameter, the attributes SPNameQualifier and NameQualifier are missing from the NameID element when a SAML Service Provider (SP) receives an assertion from SAML Identity Provider (IdP).
    [ NSHELP-8018 ]
  • The AAA-TM parameter configurations related to the "set aaa parameter" command are lost if you execute the “force cluster sync” command manually.
    Workaround: Do not execute the “force cluster sync” command.
    [ NSAUTH-6274 ]

NetScaler Gateway

  • The user name in the ICA log message might be truncated if the user name contains the ' (single quote) character.
    [ NSHELP-22814 ]
  • In rare cases, the NetScaler Gateway appliance might crash when an intranet IP address that is already configured was previously used and freed incorrectly.
    [ NSHELP-22349 ]
  • In a NetScaler Gateway high availability setup, the secondary node might crash during core-to-core communication.
    [ NSHELP-21991 ]
  • The following error message appears when you import an SJIS file from AppExpert>Responder>HTML Page Imports.

    "URL malformed"

    Workaround: Save the SJIS file in UTF-8 format, and then import it.
    [ NSHELP-20711 ]
  • The "show audit messages" output does not display the latest logs if you modify the syslog server in the global syslog parameters.
    [ NSHELP-19430 ]
  • SOCKS Proxy CR virtual server configuration for a NetScaler Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).
    Workaround: Use an IP address for VDA.

    [ NSHELP-8549 ]
  • In an outbound ICA proxy deployment, the NetScaler appliance closes the client connection if the following conditions are met:
    - A TCP service has the same IP address as the destination server.
    - The TCP service also has the same IP port as the destination server.
    The appliance closes the connection because it fails to establish a connection with the destination server.
    [ NSHELP-8469 ]
  • For command "add vpn intranetApplication", description for "protocol" parameter is incorrectly displayed in man page. The description has "BOTH" as a possible value instead of "ANY". However, the man page correctly displays the possible values required for configuration.
    [ NSHELP-8392 ]
  • An AAA-TM virtual server login page displays an error code number instead of a meaningful error message.
    [ NSHELP-7872 ]
  • After upgrading the NetScaler Gateway appliance to release 11.x or later, users might see a blank page upon log on. The blank page appears because the browser serves some of the files from its own cache, instead of requesting all the files from the upgraded appliance.
    Workaround: Clear the browser cache.
    [ NSHELP-6807 ]
  • A NetScaler appliance in a clustered setup displays a "Cannot allocate memory" error message if you use the set command to set the server domain name in a SYSLOG action.

    Workaround: Delete the SYSLOG action in which you set the domain name, and add a new SYSLOG action that specifies the server domain name instead of the server IP address.
    rm syslogaction
    add syslogaction -loglevel [-options ...]
    [ CGOP-6745 ]
  • If you edit the home page through CVPN, the embed code becomes corrupt.
    [ CGOP-4505 ]
  • If a Windows user name has non-ASCII characters, the user is unable to collect logfiles by using the Collect Log button.
    [ CGOP-3359 ]
  • If the Home Page Text labels are lengthy when you customize an RfWebUI based theme, the home-page user interface does not function properly. The following lengthy text labels can cause this problem:
    Apps Tab Label
    Desktop Tab Label
    Favorite Tab Label
    [ CGOP-1622 ]
  • If a VPN session profile and RfWebUI portal theme are in use, end users cannot log on if the following are set to OFF:
    - ICA Proxy
    - Clientless VPN Mode
    - Transparent Interception and Client Choices
    [ CGOP-1575 ]

Web App Firewall

  • If you upgrade a NetScaler appliance in a high availability (HA) setup from version 10.5.56.15 to version 11.1.51.1901 and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message.

    Workaround: Turn off the Learning feature when skipping learned rules.
    [ NSWAF-1184 ]
  • The information that the GUI displays for the application firewall web services interoperability (WSI) check does not say that it is a prerequisite and cannot be disabled.
    [ NSWAF-679 ]
  • When using IE, an RFC violation occurs when submitting a form with Form Field Name and value triggering the request as malformed multipart request. This issue does not occur in Chrome or Firefox.
    The correct format of the request should be: Content-Disposition: form-data; name="".
    [ NSHELP-17547 ]
  • The NetScaler application firewall should bypass requests from application firewall processing after the system reaches a specified CPU/memory usage limit, but there is currently no policy for reviewing CPU and memory capacity and bypassing the application firewall.
    [ NSHELP-17352 ]

Load Balancing

  • The NetScaler appliance might crash intermittently if device watchdog request (DWR) probing is enabled for Policy and Charging Rules Function (PCRF), and the PCRF becomes unreachable.

