Release Notes for Build 53.22 of NetScaler 12.0 Release

Additional Changes/Fixes Available in Replacement Builds

Points to Note

What's New?

• Group Attribute Parsing Support from a SAML Assertion

  You can now configure a NetScaler appliance to parse attributes in SAML assertions as group attributes. Parsing them as group attributes enables the appliance to bind policies to the groups. For more information, see http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication.html.
  [# 681375]

• Audience Restriction Check Support for NetScaler configured as SAML SP

  A NetScaler appliance configured as a SAML service provider can now enforce an audience restriction check. The audience restriction condition evaluates to “Valid” only if the SAML replying party is a member of at least one of the specified audiences. For more information, see http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication.html.
  [# 687628]

• Support for RSA Private Key Decryption for SAML Operations on a NetScaler MPX FIPS Appliance

  A NetScaler MPX FIPS appliance used as a SAML service provider now supports encrypted assertions.
  [# 688140, 635174]

Licensing

• Support for Higher Number of vCPUs

  With NetScaler Pooled Capacity, the NetScaler VPX instances can be configured for bandwidth licensing up to 100G and 20 vCPUs.

  With NetScaler Check-in/Check-out licensing, the NetScaler VPX instances can be configured with bandwidth licenses up to 100G
  [# 687192]

NetScaler CPX

• Ability to Assign Multiple Interfaces to NetScaler CPX

  You can now assign dedicated network interfaces to the NetScaler CPX container by using a NetScaler CPX-specific environment variable. The network interfaces that you define are held by the NetScaler CPX container until you uninstall the NetScaler CPX container. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/deploy-using-docker-image-file.html.
  [# 656533]

NetScaler Gateway

• SNI Support for NetScaler Gateway

  A NetScaler Gateway appliance can now be configured to include a server name indication (SNI) extension in the SSL “client hello” packet sent to the backend server. The SNI extension helps the backend server identify the FQDN being requested during the SSL handshake and respond with the respective certificates.

  Note: Enable SNI support when multiple SSL domains are hosted on same server.

  For more information, see http://docs.citrix.com/en-us/netscaler-gateway/12/configuring-server-name-indication-extension.html.
  [# 624091]

NetScaler VPX Appliance

• Support for SR-IOV Interfaces for NetScaler VPX Instances on AWS

  After you have created a NetScaler virtual instance on AWS, you can use the AWS CLI to configure the virtual appliance to use SR-IOV network interfaces. For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-aws/Config-NS-VPX-SRIOV-AWS.html
  [# 673928]

• Active/Passive Multi-NIC Multi-IP HA-INC Deployment on Azure

  You can deploy a NetScaler VPX pair with multiple IP addresses and network interfaces in active/passive high availability (HA) Independent Network Configuration (INC) mode. Use the new Citrix NetScaler HA template on Azure for deployment, or use Windows PowerShell commands.

  For more information, see the following topics:

  http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure/configuring-multiple-azure-nics-ip-for-vpx-in-ha-mode.html

  http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure/configuring-gslb-active-standby-ha-deployment-azure.html
  [# 675920]

• SR-IOV Support with Intel X710 10G and XL710 40G NICs

  You can now configure a NetScaler VPX appliance to use single-root I/O virtualization (SR-IOV) technology with Intel X710 10G and XL710 40G NICs.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/configure-SR-IOV-KVM.html
  [# 679513]

• OVS DPDK for NetScaler VPX Instances Running on KVM

  You can configure a NetScaler VPX instance running on KVM to use Open vSwitch (OVS) with the Data Plane Development Kit (DPDK). This configuration provides better network performance. Also, certain NetScaler VPX deployments require the VPX host on KVM to operate on the vhost user ports exposed by OVS rather than the standard MacVTap-based vhost interfaces.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/configure-ovs-dpdk-kvm.html.
  [# 682999]

• Auto-Provision a NetScaler VPX Instance by Using Virtual Machine Manager

  You now have the option to auto-provision a NetScaler VPX instance by using the Virtual Machine Manager. If auto-provisioning is enabled, the IP address, gateway, and netmask are automatically assigned to the instance during initial setup. If auto-provisioning is not enabled, you must provide the networking configuration manually.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/provision-on-kvm-using-vmm.html
  [# 690684]

• NetScaler VPX Check-In/Check-Out Licensing Support for New Licenses

  You can now purchase and use the new 10Gbps+ NetScaler VPX Check-In/Check-Out Licenses for NetScaler VPX instances deployed on any supported hypervisors, and for instances used in cloud deployments. The newly supported licenses include 10Gbps, 15Gbps, 25Gbps, 40Gbps and 100Gbps versions of the Standard, Enterprise, and Platinum editions.
  [# 691005]

Platform

• Support for Pooled Licensing

  NetScaler MPX 115xx models are now supported with pooled licensing. For more information about pooled licensing, see http://docs.citrix.com/en-us/netscaler-mas/12/netscaler-pooled-capacity.html.
  [# 599575]

SSL

• Recording the time taken for an SSL handshake in the syslog

  The time taken for an SSL handshake to complete can now be recorded in the system log (syslog). To do this, set the log level in the syslog parameters to All.
  [# 669508]

• Secure Implementation of Session Tickets

  You can now secure session tickets by using a symmetric key to encrypt them. Additionally, to achieve forward secrecy, you can specify a time interval at which the session-ticket key is refreshed. Session-ticket keys can be generated by the appliance, or you can manually enter session-ticket key data. Entering this data manually is helpful in HA or cluster deployments so that the appliances can decrypt each other's session tickets.

  For more information about this enhancement, see http://docs.citrix.com/en-us/netscaler/12/ssl/customize-ssl-config/secure-implementation-of-session-tickets.html.
  [# 669514]

Telco

• IPFIX Logging Support for Large Scale NAT

  The NetScaler appliance supports sending information about LSN events in Internet Protocol Flow Information Export (IPFIX) format to the configured set of IPFIX collector(s).

  The appliance uses the existing AppFlow feature to send LSN events in IPFIX format to the IPFIX collectors.

  IPFIX based logging of LSN events is available for the following events in the context of NAT44, NAT64, and Dual-Stack Lite.

  * Creation or deletion of an LSN session.

  * Creation or deletion of an LSN mapping entry.

  * Allocation or de-allocation of port blocks in the context of deterministic NAT.

  * Allocation or de-allocation of port blocks in the context of dynamic NAT.

  * Whenever subscriber session quota is exceeded.

  For more information about IPFIX logging for large scale NAT44, see IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn-logging-monitoring.html.

  For more information about IPFIX logging for dual-stack lite, see IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/dual-stack-lite/logging-monitoring-DS-Lite.html.

  For more information about IPFIX logging for large scale NAT64, see IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-nat-64/log-monitor-largescale-nat64.html.
  [# 496832, 677632]

• URL Filtering for Telco Mobile Networks

  The new NetScaler URL Filtering feature for telco mobile network provides policy based control of websites by using information contained in a URL. The feature helps administrators monitor and comply with government mandated safe internet usage policies on mobile networks. As an administrator, you can filter websites by using either the URL Categorization feature or the URL List feature.

  URL Categorization. Controls access to websites and web pages by filtering traffic on the basis of a predefined list of categories.

  URL List. Controls access to blacklisted websites and web pages by denying access to URLs contained in a URL set imported into the appliance.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/url-filtering.html
  [# 628121]

• NetScaler Video Optimization: Support for QUIC over UDP Protocol for Encrypted ABR Traffic

  The NetScaler video optimization feature is now enhanced to optimize video delivery over TCP (as HTTP and HTTPS traffic) and UDP (as QUIC traffic). The appliance can detect incoming video traffic as Adaptive Bit Rate (ABR) and optimize both the unencrypted and the encrypted video. The new capabilities are especially useful for reducing the overall network bandwidth consumption in mobile networks.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/NetScaler-Video-Optimization.html
  [# 674151]

• Configuring IPSec Application Layer Gateway for Large Scale NAT44

  If communication between two network devices (for example, client and server) uses the IPSec protocol, IKE traffic (which is over UDP) uses port fields, but Encapsulating Security Payload (ESP) traffic does not. If a NAT device on the path assigns the same NAT IP address (but different ports) to two or more clients at the same destination, the NAT device is unable to distinguish and properly route the return ESP traffic. Therefore, IPSec ESP traffic fails at the NAT device.

  NAT-Traversal (NAT-T) capable IPSec endpoints detect the presence of an intermediate NAT device during IKE phase 1 and switch to UDP port 4500 for all subsequent IKE and ESP traffic (encapsulating ESP in UDP). Without NAT-T support on the peer IPSec endpoints, IPSec protected ESP traffic is transmitted without any UDP encapsulation. Therefore, IPSec ESP traffic fails at the NAT device.

  The NetScaler appliance supports IPSec application layer gateway (ALG) functionality for large scale NAT configurations. The IPSec ALG processes IPSec ESP traffic and maintains session information so that the traffic does not fail when the IPSec endpoints do not support NAT-T (UDP encapsulation of ESP traffic).

  For more information, see For https://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn-configuring-alg/configure-ipsec-application-layer-gateway-for-large-scale-nat.html.
  [# 675938, 496583]

Fixed Issues

• An attempt to change an LDAP password through the NetScaler Gateway virtual server fails if the new password includes any multibyte UTF-8 characters, such as German umlauts (for example, kölnbonn207), Latin small letter sharp s (for example, straße2017), or special characters (for example, &%$§1Lucie-Marie).
  [# 672846, 691269]

• If you set the ‘Validate LDAP Server Certificate’ parameter in an LDAP server configuration, you can log on even if the hostname does not match. With this fix, the hostname is checked when the option is enabled.
  [# 681888, 644099]

• If external LDAP authentication uses a case-insensitive user name, NetScaler AAA is unable to lock the user name after the number of attempts specified by the Max Login Attempts parameter.
  [# 683645]

• A NetScaler appliance can add multiple NetScaler AAA groups, but the “save config” operation saves only the first group.
  [# 689212, 689457]

• A NetScaler appliance configured for NetScaler AAA becomes unresponsive during a VPN session if both of the following conditions are met:

  • The primary session is in the timed out state.

  • The secondary session is in sync but the actual state of the session is reset to zero.
  [# 690468]

AppFlow

• A NetScaler appliance does not generate AppFlow records if an action is set to RESET in an SSL or responder policy.
  [# 685920]

Application Firewall

• If you use the CLI of a NetScaler AppFirewall appliance to display an enum definition, the AS_CCARD_DEFAULT_CARD_TYPE default value for credit card options is not included.
  [# 686540]

• The NetScaler appliance crashes when security insight is enabled and the application firewall detects a violation of the maximum limit for fld_name length.

  Set the fld_name length limit to the same value as MAX_AS_NAME_LEN.
  [# 690028, 690556, 690467]

• After an upgrade from an earlier release 11.0 build to release 11.1 build 55.4, the 'APPFW_RESET' and 'APPFW_DROP' AppFw profiles do not appear when you run the sh appfw profile command with the "more" option.

  For example:

  sh appfw profile | more

  1) Name: APPFW_BYPASS LogEveryPolicyHit: OFF

  2) Name: APPFW_RESET LogEveryPolicyHit: ON

  3) Name: APPFW_DROP LogEveryPolicyHit: ON

  4) Name: APPFW_BLOCK UseHTMLErrorObject: OFF

  This issue does not occur after upgrading a NetScaler AppFirewall appliance to release 11.1 build 55.8.
  [# 690261, 689327]

Clustering

• The NetScaler appliance might fail to reestablish a connection if both of the following conditions are met:

  • The policy engine (PE) receiving the traffic is in the DOWN state.

  • The NetScaler buffer (NSB) is kept on hold by a recovery mechanism.
  [# 685979, 687732]

Content Switching

• In some cases, the NetScaler appliance might fail after a set command is run on a content switching virtual server.
  [# 687467, 688523, 688071, 692366, 693777]

Load Balancing

• The NetScaler appliance resets a client-side TCP connection if a virtual server with spillover (SO) persistence enabled is bound to the load balancing group. With this fix, the client-side TCP connection is not reset.
  [# 589363]

• In a high availability (HA) setup, if domain-based services are configured and the secondary node does not receive any Service State Sync (SSS) update for the services for more than 247 days, a packet engine might crash when this node becomes the primary node.
  [# 673446, 684550, 688305]

• In a high availability (HA) setup, an unusually large spike in the number of persistent connections might result in underperformance of the Secure Socket Funneling (SSF) channel between the primary node and the secondary node. The underperformance can eventually lead to session buildup on the primary node and cause persistence to fail.
  [# 685179, 684834]

• Resetting a server connection resets the connections to all services configured with the same IP address and port number. As a result, connections to the service group members are also reset. With this fix, deleting a service that has the same IP address and port number as that of other service group members does not affect the service group connections.
  [# 685707]

• If an add lb monitor command specifies an httprequest argument value of more than 77 characters, a subsequent show command shows an incorrect httprequest value for the HTTP requests that the monitor sends to the CLIP address. The NetScaler appliance's ns.conf file also contains the incorrect httprequest value for the monitor. Also, the other nodes (non-CCO) in the cluster are updated with the incorrect httprequest value by the configsync process.
  [# 685856, 687784]

NITRO

• The .NET SDK GET call fails with the following exception if it is made with a parameter that accepts boolean values:

  Invalid argument value [<attribute>].

  Example:

  When the “internal” attribute of service_args is set to “true”, a get on service_args yields the following exception:

  Invalid argument value [internal]
  [# 595938]

• If you make multiple NITRO API calls in parallel, the responses might return incorrect results.
  [# 684543]

• Restarting a NetScaler appliance after upgrading it to release 12.0 might cause the appliance to fail to respond to NITRO requests.
  [# 686434, 672544, 689415, 690265]

NS-Gateway

• NetScaler: AAA-TM

  After an upgrade from an earlier release 10.5 build 60.7 to release 11.1 build 52.32, if the client sends an invalid basic authorization header as "Authorization: Basic (null)", then NetScaler appliance does not perform single sign-on (SSO) to access the backend.
  [# 689265]

NetScaler GUI

• When using the XenApp and XenDesktop wizard, the Retrieve Stores functionality intermittently fails on the first click.
  [# 655159]

NetScaler Gateway

• In rare cases, upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), NetScaler Gateway dumps core if SSO and Proxy are configured in Traffic policy.
  [# 676545]

• In rare scenarios, NetScaler Gateway dumps core if you have an SSL-Proxy configured at NetScaler Gateway and you access the intranet web application through a Clientless Virtual Private Network (CVPN) via Gateway that has proxy-authentication configured at proxy.
  [# 684488]

• In rare scenarios, NetScaler dumps core while binding Classic session polices to an existing binding entity, when you have multiple VPN policies configured to the NetScaler.
  [# 685463, 670544, 691767]

• If you use the NetScaler Gateway plug-in for Windows, a simultaneous download of 128 or more files fails upon accessing NetScaler Gateway.
  [# 685971]

• In rare situations, a NetScaler Gateway appliance dumps core if it receives incorrect SOCKS requests from clients.
  [# 686160, 689726, 690771]

• In a double-hop deployment, a NetScaler Gateway appliance intermittently dumps core when the first-hop server receives a TCP RST event from the second-hop server.
  [# 686508]

• NetScaler Gateway does not comply with RFC7230 for POSTLOGINFLAGS headers.
  [# 686632]

• Some traffic patterns cause application launch through NetScaler Gateway to fail if EDT is enabled on virtual desktop applications.
  [# 686774, 686960, 687587]

• In rare situations, a NetScaler Gateway appliance dumps core when processing forms based SSO to URLs larger than 4 KB.
  [# 688842]

• The NetScaler appliance deletes the JSESSIONID cookie from the HTTP request before sending the request to the origin server.
  [# 689472]

• Both of the following issues are fixed:

  - A NetScaler Gateway appliance becomes unresponsive because the Gateway plug-in continuously tries to connect to the Gateway server.

  - The VPN plug-in displays the Connect button instead of automatically logging on, even when the client certificate is cached and the AlwaysON feature is enabled.
  [# 689570, 689622, 653527, 674320, 688142]

• A single sign-on (SSO) attempt might use the wrong domain in a configuration that has parent and child domains. If SSO expressions are used to compute the correct domain, the NetScaler appliance uses the domain obtained at the time of logon instead of the one computed with the expression.
  [# 689684, 689721]

• A user of Internet Explorer version 8 or 9 can't establish a VPN connection through a NetScaler Gateway appliance that uses the RfWebUI portal theme. The VPN virtual server doesn't respond.
  [# 691752]

• When you have Windows AutoLog-ON feature enabled on your NetScaler Gateway appliance, during logon the client is unable to find the "nsauto.exe" file because the path to the file is incorrectly truncated.

  The issue is noticed when you modify the following registry entry:

  NtfsDisable8dot3NameCreation

  This registry entry truncates the applications file path in Windows.
  [# 695209]

NetScaler NITRO

• NetScaler logon credentials are locked and the error message “connection limit CFE exceeded” appears if the following conditions are met:

  - The “show ns runningconfig” command takes a long time to execute

  - The same command is re-run multiple times while the first command is still running at the background.

  The NetScaler appliance remains locked until the command completes.
  [# 689426]

NetScaler Secure Web Gateway

• A NetScaler Secure Web Gateway appliance does not support the URL List feature in a high availability setup.
  [# 690428]

NetScaler VPX Appliance

• After a failover of a NetScaler VPX HA setup running on AWS, the interfaces from both the nodes do not attach and detach properly. This happens if the stack name of the Citrix CloudFormation template exceeds 25 characters.

  With the fix, the stack name of the Citrix CloudFormation template supports up to 90 characters.
  [# 689356]

• DNS resolution for existing DNS configurations fails after you upgrade a NetScaler VPX instance running on AWS to release 12.0 build 53.20.
  [# 693877]

Networking

• When you remove a static route, the NetScaler appliance does not advertise the connected route that has the same prefix as that of the removed static route and for which the DRADV mode is enabled.
  [# 686058]

• If the IP address (type VIP) of a virtual server is bound to a net profile, deleting the virtual server also removes the IP address from the net profile.
  [# 690082]

Optimization

• The Video Optimization feature is supported on 32-bit NetScaler platforms only. If you deploy the feature on a 64-bit platform, the appliance displays an error message and crashes.
  [# 676593, 677838, 679578, 681853]

Policies

• The HTTP.REQ.TXID and HTTP.RES.TXID policy expressions return the same "universally unique identifier" (UUID) for different transactions.
  [# 663414, 675873]

• A log message is not logged for the Responder module when the NetScaler appliance receives a request and processes policies for a different module while a client request sent to the Responder module awaits log processing.
  [# 685375]

• Clearing a NetScaler system configuration causes the appliance to fail if an HTTP profile references a patset configuration entity.
  [# 691227]

SSL

• In a cluster setup, a certificate update fails, with the following error, if the certificate is in DER format.

  Error :: No such resource
  [# 583715]

• The service group members do not appear in the output of the "show lb vserver <name>" command if it is run on a cluster IP address.
  [# 668935, 642802, 463835, 684073, 684892, 691890]

• Some client authentication connections might be dropped if OCSP check is set to mandatory and an OCSP domain name entry is not found in the NetScaler DNS cache.
  [# 675882, 677473]

• For requests less than 255 bytes long, you can configure the HTTP GET method for queries to an OCSP server. If you specify the GET method but the length is greater than 255 bytes, the appliance uses the POST method by default.

  To set the method by using the NetScaler CLI

  At the command prompt, type;

  set ssl ocspResponder <name> -httpMethod GET
  [# 676942]

• Session ticket parameters are saved in the configuration (ns.conf) file even though session tickets are not enabled in the SSL profile. As a result, if you upgrade to release 12.0 builds 41.x or build 51.x, you might observe a loss in configuration.
  [# 678514, 677813]

• The connection with the back-end server is terminated if OCSP validation for the server certificate fails, even though OCSP validation is optional.
  [# 686998]

• If you try to add a certificate-key pair containing an unsupported OID in the Subject Alternative Name (SAN) field of the certificate, the following error message appears:

  ERROR: Invalid OID for SAN entry in certificate
  [# 688416]

• A certificate without a common name field in the subject name fails to load.
  [# 688811]

• If two certificates issued by two different CAs have the same OCSP URL, addition of one of the certificate-key pairs might fail.

  Example

  1. CA certificate C1 is used to issue certificate S1, which contains OCSP_URL1.

  2. Certificate-key pairs for both C1 and S1 are added successfully on the NetScaler appliance.

  3. CA certificate C2 is used to issue certificate S2, which also contains OCSP_URL1.

  4. If you first add a certificate-key pair for S2, it is successful but adding a certificate-key for CA2 fails. If you reverse the order, adding a certificate-key for CA2 is successful but adding a certificate-key for S2 fails.
  [# 694395]

• In some cases, a NetScaler appliance might crash if it finds invalid data while parsing the binary certificate.
  [# 694904]

System

• In an SSL connection with a client, the NetScaler appliance does not evaluate the SSL policies for HTTP/2 streams.
  [# 670556, 660674, 672227, 689849]

• If the session ID maintained for clients exceeds the threshold of 16 million entries, the configuration engine might crash. That affects the management traffic. As a result, the management connection closes and the manager must log back on to the NetScaler appliance.
  [# 676599, 692553]

• The NetScaler appliance crashes if the total number of TimeWait connections exceeds 7000 while the MPTCP feature is enabled.
  [# 678015]

• An attempt to configure a NetScaler appliance that uses Cloudstack can cause the appliance to fail. If the Cloudstack AutoScale feature or an AutoScale policy is configured with the IP address a server, an attempt to configure the appliance through the NetScaler CLI instead of through CloudPlatform or Cloudstack binds the IP-address based server to the AutoScale Policy service group. This causes the appliance to crash.
  [# 681426]

• A NetScaler appliance might crash, if a particular sequence of white space and CR-LF characters is sent to an HTTP or SSL virtual server instead of a valid HTTP request.
  [# 683512, 699684]

• Some packets become invalid and are dropped when policies are applied. If HTTP/2 packets are dropped, the NetScaler appliance fails to send a rst_stream frame to the client, which causes the appliance to crash when new packets arrive.
  [# 684370]

• The NetScaler appliance does not include the latest DATA_ACK packet in the retransmitted data segments. It reuses DATA_ACK packets that were sent in the original data segment.
  [# 684908]

• When a client times out and sends a message longer than one packet, TCP sends a FIN packet to the application handler (for example, SSL). When TCP receives the second packet, it directly sends the packet to the application handler. As a result, the application handler generates a close notify alert for the first packet and an RST alert for the second packet.
  [# 686390]

• In a SYSLOG action, setting the netProfile parameter during a log transfer causes multiple SYSLOGTCP connections to be established but only one connection serves the log traffic.
  [# 687042]

• A NetScaler appliance might crash if it receives a FIN packet with multiple invalid SACK blocks from the origin server and tries to forward the packet to an MPTCP client.
  [# 687118, 687352, 687351]

• The user is not able to log on to NetScaler Gateway as there is a high-utilization of memory.
  [# 687462, 686135, 692657]

• If a NetScaler-inserted cookie is deleted from the end of a cookie header, the appliance does not remove the preceding semicolon. As a result, an extra semicolon is sent at the end of the cookie header when forwarding it to the back-end server.
  [# 687612]

• A NetScaler appliance can become unresponsive if it hosts a wildcard load balancing virtual server that has the use source IP option enabled and the use proxy port option disabled. The failure occurs if the virtual server associates the outgoing probe connection information with different incoming connections destined to the same server.
  [# 689915]

Telco

• In NetScaler T-13xx platform, the NetScaler software incorrectly calculates the minimum memory required for large scale NAT (LSN) configurations. The NetScaler appliance might become unresponsive if the memory limit is set to a value lower than the incorrectly calculated minimum required memory displayed in “show extendedmemory” output.
  [# 689375]

Known Issues

• The TACACS attribute or group extraction is supported only if the back end is Cisco ACS TACACS+ Server. For TACACS server other than Cisco, the attribute or group extraction is not supported. For more information, see https://support.citrix.com/article/CTX220024.
  [# 651719]

• A NetScaler appliance configured for NetScaler AAA with LDAP over SSL becomes unresponsive when the connection to the NetScaler AAA daemon is used fully. At this point, the packet engine is unable to process anymore authentication requests.
  [# 660065, 674005]

• If the back-end server's domain name does not include a dot, DNS resolution fails during Kerberos Single Sign-ON (SSO).
  [# 667953]

• In rare scenarios, response cookie from OWA 2013 server is not greater than 70 bytes when the NetScaler appliance is configured with Forms Based SSO. Hence, length check for cookie value in success-rule configured in Forms SSO action on the NetScaler appliance needs to be updated with an appropriate value.
  [# 676450]

• When SAML authentication is employed as the log on method for Gateway users on FIPS hardware, and an encrypted assertion is sent from IdP, then the NetScaler appliance dumps core memory.

  This is applicable only for FIPS hardware platforms.
  [# 677458]

• If the primary and secondary passwords in a logon request are the same, and the first-factor authentication server prompts the user to change the password, the second-factor server uses the password that was sent in the logon request.

  Workaround: Configure the second-factor authentication server to use the http.req.user.passwd expression if the first-factor server requests a password change.
  [# 678553]

• In an nFactor EPA configuration, if EPA is configured in secondary factors and requires conditional access, a passthrough factor must be configured to select EPA factors for required users. Otherwise, EPA flow starts even for users that do not require EPA.

  Workaround: Configure EPA factor only for users requiring it. This could be achieved by configuring passthrough factors to make logic decisions.
  [# 680519]

• If forms based Single Sign-On (SSO) is configured for Outlook Web Access (OWA) 2013 servers, the "successRule" configured in the forms SSO action must be corrected, because the server sends 64 byte cookie upon successful SSO.
  [# 681730]

• In an nFactor EPA configuration, if EPA is configured in secondary factors and requires conditional access, a passthrough factor must be configured to select EPA factors for required users. Otherwise, EPA flow starts even for users that do not require EPA.

  Workaround: Configure EPA factor only for users requiring it. This could be achieved by configuring passthrough factors to make logic decisions.
  [# 683224]

• The back end is not accessible through a clientless VPN (CVPN). The issue occurs when SSO is ON, the proxy is specified in a traffic action, and the back-end credentials are different from the logon credentials.

  Workaround:

  Create a traffic policy based on back-end URL and create a trafficAction with SSO OFF and No Proxy. The backend should be accessible.
  [# 689153]

• A NetScaler appliance configured as a SAML Identity Provider (IdP) for Office 365 apps displays an error message if it receives an unsigned authentication request from one of the apps.

  Workaround: Configure Office 365 to send signed authentication requests.
  [# 691669, 693361]

• In some cases, a NetScaler appliance becomes unresponsive if either or both of the following conditions are met:

  • The SSO and Proxy are configured

  • The authentication request is a POST method

  Workaround: To stop special handling of HTTP POST for single sign-on and to avoid the failure, you can run the following commands at the NetScaler shell prompt:

  - nsapimgr_wr.sh -ys arg1=0 -ys arg2=1 -ys arg3=16 -ys call="set_sso_post_data_handler
  [# 691795]

Admin Partitions

• In rare cases, one of the partitions on a partitioned appliance does not get enough slots to send Gratuitous Address Resolution Protocol (GARP) messages for all its IP addresses on the network.
  [# 692922]

AppFlow

• If multiple AppFlow policies are bound to the same bind point, only the last policy is chosen.
  [# 603177, 647386]

• When client-side-measurements is enabled on AppFlow action and if the incoming request is corrupted, the NetScaler appliance might become unresponsive.
  [# 691229]

• A NetScaler appliance might become unresponsive if an AppFlow action has client-side measurements enabled and the appliance receives an HTTP server response before the full client request.
  [# 692649]

Application Firewall

• A NetScaler AppFirewall appliance with the compression feature enabled sometimes puts blank lines in HTTP response headers, resulting in garbled page rendering by the browser.
  [# 629128]

• In the Visualizer, some buttons might not work if you use Mozilla Firefox or Internet Explorer.

  Workaround: Use the Google Chrome browser.
  [# 648272]

• The information that the GUI displays for the application firewall web services interoperability (WSI) check does not say that it is a prerequisite and cannot be disabled.
  [# 650789, 650317, 658472]

• The NetScaler application firewall should bypass requests from application firewall processing after the system reaches a specified CPU/memory usage limit, but there is currently no policy for reviewing CPU and memory capacity and bypassing the application firewall.
  [# 660546]

• An alert is generated when you set the NetScaler AppFirewall session limit to a value of 0 or lower, because such a setting affects advanced protection check functionality that requires a properly functioning application firewall session.
  [# 668892]

• If you upgrade a NetScaler appliance in a high availability (HA) setup from version 10.5.56.15 to version 11.1.51.1901 and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message.

  Workaround: Turn off the Learning feature when skipping learned rules.
  [# 671807]

• In an HA environment, a NetScaler appliance running release 11.0 does not learn new rules when the application firewall feature is enabled.
  [# 672864]

• When a third-party version-0 signature object is merged with a user-defined signature that is not version 0 and has both native and user-defined rules, the resulting signatures are all version 0 and do not include the native rules.

  To include the native rules, you must update both signature objects (third-party and user-defined) before the merge. The update changes the version from 0. If you then perform the merge operation, the Native rules are included.
  [# 672970]

• Application Firewall port information about open ports, such as port 443, is not suppressed. It can therefore be detected by port scan tools such as NMAP in targeted hacker attacks.
  [# 674864]

• If you have multiple application firewall policies configured on a load balancing virtual server, and a policy has a GotoPriority Expression of NEXT, the NetScaler AppFirewall policy order bypasses all security checks in that policy's profile and moves to the next policy.
  [# 682935]

• The IP address of a content switching virtual server cannot be accessed after an upgrade from a previous release to the current release. The POST request results in a 302 redirect error.
  [# 687314]

• Turning on the logging feature on a NetScaler Application Firewall appliance stops NStrace from generating reports for the logs.
  [# 689215]

• A NetScaler AppFirewall URL transform policy deletes the range from the HTTP request header before forwarding the request to the backend server, when response inspection is required for security checks.
  [# 691001]

• A NetScaler AppFirewall custom signature request for field name value parsing does not clear the field name pattern match buffer.
  [# 691268]

• A NetScaler AppFirewall appliance running release 11.1 build 54.14 and serving as the primary node in an HA deployment crashes when freeing the allocator structure after completing the AppFirewall signature match. After a crash, the primary appliance restarts and becomes the secondary node.
  [# 691725]

• The NetScaler AppFirewall WAF service blocks valid field-format contents even when matching rules are present.

  Workaround: In the field-format rules, insert two backslash characters (\\) before each dollar sign ($) character (\\$).
  [# 691957]

• A NetScaler AppFirewall appliance running release 11.0 build 70.12 might crash in a high availability environment.
  [# 692023]

• On a NetScaler application firewall appliance in high-availability mode, the aslearner process fails to convert a string value to an integer by using the standard library function atoi.
  [# 692063]

• High CPU memory utilization is reported when AppFirewall profiling is trigerred.
  [# 693037]

• Enabling the application firewall causes the NetScaler appliance to fail with high CPU utilization.
  [# 693091]

• Attempts to upload a file to a NetScaler appliance fail when NetScaler AppFirewall is enabled. The failures occur for both large and small files.
  [# 693185]

Clustering

• For validating a Citrix NetScaler cluster setup against IPv6 ready logo suite, Citrix recommends to use cluster link aggregation (CLAG) consisting of only one interface per cluster node.
  [# 679468]

• In a layer 3 cluster deployment, fragmented traffic steered through a GRE tunnel might cause packet loops, which result in high traffic load.