    Workaround: Disable DWR monitoring for the PCRF.
    [ NSHELP-20827 ]
  • The show gslb domain command does not populate the correct MIR and ECS values between the GSLB virtual server and the GSLB domain bound to the same virtual server.

    [ NSHELP-11729 ]
  • If a service group member is assigned a wildcard port (port *), the monitor details for that service group member can be viewed from the Monitor Details page.
    [ NSHELP-9409 ]

Miscellaneous

Networking

  • When a NetScaler appliance processes traffic at line rate, management CPU spike is observed on the appliance while configuring allowed VLAN list.
    [ NSNET-5689 ]
  • In some cases of FTP data connections, the NetScaler appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
    [ NSNET-5233 ]
  • No Error or Warning is announced if a user tries to set trunk mode on the loopback interface.
    [ NSNET-4405 ]
  • The following error messages might appear if you configure more than 100 VLANs in the trunkallowedVlan list on an interface in the NetScaler instance:
    ERROR: Operation timed out
    ERROR: Communication error with the packet engine
    [ NSNET-4312 ]
  • In a cluster setup, after a reboot, tagged VLAN configuration is lost on the vlan 1 interface.
    [ NSNET-4162 ]

  • The NetScaler appliance allows configuration through NITRO APIs even before the protocol modules are completely initialised. Because of this, the write memory command fails with the following error message:

    “save config denied – modules not ready”
    [ NSHELP-19431 ]
  • When the NetScaler appliance is cleaning up a large number of server connections as part of a remove command, the Pitboss process might restart. This Pitboss restart might cause the ADC appliance to crash.
    [ NSHELP-136 ]

NSDOC

  • If you have to set a domain wide cookie for an authentication domain, you must enable authentication profile on a load balancing virtual server.
    [ NSHELP-15356 ]

Platform

  • On a NetScaler SDX appliance, Tx stalls might be reported for an interface on a VPX instance if the following conditions are met:
    - The VPX instance has more than one dedicated core.
    - Three or four reset operations are issued consecutively with JUMBO MTU traffic on a 10G, 25G, or 40G interface.
    - Malicious Driver Detected (MDD) event is observed for the interface in the Citrix Hypervisor (formerly XenServer) logs.
    [ NSPLAT-11798 ]
  • In an OpenStack environment, if a custom flavor with an Ephemeral Disk of size less than 8 GB is used to start a NetScaler VPX or Cisco Nexus 1000v instance, the config drive is not attached to the instance.
    [ NSPLAT-7395 ]
  • Enabling trunk mode with tagged VLAN settings on an SR-IOV interface fails with the following error message:
    "ERROR: Maximum number of tagged VLANs bound to the interface exceeded or the binding of this VLAN is not allowed on the interface."
    However, trunk mode with tagged VLAN settings is shown as enabled in the output of the following command:
    show interface summary
    [ NSPLAT-3614 ]
  • Upgrading a NetScaler SDX appliance from release 11.1 build 61.112 to release 11.1 build 63.x fails.

    Workaround: Upgrade the appliance to release 11.1 build 64.x.
    [ NSHELP-22648 ]
  • VLAN filtering does not work on the VPX instances with LA interface and L2 mode configured because all the member interfaces in the channel are set to promiscuous mode. As a result, all the VPX instances with this LA interface see all the packets from all the VLANs.

    Workaround: Use a different LA channel for each VPX instance.
    [ NSHELP-22500 ]
  • On the NetScaler MPX platform, a 50G port that is a member of a link aggregation group continues to be DOWN if the following actions are performed:

    1. The 50G port is disabled.
    2. The port on the peer switch is disabled.
    3. The port on the peer switch is enabled.
    4. The 50G port is enabled.