  Workaround: Reduce the maximum segment size (MSS) to 1,360 bytes, in the cluster deployment.
  [# 692350]

DNS

• The NetScaler appliance returns incorrect NODATA responses for records that are configured by using the NetScaler CLI and if DNS queries with EDNS Client Subnet Option are sent for such records.
  [# 693310]

GSLB

• When a remote GSLB service is configured with an external monitor on a GSLB site node, the state of this service might become inconsistent across packet engines, because of core-to-core message failures. In that case, the NetScaler appliance might generate incorrect replies to GSLB domain queries.
  [# 658108, 679822, 692324, 692737]

Integrated Caching

• If the response from the Integrated Caching (IC) module has trailing spaces in the content-length header, the HTTP/2 connection times out.
  [# 688274]

Load Balancing

• The NetScaler appliance might crash if deletion of a service item and display of the service item are executed in parallel.
  [# 691507]

NetScaler CPX

• Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.
  [# 658734, 658736]

• Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.
  [# 680693]

NetScaler GUI

• In older versions of Internet Explorer version 7, the browser incompatibility message does not appear for NetScaler release 11.1. The logon page directly appears, and you can log on successfully.
  [# 649052]

• If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled, and you log on as nsroot user, an extra session is created.
  [# 657924]

• If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled and the nsroot password is changed at the first logon to the NetScaler appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.
  [# 658132]

NetScaler Gateway

• An error message appears when a user logs off of a Storefront session, if Gateway logon uses SAML based authentication for ICA Proxy mode.

  Workaround: Log off by closing the browser.
  [# 646706]

• The Internet Explorer 8 browser does not display the Gateway portal if the portal theme is set to Default, Greenbubble, or X1. The portal does appear if the portal theme is set to RfWebUI.
  [# 669942]

• If custom theme is applied for NetScaler 11.1 build 50.10, text for password field is not displayed.
  [# 671802]

• After a NetScaler HA failover, Citrix Receiver takes a few seconds to reconnect.
  [# 672067, 689973]

• RfWebUI based theme is not supported for an Authentication virtual server configured with Classic Authentication policies
  [# 672333]

• When nFactor authentication is configured with multiple factors having custom password expressions, default password for all secondary factors is passwd1.

  Users need to configure passwordExpression in loginSchema to pick the right password for the given factor if the logon flow is nontrivial.
  [# 675401]

• Intermittently, a NetScaler Gateway appliance dumps core if a connection is reset during data transfer between a client and a VPN server.
  [# 678885, 674356, 676859, 676857, 684178, 692683]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), hyperlinks listed under "Sites" are nonfunctional.

  Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it on a new tab.
  [# 679117]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot upload a Profile Picture.

  Workaround: Use Chrome or Firefox.
  [# 679176]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot drag and drop files.

  Workaround: Upload the document instead of using drag and drop.
  [# 679193]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to open a word (.doc) document.

  Workaround: Use Firefox to open the document.
  [# 679713]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN), "Stop Following a Site" functionality is not available.
  [# 679744]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to add a new item to the calendar.

  Workaround: Use Chrome or Firefox.
  [# 679747]

• If nFactor authentication is configured on a NetScaler Gateway appliance running release 11.1 build 11.1 51.x or later, native clients use authentication policies configured on the authentication virtual server. See https://support.citrix.com/article/CTX223386 for details.
  [# 680378]

• If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), a link is broken on the Setting > Master Pages screen. The link to Folders on Site is nonfunctional.

  Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it on a new tab.
  [# 680403]

• If you log on to a VPN in a cluster Deployment, the value of Total Connected Users is shown incorrectly for the NSIP addresses of all the nodes. The correct value is shown for the CLIP address.
  [# 681247]

• When a VPN virtual server is configured with RfWebUI as a portal theme, the NetScaler Gateway Windows plug-in does not automatically reconnect after the upgrade.
  [# 682689]

• You cannot edit an uploaded document on SharePoint 2013 if you log on to SharePoint 2013 through NetScaler Gateway which has Single Sign-On (SSO) enabled.
  [# 683017]

• Responder policies are not supported for a Gateway virtual server configured with a portal theme based on RfWebUI.
  [# 684658]

• Citrix Receiver fails to launch ICA sessions using Client Certificate based authentication at Gateway.

  Workaround: Log on by using a browser.
  [# 685862]

• When a user configures a NetScaler appliance for SAML Authentication, duplicate apps appear on the home page if the RfWeb UI portal theme is bound to the appliance.
  [# 686516]

• An end-point analysis scan request fails if a redirect from the SAML Service Provider (SP) to the SAML Identity Provider (IdP) is in progress.
  [# 687684]

• Intermittently, applications launched on a Windows 7 platform through NetScaler Gateway get disconnected.
  [# 688248]

• In some cases, the STA server information is not deleted from the NetScaler Gateway appliance even after clearing the configuration of the High Availability (HA) fail-over.
  [# 689076]

• Windows prevents the NetScaler Gateway virtual adapter from loading, because the Citrix VPN client is incompatible with virtualization-based code integrity.

  Workaround: Disable virtualization-based code integrity in Device Guard.
  [# 689313]

• End-point Analysis (EPA) scan fails on the client computer, even though the logs indicate otherwise, if the connection between the computer running on Mac OS and the NetScaler appliance is relatively slow (for example, if there's a client-side proxy).
  [# 692771, 687892]

• When you configure the Gateway server in ICA Proxy mode, the server occasionally becomes unresponsive if the Secure Ticket Authority (STA) servers do not respond in time or the client connection is closed.
  [# 693522, 697088]

NetScaler ICA

• If AppFlow for ICA is enabled on a NetScaler appliance, applications might disconnect intermittently under certain network traffic conditions.
  [# 650607]

• The session reliability on HA Failover feature is not supported between 64-bit and 32-bit kernels in an HA pair.
  [# 681628]

NetScaler Insight Center

• The NetScaler appliance does not respond if AppFlow for ICA is enabled under certain network traffic conditions.
  [# 687084, 689052, 696701]

• When you launch the ICA application that is enabled with advanced encryption in XenApp or XenDesktop, in some cases, NetScaler does not respond while handling the advanced encryption handshake.
  [# 689491, 696819]

• The NetScaler appliance does not respond if AppFlow for ICA is enabled under certain network traffic conditions.
  [# 692326, 692554, 698557]

NetScaler NITRO

• The HTTP daemon on a NetScaler appliance might fail if the “probe server” NITRO call to the appliance fails.
  [# 693286]

NetScaler SDX Appliance

• When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.

  Workaround: Delete the 10G LACP/static channel that has this issue and create it again.
  [# 600152]

• The Rx/Tx Flow Control configuration is lost if you manually set the Rx/Tx Flow Control for a 1000BASE-T copper interface to OFF, and the interface is reset.

  Workaround: Enable Flow Control Auto Negotiation (ON).
  [# 643853]

• You can only assign 22 partition MAC addresses to the following SDX platforms and the virtual machine will not start, if you assign more than 22 partition MAC addresses:

  * 11500

  * 13500

  * 14500

  * 16500

  * 18500

  * 20500

  * 115xx series
  [# 647534]

• The current software driver for 1G ports does not support hot-swap capability for 1G SFP transceivers on NetScaler SDX 115xx models.

  Workaround: After replacing the 1G SFP transceiver, reset the interface from Management Service. If the issue still persists, restart the appliance.
  [# 668696]

• In some cases, a client is unable to connect to the TCP-related VIP address of a NetScaler VPX instance on a NetScaler SDX appliance.
  [# 684106]

• In a VPX instance (standalone or part of an HA setup) running on a SDX-21550/SDX-20500 platform, TX stalls are observed and the state of the configured load balancing services in the VPX instance flaps.
  [# 690647, 697369, 694571]

• When you upgrade the NetScaler SDX Management Service from release 11.0 or lower to release 11.1 or higher, some anomalies might occur such as:

  - Management Service does not display the VPX instances running on the SDX appliance.

  - The NetScaler VPX instances fail to come up.

  - Management Service becomes unreachable.

  - XenServer upgrade is incomplete.

  These issues occur if the NetScaler database contains large sets of NetScaler events-related historical data. With this fix, reports of historical data is lost; however, reports collected after upgrade is retained.
  [# 693526, 694388]

NetScaler Secure Web Gateway

• In a transparent proxy setup, classic policies cannot be used for authentication.
  [# 670198]

• If you try to add multiple URL sets that contain one million or more entries, memory is exhausted and the appliance fails.
  [# 685181]

• The default certificate bundle is not listed when you run the show certbundle command.
  [# 685789]

• An authentication virtual server that is created by using the Secure Web Gateway wizard appears DOWN, because an SSL certificate is not bound to it. This does not affect the functionality.
  [# 686077]

• Connections using TCP protocols other than HTTP/HTTPS are dropped if SSL interception is enabled.

  Workaround: Add a policy with the following expression and bind it to a content switching virtual server of type PROXY.

  (CLIENT.TCP.DSTPORT.EQ(80)||CLIENT.TCP.DSTPORT.EQ(443))

  Example:

  add policy expression exp1 "(CLIENT.TCP.DSTPORT.EQ(80) || CLIENT.TCP.DSTPORT.EQ(443))"

  add cs vserver starcs PROXY * * -cltTimeout 180 -Listenpolicy exp1 -Listenpriority 1 -authn401 ON -authnVsName swg-auth-vs-trans
  [# 686346]

• If you create a negotiate action by using a keytab file, the SWG wizard displays the domain name and user name instead of the service principal name (SPN).
  [# 686741]

• User authentication does not fail in transparent proxy mode even though an application firewall policy to block specific traffic is configured.
  [# 687328]

• You cannot send or receive multimedia messages by using WhatsApp in a NetScaler Secure Web Gateway deployment.
  [# 687748]

• An incorrect warning "No usable ciphers configured" appears if you change the SSL settings in a profile by using the Secure Web Gateway wizard.
  [# 689581]

NetScaler VPX Appliance

• Due to a limitation of the XenServer platform, if NetScaler virtual appliances with different interfaces, such as SR-IOV and Para-virtualized (PV) mode interfaces, use the same physical NIC, traffic between the virtual appliances with different interfaces fails.
  [# 652640]

• The NetScaler virtual appliance might fail to start if you have configured 15 or more SR-IOV and PCI passthrough interfaces.
  [# 657492]

• Due to a limitation in Linux-KVM and VMware ESX platforms, if you add new PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV interface, the PCI passthrough interfaces might take precedence over the existing SR-IOV interfaces.
  [# 660000]

• The physical link status of a PCI passthrough interface of a NetScaler VPX appliance is not updated when the state of the link is changed (for example, when the link is enabled, disabled or reset), because of a limitation in the Intel XL710 NIC. As a result, any active traffic over the PCI passthrough interface fails during this time.
  [# 660159]

• If you use the IP link set command to change the VLAN ID to zero, or any valid value, on the virtual function (VF) on the host, the physical function (PF) processes the tagged packets with the original tag and does not reflect the new VLAN ID.

  Workaround: Run a reset command on the NetScaler VF, after changing the VLAN ID or removing it from the host. For example:

  reset interface 10/1
  [# 672441]

• If you configure an MTU value on a NetScaler VPX appliance running on Citrix XenServer and save the value, and force a shutdown, the saved MTU value is lost, and the appliance displays the old value.
  [# 676417]

• A NetScaler VPX instance running on a NetScaler SDX appliance does not receive any traffic under the following set of conditions:

  - The Intel 710 series NICs of the NetScaler SDX appliance are connected to a switch with an LLDP-enabled port.

  - That port has been disabled and then enabled.
  [# 684860]

• If a KVM hypervisor runs on an AMD processor-based server, the NetScaler VPX instance running on the KVM hypervisor restarts cyclically and then stabilizes after a few iterations.

  Workaround:

  Add the following entry in /flash/boot/loader.conf

  vm.pmap.pg_ps_enabled="0"
  [# 692177]

• Error messages appear when an SR-IOV-enabled NetScaler VPX instance configured with Intel X710 10G and XL710 40G NICs, running on KVM hypervisor, restarts. The error messages are harmless and can be safely ignored.
  [# 692334]

Networking

• While responding to a VXLAN broadcast (for example, ARP and ND6), the NetScaler appliance does not look up the bridge table to populate the VNI field in the VXLAN header. The VNI field in the VXLAN header of the response is same as that of the incoming broadcast. This results in the peer VTEP dropping the response packets.
  [# 675626]

• The NetScaler appliance becomes unresponsive when it accesses memory that was not properly freed and therefore contains stale information about a session.
  [# 685233]

• The NetScaler appliance drops non-SYN TCP packets, which match an INAT rule, and a RESET is sent.
  [# 688642]

• The NetScaler appliance might not properly processes the ND6 unsolicited neighbor advertisement messages and update its routing table.
  [# 693472]

Optimization

• For the NetScaler video optimization feature to work properly, you must not delete the built-in policies that have an "ns_videoopt" prefix (for example, ns_videoopt_http_abr_netflix).
  [# 670449]

• The new video optimization feature is not supported on a partitioned NetScaler appliance.
  [# 677320]

• The video insight option cannot be enabled for a specific virtual server. You can only enable it as a global setting (set appflow param -videoInsight ENABLED).
  [# 678625]

• If a response from the StoreFront server does not have a Content Type field in the header, but the appliance expects a value in the Content Type field, the appliance crashes.
  [# 688412]

• A NetScaler appliance fails when media classification mode is enabled and if there is a memory failure.
  [# 690975, 695683]

Policies

• The NetScaler appliance can sometimes time out while restoring context for the rewrite feature.

  Workaround: Modify the rewrite action to use regular (regex) expressions.
  [# 675347]

• If you use classic expressions to filter the output of the show connectiontable command, only a warning message appears.

  Workaround: Use advanced expressions instead.
  [# 680916]

• A back-end server drops an HTTP GET request if the IP address of the server does not match the server IP address in the request.
  [# 684825]

• In some cases, an attempt to retrieve the configured rewrite policies on a NetScaler appliance causes the appliance to crash.
  [# 691960]

SSL

• If a certificate has a validity of 100 years, Days to Expiration incorrectly appears as 0 in the NetScaler command line interface and the configuration utility.
  [# 509608]

• If you run the "sh ssl service group" command on the cluster IP (CLIP) address and on nodes of a cluster setup, ECC curves are displayed as unbound from the CLIP.
  [# 660257]

• In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.
  [# 667389]

• The SSL entities to which an SSL profile is bound do not appear when you run the show ssl profile <Default-Profile> command on a cluster IP (CLIP) address.

  Workaround: You can view the bound entities from the NetScaler IP (NSIP) address.
  [# 673458]

• A session ticket issued by a non-CCO node is not honored by the CCO node.
  [# 678175, 678522, 678526]

• An expired session ticket is honored by a non-CCO node.
  [# 678176, 687205, 687098]

• An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
  [# 682859]

• The previous session-key life-time value incorrectly appears as zero in the GUI.