    The 50G port does not come up even after it is enabled. As a result, traffic cannot pass through the 50G port.
    [ NSHELP-20529 ]
  • On the following NetScaler SDX platforms, connectivity to a VPX instance might fail if it receives heavy multicast traffic when a management port is not assigned to a VPX instance and instance management is done through the data ports.
    - SDX 8900
    - SDX 14000-40G
    - SDX 14000-40S
    - SDX 15000-50G
    - SDX 25000-40G
    - SDX 25000T
    - SDX 25000T-40G
    [ NSHELP-19861 ]

Policies

  • The NetScaler appliance now allows all string and character literals which include binary characters. However, the UTF-8 character sets still require the string and character literals to be a valid UTF-8.

    Previously, the appliance allowed only valid UTF-8 string and character literals. This was true for both UTF-8 and binary (ASCII) character sets. However, this did not allow some binary string and character literals, which meant that some valid expressions related to binary content could not be written.

    Example:

    CLIENT.TCP.PAYLOAD(100).CONTAINS("\xff\x02")
    [ NSPOLICY-2362 ]
  • Connections might hang if the size of processing data is more than the configured default TCP buffer size.

    Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
    [ NSPOLICY-1267 ]

SSL

  • ECDHE support with SSLv3 protocol on the NetScaler appliance is not compatible with RFC 4492, because SSLv3 does not support extensions and ECDHE needs extension support.
    [ NSSSL-4724 ]
  • If you create a custom cipher group and bind it to an SSL entity, the profile name "SSL_EMBEDDED_PROFILE" incorrectly appears in the output of the "show ciphergroup" command. This error does not occur if you enable the Default profile before creating the custom cipher group and binding it to the SSL entity.
    [ NSSSL-4486 ]
  • Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
    [ NSSSL-4427 ]
  • An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
    [ NSSSL-3184 ]
  • In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
    [ NSSSL-3161 ]
  • The SSL entities to which an SSL profile is bound do not appear when you run the show ssl profile command on a cluster IP (CLIP) address.
    Workaround: You can view the bound entities from the NetScaler IP (NSIP) address.
    [ NSSSL-2481 ]
  • In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.
    [ NSSSL-1223 ]
  • An incorrect error message is displayed in both the following cases:
    1. Client authentication is enabled, root CA certificate is not bound to the SSL virtual server, and a request with a valid client certificate is sent to the virtual server.
    2. Client authentication is enabled, root CA certificate is bound to the SSL virtual server, and a request with a wrong certificate is sent to the virtual server.

    The error message that appears is "Handshake failure-Internal Error" instead of "No client certificate received."
    [ NSSSL-851 ]
  • In a cluster setup, the running configuration on the cluster IP (CLIP) address shows the DEFAULT_BACKEND cipher group bound to entities, whereas it is missing on nodes. This is a display issue.
    [ NSHELP-13466 ]

System

  • Event monitor logs are not displayed on the NetScaler GUI dashboard.
    [ NSHELP-19965 ]
  • After a restart, VM login failure logs occur. This happens after you execute the "show ns hardware" command.
    [ NSHELP-18548 ]
  • A NetScaler appliance silently truncates and drops HTTP request body packets greater than the maximum HTTP header size configured in the HTTP profile. The request body is truncated only if the appliance receives an HTTP request after an incomplete header assembly (request header spanning more than one packet) and the request body is received when the appliance awaits a TCP acknowledgment for the request header sent to the server. The truncation results in TCP retransmission and latency issues.
    [ NSHELP-11096 ]
  • The Application Firewall policy for HTTP requests (HTTP.REQ.HEADER) does not detect a content type with multiple lines.
    [ NSHELP-11092 ]
  • The mptcp_cur_session_without_subflow counters incorrectly decrement to a negative value instead of zero.
    [ NSHELP-10972 ]
  • A NetScaler appliance sends a TCP fast open cookie instead of an MPTCP MP_CAPABLE option for MPTCP traffic.
    [ NSHELP-10909 ]
  • If you access a NetScaler appliance from the GUI, the TCP/IP Connection page supports only a set of classic and advanced policy expressions as a filter. If you use an unsupported expression as a filter, the NetScaler GUI does not display a warning message, and using the unsupported expression leads to an appliance failure.