  Workaround: Access the CLI and enter the "show ssl profile <frontend profile name>" command to display the correct value.
  [# 683023]

• An SSL handshake might take a long time (many retries) to complete after you restart a NetScaler appliance.
  [# 686713]

• You cannot set the previous session-key life time to its minimum value (0 seconds).
  [# 687135]

• Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
  [# 687208]

• In some cases, a pipeline HTTP request is not forwarded to the back-end server if the back-end server sends a response before receiving the full request from a client.
  [# 688100]

• In the NetScaler GUI, the Show Bindings option in an SSL profile does not list the SSL entities to which the profile is bound.
  [# 689516]

• On a NetScaler Secure Web Gateway appliance, running the clear config command does not reset the certificate bundle to the default certificate bundle.
  [# 689898]

• In a cluster setup, the CRL distribution points in a CA certificate-key pair configured on the cluster IP address do not appear when you run the show ssl certkey command.
  [# 691929]

• A NetScaler appliance crashes when session ticket is enabled and continuous session ticket reuse requests are received.
  [# 692481, 692823]

• If you associate the default front-end profile to an SSL virtual server, the state of that virtual server changes from Out-of-Service to DOWN.
  [# 692858]

• An OCSP responder URL is not added to an OCSP HTTP GET request. This causes OCSP failure if GET httpMethod is enabled.
  [# 693312]

• If Qualys scan is run on NetScaler IP (NSIP) address, subsequent SSL transactions with Thales HSM will fail.
  [# 693356]

System

• If a wildcard virtual server's redirection mode is set to IP (-m IP), the NetScaler appliance cannot forward a TCP connection request to a service bound to that virtual server if the back-end server is down.
  [# 331889]

• If AppFlow feature and client side measurements are enabled, the NetScaler appliance deletes the NSC_ESNS cookie before forwarding the request to the backend server. A rule was rewritten and configured to insert the Pback cookie in the request sent to the backend server. We are corrupting the OutllookSession cookie when we are trying to do both insert and delete in the HTTP request at the same offset. This is causing sign-on problems. This issue is under investigation.
  [# 633371, 682640]

• If a NetScaler appliance sends a large number of packets on a TCP connection, and the network randomly drops a few of the packets, multiple sets of continuous packet loss ("holes") are created. When the appliance retransmits the packets, the network interface card (NIC) drops packets.
  [# 643929]

• On a partitioned NetScaler appliance, you can no longer use the same command to bind a system user and a command policy to a system group. Instead, you must use two different commands. For example:

  "bind system group grpX -userName userX"

  "bind system group grpX -policyName superuser 1"

  If you try to bind both arguments with a single command, the appliance displays an error message: Arguments cannot both be specified [policyName, userName.]
  [# 652345]

• The initial probe connection that a NetScaler appliance makes with the back-end internet server to check for server availability is now reusable for actual server connection with the internet server.
  [# 654087]

• A NetScaler appliance might not initiate a rewrite action correctly if data is modified in adjacent fields in the message.
  [# 657565, 686496]

• If you enable Web Logging feature before configuring the log buffer size, the NetScaler appliance does not apply the buffer size after a restart.

  Workaround: Configure the log buffer size before you enable the Web Logging feature.
  [# 667392]

• When you run the set command on a NetScaler appliance, the ns.log file stores the command with all parameter values, including customer provided values.
  [# 674165]

• Instead of silently closing the connection, a NetScaler appliance in a wildcard configuration might send a response to the source of the request. Upon receiving a SYN request, the appliance sends a "probe connection" request to the back-end server and queues the SYN request. When the server sends a "reset" response, the appliance sends the response to the client instead of silently closing the connection.
  [# 677729]

• A NetScaler device might fail if it sends FIN packets on a Multipath TCP (MPTCP) fallback connection and the global state variable has not been cleared.
  [# 684574, 685357, 687357, 696622]

• A NetScaler appliance in a clustered setup displays a "Cannot allocate memory" error message if you use the set command to set the server domain name in a SYSLOG action.

  Workaround: Delete the SYSLOG action in which you set the domain name, and add a new SYSLOG action that specifies the server domain name instead of the server IP address.

  rm syslogaction

  add syslogaction -loglevel [-options ...]
  [# 687067]

• HTTP headers can be corrupted by the following series of events:

  * The rewrite feature inserts an end-of-header mark, but the next packet contains more header bytes.

  * The compression (CMP) feature interprets the incorrectly marked HTTP header-end as the actual end of the header, and tries to insert a content-encoding header.
  [# 691308]

• Data transmission from client to NetScaler appliance over a reused connection is slow, at a rate that varies. The result is an excessive delay for a subsequent HTTP request.
  [# 691984]

• If a NetScaler appliance performs window management for Transparent connections with Dynamic Window Management option enabled in the TCP profile, it results in a window update acknowledgment. This causes a wrong mapping of sequence and acknowledgment numbers and connection to disconnect.
  [# 692149]

• If a client using the NITRO API over HTTPS to connect to a NetScaler appliance reuses the same source IP address and port within two TCP maximum segment lifetime (MSL) timeout intervals, the connection might be dropped with a TCP reset. Similarly, client TCP connections might be dropped under the following set of conditions:

  * Source IP address is enabled and proxy port disabled in the client's connection request.

  * A previous server connection still exists on the appliance and has persisted for two TCP MSL timeout intervals.
  [# 692613]

• If a NetScaler appliance that is trying to convert HTTP/2 requests to HTTP/1.1 for communication with back-end servers receives an HTTP/2 request with a cookie header, all headers received after the cookie header encounter an issue during the conversion.
  [# 693095]

Upgrade and Downgrade

• When you upgrade the NetScaler firmware by using the NetScaler GUI, the appliance restarts in the background as soon as the upgrade is complete, but the GUI does not show that the upgrade has been completed.

  Workaround: Log off and log back on to the NetScaler appliance to check the firmware version.
  [# 646046]

• The auto cleanup option (/installns -c) is not supported in NetScaler release 12.0.

  Clean up flash manually if space is insufficient when upgrading or downgrading a NetScaler appliance.
  [# 683380]

• Repetitive messages appear in log files when you restart the NetScaler appliance after upgrading the firmware. The messages appear regardless of whether you use the GUI or the CLI to perform the upgrade. The repetitive logging stops when you log back on to the appliance.
  [# 690534]

User Interface

• A timezone setting ("set timezone” command) in a NetScaler appliance running release 11.1 might get lost after you upgrade it to a later release.

  Workaround: Set the required timezone (by using the "set timezone" command in the NetScaler CLI or the NetScaler GUI) again on the upgraded appliance.
  [# 692565, 683168]

• Feature name: GSLB

  GSLB auto synchronization might fail if the GSLB virtual server's status appears different on the sites participating in GSLB.
  [# 692943]

What's New in Previous NetScaler 12.0 Releases

• SAMLIDP Single Logout Support for Redirect and Post Bindings

  SAMLIDP single logout support for Redirect and Post bindings is now available.
  [From Build 35.6] [# 642105]

Admin Partitions

• VXLAN Support for Admin Partitions

  A partitioned NetScaler appliance now supports Virtual eXtensible Local Area Networks (VXLANs) protocol. A VXLAN can be created in the default partition and bound to any administrative partition. When you extend a VXLAN to a VLAN, binding a VLAN to a partition will also bind the VXLAN to the same partition. However, the appliance does not support shared VXLAN and does not allow you to extend a VXLAN to a shared VLAN.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 651332]

• Configurable Partition Resource Limit

  When you create an administrative partition, you can now set a partition resource (such as memory, bandwidth, or connections) limit to zero, which specifies that use of the resource is unlimited. The partition can consume up to the system limit. For a previously created partition, you can increase or decrease the limit or set the limit to zero.
  [From Build 35.6] [# 652187]

• Memory Management in Admin Partitions

  In a partitioned NetScaler appliance, the partition connections are now accounted from the partition quota memory. Previously, the connections were accounted from the default partition quota memory.
  [From Build 35.6] [# 652198]

• Blocking VRRP on Shared VLANs in Admin Partitions

  On a partitioned NetScaler appliance, Virtual Router Redundancy Protocol (VRRP) protocol is now supported only on non-shared VLANs. It is blocked on shared VLANs (tagged or untagged type) bound to a default or an administrative partition.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 655514]

• SNMP Traps for Admin Partition Rate Limiting

  On a partitioned NetScaler appliance, a SNMP-RATE-LIMIT alarm can generate six new SNMP traps for notification that a partition resource (such as connection or memory) has reached its limit or returned to normal. Previously, only three SNMP traps were available for rate limiting partition resources.

  Note: To enable generation of the SNMP trap messages, you must enable the SNMP-RATE-LIMIT alarm on the appliance and then configure the destination device to which the appliance can send the trap messages.

  The threshold and limit values for partition rate limiting are:

  Highest threshold = 80% (applicable for all partition rate limit traps)

  Lowest threshold = 60 % (applicable for all partition rate limit traps)

  Memory limit = 95% (applicable only for partition memory traps)

  The six new SNMP traps are:

  partitionCONNThresholdReached. Number of active connections for a partition exceeds its high threshold.

  partitionCONNThresholdNormal. Number of active connections are less than or equal to the configured normal threshold percentage.

  partitionBWThresholdReached. Partition's bandwidth usage reaches configured high threshold percentage.

  partitionMEMThresholdReached. Current memory usage of the partition exceeds its high threshold percentage.

  partitionMEMThresholdNormal. Current memory usage of the partition is less than or equal to the configured normal threshold percentage.

  partitionMEMLimitExceeded. Current memory usage of the partition exceeds its memory limit percentage
  [From Build 35.6] [# 655560]

AppExpert

• Blacklisting Up to One Million URLs by Using URL Sets

  To prevent access to restricted websites, a NetScaler appliance uses a specialized URL matching algorithm. The algorithm uses a URL set that can include up to one million (1,000,000) blacklisted URLs. Each entry can include metadata that defines URL categories and category groups as indexed patterns. The appliance can also periodically download highly sensitive URL sets managed by internet enforcement agencies (with government websites) or independent internet organizations such as the Internet Watch Foundation (IWF). After downloading and importing the URL set, the appliance encrypts it (as required by these agencies) and keeps it confidential so that the entries are not tampered with.

  The NetScaler appliance uses advanced policies to determine whether an incoming URL should be blocked, allowed, or redirected. These policies use advanced expressions to evaluate incoming URLs against blacklisted entries. An entry can include metadata. For entries that have no metadata, you can use an expression that evaluates the URL on the basis of an exact string match. For URLs that have metadata, you can use an expression that evaluates the URL's metadata, in addition to an expression that checks for an exact string match.
  [From Build 35.6] [# 628124]

Application Firewall

• Generate SNMP alarm and log message when application firewall Session limit is reached

  When NetScaler reaches appfw_session_limit and CSRF checks are enabled, the web application freezes.

  To prevent web application freeze, decrease the session timeout and increase the session limit by using the following commands:

  From CLI: > set appfw settings -sessiontimeout 300

  From shell: root@ns# nsapimgr_wr.sh -s appfw_session_limit=200000

  Logging and generating SNMP alarm when appfw_session_limit is reached assists users in troubleshooting and debugging issues.
  [From Build 35.6] [# 589567]

• Application Firewall GUI - Signature Editor

  When using the signature editor to perform an import and merge operation from the NetScaler GUI, you can now see the new, updated, duplicate, and invalid rules.

  The signature editor displays the following four new rows:

  1. New Rules

  2. Updated Rules

  3. Duplicate Rules

  4. Invalid Rules

  The output of the New Rules Only and Updated Rules Only filters also appears in the Category filter pane of the Edit window in signature editor.
  [From Build 35.6] [# 656279]

• Configure Application Firewall Session Limit Through the CLI

  You can now use the CLI to configure the Application Firewall session limit. Enter the following command:

  set appfw settings -sessionLimit <value>

  Where <value> is the maximum number of sessions allowed for each packet engine. Minimum value: 0. Maximum value: 500000. Default: 100000.
  [From Build 35.6] [# 662582]

Clustering

• SNMP MIB Support for Cluster Nodes

  In a cluster setup, you can now configure the SNMP MIB on any node by including the ownerNode parameter in the set snmp mib command. Without this parameter, the set snmp mib command applies only to the cluster coordinator node.

  To display the MIB configuration for an individual node other than the cluster coordinator node, include the ownerNode parameter in the show snmp mib command.
  [From Build 35.6] [# 628136, 623888]

• Disabling Steering for Forwarding Sessions in a Cluster Setup

  The default behavior of a NetScaler cluster is to direct the traffic that it receives (flow receiver) to another node (flow processor) that must then process the traffic. This process of directing the traffic from flow receiver to flow processor occurs over the cluster backplane and is called steering. This steering can be an overhead for real time processing or when high latency links are present in the setup.

  Steering for forwarding sessions can now be disabled so that the processing becomes local to the flow receiver and therefore makes the flow receiver the flow processor.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 636825]

• Monitor Static Route (MSR) Support for Inactive Nodes in a Spotted Cluster Configuration

  In a spotted cluster configuration, you can now configure an inactive or spare node to monitor a static route for which the MSR option is enabled. From a SNIP address owned exclusively by an inactive node, the node can send PING and ARP probes to an IPv4 route or ping5 and nd6 probes to an IPv6 route. Previously, only active nodes could monitor a static route.
  [From Build 35.6] [# 648194]

• VRID/VRID6 support for cluster

  When you migrate a high availability (HA) setup to a cluster setup, all configurations must be compatible and must be supportable in the cluster. To achieve this, you can now configure virtual router IDs (VRIDs and VRID6s) on a single-node cluster interface.
  [From Build 35.6] [# 655726]

• Managing Cluster Heartbeat Messages

  In a cluster configuration, you can now disable the heartbeat option on node interfaces. However, the heartbeat option on the backplane interface cannot be disabled, because it is required for maintaining connectivity among the cluster nodes.
  [From Build 35.6] [# 655842]

• TFTP Support in a Cluster Setup

  Trivial File Transfer Protocol (TFTP) is now supported in a NetScaler cluster setup. TFTP is a simple form of file transfer protocol and is based on the UDP protocol. TFTP does not provide any security features and is generally used for automated transfer of configuration and boot files between devices in a private network. TFTP support on a NetScaler cluster setup is compliant with RFC 1350. A server listens on port 69 for any TFTP request.

  The following features are supported:

  * INAT processing compliant with TFTP. If a NetScaler cluster receives a request packet whose destination is port 69 and that matches an INAT rule with the TFTP option enabled, the cluster's processing of the request and the corresponding response is compliant with the TFTP protocol. For an INAT configuration for a TFTP server, only spotted SNIP addresses are supported for the server-side communication.

  * RNAT processing compliant with TFTP. When a request packet generated by a server is destined to a TFTP server, and the packet matches an RNAT rule on a NetScaler cluster, the cluster's processing of the request and the corresponding response from the TFTP server is compliant with the TFTP protocol. In an RNAT configuration of TFTP servers, only spotted NAT IP addresses are supported for the TFTP server-side communication.
  [From Build 35.6] [# 658631]

• Audit-Log Support in Cluster

  A cluster setup of NetScaler appliances now supports the audit-log feature.
  [From Build 35.6] [# 669938]

DNS

• Support for Wildcard DNS Domains

  You can now use wildcard DNS domains to handle requests for a nonexistent domains and subdomains. In a zone, if you want to redirect queries for all nonexistent domains or subdomains to a particular server, you can use wildcards rather than creating a separate Resource Record (RR) for each such domain. The wildcard RRs synthesize the responses to queries for a nonexistent domain or a subdomain name.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 558993]

• Caching of EDNS0 Client Subnet (ECS) Data when the NetScaler Appliance is in Proxy Mode

  In NetScaler Proxy mode, if a back-end server that supports ECS sends a response containing the ECS option, the NetScaler appliance forwards the response as-is to the client and stores it in the cache, along with the client subnet information. Further DNS requests that are from the same subnet of the same domain, and for which the server would send the same response, are then served from the cache instead of being directed to the server.
  [From Build 35.6] [# 626837]

• Securing DNS Keys with Passwords on a Partitioned NetScaler Appliance

  You can now secure the DNS keys with passwords on a partitioned NetScaler appliance.