    Note: You can type the show connectiontable command to view the list of supportable expressions.
    [ NSHELP-10809 ]
  • A NetScaler appliance might not honor persistence for a load balancing virtual server with a wildcard configuration if information about the back-end server is not available.
    [ NSHELP-10559 ]
  • Random packets on loopback interface are found missing if you capture nstrace on a NetScaler appliance.
    [ NSHELP-10166 ]
  • In client IP header insertion (for example, -X-Forwarded-for) if the IP address to be inserted is not as long as the buffer, the header pads spaces at the end of the client IP address.
    [ NSHELP-10079 ]
  • When you reboot your appliance, a mismatch between default TCP profiles and built-in profiles causes the Forward RTO-recovery (FRTO) option to be enabled on a TCP profile other of a node.
    [ NSHELP-9453 ]
  • A NetScaler appliance with connection chaining and SSL enabled might send more MTU data.
    [ NSHELP-9411 ]
  • Compression policies of classic policy type do not work as expected. NetScaler recommends you to use the advanced policy infrastructure.
    [ NSHELP-9108 ]
  • If you set the AppFW profile post body limit to a value greater than 2 GB, client requests get dropped. The issue occurs because of TCP overflow for a window size variable.

    [ NSHELP-8860 ]
  • By default, a NetScaler appliance ignores the non-standard and obsolete "Proxy-Connection" HTTP header. To change this behavior, use the nsapimgr command to set the proxyConnection parameter to 1. This setting prioritizes the Proxy-Connection header over the Connection header.
    For example, nsapimgr -ys proxyconnection=1
    [ NSHELP-8842 ]
  • If multiple AppFlow policies are bound to the same bind point, only the last policy is chosen.
    [ NSBASE-4140 ]
  • The NetScaler appliance is unable to reuse an existing probe connection if an HTTP wildcard load balancing virtual server is configured in MAC mode with use source IP (USIP) mode enabled and the Use Proxy Port option turned off. As a result, the connection fails and the client receives a TCP reset.
    [ NSBASE-2785 ]
  • The initial probe connection that a NetScaler appliance makes with the back-end internet server to check for server availability is now reusable for actual server connection with the internet server.
    [ NSBASE-1185 ]

User Interface

  • In the Visualizer, some buttons might not work if you use Mozilla Firefox or Internet Explorer.

    Workaround: Use the Google Chrome browser.
    [ NSUI-8412 ]
  • When you import a UTF-8/S-JIS based HTML file type by using the NetScaler GUI, the following error message appears:
    "URL malformed"

    Workaround: Before importing, save the file in UTF-8 format.
    [ NSHELP-19512 ]
  • The Actions tab is missing from "Unknown Certificates" page in the GUI.
    [ NSHELP-12948 ]
  • The Events page in the NetScaler GUI (Configuration > System > Diagnostics > View events > Events) does not display the "Start Date Time" field. The issue is observed only in the Firefox browser.
    [ NSHELP-12591 ]
  • When you run the set command on a NetScaler appliance, the ns.log file stores the command with all parameter values, including customer provided values.
    [ NSHELP-11291 ]
  • If you (system administrator) perform all the following steps on a NetScaler appliance, the system users might fail to log in to the downgraded NetScaler appliance.

    1. Upgrade the NetScaler appliance to one of the builds:

    - 13.0 52.24 build
    - 12.1 57.18 build

    2. Add a system user, or change the password of an existing system user, and save the configuration, and
    3. Downgrade the NetScaler appliance to any older build.

    To display the list of these system users by using the CLI:
    At the command prompt, type:

    query ns config -changedpassword [-config ]

    Workaround:

    To fix this issue, use one of the following independent options:

    - If the NetScaler appliance is not yet downgraded (step 3 in above mentioned steps), downgrade the NetScaler appliance using a previously backed up configuration file (ns.conf) of the same release build.

    - Any system administrator whose password was not changed on the upgraded build, can log in to the downgraded build, and update the passwords for other system users.

    - If none of the above options work, a system administrator can reset the system user passwords. For more information, see: https://docs.citrix.com/en-us/citrix-adc/13/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-reset-default-amin-pass-tsk.html

    [ NSCONFIG-3188 ]
  • If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled and the nsroot password is changed at the first logon to the NetScaler appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.
    [ NSCONFIG-2370 ]