  Specify the password in the create dns key command, and then specify the same password in the add dns key command when adding the DNS key to the NetScaler appliance.
  [From Build 35.6] [# 655295]

GSLB

• Configuring GSLB by Using a Wizard in the NetScaler GUI

  You can now use a wizard to configure the GSLB deployment types (active-active and active-passive) and parent-child topologies. In the NetScaler GUI, navigate to Configuration > Traffic Management > GSLB, and click Get Started.

  You can also start the GSLB configuration wizard from the dashboard. The dashboard provides the overall status of the GSLB sites participating in GSLB. You can also synchronize the sites and test the GSLB setup from the dashboard. To access the GSLB dashboard, navigate to Configuration > Traffic Management > GSLB > Dashboard.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 664467]

Load Balancing

• SNMP OID for Tracking Persistence Sessions on a Per-Vserver Basis

  The vsvrCurPersistenceSessions (1.3.6.1.4.1.5951.4.1.3.1.1.76) SNMP OID provides the number of current persistence sessions on each virtual server.
  [From Build 35.6] [# 346825]

• Setting alertRetries to a Value Higher than the Retries Value

  The alertRetries parameter, which specifies the maximum number of consecutive monitoring-probe failures after which the NetScaler appliance generates an SNMP trap called monProbeFailed, can now be set to a value higher than the Retries value (which specifies the maximum number of probes to send to establish the state of a service for which a monitoring probe failed). If the alertRetries value is higher than the Retries value, the SNMP trap is not sent until after the service is DOWN.

  For example, if you set Retries to 3, alertRetries to 12, and the time interval to 5 seconds, the service is marked DOWN after 15 seconds (3*5), but no alert is generated. If the monitor probes are still failing after 60 seconds (12*5), the NetScaler appliance generates a monProbeFailed trap. If a probe succeeds at some time between 15 and 60 seconds, the service is marked UP and no alert is generated.
  [From Build 35.6] [# 422816]

• Connection Failover Support for IPv6 Load Balancing Configurations

  Connection failover support has been extended for IPv6 load balancing configurations. Connection failover helps prevent disruption of access to applications deployed in a distributed environment. In a NetScaler High Availability (HA) setup, connection failover (or connection mirroring) refers to keeping an established TCP or UDP connection active when a failover occurs. The new primary NetScaler appliance has information about the connections established before the failover and continues to serve those connections. After failover, the client remains connected to the same physical server. The new primary appliance synchronizes the information with the new secondary appliance by using the SSF framework. If the L2Conn parameter is set, Layer 2 connection parameters are also synchronized with the secondary.

  You can set up connection failover in either stateless or stateful mode. In the stateless connection failover mode, the HA nodes do not exchange any information about the connections that fail over. This method has no runtime overhead. In the stateful connection failover mode, the primary appliance synchronizes the data of the failed-over connections with the new secondary appliance. Connection failover is helpful if your deployment has long lasting connections.

  For example, if you are downloading a large file over HTTP and a failover occurs during the download, the connection breaks and the download is aborted. However, if you configure connection failover in stateful mode, the download continues even after the failover.
  [From Build 35.6] [# 472611]

• Configuring Backup Persistence

  You can now configure a virtual server to use source IP persistence as the backup persistence type when the primary persistence type is rule-based. If the primary persistence lookup fails, the appliance uses source-IP based persistence when the parameter specified in the rule is missing in the incoming request.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 519440]

• Support for RADIUS Shared Secret

  A shared secret must now be configured in RADIUS load balancing deployments. A RADIUS client and server communicate with each other by using a shared secret that is configured on the client and the server. Transactions between the client and RADIUS server are authenticated through the use of a shared secret. This secret is also used to encrypt some of the information in the RADIUS packet.

  You can configure a default RADIUS shared secret, or you can configure a shared secret on a per-node basis. The appliance uses the client IP address or the server IP address in the RADIUS packet to decide which shared secret to use.

  In telco deployments, you must now configure a RADIUS client when you configure a RADIUS listener service. If a shared secret is not configured, the RADIUS message is silently dropped.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 564185]

• RADIUS Interim Message Support for RADIUS-Only Mode

  RADIUS interim message support has been added for RADIUS-only mode, to treat interim messages as start messages.
  [From Build 51.24] [# 675763]

• Support for Autofill of username from SAML Service Provider (SP)

  A NetScaler appliance used as a SAML Service Provider (SP) with Multi-Factor (nFactor) authentication now prepopulates the user-name field on the login page. The appliance sends a NameID attribute as part of an SAML authorization request, retrieves the NameID attribute value from the NetScaler SAML Identity Provider (IdP), and prepopulates the user-name field.
  [From Build 51.24] [# 677540]

NITRO

• Prevent XSS and CSRF Attacks by Disabling Basic Authentication

  As an administrator or a root user, you can now prevent users from making API calls after using basic authentication (such as one-time credentials) to log on. You can use this feature to prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and other types of attacks.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 611690, 570838]

• View Individual Counter Information

  To view global counters that are not otherwise shown by the NetScaler CLI or the NITRO API, you can now use the following URL format.

  URL: http://<NSIP>/nitro/v1/stat/nsglobalcntr?args=counters:<counter1>;<counter2>

  Previously, these counter values could be viewed only through the "nsconmsg" Shell command.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 622976]

NetScaler CPX

• Support for Licensing the NetScaler CPX with Multiple Cores

  You can use NetScaler MAS to pool your NetScaler CPX licenses, and use NetScaler MAS as a licensing server. You can use the NetScaler GUI to install licenses in MAS by uploading the license files or using the License Access Codes (LACs) that you purchased from Citrix. If you are provisioning a NetScaler CPX deployment with multiple vCPU cores, each core is allocated a CPX license from the license pool. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/cpx-licensing.html.
  [From Build 51.24] [# 673368]

• Ability to Control the Throughput Performance of NetScaler CPX

  When a NetScaler CPX container does not receive any incoming traffic to process, it yields CPU cycles, which causes low throughput performance. When provisioning the NetScaler CPX container, you can now use the CPX_CONFIG environment variable to control the throughput performance of the NetScaler CPX container in such cases. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/deploy-using-docker-image-file.html.
  [From Build 51.24] [# 687896]

NetScaler GUI

• PHP Version Upgraded from Version 5.3.17 to 7.0.13

  PHP has been upgraded from version 5.3.17 to version 7.0.13 on the NetScaler appliance to resolve security vulnerabilities and stability issues with PHP.
  [From Build 35.6] [# 572765]

• NetScaler GUI Masks Full Path

  To enhance security, the NetScaler GUI no longer displays the full path to an admin partition when a file browser is opened for an activity such as SSL certificate installation. Everything except the last part of the path is masked.
  [From Build 35.6] [# 661475]

• Support for Atomocity in Wizards

  The new atomicity feature removes the residual configuration left by an unsuccessful configuration attempt, so that you can successfully reconfigure the entity by using a wizard in Citrix XenMobile, XenApp, NetScaler Gateway, NetScaler Unified Gateway, or GSLB. Previously, co-entities and other unwanted configurations left by the unsuccessful configuration attempt caused error messages to appear.
  [From Build 35.6] [# 669990]

NetScaler Gateway

• Configuring Separate Ports of a RADIUS Server for Accounting and Authentication Functionalities

  You can now configure separate ports of a RADIUS server (other than the default ports) for accounting and authentication functionalities.
  [From Build 35.6] [# 355523, 634307]

• Proxy Auto Configuration for Outbound Proxy

  You can now configure the NetScaler Gateway appliance to support Proxy Auto Configuration (PAC). Upon configuration, a PAC file URL is pushed to the client browser, the traffic initiated from browser is then redirected to the respective proxies based on the conditions defined in the PAC file.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 378411]

• Support for One Time Password (OTP)

  NetScaler Gateway now supports one-time passwords (OTPs) without having to use a third-party server. In addition to reducing capital and operating expenses, this feature enhances the administrator's control by keeping the entire configuration on the NetScaler appliance.

  Note that, since third-party servers are no longer needed, the gateway administrator has to configure an interface to manage and validate user devices.

  To use the OTP feature, a user must be registered with a NetScaler Gateway virtual server. Registration is required only once per unique device, and typically is restricted to certain environments. Configuring validation of a registered user is similar to configuring an additional authentication policy. For more information about this feature, see http://docs.citrix.com/en-us/netscaler-gateway/12/native-otp-support.html
  [From Build 51.24] [# 603663]

• Support for EPA in GSLB Active-Active deployment

  EPA now functions reliably on GSLB Active-Active deployment.
  [From Build 35.6] [# 619596]

• PCoIP Proxy Support for VMware View

  NetScaler Gateway now supports the PCoIP protocol which is the core building block for several VDI solutions, including VMware Horizon View solution. This enables the solution to deliver desktops and applications and secure data on a variety of endpoint devices more efficiently.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 632624]

• Support for Logon Lockdown Control

  Logon lockdown control is now supported on a NetScaler cluster. Unsuccessful logon attempts are recorded in a distributed hash table (DHT). The advantage of using the DHT is that both n2n (node to node) and c2c (cluster to cluster) messaging are supported.
  [From Build 35.6] [# 635415]

• Support for Logon Lockdown Control

  The User Lockdown Control feature is now available for system role-based access control users on a cluster.
  [From Build 35.6] [# 650547, 490670]

• Support for logging out from a VPN session upon removal of smart-card from the logged on device.

  You can now optionally log out from a VPN session if you remove smart-card from the logged on device.
  [From Build 35.6] [# 654943]

• EDT as a Data Transmission Path Support for NetScaler Gateway

  The NetScaler Gateway appliance now supports the HDX Enlightened Data Transport (EDT) as a data transmission path. EDT provides a high definition in-session user experience of virtual desktops for users running a Citrix Receiver.
  [From Build 35.6] [# 659795, 666135]

• Logging "Destination IP address" and "ICA Proxy policy name" for Outbound ICA Proxy

  Now "Destination IP address" and "ICA Proxy policy name" are logged additionally along with other information logged earlier for Outbound ICA Proxy.
  [From Build 35.6] [# 661832]

• Support for SAML ForceAuthn Parameter and Artifact Binding (when NetScaler is SP) using GET HTTP Method

  NetScaler SAML SP (Service Provider) module now sends additional attribute called 'ForceAuth' in the authentication request to external IDP (Identity Provider). By default, the ForceAuthn carries a value of 'false'. It can be set to 'true' to provide a hint to IDP to force authentication despite existing authentication context.

  Additionally, NetScaler SP does authentication request in query parameter when configured with artifact binding.
  [From Build 35.6] [# 665828]

• Inter-operability with OAuth

  NetScaler Gateway is now able to process JWT (Json Web Tokens) during logon. Gateway is required to be configured with an OAuth action that contains a URL to fetch the certificates to verify incoming JWT. This enables Gateway to inter-operate with OAuth providers.
  [From Build 35.6] [# 671380]

• Multi-Stream ICA Functionality Support for EDT

  NetScaler Gateway now supports multi-stream ICA functionality while using HDX Enlightened Data Transport (EDT) as a data transmission path.
  [From Build 35.6] [# 671878]

• Support for End-point analysis and VPN plugins for Firefox

  End-point analysis and VPN plug-ins get launched from Firefox browser, build 52.0 or later, even though the browser no longer supports NPAPI plug-ins.
  [From Build 51.24] [# 679998, 682798]

NetScaler SDX Appliance

• Support for FQDN as External Server Name

  For LDAP and RADIUS servers, you can now use Fully Qualified Domain Names (FQDNs) to specify external servers. Previously you had to specify IP addresses for all external servers.

  For more information, see http://docs.citrix.com/en-us/sdx/12/configuring-management-service/configuring-external-authentication-server.html.
  [From Build 51.24] [# 684417]

NetScaler Secure Web Gateway

• Support for a new product called NetScaler Secure Web Gateway

  The NetScaler Secure Web Gateway (SWG) implementation supports the following features:

  * SSL Interception - Intercept HTTPS traffic and apply policies to enforce compliance rules and security checks. The traffic is intercepted, blocked, or bypassed on the basis of the configured policies.

  * Forward Proxy - Support for transparent and explicit proxy modes. In explicit proxy mode, an IP address must be specified in the client's browser, unless the organization pushes the setting onto the client's device. This address is the IP address and port of a proxy server that is configured on the SWG appliance. All client requests are sent to this IP address. In transparent proxy mode, a proxy is not configured on the client's device. The SWG appliance is configured in an inline deployment, and the appliance transparently accepts all HTTP and HTTPs traffic.

  * Identity Management - Tag traffic to the users so that administrators can take user based actions. Authentication is explicitly enabled, or user information from the active directory is extracted and tagged to the traffic.

  * URL Threat Intelligence - Enable the appliance to categorize internet sites to more effectively enforce compliance policies around internet usage. URL threat intelligence also provides the reputation score of the URLs that are being accessed, to protect the users from exposure to harmful (malware/phishing) internet sites. You can also deploy custom URL lists that are managed by independent internet organizations, such as the Internet Watch Foundation (IWF), or create blacklists and whitelists of URLs by using pattern sets.

  * Analytics - The transaction-level records are exported from Secure Web Gateway to NetScaler MAS by using the Logstream transport mechanism. In NetScaler MAS, the User Behaviour Analytics dashboard displays user internet-usage information. It also shows the transaction-level details per user. From the Outbound Traffic Dashboard, you can view the overall network details, and the top websites in terms of maximum bandwidth consumption.

  Using the above features, an administrator can protect the enterprise network from external threats coming from the web in the form of malware, by defining policies to do the following:

  - Block access to URLs identified as serving harmful content.

  - Identify end users in the enterprise (employees) who are accessing malicious websites, and categorize them as high-risk users.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler-secure-web-gateway/12.html.

  Important! Secure Web Gateway requires its own platform license. Contact your local Citrix sales representative to purchase your license.
  [From Build 51.24] [# 653661]

NetScaler VPX Appliance

• Support for AWS Auto Scaling Service

  AWS Auto Scaling in now supported on VPX instances.

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-aws/configuring-aws-auto-scaling-service.html.
  [From Build 51.24] [# 432348, 432345, 487534]

• Support for Key-Pair Based Authentication

  For VPX deployment on KVM OpenStack, you can now use key-pair based authentication to log on and access a VPX instance in a more secure way. You can also execute custom scripts with a userdata file.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 617478]

• Two New Commands to Control CPU Usage Behavior

  Two new commands, set ns vpxparam and show ns vpxparam, control the CPU-usage behavior of VPX instances in VMWare ESX and Citrix XEN environments:

  1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)

  Allow each VM to use CPU resources that have been allocated to another VM but are not being used.

  Set ns vpxparam parameters:

  -cpuyield: Release or do not release of allocated but unused CPU resources.

  YES: Allow allocated but unused CPU resources to be used by another VM.

  NO: Reserve all CPU resources for the VM to which they have been allocated.

  DEFAULT: Reset -cpuyield to its factory default value based on license.

  - If license <= 8G, release CPU resources.

  - If license > 8G, use up all the CPU resources allocated to it.

  2. show ns vpxparam

  Display the current vpxparam settings.
  [From Build 35.6] [# 625698]

• Two New Commands to Control CPU Usage Behavior

  Two new commands, set ns vpxparam and show ns vpxparam, control the CPU-usage behavior of VPX instances in VMWare ESX and Citrix XEN environments:

  1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)

  Allow each VM to use CPU resources that have been allocated to another VM but are not being used.

  Set ns vpxparam parameters:

  -cpuyield: Release or do not release of allocated but unused CPU resources.

  YES: Allow allocated but unused CPU resources to be used by another VM.

  NO: Reserve all CPU resources for the VM to which they have been allocated. This option shows higher percentage in hypervisor for VPX CPU usage.

  DEFAULT: NO

  Note: On all NetScaler VPX platforms, the vCPU usage on the host system will be 100 percent. Type the set ns vpxparam –cpuyield YES command to override this usage.

  2. show ns vpxparam

  Display the current vpxparam settings.
  [From Build 51.24] [# 625698]

• Support for VMware ESXi 6.5 server

  NetScaler VPX appliances now support VMware ESXi 6.5 server.
  [From Build 35.6] [# 643974]

• Support for High-Performance VPX on OpenStack

  You can now deploy high-performance NetScaler VPX instances that use single-root I/O virtualization (SR-IOV) technology, on OpenStack. Also, on the OpenStack host, you can configure VLAN tagging on the SR-IOV virtual functions.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 660055]

• Support for Subscription-Based Licensing Model

  A subscription based licensing model is now supported for NetScaler VPX in the Azure Marketplace. When creating a NetScaler VPX instance on Azure, you can choose either subscription (pay by hour) or Bring Your Own License (BYOL).

  For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure.html.
  [From Build 51.24] [# 683144, 644004]

• Support for NetScaler Pooled Capacity Licensing Framework

  The NetScaler pooled-capacity licensing framework is now supported on Microsoft Azure and Hyper-V, and Amazon Web Services. A pooled-capacity enabled NetScaler VPX instance can check out licenses from a bandwidth pool of any NetScaler software edition (Platinum/Enterprise/Standard) hosted on and served by NetScaler MAS server. The bandwidth pool is the total bandwidth that can be shared by NetScaler instances. You can dynamically modify the bandwidth of a VPX instance as appropriate for the available pool.

  For more information, see http://docs.citrix.com/en-us/netscaler-mas/12/netscaler-pooled-capacity.html.
  [From Build 51.24] [# 684408]

Networking

• Support for Bidirectional Forwarding Detection Protocol

  Bidirectional Forwarding Detection (BFD) protocol is a mechanism for fast detection of failures of forwarding paths. BFD detects path failures in the order of milliseconds. BFD is used in conjunction with dynamic routing protocols.

  In BFD operation, routing peers exchange BFD packets at a negotiated interval. If a packet is not received from a peer within the negotiated interval plus grace interval, the peer is considered to be dead and a notification will be sent to the set of registered routing protocols. In turn, the routing protocols recalculate the best path and reprogram the routing table. BFD supports smaller time interval, when compared to the timers provided by the routing protocols, thus resulting in faster detection of failures.

  The NetScaler appliance supports BFD for the following routing protocols: BGP (IPv4 and IPv6), OSPFv2 (IPv4), and OSPFv3 (IPv6). BFD support in the NetScaler appliance is compliant with RFCs 5880, 5881, and 5883.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/networking/ip-routing/configuring-dynamic-routes/configuring-bidirectional-forwarding-detection.html.
  [From Build 51.24] [# 647447]

• IPv6 Virtual Router Redundancy Protocol Support for a Cluster Setup

  IPv6 Virtual Router Redundancy Protocol (VRRP6) protocol is now supported on a cluster setup.

  The following are the two VRRP6 features supported on a cluster setup:

  * Interface based VRRP6: This feature is only applicable to a two-node cluster where one of node is in active state and the other in Spare. In this feature, same VMAC address is configured on both the nodes of a cluster setup. This VMAC address is used in GARP advertisements and ARP responses for the IPv6 addresses configured on a node. This feature is useful in an active-spare two-node cluster setup that has external devices/routers that do not accept GARP advertisements. By configuring a same VMAC address on both cluster nodes, when the active node goes down and the spare node takes over as active, the MAC address for the IP addresses in the new active node remain unchanged and the ARP tables on the external devices/ routers do not need to be updated.

  * IP based VRRP6: In this feature, striped VIP6 addresses bound to the same VRID6 are configured on all nodes of a cluster setup. These VIP6 addresses are active on all the nodes One of the cluster nodes acts as the VRID6 owner and sends out the VRRP6 advertisement to other nodes. In case of failure of the VRID6 owner node, another node in the cluster assumes the ownership of the VRID6 and starts sending VRRP6 advertisements.
  [From Build 35.6] [# 657315]

• Removing RNAT Sessions

  You can remove any unwanted or inefficient RNAT sessions from the NetScaler appliance. The appliance immediately releases resources (such as a port of the NAT IP address, and memory) allocated for these sessions, making the resources available for new sessions. The appliance also drops all the subsequent packets related to these removed sessions. You can remove all or selected RNAT sessions from the NetScaler appliance.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/networking/ip-addressing/configuring-network-address-translation/configuring-rnat.html.
  [From Build 51.24] [# 672953]

• Using the Client IP address in the Outer Header of Tunnel Packets in DSR IP tunneling mode

  The NetScaler supports using the client IP address as the source IP address in the outer header of tunnel packets related to direct server return mode using IP tunneling. This feature is supported for DSR with IPv4 and DSR with IPv6 tunneling modes. For enabling this feature, enable the use client source IP address parameter for IPv4 or IPv6. This setting is applied globally to all the DSR configurations that use IP tunneling.

  For more information about this feature, see the section "Using the Client IP address in the Outer Header of Tunnel Packets" at http://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-dsrmode-tos-ipoverip.html.
  [From Build 51.24] [# 677829]

• Increase in Maximum Value for VRRP Dead Interval

  In an active-active setup of NetScaler appliances using Virtual Router Redundancy Protocol (VRRP), VRRP dead interval is the time interval after which the master VIP address is marked down if the VRRP advertisements are not received from the node of the master VIP address.

  The maximum value that can be set for VRRP dead interval has been increased from 3 to 60 seconds.
  [From Build 51.24] [# 679999]

SSL

• Support for AES-GCM and SHA2 Ciphers at the Front End of MPX/SDX 14000 FIPS Appliances

  The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the front end.

  The following AES-GCM and SHA2 ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:

  - TLS1.2-AES256-GCM-SHA384

  - TLS1.2-AES128-GCM-SHA256

  - TLS1.2-ECDHE-RSA-AES256-GCM-SHA384

  - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

  - TLS1.2-AES-256-SHA256

  - TLS1.2-AES-128-SHA256
  [From Build 35.6] [# 579751]

• Support for New FIPS Platform

  This release supports the MPX 14000 FIPS platform, which is a high-end platform containing 63 crypto cores, available in the following models:

  Model number System Throughput

  MPX 14030 FIPS 30 Gbps

  MPX 14060 FIPS 60 Gbps

  MPX 14080 FIPS 80 Gbps

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 592833, 498222, 590397]

• Support for New SDX FIPS Platform

  This release supports the SDX 14000 FIPS platform, which is a high-end platform containing 63 crypto cores, available in the following models:

  Model number System Throughput

  SDX 14030 FIPS 30 Gbps

  SDX 14060 FIPS 60 Gbps

  SDX 14080 FIPS 80 Gbps

  For more information, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/configuring-SDX-14030-14060-14080-fips-appliance.html.
  [From Build 35.6] [# 597890]

• Support for AES-GCM and SHA2 Ciphers at the Back End of MPX/SDX 14000 FIPS Appliances

  The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the back end.

  The following AES-GCM and SHA2 ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:

  - TLS1.2-AES256-GCM-SHA384

  - TLS1.2-AES128-GCM-SHA256

  - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256

  - TLS1.2-AES-256-SHA256

  - TLS1.2-AES-128-SHA256
  [From Build 35.6] [# 611983]

• Support for HTTP strict transport security (HSTS)

  NetScaler appliances now support HTTP strict transport security (HSTS) as an inbuilt option in SSL profiles and SSL virtual servers. Using HSTS, a server can enforce the use of an HTTPS connection for all communication with a client. That is, the site can be accessed only by using HTTPS. Support for HSTS is required for A+ certification from SSL Labs.

  You can enable HSTS in an SSL front-end profile or on an SSL virtual server. By setting the maximum age header, you specify that HSTS is in force for that duration for that client. You can also specify whether subdomains should be included.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 636384, 651353]

• Support for ECDHE Ciphers at the Front End and Back End on NetScaler MPX//SDX 14000 FIPS Appliances

  Citrix NetScaler MPX/SDX 14000 FIPS appliances now support the ECDHE cipher group.

  The following ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1.2-ECDHE-RSA-AES-256-SHA384

  - TLS1.2-ECDHE-RSA-AES-128-SHA256

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  This following ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1.2-ECDHE-RSA-AES-128-SHA256

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment. It is also very useful in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.

  The following ECC curves are supported: P_256, P_384, P_224, and P_521.

  By default, all four curves are bound to an SSL virtual server.
  [From Build 35.6] [# 651524]

• Support for a Hybrid FIPS Mode on the MPX 14000 FIPS Platform

  The new MPX 14000 FIPS platform contains one primary card and one or more secondary cards. If you enable the hybrid FIPS mode, the pre-master secret decryption commands are run on the primary card because the private key is stored on this card, but the bulk encryption and decryption is offloaded to a secondary card. This significantly increases the bulk encryption throughput on a MPX 14000 FIPS platform as compared to non-hybrid FIPS mode and the existing MPX 9700/10500/12500/15000 FIPS platform. Enabling the hybrid FIPS mode also increases the SSL transactions per second on this platform.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 651814]

System

• Option to Allocate an Extra Management CPU

  According to your requirement, now you can allocate an extra management CPU from packet engine pool in the NetScaler MPX appliance, and achieve better performance for configuring and monitoring of your appliance. This feature is supported in NetScaler MPX models 250xxx, 220xxx, 14xxx, 115xx.
  [From Build 35.6] [# 352233, 235321, 559207, 604165, 615657]

• Configuring HMAC Keys for PI Function

  A new parameter of the ns hmackey command specifies the HMAC key value. A NetScaler default syntax policy expression uses the HMAC () function to compute a Hash-based Message Authentication Code on selected text. This function is derived from the RFC 2104 technique to authenticate the sender of a message and verify that the contents of the message have not been altered. To set this value, type:

  HMAC (<keyValue>)

  The HMAC key value specifies the digest method and the shared secret key to be used for the HMAC computation.
  [From Build 35.6] [# 415808]

• Call Home Support for NetScaler Services in Citrix Service Provider (CSP) Deployments

  In a Citrix Service Provider (CSP) environment where NetScaler services are deployed on VPX instances, the call home feature can now monitor and track the license specific information and securely send it to Citrix Insight Services (CIS). The CIS in turn sends the information to the License Usage Insights (LUI) portal for accounting purposes and for CSP customers to review their license usage. Currently, CSP environments support NetScaler services on VPX instances only, not on MPX or SDX appliances. The VPX instances can be deployed in either standalone or high availability mode.

  For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/system/configuring-call-home.html.
  [From Build 51.24] [# 637763]

• Displaying MPTCP Statistics

  The new "stat mptcp" command displays statistical information about MPTCP counters, including counters for total MPTCP traffic, current traffic, and erroneous traffic flowing through the NetScaler appliance.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 646498, 350115]

• Configuring SYN-Cookie Timeout Interval

  In addition to the SYN Cookie setting in the TCP profile, a NetScaler appliance now maintains a second SYN Cookie setting for each virtual server. This enhancement is especially important for cluster deployments. To protect the appliance against SYN attacks, the SYN Cookie parameter in the TCP profile is enabled by default. Previously, if you disabled it, its value would toggle to ENABLED if a SYN attack was detected. If the appliance was deployed in a cluster, the cluster configuration would become inconsistent until the parameter was toggled back to the DISABLED state after the attack. Now, the SYN Cookie parameter is enabled and disabled only for the virtual server that detects the SYN attack.

  Note: A SYN attack does not enable the SYN Cookie parameter for a virtual server unless the SYN Cookie parameter in the TCP profile is set to DISABLED.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 651196]

• Protection Against Wrapped Sequence (PAWS) Algorithm

  On a NetScaler appliance, you can now enable the TCP timestamp option in the default TCP profile to use the Protection Against Wrapped Sequence (PAWS) algorithm. The algorithm can identify and discard old packets whose sequence numbers are within the current TCP connection's receive window because the sequence has "wrapped" (reached its maximum value and restarted from 0).

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 652210]

• HTTP version 2 Protocol Support for Plaintext

  A NetScaler appliance now supports HTTP version 2 (HTTP/2) protocol for plaintext messaging. The appliance advertises the service availability to its clients by including an Alt-Svc field in its response so that the client can directly send a subsequent HTTP/2 request instead of an HTTP 1.1 or HTTP/2 upgrade request. Previously, the appliance supported plaintext messaging only as an upgrade request in HTTP version 1.1.
  [From Build 35.6] [# 653154]

• Configuring Heartbeat Time Interval for Call Home

  The Call Home feature periodically reports the latest status of the NetScaler appliance to Citrix Technical Support servers. The report has the same content as the registration message. Previously, CallHome sent the report once every 30 days, but you can now specify a time interval of from 1 to 30 days. However, a value of less than 5 days is not recommended, because the frequent uploads are usually not very useful.
  [From Build 35.6] [# 655515]

• Monitoring Rate Limit Errors in Call Home

  The NetScaler Call Home feature can now monitor rate-limiting packet drops caused by exceeding either the throughput (Mbps or Gbps) limit or the packets-per-second (pps) limit.
  [From Build 35.6] [# 656569]

• Encrypting user passwords by using SHA-512

  For enhanced security, the NetScaler appliance now uses the SHA-512 hashing algorithm to encrypt user passwords.

  Note: A user to which the following set of conditions applies cannot log on:

  1. The user is added, or the user's credentials are modified.

  2. The NetScaler software is then downgraded to an earlier build, but the modified configuration file (ns.conf) is used.
  [From Build 35.6] [# 658393, 204279, 658859]

• Audit-log Support for Admin Partitions

  A partitioned NetScaler appliance now supports audit logging for non-default partitions by using advanced (PI) policies. Previously, you could configure the audit-log feature only in a default partition, not in administrative partitions.
  [From Build 35.6] [# 659649]

• Configuring TCP Burst Control Parameters by using NetScaler GUI

  The following TCP Burst Control parameters are now configurable through either the NetScaler GUI or the command line interface. Previously, you could configure the following parameters through only the command line interface:

  - BurstRateCntrl

  - CreditBytePrms

  - RateBytePerms

  - RateSchedulerQ
  [From Build 35.6] [# 660828]

• Silently Dropping Idle TCP Connections

  In a Telco network, almost 50 percent of a NetScaler appliance's TCP connections become idle, and the appliance sends RST packets to close them. The packets sent over radio channels activate those channels unnecessarily, causing a flood of messages that in turn cause the appliance to generate a flood of service reject messages. The default TCP profile now includes DropHalfClosedConnOnTimeout and DropEstConnOnTimeout parameters, which by default are disabled. If you enable both of them, neither a half-closed connection nor an established connection causes an RST packet to be sent to the client when the connection times out. The appliance just drops the connection.

  For more information, see the Citrix NetScaler 12.0 Beta features document.
  [From Build 35.6] [# 664057]

Telco

• Large Scale NAT64 SIP and RTSP ALGs Support for 464XLAT Connections

  NetScaler appliances now support Large Scale NAT64 RTSP and SIP ALGs for 464XLAT connections that use large Scale NAT64.

  For a 464XLAT SIP connection using NAT64 and SIP ALG, the show lsn sipalgcall command now displays the IPv4 address (XLAT IP) of the subscriber. For a 464XLAT RTSP connection using NAT64 and RTSP ALG, the show lsn rtspalgsession command now displays the IPv4 address (XLAT IP) of the subscriber.

  464XLAT is an architecture that provides IPv4 connectivity across an IPv6-only ISP core network by combining the existing and well-known stateful translation at the core (Stateful NAT64; RFC 6146) and stateless protocol translation at the edge (IP/ICMP Translation algorithm; RFC 6145). In other words, 464XLAT provides connectivity between IPv4-only applications on IPv6 subscriber hosts and IPv4 Servers on the internet through an IPv6-only ISP core network.

  For more information about configuring SIP and RTSP ALGs for Large NAT64, see https://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-nat-64/configuring-agl-large-scale-NAT64.html.
  [From Build 35.6] [# 635880]

Fixed Issues in Previous NetScaler 12.0 Releases

• The NetScaler appliance might fail if you use Kerberos authentication and the cached ticket incorrectly points to NULL, because the Kerberos ticket has expired and removed from the Distributed Hash Table (DHT).
  [From Build 51.24] [# 678865]

• The NetScaler appliance crashes because of a failure to access the NetScaler AAA logon credentials. The failure occurs while attempting to match the rewrite policy against an AAA group.
  [From Build 51.24] [# 680099]

• NetScaler fails to perform SAML Single Logout, if NetScaler is configured for SAML Authentication with an Identity Provider (IdP) that sends session index of 64 bytes. If the session index is less than 64 bytes, Single Logout is performed as expected.
  [From Build 51.24] [# 683429]

• Client logons are delayed by 15 seconds if Kerberos Constrained Delegation (KCD) is used on a NetScaler appliance. The delay occurs during the process of issuing a Kerberos ticket to the client.
  [From Build 51.24] [# 683869]

• In rare scenarios, NetScaler dumps core if dialogue mode operation like password change operation happens during RBA authentication.
  [From Build 51.24] [# 684648]

• In some authentication modes, a NetScaler appliance configured for NetScaler AAA becomes unresponsive if a “Max Login Attempt” value is configured on an authentication virtual server.
  [From Build 51.24] [# 688463]

Admin Partitions

• When you access a partitioned appliance through the NetScaler GUI, the Dashboard does not display the "CPU vs. Memory Usage and HTTP Requests Rate" graph in the left pane.
  [From Build 51.24] [# 676700]

• When you configure an administrative partition, validation of the partition's VMAC address might fail, causing the NetScaler appliance to crash.
  [From Build 51.24] [# 677765]

• WWhen you configure an administrative partition, validation of the partition's VMAC address might fail, causing the NetScaler appliance to crash.
  [From Build 41.24] [# 677765]

• On a partitioned NetScaler appliance, the system memory counters are not updated properly unless they are cleared during partition deletion.
  [From Build 51.24] [# 681422, 682240]

AppExpert

• When a NetScaler appliance receives a client request for evaluating a responder policy, it might not log the responder data. Before evaluation, the appliance sets the ns_auditlog_module_id global variable and uses the data for log processing. If during the evaluation you block the log action and wait for more data, and while you are waiting the appliance receives another client request to evaluate a different policy, the responder log data is not recorded for the responder module.
  [From Build 51.24] [# 687140]

AppFlow

• The NetScaler appliance crashes, dumps core, and restarts if a certificate is unbound from an SSL virtual server while an SSL transaction is in progress.
  [From Build 51.24] [# 679995]

• When ClientSide Measurements is enabled, and you access the NetScaler Gateway, then the Microsoft Internet Explorer browser displays an error.
  [From Build 51.24] [# 680567, 688758]

• A NetScaler appliance crashes and dumps core if an ECDSA certificate is bound to the SSL virtual server that processes an SSL transaction.
  [From Build 51.24] [# 683567, 686195]

• When both Logstream and IPFIX (AppFlow) collectors are configured on a NetScaler instance, NSBs leak while trying to send an IPFIX msg on a Logstream collector.
  [From Build 51.24] [# 687908, 686407]

Application Firewall

• On a NetScaler appliance running release 11.1 build 64, SQL and cross-site scripting relaxations might not work for application or json content types. The AppFW logs display the following message, even when the relaxation rules are applied for User-Agent:

  SQL Keyword check failed for header User-Agent.
  [From Build 51.24] [# 651054]

• A large number of DHT operations causes high CPU usage when StartURLClosure is enabled. Packet per engine (PPE) operations consume over 95% of the CPU cycles after an upgrade to NetScaler 11.1.
  [From Build 51.24] [# 672807, 672753]

• Form based NetScaler AppFirewall checks can be bypassed by a multipart POST request in which the Content-type header has been tampered with.
  [From Build 51.24] [# 674658]

• The NetScaler AppFirewall appliance crashes while copying form data if the form field consistency check is enabled.
  [From Build 51.24] [# 678297, 689073]

• A NetScaler appliance running release 11.1 and build 52 might fail because of a mismatch during memory allocation and display the following error message:

  userspace_panic as_free().
  [From Build 51.24] [# 681746, 683564, 684632]

• Since release 11.1 build 41, the ImportSizeLimit parameter in the AppFW settings can be set to limit the size of the objects that are imported to the NetScaler appliance. This limit is now extended from 128 MB to 256 MB. Execute the following set command from the CLI to change the value to meet your requirement:

  set appfw setting -importsizelimit

  Maximum value: 268435456

  Minimum value: 1

  Default: 134217728

  Example

  > set appfw setting -importsizelimit 268435457
  [From Build 51.24] [# 682219]

• The application firewall signature-update warning messages are not delivered in standard syslog message format. Therefore, NetScaler MAS does not process them. The warning messages do not include the module name or a time stamp, both of which are part of the syslog standard. Signature update messages are also not in standard syslog format.
  [From Build 51.24] [# 682416]

• Applying cross-site scripting checks to complete URLs causes applications to stop after an upgrade. With this fix, cross-site scripting checks run only on the URL's base path if the CrossSiteScriptingCheckCompleteURLs option is enabled in the AppFw profile.
  [From Build 51.24] [# 682770]

• Application firewall log messages generated when data is dropped because of Unknown Content-Type do not include the Content-Type Header value, which would facilitate tracking and monitoring.

  This issue has been fixed now. The application firewall logs allows requests which have multiple charsets with same value in the content-type header.
  [From Build 51.24] [# 682778]

• On a NetScaler AppFirewall appliance, URL global pages cause memory buildup on the secondary node when the URL closure protection feature is enabled.
  [From Build 51.24] [# 683366]

• When you attempt to export learned data for an application firewall profile, the appliance fails because of improper initialization of a stack variable. The Aslearn process restarts continuously because of connection failure.
  [From Build 51.24] [# 684988]

• Traffic to a back-end application is blocked by the HTML cross-site scripting check when the profile type is XML. The cross-site scripting check fails for field with following tags; &lt;?xml version="Bad tag: ?xml" <blocked>.

  When you have cross-site scripting enabled, the application firewall makes the following changes to requests that match the HTML Cross-Site Scripting check:

  Left angle bracket (<) to HTML character entity equivalent (&lt;) Right angle bracket (>) to HTML character entity equivalent (&gt;) This prevents browsers from interpreting unsafe html tags, such as <script>, and thereby executing malicious code. If you enable both request-header checking and XSS transformation, any special characters found in request headers are also modified as described above. If scripts on your protected web site contain cross-site scripting features, but your web site does not rely upon those scripts to operate correctly, you can safely disable blocking and enable transformation. This configuration allows legitimate web traffic while stopping any potential cross-site scripting attacks.
  [From Build 51.24] [# 685775]

• The NetScaler packet processing engine fails to start when URL transform regression scripts are executed during a low-memory condition.
  [From Build 51.24] [# 687625]

Clustering

• When secure connection is enabled on CCO, config sync doesn't work.
  [From Build 51.24] [# 525671]

DNS

• In a cluster setup, the default DNS policy is not made available to packet engines. With this fix, the default DNS policy is loaded into the packet engine.
  [From Build 51.24] [# 669829]

• If a NetScaler appliance receives a CNAME chain that includes some entries that are currently cached, the appliance returns a valid address record instead of reporting that the bailiwick check failed.
  [From Build 51.24] [# 675553]

• When a NetScaler appliance in resolver mode receives a DNS response from a name server and forwards it to an alternative name server, the NetScaler appliance goes DOWN.
  [From Build 51.24] [# 682730, 683138, 680141]

Front End Optimization

• The NetScaler appliance dumps core when the front end optimization (FEO) feature is enabled for one virtual server and an AppFlow action with client-side measurement is enabled for another virtual server.
  [From Build 51.24] [# 686146]

GSLB

• In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.
  [From Build 41.24] [# 682766, 683601, 685391]

• In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.
  [From Build 51.24] [# 682766, 683601, 685391]

Integrated Cache

• The integrated cache does not have enough memory to accommodate the policy updates required when all policies bound to a content group have to be updated because of a change in the cache configuration. This fix increases the cache memory allocation from 4 Kb to 80 KB.
  [From Build 51.24] [# 675025, 675504]

• The NetScaler Integrated Cache might delay processing of client requests if you enable the flash cache.
  [From Build 51.24] [# 681664]

Integrated Caching

• When a request is sent and if the back-end server responds with a 301 status code, the cache stores the response meaning the URL is permanently moved and Cache is trying to serve range request. This causes the NetScaler appliance to crash.
  [From Build 41.24] [# 673506, 684404]

Load Balancing

• The NetScaler appliance crashes, because an issue in the internal timer logic in stream analytics causes the system to spend more time than expected for ageing tasks.
  [From Build 51.24] [# 672899]

• A spillover trap might be sent even though a backup virtual server is not configured.

  With this fix, a spillover trap is sent only if one of the following conditions applies:

  - A spillover method or policy is configured.

  - No spillover method or policy is configured, but a backup virtual server is configured to accept the traffic when the primary virtual server is DOWN.
  [From Build 51.24] [# 679991]

• NetScaler: AAA

  A cached ticket is expired before server receives it. This happens when a NetScaler is used as a kerberos SSO to backend servers. This usually happens just around the time ticket expires, which is typically 10 hours.
  [From Build 51.24] [# 681026]

• When you rename an HTTPS virtual server that is associated with an internal HTTP virtual server, the internal virtual server's name is not changed correctly.
  [From Build 51.24] [# 681559, 674427]

• The maximum string size of Target Vserver Expression is 1500. If the configuration includes an expression greater than 1500, the NetScaler appliance crashes. With this fix, the maximum string size of Target Vserver Expression is limited to 1499.
  [From Build 51.24] [# 684131]

• The RADIUS shared secret key is now an optional configuration for all RADIUS load balancing and RADIUS Listener deployments. All existing configurations continue to function as they did before.

  The validation of the RADIUS shared secret key happens in the following scenarios:

  - RADIUS shared secret key is configured for both the radius client and the radius server: The NetScaler appliance uses the RADIUS secret key for both the client side and the server side. If the verification succeeds, the appliance allows the RADIUS message to go through. Otherwise, it drops the RADIUS message.

  - RADIUS shared secret key is not configured for either the radius client or the radius server: The NetScaler appliance drops the RADIUS message, because shared-secret-key validation cannot be performed on a node that has no radkey configured.

  - RADIUS shared secret key is not configured for both the RADIUS client and the RADIUS server: The NetScaler appliance bypasses the RADIUS secret key validation and allows the RADIUS messages to go through.
  [From Build 51.24] [# 687326, 688713, 690164]

NITRO

• In a partitioned NetScaler appliance, you can add authentication loginschemas with inbuilt schemas through the NetScaler command line interface only.

  To add authentication login schemas through the NetScaler CLI, use the switch partition command. For example:

  > switch partition p1

  Done

  p1> add loginSchema ls1 -authenticationSchema LoginSchema/DualAuth.xml

  Done
  [From Build 51.24] [# 687133]

NetScaler 1000V Appliance

• TCP services that go through tagged VLAN interfaces might go down.
  [From Build 51.24] [# 683196]

NetScaler GUI

• Certificate bundles are not supported in cluster setups.
  [From Build 51.24] [# 644199]

NetScaler Gateway

• When encryption is enabled for client security expressions (in the VPN session action parameter), the device might fail occasionally.
  [From Build 51.24] [# 607555, 616311]

• When HTTP Strict Transport Security (HSTS) is enabled on a virtual server and on a NetScaler appliance, the appliance adds an STS header to the response. An HSTS-enabled response advertises that the appliance accepts only HTTPS requests. It does not accept plain-text HTTP. This option prevents privacy leaks and downgrade attacks and uses trusted certificates to establish a secure connection to the server.

  When HSTS is enabled on a NetScaler appliance, a browser that supports HSTS does the following:

  - Automatically redirects the HTTP requests to HTTPS for the target domain. For example, http://example.com/some/page/ is changed to https://example.com/some/page/ before the appliance accesses the server.

  - Does not allow access to the server unless the connection is secure. For example, the server's TLS certificate must be valid, trusted, and not expired.
  [From Build 51.24] [# 654092]

• The NetScaler appliance becomes unresponsive if you change the NTLM path from HTTP to HTTPS.
  [From Build 51.24] [# 657633]

• The Certificate Revocation Lists (CRL) checks and Online Certificate Status Protocol (OCSP) validation are not done on a NetScaler appliance through an SSL renegotiation as part of certificate based authentication.
  [From Build 51.24] [# 658120, 684909]

• In rare cases, a NetScaler appliance dumps core if the server-side connection closes while NTLM Authentication is in progress..
  [From Build 51.24] [# 670062, 657633, 684467, 686139, 672074, 681078]

• When you run the "sh icaconnection summary" command, the columns in the output are misaligned.
  [From Build 51.24] [# 670277]

• Memory leak in SSLVPN pool is encountered when connection to AAAD daemon is closed at the time of authentication.
  [From Build 51.24] [# 670586, 683809, 671944]

• If you configure TACACS authentication in “password*OTP” format, and a user types an invalid credential, the following incorrect error message appears:

  Error in retrieving Versions. Cannot read property ‘replace’ of undefined.

  You can ignore the message.
  [From Build 51.24] [# 672001]

• With this enhancement, Storefront server can be used to validate user credentials instead of Active Directory server. This simplifies Gateway configuration in XA/XD deployments where StoreFront server is mandatory.

  This is applicable only for end user login with password. This feature cannot be used for group extraction without user password. Please check documentation for details.
  [From Build 51.24] [# 672398]

• User session exists on NetScaler appliance after client machine logs out of VPN because of SmartCard removal.
  [From Build 51.24] [# 675596]

• In rare cases, upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), NetScaler Gateway dumps core if SSO and Proxy are configured in Traffic policy.
  [From Build 51.24] [# 676545]

• NetScaler Gateway dumps core in case SingleSignOn (SS0) is disabled and the connection to server is removed or gatetimeout happens during TCP handshake with the back-end server.
  [From Build 41.24] [# 678251]

• NetScaler Gateway dumps core in case SingleSignOn (SS0) is disabled and the connection to server is removed or gatetimeout happens during TCP handshake with the back-end server.
  [From Build 51.24] [# 678251]

• The NetScaler appliance dumps core when a user connected, through Unified Gateway, to a VPN virtual server bound to an AppFlow policy does the following:

  1. Changes the content switching (CS) action to connect to another VPN virtual server, which is not bound to an Appflow policy.

  2. Then removes the first VPN virtual server.

  3. Continues to access resources over the initial VPN session.
  [From Build 51.24] [# 678847]

• DTLS feature must not be enabled on a virtual server configured with "listen" policy. Using command "add vpn vser" on a virtual server with the DTLS feature enabled and "listen" policy configured returns success but the DTLS feature does not get enabled on the virtual server.
  [From Build 51.24] [# 679025]

• In rare scenarios, NetScaler dumps core while accessing virtual server information when the RDP traffic is handled by separate RDP listener on NetScaler and the virtual server information is not present.
  [From Build 51.24] [# 679360]

• In rare situations, the Windows plug-in fails during VPN session logout.
  [From Build 51.24] [# 679570]

• Upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), back-end sites take too long to open.
  [From Build 51.24] [# 679582]

• In rare cases, a NetScaler Gateway appliance in a Unified Gateway (UG) deployment dumps core if the traffic management (TM) virtual server behind the UG is configured for SAML with advanced policies and the content switching (CS) policies are not properly configured to route SAML responses to TM.
  [From Build 51.24] [# 679768]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN) and the Gantt chart option under Tasks is selected, some of the options in the Tasks section (for example, Completed, and Late Task) are not accessible.
  [From Build 51.24] [# 681689]

• If Gateway is configured for certificate authentication in primary cascade with ldap group extraction in secondary, Gateway is disregarding errors from aaad when group extraction is attempted.
  [From Build 51.24] [# 681913]

• In rare scenarios, blue screen appears (BSOD) when NetScaler VPN plug-in is installed along with Pulse Secure plug-in.
  [From Build 51.24] [# 683009]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN), you can't access the "OneDrive" and "Sites" options on the home page if Clientless Mode URL Encoding is set to ENCRYPT.
  [From Build 51.24] [# 683390]

• In rare cases, the NetScaler appliance dumps core when a client sends a FIN event without an HTTP body.
  [From Build 51.24] [# 683452]

• HTML5 Receiver app launch fails while accessing a NetScaler Gateway bound with RfWebUI theme portal.
  [From Build 51.24] [# 683987]

• In rare scenarios, after rebooting the system, AlwaysON enabled VPN plugin fails to connect to Gateway.
  [From Build 51.24] [# 684709]

• When hundreds of users try to log on to NetScaler Gateway at about the same time, the logon page might stop loading, or it might load very slowly, in which case the logon process takes a very long time to complete.
  [From Build 51.24] [# 684774]

• Mail synchronization fails on iOS and Android devices if secure mail is configured to use secure ticket authority (STA).

  As written in the XenMobile Server known issue doc: http://docs.citrix.com/en-us/xenmobile/server/known-issues.html

  With NetScaler 12.0.41.16, when Secure Mail is configured with STA, mail sync fails on iOS and Android devices. The issue is fixed in NetScaler 10.0 build 41.22. For details and updates, see this Support Knowledge Center article. [#685075]
  [From Build 51.24] [# 685075]

• Mail synchronization fails on iOS and Android devices if secure mail is configured to use secure ticket authority (STA).
  [From Build 41.24] [# 685075]

• If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN) and upload a form that has a post body exceeding 8 KB, NetScaler rewrite policies do not decode the form content beyond 8 KB.
  [From Build 51.24] [# 685215]

• In rare cases, a NetScaler Gateway appliance dumps core when the single-sign-on feature tries to access an authentication resource that has been removed.
  [From Build 51.24] [# 685389]

• A secure load balancing virtual server on a NetScaler appliance processes both secure and insecure cookies.
  [From Build 51.24] [# 685421]

• The client detection logic for Citrix Receiver does not work in Firefox, because the browser no longer supports NPAPI plug-ins.
  [From Build 51.24] [# 686337]

• The NetScaler appliance fails to access the gateway home page after an upgrade to software release 11.1 build 51.21. The cause of the failure is the presence of an unexpected parameter (/ilearn).
  [From Build 51.24] [# 686715, 687092]

• In rare cases, while accessing Gateway via proxy, NetScaler dumps core if KCD based Single Sign-On is attempted to back-end servers.
  [From Build 51.24] [# 686858]

• In rare situations, VPN plug-in installation fails and a "Citrix Access Gateway is not supported on this platform" error message appears on a machine running a 64-bit operating system.
  [From Build 51.24] [# 687139]

• The NetScaler appliance dumps core during Core2Core communication as resetting the TCP connection closes the connection without cleaning the connection structure.
  [From Build 51.24] [# 687211]

• The NetScaler appliance fails when it tries to authenticate an invalid incoming HTTP packet.
  [From Build 51.24] [# 688215]

NetScaler ICA

• When session Reliability on HA Failover is enabled on a NetScaler high availability pair, the primary NetScaler has a buffer to maintain CGP sequence updates, which will be sent to secondary. After a reconnect, buffer updates wrong offset, resulting in corruption. Once the buffer corruption happens, wrong addresses will be accessed which can lead the NetScaler instance to become unresponsive.
  [From Build 41.24] [# 679494, 684204]

NetScaler SDX Appliance

• When you use a single-bundle image file to upgrade a NetScaler SDX appliance, the upgrade-progress page might become unresponsive.
  [From Build 51.24] [# 672042, 686510]

• A NetScaler SDX appliance does not propagate a global MAC address to the VPX instances if you do both of the following:

  - Assign a global base MAC address in generated mode to a manual channel or an LACP channel.

  - Reset the global base MAC address.
  [From Build 51.24] [# 682573]

• If system logs are not rotated properly, over time they consume too much disk space. This causes the XenServer server to run out of disk space and creates unexpected system behavior.
  [From Build 51.24] [# 683171, 684959, 685535]

• A NetScaler VPX instance's configuration is deleted if you use the Management Service to force a reboot of the instance.
  [From Build 51.24] [# 683743]

NetScaler VPX Appliance

• In a NetScaler VPX HA deployment running on AWS, when a failover makes the secondary node primary, the network interfaces are attached to the new primary in the wrong order.

  For example, if the primary node has NICS 1/2 (AA:BB:CC:DD:EE:FF), 1/3 (12:34:56:78:90:12), and 1/4 (1A:2B:3C:4D:5E:6F), upon failover the new primary would have 1/2 (1A:2B:3C:4D:5E:6F), 1/3(AA:BB:CC:DD:EE:FF), 1/4(12:34:56:78:90:12). Here, the interface MAC order has changed. However, this behavior does not apply to the NIC that's configured with the NetScaler management IP address.
  [From Build 51.24] [# 675746]

• In a NetScaler cluster, the configuration coordinator (CCO) node does not support the set ns vpxparam -cpuyield command for controlling CPU-usage behavior.
  [From Build 51.24] [# 678401]

Networking

• A NetScaler appliance might become unresponsive or a high CPU is observed during the following scenario:

  * The appliance resolves a domain into two IP addresses, one of the IP addresses is a NetScaler owned IP address and the other is an external IP address.

  * The appliance sends a packet destined to the external IP address from LO/1.

  * The response packet keeps looping after the appliance receives it.
  [From Build 51.24] [# 669754, 669977, 687943]

• In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.
  [From Build 51.24] [# 677815, 679068, 680001]

• In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.
  [From Build 51.24] [# 679068]

• Memory allocated for a TCP session might not get free after a failure in reassembling fragments of a size of more than 1500 bytes. This accumulation over a period of time depletes available memory.
  [From Build 51.24] [# 680185, 680186]

• Interfaces in MUTED state might drop the LLDP packets instead of processing them.
  [From Build 51.24] [# 682769]

• The NetScaler appliance drops ND6 solicitation packets received on interfaces that are in muted state.
  [From Build 51.24] [# 684119]

• The NetScaler appliance updates the ND entry of a next hop router with its MAC address after learning it from the router advertisement packets received from the router. The appliance might not update the state of the ND entry from INCOMPLETE to STALE. This update failure results in looping the outgoing packets ( destined through the next hop router) in the NetScaler queue. As a result, the NetScaler appliance becomes unresponsive.
  [From Build 51.24] [# 684126]

• The NetScaler appliance does not process the BGP remote-as configuration for an IPv6 peer after a reboot resulting in the loss of BGP configuration for this peer.
  [From Build 51.24] [# 685123]

• In a NetScaler telco deployment, the NetScaler appliance reuses the outgoing probe connection information for two different incoming connections with the same 4-tuple that are destined to the same server. This reuse of probe connection might cause the NetScaler appliance to become unresponsive.
  [From Build 51.24] [# 685344]

Optimization

• With this fix, the built-in video detection policies have new names, which more clearly represent the purposes of the policies.
  [From Build 51.24] [# 681308]

• With this fix, the built-in video detection policies have new names, which more clearly represent the purposes of the policies.
  [From Build 41.24] [# 681308]

• When configuring the NetScaler video optimization feature, you cannot bind built-in detection policies or custom optimization policies to multiple virtual servers. An attempt to do so produces the following error message, "ERROR: CVPN Policies cannot be bound to multiple entities."

  For example:

  > bind lb vserver IPv4_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 600 -gotoPriorityExpression 3300 -type RESPONSE

  > bind lb vserver IPv6_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 601 -gotoPriorityExpression 3301 -type REQUEST

  ERROR: CVPN Policies cannot be bound to multiple entities
  [From Build 41.24] [# 682864]

• When configuring the NetScaler video optimization feature, you cannot bind built-in detection policies or custom optimization policies to multiple virtual servers. An attempt to do so produces the following error message, "ERROR: CVPN Policies cannot be bound to multiple entities."

  For example:

  > bind lb vserver IPv4_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 600 -gotoPriorityExpression 3300 -type RESPONSE

  > bind lb vserver IPv6_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 601 -gotoPriorityExpression 3301 -type REQUEST

  ERROR: CVPN Policies cannot be bound to multiple entities
  [From Build 51.24] [# 682864]

• A NetScaler appliance crashes if you generate AppFlow or ULFD records for clear-text video transactions.
  [From Build 41.24] [# 682947]

• A NetScaler appliance crashes if you generate AppFlow or ULFD records for clear-text video transactions.
  [From Build 51.24] [# 682947]

Policies

• In some cases, the system encounters a fault if, when adding an entry to a pattern set, you experience errors such as too long patset strings, bad UTF-8 characters, or bad regular expressions.
  [From Build 51.24] [# 675677]

• When an Advanced expression function in an ALT expression blocks the current evaluation of the expression, then upon resumption it may cause the NetScaler appliance to crash.
  [From Build 51.24] [# 687345]

SSL

• Even though TLS protocol versions 1.1 and 1.2 are not supported by firmware version 1.1, the protocols appear as enabled by default on an SSL virtual server.
  [From Build 51.24] [# 576274]

• After you upgrade to this build, the priority of the cipher groups changes in the default profile.
  [From Build 41.24] [# 579059, 679085]

• A configuration loss, such as the ECC curve and ciphers unbinding from an SSL virtual server or service, might occur after you upgrade to this build.
  [From Build 51.24] [# 613912, 643135, 647100]

• If you add a partition and later remove it, the state of all the SSL virtual servers configured on the appliance changes to DOWN.
  [From Build 51.24] [# 660319, 667130, 671887]

• A NetScaler appliance might dump core and restart if you have configured policy based SSL renegotiation and a client sends multiple SSL records before renegotiation is initiated.
  [From Build 51.24] [# 673348, 682192, 682160, 684547, 684992, 687515]

• In rare cases, a NetScaler appliance might dump core and restart if you add a certificate revocation list (CRL) larger than 256 KB.
  [From Build 51.24] [# 674278, 678890]

• The NetScaler appliance might occasionally send a wrong certificate if SNI is enabled.
  [From Build 51.24] [# 675158]

• If an OCSP responder URL incorrectly resolves to a NetScaler reserved IP address, the appliance dumps core memory and restarts.
  [From Build 51.24] [# 675887]

• If an OCSP responder URL incorrectly resolves to a NetScaler reserved IP address, the appliance dumps core memory and restarts.
  [From Build 41.24] [# 675887]

• If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.
  [From Build 41.24] [# 678474]

• If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.
  [From Build 51.24] [# 678474]

• If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.
  [From Build 41.24] [# 678743, 678740]

• If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.
  [From Build 51.24] [# 678743, 678740]

• You cannot modify the internal OCSP responder parameters in this build. This is a temporary limitation.
  [From Build 41.24] [# 679708]

• You cannot modify the internal OCSP responder parameters in this build.
  [From Build 51.24] [# 679708]

• The value for days to expiration of a certificate appears incorrectly on a cluster IP (CLIP) address.
  [From Build 51.24] [# 682493]

• In a cluster setup, if you remove a service group, the corresponding entries on the CCO node are not deleted.
  [From Build 51.24] [# 682767]

• The NetScaler appliance dumps core and restarts if a wildcard SSL virtual server has the -m mac option enabled.
  [From Build 51.24] [# 682775]

• In a cluster setup, if you rename a service group, the corresponding entries on the CCO node are not updated.
  [From Build 51.24] [# 682784]

• On a NetScaler MPX or SDX 14000 FIPS appliance, requests are not forwarded to the back-end server if virtual-server based transparent access with a wildcard IP address (*:443) is configured in a transparent SSL acceleration setup.
  [From Build 51.24] [# 684413]

• Memory usage might continuously increase on a partitioned NetScaler VPX appliance processing SSL traffic. As a result, the appliance might become unresponsive after some time.
  [From Build 51.24] [# 685669]

• The NetScaler appliance dumps core and restarts if it receives a request while both session-ticket and SSL-session persistence are enabled.
  [From Build 51.24] [# 687575]

• The NetScaler appliance dumps core and restarts if both client authentication and session ticket are enabled and a session ticket reuse request is continuously received on the appliance.
  [From Build 51.24] [# 687777]

System

• Enabling both the AppFlow option and the AppQoE option might cause a memory leak, which can degrade performance and eventually cause the appliance to fail.
  [From Build 51.24] [# 640545, 685334, 686832, 687603]

• If the integrated cache (IC) memory limit is set to a value greater than 4 GB and front end optimization (FEO) is enabled, the NetScaler appliance crashes.
  [From Build 51.24] [# 666208]

• A NetScaler appliance adds an SNMP trap for TCP-level synflood if the Varbindings are incorrect for the synflood trap.
  [From Build 51.24] [# 671128]

• Snmpd communicates with nsaggregatord to process the requests it receives. The SNMP Code also maintains a cache of the responses from aggregator in the form of a CacheTable. If the CacheTable is corrupted, a crash might result.
  [From Build 51.24] [# 675631]

• If you enable Front End Optimization (FEO) and configure Integrated Cache (IC) with cache selectors, the NetScaler appliance might crash.
  [From Build 51.24] [# 677943]

• In a high availability setup, the following command-propagation warning message appears when a backup is created for a large configuration file on the primary node: "Warning: There is no response from secondary. Propagation Timed out” However, propagation of the backup file succeeds after some time.
  [From Build 51.24] [# 679376]

• A NetScaler appliance crashes if the content-type header is missing from an HTTP responder.
  [From Build 51.24] [# 681284]

• If a client sends an HTTP/2 header continuation frame, the NetScaler appliance dumps core.
  [From Build 51.24] [# 681361, 683274]

• If a load balancing virtual server configured with a backup server is down, the si_cur_Client counter underflows, causing client connections for the virtual server to display abnormal values in the NetScaler GUI.
  [From Build 51.24] [# 682762]

• If multiple trap destinations have the same IP address but different SNMP versions, one of which is SNMPv3, modifying an SNMPv3 trap message leads to an appliance failure.
  [From Build 51.24] [# 683622, 683806]

• If the MSS value in a client TCP handshake with a NetScaler appliance is from 1322 to 1329, the appliance sends 1330-byte segments, which cause packet drops, and the TCP connection fails.
  [From Build 51.24] [# 684148, 687638]

• A NetScaler appliance in a high availability configuration crashes when using TCP transport to send log messages.
  [From Build 51.24] [# 685898]

• The NetScaler appliance does not send buffered log messages when the SYSLOG server is ready to accept them.
  [From Build 51.24] [# 686751]

User Interface

• When secure connection is enabled on CCO, config sync doesn't work.
  [From Build 41.24] [# 525671]

Release history