April 4, 2018 | Release notes version: 1.0
This release notes document describes the enhancements and changes, lists the issues that are fixed, and specifies the issues that exist, for the NetScaler release 12.0 Build 56.20. See Release history.
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- This build includes fixes for the following 35 issues that existed in the previous NetScaler 12.0 release build: 691795, 692922, 691229, 692649, 691268, 693310, 658108, 692943, 688274, 691507, 678885, 686516, 692771, 693522, 687084, 689491, 692326, 693286, 690647, 685181, 693472, 688412, 690975, 675347, 686713, 688100, 692481, 693312, 693356, 633371, 684574, 691308, 692149, 692613, 690534.
- The known issues section is cumulative. It includes issues newly found in this release, and issues that were not fixed in previous NetScaler 12.0 releases.
- The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the NetScaler team.
Points to Note
Some important aspects to keep in mind while using Build 56.20.
NetScaler SDX Appliance
- [# 699567] When you upgrade a NetScaler SDX appliance from an older release to release 11.1 51.x and later, some of the VPX instances running on the SDX appliance fail to start if both of the following conditions are met:
  - The SDX appliance is configured with Intel X710 10G and XL710 40G NICs.
  - More than 20 VPX instances run on the SDX appliance.
  This happens because in older NetScaler releases (prior to 11.1 51.x) one NIC could support up to 40 VPX instances, whereas from release 11.1 51.x onwards one NIC supports only up to 20 VPX instances. So, after you upgrade to release 11.1 51.x and later, ensure that no more than 20 VPX instances are configured on any one NIC. For additional VPX instances, configure a different NIC.
- [# 517917] Deprecating NetScaler Functionalities and Classic Policy Engine (CPE) in 12.0
  Citrix recommends that you use the Advanced Policy Infrastructure (PI) instead of the Classic Policy Engine (CPE). For more information, see the Deprecating NetScaler functionalities and Classic Policy Engine (CPE) topic.
  Some NetScaler features and functionalities are now deprecated. Citrix recommends that you do not use the deprecated features through the NetScaler command interface, the NetScaler GUI, or Nitro automation. However, to ease the transition to the new alternatives, the deprecated features remain usable for a limited time and will be removed in future releases.
  Note: You can use the nspepi tool to convert commands, expressions, and whole configurations. For more information, see the Converting Classic Expressions to Newer Default Expression Syntax topic.
  Use of Classic policy expressions is now deprecated in the following:
  1. Classic named (policy) expression
  2. Application Firewall Classic policy
  3. Compression Classic policy
  4. Cache Redirection policy
  5. Content Switching Classic policy
  6. SSL Classic policy
  7. AAA preauthentication policy
  8. Audit SYSLOG policy
  9. Audit NSLOG policy
  10. Authentication local policy
  11. RADIUS Authentication policy
  12. LDAP Authentication policy
  13. Authentication Certification (cert) policy
  14. TACACS Authentication policy
  15. Authentication negotiate policy
  16. SAML Authentication policy
  17. Delegation Forms Authentication (DFA) policy
  18. Web authentication policy
  19. Authorization policy
  20. Traffic Management session policy
  21. Tunnel traffic policy
  22. VPN traffic policy
  23. VPN Session policy
  24. Trace Classic expression
  25. SYS.EVAL_CLASSIC_EXPR Classic expression
  The following NetScaler features and functionalities are deprecated in NetScaler 12.0:
  1. SPDY
  2. SureConnect (SC)
  3. Priority Queuing (PQ)
  4. HTTP Denial of Service Protection (HDoSP)
  5. HTMLInjection
  6. Filter
  7. Q and S prefixes in Advanced expressions
  8. Pattern parameter in Rewrite action
What's New
The enhancements and changes that are available in Build 56.20.
- [# 681415] HMAC SHA256 Authentication Support for NetScaler AAA
  The NetScaler appliance configured for NetScaler AAA now accepts incoming tokens that are signed using the keyed-hash message authentication code (HMAC) HS256 algorithm. Because HS256 is symmetric, the appliance verifies tokens with the same secret the issuer signs with, so that shared secret must be protected like a signing key. In addition, the public keys of the SAML Identity Provider (IdP) are read from a file instead of being learned from a URL endpoint. For more information, see https://docs.citrix.com/en-us/netscaler/12/aaa-tm/oauth-authentication.html.
- [# 691235, 691739, 617838] OpenID Connect Support for NetScaler AAA
  A NetScaler appliance can now be configured as an identity provider by using the OpenID Connect protocol. OpenID Connect is an identity layer on top of the OAuth mechanism that lets a relying party obtain user information from the authorization server. For more information, see https://docs.citrix.com/en-us/netscaler/12/aaa-tm/configuring-openid-connect-protocol.html.
- [# 676597] SNMP Monitoring for Partition Resource Utilization
  SNMP Get and Walk are now supported on a partitioned NetScaler appliance for monitoring resource utilization details such as bandwidth, memory, or connection resources.
- [# 691119, 682150] Support for Heterogeneous Cluster
  The NetScaler appliance now supports a heterogeneous cluster in a cluster deployment. A heterogeneous cluster spans nodes of different NetScaler hardware, so you can combine different platforms in the same cluster. For more information, see https://docs.citrix.com/en-us/netscaler/12/clustering/support-for-heterogeneous-cluster.html.
- [# 681813] Backup Persistence Support for SSL Session ID
  Source IP persistence is now supported as a backup persistence type for SSL session ID persistence. If the client and the load-balanced server renegotiate the session, and source IP persistence is configured as the backup persistence, client requests continue to be forwarded to the same server. For more information, see https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-persistence/session-id-persistence.html.
- [# 669787, 655064, 687327] Changes in the Create Monitor Page and Persistence Type Selection
  In the Create Monitor page, Standard Parameters and Special Parameters are renamed Basic Parameters and Advanced Parameters, respectively. The Basic Parameters section contains the parameters that must be set for each monitor. The Advanced Parameters section contains the parameters that are used in advanced use cases. For more information, see https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-configure-monitors/create-monitor.html.
  In the Persistence Type Selection page, the persistence types most suitable for a virtual server are offered as option buttons. Other persistence types that are applicable to the specific virtual server type can be selected from the Others list. For more information, see https://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-persistence/rule-persistence.html.
- [# 481784, 402833, 508834, 682862] Support for Validating the Server Certificate Provided by the Back-End Server During an SSL Handshake
  The NetScaler Gateway appliance can now be configured to validate the server certificate presented by the back-end server during an SSL handshake. You can use the NetScaler CLI or the NetScaler GUI to configure this validation. For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12/validating-server--certificate-during-ssl-handshake.html.
- [# 621062] Authorization Policy Support for UDP, DNS, and ICMP Traffic
  The NetScaler Gateway appliance now supports authorization policy configuration for UDP, DNS, and ICMP traffic. The policy can be configured by using default syntax policies only.
- [# 689493] Network Access Control and Conditional Access for Windows by Using Microsoft Enterprise Mobility + Security (EMS)
  The NetScaler Gateway client running on a Windows machine can now be configured to provide Network Access Control and Conditional Access by using Microsoft Enterprise Mobility + Security (EMS).
- [# 690030] Support for End-to-End Encryption with DTLS 1.0 for Enlightened Data Transport (EDT) Termination Between Receiver and VDA
  With this enhancement, the NetScaler Gateway appliance supports end-to-end encryption with DTLS 1.0 for EDT termination between Receiver and the VDA. Also, the appliance can now be configured for double-hop EDT traffic between Receiver and the VDA. For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12/hdx-enlightened-data-transport-support.html.
- [# 690852] Proxy Auto Configuration (PAC) Support for the Client Running on Mac Operating System
  The NetScaler Gateway appliance can now be configured to support Proxy Auto Configuration (PAC) for a client running on the Mac operating system. For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12/proxy-auto-configuration-for-outbound-proxy-support-for-netScaler-gateway.html.
- [# 695727] Using Advanced Policy
  - The following VPN policies can now be configured by using default syntax policies:
    - Session policy
    - Authorization policy
    - Traffic policy
    - Tunnel policy
    - Audit policy
  - End Point Analysis (EPA) scan functionality can now be configured as an nFactor for authentication. Previously the EPA scan was configured as part of the session policy. It can now be linked to nFactor, which gives more flexibility as to when the scan is performed.
  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12/using-advance-policy-to-create-vpn-policies.html.
NetScaler SDX Appliance
- [# 693950] Support for SWG Instances on a NetScaler SDX Appliance
  This release supports Secure Web Gateway (SWG) instances on all NetScaler SDX platforms. You must purchase an "SDX 2-Instance Add-On Pack for Secure Web Gateway" license to provision an SWG instance on the SDX appliance. For more information, see https://docs.citrix.com/en-us/sdx/12/deploying-sdx-swg-instances.html.
NetScaler Secure Web Gateway
- [# 695039] New Nodes in the GUI
  The Load Balancing and Content Switching nodes now appear after the Secure Web Gateway node in the NetScaler Secure Web Gateway GUI, so you can configure deployments that combine Secure Web Gateway with load balancing or content switching from that GUI. Also, the SSL Interception node is renamed SSL Interception Policies.
NetScaler VPX Appliance
- [# 693061] Support for VPX Express License
  The VPX Express license is a new license offering for NetScaler VPX on-premises and cloud deployments. If a VPX instance does not have any license, it comes up with the VPX Express license by default. The Express license includes:
  - 20 Mbps bandwidth
  - All NetScaler Standard license features, except NetScaler Gateway
  - A maximum of 250 SSL sessions
  - 20 Mbps SSL throughput
  You can upgrade the VPX Express license to either of the following:
  1. A standalone NetScaler VPX license
  2. A NetScaler Pooled Capacity license for VPX instances. For more information, see https://docs.citrix.com/en-us/netscaler-mas/12/netscaler-pooled-capacity.html
  For more information about NetScaler licenses, see https://docs.citrix.com/en-us/netscaler/12/licensing/netscaler-licensing-overview.html.
- [# 543535, 603626] Support for ECDHE Ciphers on the Back End of NetScaler VPX Instances
  Citrix NetScaler VPX instances now support the ECDHE cipher group on the back end. This group contains the following ciphers:
  - TLS1-ECDHE-RSA-AES256-SHA (0xc014)
  - TLS1-ECDHE-RSA-AES128-SHA (0xc013)
  - TLS1-ECDHE-RSA-DES-CBC3-SHA (0xc012)
  - TLS1-ECDHE-RSA-RC4-SHA (0xc011)
  Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in mobile (wireless) environments and in interactive voice response environments, where every millisecond matters. Smaller key sizes save power, memory, bandwidth, and computation. Note that the RC4 and 3DES (DES-CBC3) suites in this group exist for compatibility with legacy back ends only; both are considered weak, so bind only the AES suites unless a back end requires otherwise. The following ECC curves are supported: P_256, P_384, P_224, and P_521. By default, all four curves are bound to an SSL virtual server. For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/cipher_protocl_support_matrix.html.
- [# 603623, 690665, 676131, 695579] Support for 4096-bit Server Certificates and 4096-bit DH Keys on a NetScaler VPX Instance
  A NetScaler VPX instance now supports 4096-bit server certificates on the back end and 4096-bit DH keys on the front end and back end. For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/ssl-server-cert-support-matrix.html.
- [# 632600] Support for DTLS 1.0 on the Back End of a NetScaler Appliance
  The NetScaler appliance now supports DTLS 1.0 on the back end. With this enhancement, a NetScaler or NetScaler Gateway appliance can talk to a virtual desktop agent over DTLS. You can use the NetScaler CLI or the NetScaler GUI to configure a DTLS back-end service on the appliance. For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/config-ssloffloading/configuring-a-dtls-service.html.
- [# 636019, 629981] Support for Skipping the Policy Extension Check in a Certificate Chain
  The NetScaler appliance can now skip the check of the policy extension, if one is present in an X.509 certificate chain. If client authentication is enabled and the client certificate is set to mandatory, you can set "Skip Client Certificate Policy Check" in the front-end SSL profile. Skipping the check relaxes certificate policy enforcement, so enable it only when your CA hierarchy requires it. For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/config-client-auth.html.
- [# 636381] Support for ChaCha20-Poly1305 Ciphers on a NetScaler VPX Instance
  ChaCha20-Poly1305 cipher suites are now supported on the front end and back end of NetScaler VPX instances. ChaCha20-Poly1305 is an AEAD construction that combines the ChaCha20 stream cipher with the Poly1305 authenticator; it is fast in software, particularly on hardware without AES acceleration. The following cipher suites are supported in this release:
  - TLS1.2-DHE-RSA-CHACHA20-POLY1305 (Hex: 0xCCAA)
  - TLS1.2-ECDHE-RSA-CHACHA20-POLY1305 (Hex: 0xCCA8)
  The cipher alias name is CHACHA20. For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/cipher_protocl_support_matrix.html.
- [# 673219] A New Category of SSL Certificates
  A new category of SSL certificates called Unknown Certificates is added to the NetScaler GUI. This category is for certificates that do not meet the conditions for end-user certificates (both server and client), CA certificates, or intermediate CA certificates. To view these certificates, navigate to Traffic Management > SSL > Certificates > Unknown Certificates.
- [# 677459] Optimizing ECDHE Computation on NetScaler MPX 5900/8900 and NetScaler SDX 8900 Platforms
  ECDHE-RSA computation has been optimized by using a combination of software and hardware offload capabilities. For more information, see http://docs.citrix.com/en-us/netscaler/12/ssl/customize-ssl-config/ssl-hybrid-ecdhe-optimization.html.
- [# 694386] Support for FIPS 140-2 Level 3 on MPX/SDX 14000 FIPS Platforms
  This release adds support for FIPS 140-2 Level 3 on the MPX 14000 FIPS and SDX 14000 FIPS platforms. The "set fips" command still accepts only the "Level-2" option; internally, Level-2 is mapped to Level 3. For more information, see https://docs.citrix.com/en-us/netscaler/12/ssl/configuring-mpx-14000-fips-appliance.html and https://docs.citrix.com/en-us/netscaler/12/ssl/configuring-SDX-14030-14060-14080-fips-appliance.html.
- [# 550606] SNMP Alarm for NetScaler Configuration Save Failure
  You can now enable the CONFIG-SAVE alarm, which reports a failure to save the configuration on a NetScaler appliance. When the alarm is enabled, the appliance sends a proactive notification (SNMP trap) to the trap destination, so that administrators can correct the failure in time and respond before configuration is lost.
- [# 641912] Policy Support for RSA Encryption
  A NetScaler appliance now supports policy-based RSA encryption. The PKEY_ENCRYPT_PEM() function encrypts predefined or user-defined HTTP header or body content. The function accepts only RSA public keys (not private keys), and the data to be encrypted cannot be longer than the public key (the modulus). Data shorter than the key length is padded by using the PKCS1 padding method; PKCS#1 v1.5 encryption padding itself consumes 11 bytes, so the usable plaintext size is the modulus length minus 11 bytes. For example, the function can be used with the B64ENCODE() function in a rewrite action to replace an HTTP header value with the value encrypted by an RSA public key, which the recipient can then decrypt with the corresponding RSA private key.
- [# 652119] HTTP Version 2 Support for Server Side
  The NetScaler appliance now supports HTTP/2 on the server side of an HTTPS or HTTP load balancing setup. If the back-end server supports HTTP/2, the appliance and the server use one of the following methods to start communicating in HTTP/2:
  - TLS ALPN (for an HTTPS load balancing setup)
  - HTTP/2 Upgrade (for an HTTP load balancing setup)
  - Direct HTTP/2 (for an HTTP load balancing setup)
  - Direct HTTP/2 using Alternative Service (for an HTTP load balancing setup)
  For more information, see https://docs.citrix.com/en-us/netscaler/12/system/http-configurations/configuring-http2.html.
- [# 671824] NetScaler Adaptive TCP Optimization
  The new NetScaler Adaptive TCP feature optimizes TCP and HTTP traffic over a mobile network. On receiving a connection request, the appliance uses an optimization technique that independently adapts a TCP profile to the subscriber's network conditions. By enabling the feature, network operators gain deep insight into a TCP connection and can apply different TCP profiles to get the maximum benefit of TCP optimization for any network condition.
- [# 677352] NetScaler Connection Quality Analytics (CQA)
  The NetScaler Connection Quality Analytics (CQA) feature derives CQA parameters such as network type (2G, 3G, or 4G), congestion level (None, Low, Medium, or High), and signal quality (Excellent, Good, Fair, or Poor) from raw metrics extracted during an active connection. The appliance stores the derived data in memory and also exports it to AppFlow collectors for TCP statistics and reporting.
- [# 684446] Advanced TCP Statistics Reporting
  The Advanced TCP Statistics feature can now generate rich insight into a TCP connection by collecting raw metrics such as maximum RTT, maximum bytes in flight (BIF), average bandwidth-delay product, and total packets transmitted or retransmitted. The statistics are calculated based on the burst detection mechanism of the TCP Speed Reporting feature.
- [# 691276, 690506, 693505] Call Home Enabled by Default on All NetScaler Platforms
  NetScaler Call Home is now enabled by default on NetScaler platforms such as MPX, VPX, and SDX. With this feature enabled, you allow Citrix to collect NetScaler deployment and usage details for better product design, implementation, and support service. Review this default after upgrading if your organization restricts outbound telemetry; the feature can be disabled.
- [# 694164] Direct HTTP/2 Support for Server Side
  A NetScaler appliance supports direct HTTP/2 for the server side of an HTTP load balancing setup. When direct HTTP/2 is enabled for an HTTP load balancing service, the appliance starts communicating with the server in HTTP/2 directly instead of using the HTTP/2 upgrade method. If the server does not support HTTP/2 or is not configured to accept HTTP/2 requests directly, it drops the HTTP/2 requests from the appliance.
  The NetScaler appliance also supports direct HTTP/2 using alternative service (ALT-SVC) for the server side of an HTTP load balancing setup. When alternative service is enabled for an HTTP load balancing service, the appliance sends a direct HTTP/2 request to the server after the server has advertised HTTP/2 support in the ALT-SVC field of its HTTP/1.1 responses to the appliance. The appliance and the server then communicate directly in HTTP/2. For more information, see https://docs.citrix.com/en-us/netscaler/12/system/http-configurations/configuring-http2.html.
- [# 681754] Policy Support for QUIC-Based Video Optimization
  NetScaler now supports policy-based video optimization for QUIC traffic over UDP.
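The following is an added example, not code from this page or from Citrix, illustrating the [# 641912] RSA rewrite item above: it encrypts an HTTP header value the way a PKEY_ENCRYPT_PEM() followed by B64ENCODE() rewrite does (RSA with PKCS#1 v1.5 block type 2 padding, then base64) and shows the recipient's decryption with the matching private key. The RSA key is a constructed toy key (two Mersenne primes, 150-bit modulus) so that the block runs with the Python standard library alone; the NetScaler function reads a real PEM public key of a sensible size. The function names, the helper that simulates the rewrite action, and the sample headers are assumptions of this example.

```python
"""Added example (not NetScaler's code): RSA PKCS#1 v1.5 encryption of one HTTP
header value, as a PKEY_ENCRYPT_PEM()/B64ENCODE() rewrite produces it, and the
recipient's decryption with the private key. Standard library only."""
import base64
import secrets

# Constructed demo key: far too small for real use, chosen so the arithmetic is
# verifiable by hand. gcd(E, (P-1)(Q-1)) == 1 for these two primes.
P = 2 ** 61 - 1            # Mersenne prime
Q = 2 ** 89 - 1            # Mersenne prime
N = P * Q                  # 150-bit modulus
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8   # modulus length in bytes (19 here)

# EME-PKCS1-v1_5 block layout: 00 || 02 || PS || 00 || M, with PS at least 8
# nonzero random bytes, so the plaintext M is limited to K - 11 bytes.
MAX_PLAINTEXT = K - 11


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Build a PKCS#1 v1.5 type 2 block of exactly k bytes around msg."""
    if len(msg) > k - 11:
        raise ValueError(f"plaintext is {len(msg)} bytes; at most {k - 11} fit a {k}-byte key")
    ps = bytearray()
    while len(ps) < k - len(msg) - 3:       # random, nonzero padding string
        b = secrets.token_bytes(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + bytes(ps) + b"\x00" + msg


def pkcs1_v15_unpad(block: bytes) -> bytes:
    """Strip PKCS#1 v1.5 type 2 padding; any malformed block raises ValueError."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        raise ValueError("bad padding")
    sep = block.find(b"\x00", 2)            # first zero after the PS
    if sep < 10:                            # PS must be at least 8 bytes long
        raise ValueError("bad padding")
    return block[sep + 1:]


def encrypt_header_value(value: str) -> str:
    """Equivalent of PKEY_ENCRYPT_PEM(public key).B64ENCODE() for one value."""
    m = int.from_bytes(pkcs1_v15_pad(value.encode("utf-8"), K), "big")
    c = pow(m, E, N)
    return base64.b64encode(c.to_bytes(K, "big")).decode("ascii")


def decrypt_header_value(b64: str) -> str:
    """Recipient side: base64-decode, RSA-decrypt with the private key, unpad."""
    raw = base64.b64decode(b64)
    if len(raw) != K:
        raise ValueError("ciphertext length does not match the modulus")
    c = int.from_bytes(raw, "big")
    if c >= N:
        raise ValueError("ciphertext out of range")
    m = pow(c, D, N).to_bytes(K, "big")
    return pkcs1_v15_unpad(m).decode("utf-8")


def rewrite_header(headers: dict, name: str) -> dict:
    """Simulate the rewrite action: replace headers[name] with its encrypted form
    and leave every other header untouched (hypothetical helper)."""
    out = dict(headers)
    if name in out:
        out[name] = encrypt_header_value(out[name])
    return out


if __name__ == "__main__":
    # Constructed sample request headers.
    request = {"Host": "app.example.test", "X-User": "user42"}
    forwarded = rewrite_header(request, "X-User")
    print("X-User sent to back end:", forwarded["X-User"])
    print("X-User recovered by back end:", decrypt_header_value(forwarded["X-User"]))
```

With the 19-byte toy modulus at most 8 bytes of plaintext fit; with a 2048-bit key the limit is 245 bytes, and the appliance reports an error rather than splitting longer values. Two properties the rewrite action does not change: each encryption of the same value yields a different ciphertext because the padding is random, and the recipient's unpadding must not reveal whether the padding was valid (through distinct error messages or timing), since that is the padding-oracle weakness of PKCS#1 v1.5; decrypt only on a trusted back end and fail with one generic error.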
Fixed Issues
The issues that are addressed in Build 56.20.
- [# 686810]If an assertion is sent twice from the same browser, a NetScaler authentication virtual server configured by using SAML authentication returns a 404-error message.
- [# 691795] In some cases, a NetScaler appliance becomes unresponsive if either or both of the following conditions are met:
  - SSO and Proxy are configured.
  - The authentication request uses the POST method.
- [# 693241] A NetScaler Gateway might occasionally become unresponsive if the following conditions are met:
  - A static text string is configured in the webAuthAction parameter.
  - The webAuthAction action is updated or removed after being used at least once.
- [# 694433, 686735] A NetScaler appliance configured for forms single sign-on (SSO) to a back-end server adds whitespace at the end of the URL, before the HTTP version.
- [# 695087]In the SAML LogoutRequest parameter, the attributes SPNameQualifier and NameQualifier are missing from the NameID element when a SAML Service Provider (SP) receives an assertion from SAML Identity Provider (IdP).
- [# 695118] The NSC_TASS cookie set by NetScaler AAA was not marked HttpOnly, so client-side script could read it. With this fix, the cookie carries the HttpOnly flag and script can no longer read it.
- [# 695703] If the initial request to the traffic management virtual server is an unauthenticated POST request, a NetScaler appliance configured for NetScaler AAA disregards the POST body.
- [# 695764] A NetScaler appliance configured for NetScaler AAA might become unresponsive while performing single sign-on (SSO) to a back-end server if the front-end connection is lost.
- [# 697392]If a SAML Identity Provider (IdP) sends a namespace for a digital signature and if the namespace is not within the signedInfo or signature parameters, the NetScaler appliance configured for SAML Service Provider (SP) rejects the namespace assertion and the signature validation fails.
- [# 692922]In rare cases, one of the partitions on a partitioned appliance does not get enough slots to send Gratuitous Address Resolution Protocol (GARP) messages for all its IP addresses on the network.
- [# 691229]A NetScaler appliance might become unresponsive if an AppFlow action has client-side measurements enabled and the appliance receives a corrupted request.
- [# 692649]A NetScaler appliance might become unresponsive if an AppFlow action has client-side measurements enabled and the appliance receives an HTTP server response before the full client request.
- [# 686540]If you use the CLI of a NetScaler AppFirewall appliance to display an enum definition, the AS_CCARD_DEFAULT_CARD_TYPE default value for credit card options is not included.
- [# 691268]A NetScaler AppFirewall custom signature request for field name value parsing does not clear the field name pattern match buffer.
- [# 692814]In some cases, when a credit card number is split across multiple packets, the learned data rules of a NetScaler application firewall report incorrect credit card information.
- [# 694195] On a NetScaler application firewall appliance in a high-availability setup, the appliance might crash while performing an application security check because of memory resource constraints.
- [# 694727] If a signature rule is configured on the POST body with the content type "application/xml", the NetScaler application firewall appliance might not apply the associated rule actions to traffic even after the rule matches the traffic.
- [# 694764] On a NetScaler AppFW profile with the charset set to Japanese (SJIS), enabling SQL transform transforms Japanese data that contains yen symbols.
- [# 695903]The error message “Cannot deploy CSS relaxation with empty value” appears when you attempt to deploy CSS learned rules with value type as "$" on a NetScaler application firewall appliance.
- [# 657190]Counters for classic cache redirection policies are not incremented for HTTPS traffic.
- [# 693310]The NetScaler appliance returns incorrect NODATA responses for records that are configured by using the NetScaler CLI and if DNS queries with EDNS Client Subnet Option are sent for such records.
- [# 693315]When a NetScaler appliance receives a DNS query, the NetScaler appliance does not forward the query to the back-end server. Instead, the appliance responds with a SERVFAIL error.
- [# 658108, 679822, 692324, 692737, 695765]When a remote GSLB service is configured with an external monitor on a GSLB site node, the state of this service might become inconsistent across packet engines, because of core-to-core message failures. In that case, the NetScaler appliance might generate incorrect replies to GSLB domain queries.
- [# 692943]GSLB auto synchronization might fail if the GSLB virtual server's status appears different on the sites participating in GSLB.
- [# 696496]When a responder policy with a rate limiting expression is bound to a DNS bindpoint, and DNS views are configured, the NetScaler appliance might fail to return an expected response to a GSLB domain query.
- [# 688274]If the response from the Integrated Caching (IC) module has trailing spaces in the content-length header, the HTTP/2 connection times out.
- [# 696001, 697526, 696597, 697716, 697718, 697268, 697535, 698707, 700083, 700414]A NetScaler appliance might crash when stored static objects cause the buffer to overflow and overwrite the pointer to the adjacent buffer.
- [# 691507]The NetScaler appliance might crash if deletion of a service item and display of the service item are executed in parallel.
- [# 694655]A packet engine crashes because of an invalid memory reference when memory allocation for Call ID persistence session fails. With this fix, the packet engine checks for memory allocation failure before accessing the persistence session.
- [# 695326]The NetScaler appliance crashes if a delinked TCP connection is logged incorrectly.
- [# 684653]A NetScaler appliance might crash or become unresponsive if you restart the appliance when it is under memory stress.
- [# 694638] The NetScaler GUI displays an integer value instead of a security rating (critical, important, moderate, or low) if you configure an End Point Analysis (EPA) scan for Windows Update.
- [# 643029] Under the following conditions, the wrong error message appears:
  - A VPN traffic action is configured with SSO OFF.
  - A samlSSOProfile is configured.
  - The user tries to set this samlSSOProfile on the VPN traffic action.
- [# 678701]ShoreTel Sky Softphones do not work on Windows clients accessing enterprise VPN through NetScaler Gateway.
- [# 678885, 674356, 676859, 676857, 684178, 692683]Intermittently, a NetScaler Gateway appliance dumps core if a connection is reset during data transfer between a client and a VPN server.
- [# 685421]A secure load balancing virtual server on a NetScaler appliance processes both secure and insecure cookies.
- [# 686516, 660563]When a user configures a NetScaler appliance for SAML Authentication, duplicate apps appear on the home page if the RfWeb UI portal theme is bound to the appliance.
- [# 686642] The NetScaler Gateway VPN plug-in fails to launch when you enter the logon credentials by using the Google Chrome browser if post-authentication End-point Analysis (EPA) is enabled and the "Client Choices" option is disabled.
- [# 688111] The NetScaler Gateway plug-in incorrectly displays a "green bullet" icon, suggesting a connected VPN virtual server session, even after the session is disconnected. The plug-in UI is not in sync with the plug-in tray icon status.
- [# 689538] NTLM single sign-on (SSO) fails because the signature of the NTLM Type 3 message is invalid.
- [# 689907]If a NetScaler Gateway appliance that has partitions is configured with an intranet IP address, traffic from one of the partitions to the default partition loops back to the sender instead of treating the partitioned appliance as two independent appliances.
- [# 692771, 687892]End-point Analysis (EPA) scan fails on the client computer, even though the logs indicate otherwise, if the connection between the computer running on Mac OS and the NetScaler appliance is relatively slow (for example, if there's a client-side proxy).
- [# 692821, 696260]End-point analysis (EPA) scan becomes unresponsive if the EPA plug-in is installed for the first time on the user machine that accesses the NetScaler appliance bound to the RfWeb UI portal theme.
- [# 693284]In some cases, the NetScaler appliance becomes unresponsive while back-end authentication cookies are cached when a proxy server is configured between the NetScaler appliance and a back-end server.
- [# 693522, 697088]When you configure the Gateway server in ICA Proxy mode, the server occasionally becomes unresponsive if the Secure Ticket Authority (STA) servers do not respond in time or the client connection is closed.
- [# 693573]"Authentication" submenu under "System" cannot be expanded.
- [# 694290]A NetScaler Gateway appliance stops responding after authentication, if it is configured for post-auth End-point Analysis (EPA) and is bound to an RfWebUI persona.
- [# 694328] With split tunneling ON, the "Automatically detect settings" check box (under LAN Settings in Internet Explorer) was modified after connecting to the VPN, as a result of which external traffic was unreachable.
- [# 694417] Upon a double refresh of the logon page, the error message "Error 404, object not found" is displayed. The error appears because the "NS_TMAC" cookie is missing from the request.
- [# 694606] The NetScaler appliance sends a very large number of "auditlog" messages to the syslog server when a duplicate server connection is found.
- [# 695035]The NetScaler Gateway plug-in fails to list a device certificate under the Certificate drop-down menu if the Subject field inside the certificate has no value.
- [# 695209] When the Windows AutoLogon feature is enabled on your NetScaler Gateway appliance, the client cannot find the "nsauto.exe" file during logon because the path to the file is incorrectly truncated. The issue is noticed when the following registry entry has been modified:
  NtfsDisable8dot3NameCreation
  This registry entry controls short (8.3) file name creation in Windows and thereby truncates the application's file path.
- [# 695413]In some cases, the NetScaler appliance cannot load the background image when the VPN virtual server has custom theme and DFA policy bound to it.
- [# 695444, 697635]Client and server IP addresses are not displayed if a VPN session is disconnected before a successful logon.
- [# 695560, 696270, 697255]In some cases, the connection from a client computer to the NetScaler appliance is aborted.
- [# 695795]Endpoint analysis (EPA) scan fails on the client machine, because the EPA package does not get installed on the machine properly.
- [# 697356]In some cases, users using Outlook Web Application (OWA) 10 are not able to access the ECP folder.
- [# 697700]In rare cases, the NetScaler appliance configured for Session Reliability (SR) and High Availability (HA) becomes unresponsive as it misses initialization of some of the ICA context fields.
- [# 697771]In a multi-core NetScaler appliance, Enlightened Data Transport (EDT) application fails to launch on a NetScaler instance deployed on VMware ESX, and configured to use VMXNET3 NIC.
- [# 698336]In case of an End-point Analysis (EPA) failure, debugging fails because of different values of the same case ID in client-side VPN logs and in the NetScaler appliance logs. The case ID always reflects “a4a42” in the client-side logs which is not in sync with the NetScaler Case ID value.
- [# 671918, 673784, 656996, 672949, 676413]When session reliability is enabled for the high availability feature, memory usage by the NetScaler appliance spikes and causes a failover.
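As an added example, not code from this page or from Citrix: a check a practitioner can run against a login response after applying this build, to confirm the fix for [# 695118] (the NSC_TASS cookie must carry HttpOnly) and, more generally, that every session cookie carries both HttpOnly and Secure. It parses Set-Cookie headers out of a raw HTTP response. The response below is constructed, the cookie values and the APP_SESSION and ui_pref names are made up, and the set of protected cookie names is a parameter you supply; only NSC_TASS comes from the page.

```python
"""Added example (not NetScaler's code): audit the Set-Cookie headers of an HTTP
response for the HttpOnly and Secure attributes on named session cookies."""
from typing import Dict, List

# Constructed sample login response. NSC_TASS is the cookie named in the fixed
# issue; the other cookie names and all values are invented for illustration.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Set-Cookie: NSC_TASS=cHJlLWxvZ2luLXRhcmdldA; Path=/; Secure\r\n"
    "Set-Cookie: APP_SESSION=9f3c1e; Secure; HttpOnly; Path=/\r\n"
    "Set-Cookie: ui_pref=dark; Path=/\r\n"
    "Location: /vpn/index.html\r\n"
    "\r\n"
)


def set_cookie_headers(raw_response: str) -> List[str]:
    """Return the value of every Set-Cookie header in the response head.

    RFC 6265 forbids folding several cookies into one header, so each cookie is
    on its own line; header names are matched case-insensitively."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split 'NAME=value; Attr; Attr=v' into name, value and a lowercase
    attribute map. Flag attributes (HttpOnly, Secure) map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")    # first '=' only: values may contain '='
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(raw_response: str, protected: set) -> Dict[str, List[str]]:
    """Return {cookie name: [missing attributes]} for every protected cookie
    that lacks HttpOnly or Secure. An empty dict means all of them are fine."""
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers(raw_response):
        cookie = parse_set_cookie(header)
        if cookie["name"] not in protected:
            continue
        missing = [a for a in ("httponly", "secure") if a not in cookie["attrs"]]
        if missing:
            findings[cookie["name"]] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_RESPONSE, {"NSC_TASS", "APP_SESSION"}).items():
        print(f"{name}: missing {', '.join(missing)}")   # NSC_TASS: missing httponly
```

Feed it the raw response captured from a login to the AAA or Gateway virtual server (for example, from a proxy or a packet capture) rather than a browser's cookie jar, since the browser hides the attributes you are checking.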
NetScaler Insight Center
- [# 687084, 689052, 696701]Under certain network traffic conditions, if you have enabled AppFlow for ICA, the NetScaler appliance does not respond.
- [# 689491, 696819]When you launch the ICA application that is enabled with advanced encryption in XenApp or XenDesktop, in some cases, NetScaler does not respond while handling the advanced encryption handshake.
- [# 692326, 692554, 698557]The NetScaler appliance does not respond if AppFlow for ICA is enabled under certain network traffic conditions.
- [# 693359]You cannot see analytics data in the day, week, or month report on Insight Center.
- [# 693672]HDX Insight does not display ICA channel data when Logstream transport is enabled for the AppFlow feature in the NetScaler appliance and if “smartctl” is enabled for ICA HDX Insight.
- [# 694703]When HDX Insight is enabled, the communication between NetScaler and NetScaler MAS is achieved through a set of ICA status codes. These status code values are maintained both in NetScaler and NetScaler MAS and are always in sync. Due to a new ICA status code introduced in the NetScaler 12.0 release, there is a mismatch between some of the code values. When you enable SmartAccess in NetScaler and export it to NetScaler MAS, NetScaler MAS interprets it as code. An ICA session is logged as skip parse, due to which records are not seen.
- [# 696552]If AppFlow for ICA is enabled, in an error scenario for ICA parser with a particular network traffic condition, the NetScaler appliance can go down.
- [# 693286]The HTTP daemon on a NetScaler appliance might fail if the "probe server" NITRO call to the appliance fails.
NetScaler SDX Appliance
- [# 684428]If a channel configuration that is created by using the Management Service is pushed to an existing VPX instance, the channel name on the VPX instance might differ from the channel name on the Management Service. Because of this behavior, the channel name might differ on two VPX instances of an HA pair running on two different SDX appliances. This causes a NetScaler VPX HA pair to break after a failover. With this fix, the Management Service creates channels on VPX instances with the same names, provided the LA IDs are available on the VPX instances. For example, if channel LA/3 is created on the Management Service, the same is created on the VPX instance, provided the LA/3 ID is available on the VPX instance. However, if, for example, LA/9 is created on the Management Service, the channel is created with the first available LA ID on the VPX instance, because a VPX instance can support channels only up to LA/8. Note: Upon upgrade to this version, the existing LA configurations on the SDX Management Service or on the VPX instance do not change.
- [# 690647, 697369, 694571]In a VPX instance (standalone or part of an HA setup) running on a SDX-21550/SDX-20500 platform, TX stalls are observed and the state of the configured load balancing services in the VPX instance flaps.
- [# 694571]In a VPX instance (standalone or part of an HA setup) running on a SDX-21550/SDX-20500 platform, TX stalls are observed and the state of the configured load balancing services in the VPX instance flaps.
- [# 696706]The "Date" field in the Events detail page displays no information. To see the Events details, navigate to Configuration > System > Events on the NetScaler SDX GUI.
- [# 699274]Upon restart of a NetScaler SDX appliance that has a cluster setup configured with a cluster link aggregation group (CLAG) with jumbo MTU, the cluster nodes whose interfaces are part of the CLAG might not restart properly.
- [# 699426, 696477]An attempt to log on to the NetScaler SDX appliance running software release 12.0 by using the GUI or CLI might fail under one of the following conditions:
  - Single Bundle upgrade is attempted.
  - The appliance is restarted.
  - The SDX Management Service is restarted through XenServer.
  In all the above situations, the SDX Management Service database gets corrupted, which causes the logon failure.
NetScaler Secure Web Gateway
- [# 685181]If you try to add multiple URL sets that contain one million or more entries, memory is exhausted and the appliance fails.
NetScaler VPX Appliance
- [# 689356]After a failover of a NetScaler VPX HA setup running on AWS, the interfaces from both the nodes do not attach and detach properly. This happens if the stack name of the Citrix CloudFormation template exceeds 25 characters. With the fix, the stack name of the Citrix CloudFormation template supports up to 90 characters.
- [# 693877]DNS resolution for existing DNS configurations fails after you upgrade a NetScaler VPX instance running on AWS to release 12.0 build 53.20.
- [# 695516]A NetScaler VPX instance running on a VMware ESX hypervisor becomes unreachable if you select "Register with NetScaler MAS for manageability" while configuring pooled licensing in the instance GUI.
- [# 679490, 689372]A NetScaler appliance logs an IP conflict error when it receives any unsolicited ARP message from a network device such as Check Point Firewall for a NetScaler appliance-owned IP address. The appliance logs an IP address conflict error even if the IP address to MAC address mapping is correct in the ARP message.
- [# 689441]The NetScaler appliance does not accept routes that have a 0.0.0.0 prefix and a non-zero prefix length. With this fix, the NetScaler appliance accepts routes with a 0.0.0.0 prefix and a prefix length less than eight. But routes belonging to the 0.0.0.0/8 block are not accepted, as they belong to the reserved IPv4 address range.
- [# 693472]The NetScaler appliance might not properly process ND6 unsolicited neighbor advertisement messages and update its routing table.
- [# 693995]In a high availability configuration, synchronization of session information to the secondary node happens only when the state of the secondary node is UP. When the secondary node stays in a state other than UP for a long time, session information waiting to be synchronized builds up on the primary node. This results in a memory crunch or in sessions hitting the maximum limit on the primary node.
- [# 694203]A NetScaler appliance might become unresponsive after applying the ACLs if the appliance has more than 1,100 ACL rules and some of these rules have overlapped conditions.
- [# 688412]If a response from the StoreFront server does not have a Content Type field in the header, but the appliance expects a value in the Content Type field, the appliance crashes.
- [# 690975, 695683]A NetScaler appliance fails when media classification mode is enabled and a memory failure occurs.
- [# 675347]The NetScaler appliance can sometimes time out while processing data with rewrite actions.
- [# 693791]The audit log action in a responder policy is reset when you modify a responder action bound to the same responder policy.
- [# 632280, 631258, 674672]The cipher description for a back-end service differs for different nodes of a cluster.
- [# 654034, 678140, 666679]While using dynamic services, some SSL counters were not cleared properly when you cleared the configuration. As a result, new connections to the same dynamic services were not accepted. With this fix, new connections to the dynamic services are accepted even if the configuration is cleared.
- [# 686713]An SSL handshake might take a long time (many retries) to complete after you restart a NetScaler appliance.
- [# 688100]In some cases, a pipeline HTTP request is not forwarded to the back-end server if the back-end server sends a response before receiving the full request from a client.
- [# 691769]"Duplicate certificate error" appears when you try to bind a certificate containing a specific domain name to an SSL virtual server, if a certificate with a matching wildcard SAN entry is bound to the same virtual server.
- [# 691889]After you restart a NetScaler appliance, all the ECC curves might be bound to a virtual server or service even though they were unbound from that virtual server or service before the appliance was restarted.
- [# 692481, 692823, 694291, 696851]A NetScaler appliance crashes when session tickets are enabled and continuous session ticket reuse requests are received.
- [# 693312]An OCSP responder URL is not added to an OCSP HTTP GET request. This causes OCSP failure if GET httpMethod is enabled.
- [# 693356]If a Qualys scan is run on the NetScaler IP (NSIP) address, subsequent SSL transactions with the Thales HSM fail.
- [# 694078]A NetScaler appliance might crash during a DHE based key exchange when an allocation failure occurs because of high memory consumption.
- [# 694395]If two certificates issued by two different CAs have the same OCSP URL, addition of one of the certificate-key pairs might fail. Example:
  1. CA certificate C1 is used to issue certificate S1, which contains OCSP_URL1.
  2. Certificate-key pairs for both C1 and S1 are added successfully on the NetScaler appliance.
  3. CA certificate C2 is used to issue certificate S2, which also contains OCSP_URL1.
  4. If you first add a certificate-key pair for S2, it is successful, but adding a certificate-key pair for CA2 fails. If you reverse the order, adding a certificate-key pair for CA2 is successful, but adding a certificate-key pair for S2 fails.
- [# 694545]In a cluster setup, a custom cipher group bound to an SSL profile is lost after the "force cluster sync" command is run. As a result, there will be a configuration loss after the cluster node restarts.
- [# 694904]In some cases, a NetScaler appliance might crash if it finds invalid data while parsing the binary certificate.
- [# 696422, 696993]An SSL handshake fails if both of the following conditions are met:
  - OCSP stapling is configured.
  - Multiple clients request the status of the server certificate in parallel.
- [# 633371, 682640, 672615, 639767, 387117, 232011]A logon issue is observed if you try to insert and delete cookies at the same offset and if the AppFlow and client-side measurement features are enabled on a NetScaler appliance.
- [# 669821, 670476, 688886, 685045]A NetScaler appliance fails if multiple vulnerabilities in the Network Time Protocol (NTP) daemon are exploited by an external or local authenticated user.
- [# 676598, 690857]In non-end-point mode, for every out-of-order packet, NetScaler generates a duplicate acknowledgment (DUP_ACK). In the rare case of SACK-disabled packets, after generating a duplicate acknowledgment, the appliance does not reset the counter, which results in unnecessary duplicate acknowledgments and causes the connection to disconnect.
- [# 684574, 685357, 687357, 696622]A NetScaler device might fail if it sends FIN packets on a Multipath TCP (MPTCP) fallback connection and the global state variable has not been cleared.
- [# 685510]Connections can become unresponsive because of data loss that occurs under the following set of conditions:
  * Different traffic domains are configured on the virtual server and the service.
  * Data insertion causes the NetScaler appliance to split packets.
- [# 687462, 686135, 692657, 699960, 698852]The user is not able to log on to NetScaler Gateway because of high memory utilization.
- [# 691308]HTTP headers can be corrupted by the following series of events:
  * The rewrite feature inserts an end-of-header mark, but the next packet contains more header bytes.
  * The compression (CMP) feature interprets the incorrectly marked HTTP header-end as the actual end of the header, and tries to insert a content-encoding header.
- [# 692149]If a NetScaler appliance performs window management for Transparent connections with the Dynamic Window Management option enabled in the TCP profile, it results in a window update acknowledgment. This causes a wrong mapping of sequence and acknowledgment numbers and the connection disconnects.
- [# 692613]If a client using the NITRO API over HTTPS to connect to a NetScaler appliance reuses the same source IP address and port within two TCP maximum segment lifetime (MSL) timeout intervals, the connection might be dropped with a TCP reset. Similarly, client TCP connections might be dropped under the following set of conditions:
  * Source IP address is enabled and proxy port disabled in the client's connection request.
  * A previous server connection still exists on the appliance and has persisted for two TCP MSL timeout intervals.
- [# 694368]A NetScaler appliance might become unresponsive if an incorrect nstrace logic is applied for collecting packets in TXB mode.
- [# 696218, 699644]A memory leak occurs if the Content Filtering feature is configured with either an add prebody or an add postbody action.
- [# 698725]Strong ciphers are not enabled on a VPX appliance with Telco licenses. As a result, the VPX-T platform supports only export ciphers and denies HTTPS access. This fix addresses the issue by enabling strong ciphers for Telco platform licenses thereby enabling HTTPS access and SSL use cases for VPX-T platform.
- [# 700529]A NetScaler appliance might crash with different backtraces if any one of the following conditions is met:
  • Memory is freed to the wrong pool.
  • The AppQoE or HTMLInjection feature is enabled.
  • The AppFlow feature is enabled with the clientSideMeasurements option enabled in the AppFlow action.
Telco URL Filtering
- [# 692666, 695092]The NetSTAR Software Development Kit (SDK) is now upgraded to version 1.6.2-18 to support the URL Filtering feature.
- [# 694947]After you upgrade the NetSTAR seed database, you must flush the cache database so that it synchronizes with the new seed database.
- [# 695350]The NetScaler URL Filtering feature now enables you to download the NetSTAR seed database in different sizes. For instructions on how you can increase the seed database size, refer to https://support.citrix.com/article/CTX2293.
- [# 695621]In a NetScaler appliance, for efficient logging, the URL Filtering log messages are now logged in the /var/log/ns.log file.
Upgrade and Downgrade
- [# 690534]Repetitive messages appear in log files when you restart the NetScaler appliance after upgrading the firmware. The messages appear regardless of whether you use the GUI or the CLI to perform the upgrade. The repetitive logging stops when you log back on to the appliance.
- [# 692757, 678095]The Dashboard and Reporting tabs in the NetScaler GUI do not display the video optimization statistics.
- [# 693423]The NetScaler appliance does not display an error message if you have configured a negative integer for the QUIC Video Pacing Rate parameter.
- [# 698919]A NetScaler appliance does not correctly regulate retransmitted TCP packets.
The issues that exist in Build 56.20.
- [# 639349]SHA256 digest algorithm is not supported on a NetScaler FIPS appliance configured for SAML authentication or as a SAML IDP. However, an appropriate error message does not appear in the browser.
- [# 651719]The TACACS attribute or group extraction is supported only if the back end is Cisco ACS TACACS+ Server. For TACACS server other than Cisco, the attribute or group extraction is not supported. For more information, see https://support.citrix.com/article/CTX220024.
- [# 652502]The group extraction for authorization policies cannot extract the groups from external access control lists (ACS) if the Identity Group parameter is configured as "All Groups." Workaround: While creating the Device Administration Authorization Policy, specify the identity group that is required to bind to the shell profile.
- [# 660065, 674005]A NetScaler appliance configured for NetScaler AAA with LDAP over SSL can become unresponsive when the LDAP server is very slow to respond to requests. At this point, the packet engine is unable to process any more authentication requests.
- [# 676450]In rare scenarios, the response cookie from an OWA 2013 server is not greater than 70 bytes when the NetScaler appliance is configured with Forms Based SSO. Hence, the length check for the cookie value in the success rule configured in the Forms SSO action on the NetScaler appliance must be updated with an appropriate value.
- [# 677458]When SAML authentication is employed as the logon method for Gateway users on FIPS hardware, and an encrypted assertion is sent from the IdP, the NetScaler appliance dumps core memory. This is applicable only for FIPS hardware platforms.
- [# 678553]If the primary and secondary passwords in a logon request are the same, and the first-factor authentication server prompts the user to change the password, the second-factor server uses the password that was sent in the logon request. Workaround: Configure the second-factor authentication server to use the http.req.user.passwd expression if the first-factor server requests a password change.
- [# 680519]In an nFactor EPA configuration, if EPA is configured in secondary factors and requires conditional access, a passthrough factor must be configured to select EPA factors for the required users. Otherwise, the EPA flow starts even for users that do not require EPA. Workaround: Configure the EPA factor only for users requiring it. This can be achieved by configuring passthrough factors to make logic decisions.
- [# 681730]If forms based Single Sign-On (SSO) is configured for Outlook Web Access (OWA) 2013 servers, the "successRule" configured in the forms SSO action must be corrected, because the server sends a 64-byte cookie upon successful SSO.
- [# 683224]In an nFactor EPA configuration, if EPA is configured in secondary factors and requires conditional access, a passthrough factor must be configured to select EPA factors for the required users. Otherwise, the EPA flow starts even for users that do not require EPA. Workaround: Configure the EPA factor only for users requiring it. This can be achieved by configuring passthrough factors to make logic decisions.
- [# 689153]The back end is not accessible through a clientless VPN (CVPN). The issue occurs when SSO is ON, the proxy is specified in a traffic action, and the back-end credentials are different from the logon credentials. Workaround: Create a traffic policy based on the back-end URL and create a trafficAction with SSO OFF and No Proxy. The back end should then be accessible.
- [# 696158]In a high availability (HA) setup, a NetScaler appliance configured for NetScaler AAA might become unresponsive if it tries to communicate with an SSL backend server through a proxy server, by using a Clientless Virtual Private Network (CVPN).
- [# 696656, 688044]In a high availability (HA) setup, webAuth action settings are not removed after you perform a clear config operation on a secondary node. Workaround: Clear the counters before you run the clear config command.
- [# 697727]If you have to set a domain wide cookie for an authentication domain, you must enable authentication profile on a load balancing virtual server.
- [# 699475]If a SAML LogoutResponse parameter does not contain a destination attribute in a SAML Identity Provider (IdP), the logout request might fail on a SAML Service Provider (SP).
- [# 699513]A NetScaler appliance configured for NetScaler AAA by using advanced authentication policies over a VPN session might become unresponsive if both of the following conditions are met:
  • The connection is initiated from the LAN to a client by using an assigned Intranet IP (IIP).
  • The default authorization action is denied.
- [# 694892]The NetScaler Gateway login page fails to load if you have enabled client side measurements in the AppFlow action.
- [# 603177, 647386]If multiple AppFlow policies are bound to the same bind point, only the last policy is chosen.
- [# 629128]A NetScaler AppFirewall appliance with the compression feature enabled sometimes puts blank lines in HTTP response headers, resulting in garbled page rendering by the browser.
- [# 648272]In the Visualizer, some buttons might not work if you use Mozilla Firefox or Internet Explorer. Workaround: Use the Google Chrome browser.
- [# 650789, 650317, 658472]The information that the GUI displays for the application firewall web services interoperability (WSI) check does not say that it is a prerequisite and cannot be disabled.
- [# 660546]The NetScaler application firewall should bypass requests from application firewall processing after the system reaches a specified CPU/memory usage limit, but there is currently no policy for reviewing CPU and memory capacity and bypassing the application firewall.
- [# 668892]An alert is generated when you set the NetScaler AppFirewall session limit to a value of 0 or lower, because such a setting affects advanced protection check functionality that requires a properly functioning application firewall session.
- [# 671807]If you upgrade a NetScaler appliance in a high availability (HA) setup from version 10.5.56.15 to version 126.96.36.1991 and skip 250 rules with active traffic, the GUI or CLI displays a "failed to skip some rules" error message and an operation time-out error message. Workaround: Turn off the Learning feature when skipping learned rules.
- [# 672864]In an HA environment, a NetScaler appliance running release 11.0 does not learn new rules when the application firewall feature is enabled.
- [# 672970]When a third-party version-0 signature object is merged with a user-defined signature that is not version 0 and has both native and user-defined rules, the resulting signatures are all version 0 and do not include the native rules. To include the native rules, you must update both signature objects (third-party and user-defined) before the merge. The update changes the version from 0. If you then perform the merge operation, the native rules are included.
- [# 674864]Application Firewall port information about open ports, such as port 443, is not suppressed. It can therefore be detected by port scan tools such as NMAP in targeted hacker attacks.
- [# 682935]If you have multiple application firewall policies configured on a load balancing virtual server, and a policy has a GotoPriority Expression of NEXT, the NetScaler AppFirewall policy order bypasses all security checks in that policy's profile and moves to the next policy.
- [# 687314]The IP address of a content switching virtual server cannot be accessed after an upgrade from a previous release to the current release. The POST request results in a 302 redirect error.
- [# 688390]When using IE, an RFC violation occurs when submitting a form whose Form Field Name and value cause the request to be flagged as a malformed multipart request. This issue does not occur in Chrome or Firefox. The correct format of the request should be: Content-Disposition: form-data; name="<fld_name>".
- [# 693905]In a HA environment, after an upgrade to release version 11.1 56.x, the NetScaler application firewall primary node fails to restart after a failover.
- [# 694743]On a NetScaler Application Firewall appliance, Analytics security insight support for content switching target LB vserver is missing.
- [# 696820]The in-use memory of a NetScaler appliance reaches 90% when the expression match type in signatures, along with auto-update, causes a memory leak. Workaround: To resolve the memory recovery error, increase the recovery limit and the number of recovery pages. Run the following two nsapimgr commands and monitor the issue:
  nsapimgr -ys num_recovery_pages=20
  nsapimgr -ys mem_recoverlimit=251658240
  Also append these settings to the "/nsconfig/rc.netscaler" file, or else restarting the NetScaler appliance will erase the above settings. If the "/nsconfig/rc.netscaler" file is missing, create a new one.
- [# 697498]When the NetScaler application firewall is enabled, the performance of the LB server VIPs is impacted with latency and application slowness. The latency issue is not observed when the application firewall is disabled.
- [# 698678]In HA mode, the NetScaler appliance crashes because of a memory corruption issue when the AppFW profile policy custom settings are not properly configured after an upgrade to the latest release version.
- [# 698829]When the cookie proxy feature is enabled, the NetScaler application firewall appliance might crash while updating cookies.
- [# 698952]After an upgrade, the Form Field Consistency Check blocks content even if the AppFW policy rules are properly configured.
- [# 699165, 700528]The NetScaler appliance crashes when the Application Firewall feature is enabled.
- [# 699564]After an upgrade, the NetScaler appliance enabled with the application firewall feature crashes and dumps core memory. This issue has been fixed now. The application firewall now logs and allows requests that have multiple charsets with the same value in the Content-Type header.
- [# 699677]The NetScaler appliance crashes with multiple failovers because of a CPU and memory spike. The log messages display the following error before the crash occurs: msg=Field consistency check failed for field g-recaptcha-response.
- [# 699863]On a NetScaler appliance, traffic is impacted due to high bandwidth utilization when binding AppFW policy to the load balancing virtual server.
- [# 700048]In HA mode, both NetScaler appliances crash because of an invalid memory address allocation in the AppFW module.
- [# 700172]Requests containing Unicode content with UTF-16 encoding are not blocked by the application firewall profile.
- [# 700289]The NetScaler application firewall allows SQL injection attack if the Content-Type of the HTTP header is modified.
- [# 700413]After you upgrade the nodes in an HA setup, you cannot access the NetScaler appliance web management interface when the application firewall feature is enabled.
- [# 700701]In a HA environment, high memory utilization is observed on both the primary and secondary appliances when application firewall is configured.
- [# 679468]For validating a Citrix NetScaler cluster setup against the IPv6 Ready Logo suite, Citrix recommends using cluster link aggregation (CLAG) consisting of only one interface per cluster node.
- [# 692350]In a layer 3 cluster deployment, fragmented traffic steered through a GRE tunnel might cause packet loops, which result in a high traffic load. Workaround: Reduce the maximum segment size (MSS) to 1,360 bytes in the cluster deployment.
- [# 700049]The NetScaler appliance returns incorrect SERVFAIL responses for records when both of the following conditions are met:
  - Records are configured by using the NetScaler CLI or the records are cached.
  - DNS queries with the EDNS Client Subnet option are sent for such records over a content switching virtual server.
- [# 700294]The NetScaler appliance might fail and dump core memory if a load balancing virtual server of type ORACLE is configured with SOURCEIP persistence.
- [# 698278]The NetScaler appliance crashes if nstrace with some filter expressions is running in the background and the traffic uses the GSLB geographic location parameter.
- [# 698208]NetScaler may fail to respond while serving content from the NetScaler cache.
- [# 697665]When NetScaler licenses hosted on NetScaler MAS expire, the NetScaler appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the NetScaler appliance continues to function as usual. If not, the licenses are revoked and the appliance ceases to function.
- [# 671729]If a service group member is assigned a wildcard port (port *), the monitor details for that service group member can be viewed from the Monitor Details page.
- [# 690943]In a cluster setup, you cannot disable a service group if there are no services bound to it.
- [# 658734, 658736]Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.
- [# 680693]Modifying the nf_conntrack_max sysctl variable to get better network performance can cause unexpected behavior. In that case, you have to increase the size of the connection-tracking and/or the hash table, and/or decrease timeout values. For more information, see http://antmeetspenguin.blogspot.in/2011/01/high-performance-linux-router.html.
- [# 649052]In older versions of Internet Explorer (version 7), the browser incompatibility message does not appear for NetScaler release 11.1. The logon page appears directly, and you can log on successfully.
- [# 657924]If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled, and you log on as nsroot user, an extra session is created.
- [# 658132]If the feature "Force password change for nsroot user when default nsroot password is being used" is enabled and the nsroot password is changed at the first logon to the NetScaler appliance, the nsroot password change is not propagated to non-CCO nodes. Therefore, when an nsroot user logs on to non-CCO nodes, the appliance asks for password change again.
- [# 646706]An error message appears when a user logs off of a StoreFront session if Gateway logon uses SAML based authentication for ICA Proxy mode. Workaround: Log off by closing the browser.
- [# 669942]The Internet Explorer 8 browser does not display the Gateway portal if the portal theme is set to Default, Greenbubble, or X1. The portal does appear if the portal theme is set to RfWebUI.
- [# 671802]If a custom theme is applied for NetScaler 11.1 build 50.10, the text for the password field is not displayed.
- [# 672067, 689973]After a NetScaler HA failover, Citrix Receiver takes a few seconds to reconnect.
- [# 672333]An RfWebUI based theme is not supported for an Authentication virtual server configured with Classic Authentication policies.
- [# 675401]When nFactor authentication is configured with multiple factors having custom password expressions, the default password for all secondary factors is passwd1. Users need to configure passwordExpression in the loginSchema to pick the right password for the given factor if the logon flow is nontrivial.
- [# 679117]If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), hyperlinks listed under "Sites" are nonfunctional. Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it in a new tab.
- [# 679176]If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot upload a Profile Picture. Workaround: Use Chrome or Firefox.
- [# 679193]If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot drag and drop files. Workaround: Upload the document instead of using drag and drop.
- [# 679713]If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to open a Word (.doc) document. Workaround: Use Firefox to open the document.
- [# 679744]If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), the "Stop Following a Site" functionality is not available.
- [# 679747]If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), you cannot use Internet Explorer to add a new item to the calendar. Workaround: Use Chrome or Firefox.
- [# 680378]If nFactor authentication is configured on a NetScaler Gateway appliance running release 11.1 build 51.x or later, native clients use the authentication policies configured on the authentication virtual server. See https://support.citrix.com/article/CTX223386 for details.
- [# 680403]If you log on to SharePoint 2013 through a Clientless Virtual Private Network (CVPN), a link is broken on the Settings > Master Pages screen. The link to Folders on Site is nonfunctional. Workaround: Either copy the link, paste it to a new tab, and click the new copy of the link, or right-click the link to automatically open it in a new tab.
- [# 681247]If you log on to a VPN in a cluster Deployment, the value of Total Connected Users is shown incorrectly for the NSIP addresses of all the nodes. The correct value is shown for the CLIP address.
- [# 684658]Responder policies are not supported for a Gateway virtual server configured with a portal theme based on RfWebUI.
- [# 691082]FTP over TLS is not supported in NetScaler Gateway.
- [# 695650]After upgrading to 11.1 build 55.13, n-Factor authentication does not work if the first factor has a NO-Authentication policy with a "true" rule. Workaround: Avoid configuring "true" as the rule for the policy. Add the following expression for this policy instead: http.req.url.contains("/nf/auth/doAuthentication.do")
- [# 697457]False SNMP alarms for SYN flood are reported when the NetScaler Gateway appliance is deployed in an ICA Proxy mode and session reliability functionality is enabled.
- [# 697536]In some cases, the DNE drivers used by the NetScaler Gateway VPN plug-in negatively impact the download speed.
- [# 698924]In rare cases, during a plug-in installation of the NetScaler agent on UNIX machines, an RPM package is downloaded instead of a DEB package for some browser versions.
- [# 699873]Group information is lost when a native client is used for nFactor authentication and "password change" is enabled for the active directory of the second factor.
- [# 681628]The session reliability on HA Failover feature is not supported between 64-bit and 32-bit kernels in an HA pair.
NetScaler Insight Center
- [# 626944]If you log on to a NetScaler Gateway appliance that is deployed in full tunnel mode and access numerous URLs and IP addresses, Gateway Insight reports these URLs and IP addresses as Applications on the Application tab.
- [# 692412]In some cases, server IP addresses are incorrectly displayed for skip flow sessions when ULFD is enabled.
NetScaler SDX Appliance
- [# 600152]When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.
  Workaround: Delete the 10G LACP/static channel that has this issue and create it again.
- [# 643853]The Rx/Tx Flow Control configuration is lost if you manually set the Rx/Tx Flow Control for a 1000BASE-T copper interface to OFF and the interface is reset.
  Workaround: Enable Flow Control Auto Negotiation (ON).
- [# 668696]The current software driver for 1G ports does not support hot-swap capability for 1G SFP transceivers on NetScaler SDX 115xx models.
  Workaround: After replacing the 1G SFP transceiver, reset the interface from the Management Service. If the issue persists, restart the appliance.
- [# 684106]In some cases, a client is unable to connect to the TCP-related VIP address of a NetScaler VPX instance on a NetScaler SDX appliance.
- [# 689767]In a cluster setup on an SDX appliance, the cluster coordinator node (CCO) cannot retrieve the MTU set for the configured cluster link aggregation group (CLAG) and sets the MTU to the default value of 1500, if the following conditions are met:
  - The CLAG is formed with interfaces from only one of the nodes.
  - This node goes to an inactive state.
NetScaler Secure Web Gateway
- [# 685789]The default certificate bundle is not listed when you run the show certbundle command.
- [# 686077]An authentication virtual server that is created by using the Secure Web Gateway wizard appears DOWN, because an SSL certificate is not bound to it. This does not affect the functionality.
- [# 686741]If you create a negotiate action by using a keytab file, the SWG wizard displays the domain name and user name instead of the service principal name (SPN).
- [# 687328]User authentication does not fail in transparent proxy mode even though an application firewall policy to block specific traffic is configured.
- [# 687748]You cannot send or receive multimedia messages by using WhatsApp in a NetScaler Secure Web Gateway deployment.
- [# 689581]An incorrect warning "No usable ciphers configured" appears if you change the SSL settings in a profile by using the Secure Web Gateway wizard.
NetScaler VPX Appliance
- [# 652640]Due to a limitation of the XenServer platform, if NetScaler virtual appliances with different interfaces, such as SR-IOV and Para-virtualized (PV) mode interfaces, use the same physical NIC, traffic between the virtual appliances with different interfaces fails.
- [# 657492]The NetScaler virtual appliance might fail to start if you have configured 15 or more SR-IOV and PCI passthrough interfaces.
- [# 660000]Due to a limitation in Linux-KVM and VMware ESX platforms, if you add new PCI passthrough interfaces to an existing NetScaler virtual appliance configured with SR-IOV interface, the PCI passthrough interfaces might take precedence over the existing SR-IOV interfaces.
- [# 660159]The physical link status of a PCI passthrough interface of a NetScaler VPX appliance is not updated when the state of the link is changed (for example, when the link is enabled, disabled or reset), because of a limitation in the Intel XL710 NIC. As a result, any active traffic over the PCI passthrough interface fails during this time.
- [# 672441]If you use the ip link set command to change the VLAN ID to zero, or to any valid value, on the virtual function (VF) on the host, the physical function (PF) processes the tagged packets with the original tag and does not reflect the new VLAN ID.
  Workaround: Run a reset command on the NetScaler VF after changing the VLAN ID or removing it from the host. For example:
  reset interface 10/1
- [# 676417]If you configure an MTU value on a NetScaler VPX appliance running on Citrix XenServer and save the value, and force a shutdown, the saved MTU value is lost, and the appliance displays the old value.
- [# 684860]A NetScaler VPX instance running on a NetScaler SDX appliance does not receive any traffic under the following set of conditions:
  - The Intel 710 series NICs of the NetScaler SDX appliance are connected to a switch with an LLDP-enabled port.
  - That port has been disabled and then enabled.
- [# 690896]If a NetScaler VPX instance deployed on a KVM hypervisor is configured with SR-IOV NICs and PCI passthrough, the order in which the interfaces are presented to the NetScaler VPX instance changes when you add or remove SR-IOV or PCI passthrough interfaces. As a result, the configurations bound to the interfaces might not work.
  Workaround: Redo the configurations manually.
- [# 692177]If a KVM hypervisor runs on an AMD processor-based server, the NetScaler VPX instance running on the KVM hypervisor restarts cyclically and then stabilizes after a few iterations.
  Workaround: Add the following entry in /flash/boot/loader.conf:
  vm.pmap.pg_ps_enabled="0"
- [# 692334]Error messages appear when an SR-IOV-enabled NetScaler VPX instance configured with Intel X710 10G and XL710 40G NICs, running on KVM hypervisor, restarts. The error messages are harmless and can be safely ignored.
- [# 675626]While responding to a VXLAN broadcast (for example, ARP and ND6), the NetScaler appliance does not look up the bridge table to populate the VNI field in the VXLAN header. The VNI field in the VXLAN header of the response is same as that of the incoming broadcast. This results in the peer VTEP dropping the response packets.
- [# 685233]The NetScaler appliance becomes unresponsive when it accesses memory that was not properly freed and therefore contains stale information about a session.
- [# 688642]The NetScaler appliance drops non-SYN TCP packets, which match an INAT rule, and a RESET is sent.
- [# 698942]Netprofile source IP persistency for a load balancing configuration might not work for a set of clients if the NetScaler appliance connects these clients to the same service.
- [# 670449]For the NetScaler video optimization feature to work properly, you must not delete the built-in policies that have an "ns_videoopt" prefix (for example, ns_videoopt_http_abr_netflix).
- [# 677320]The new video optimization feature is not supported on a partitioned NetScaler appliance.
- [# 678625]The video insight option cannot be enabled for a specific virtual server. You can only enable it as a global setting (set appflow param -videoInsight ENABLED).
- [# 699392, 692176]In certain cases, a NetScaler appliance might crash or become unresponsive if the appliance fails to serve a response from the cached content.
- [# 700581, 692600]A NetScaler appliance crashes if you execute an unsupported operation using Selectors in contentgroup for observing cache objects.
- [# 680916]If you use classic expressions to filter the output of the show connectiontable command, only a warning message appears.
  Workaround: Use advanced expressions instead.
- [# 700461]A NetScaler appliance might crash or become unresponsive if a memory allocation failure occurs in a pattern set or dataset policy expression.
- [# 660257]If you run the "sh ssl service group" command on the cluster IP (CLIP) address and on nodes of a cluster setup, ECC curves are displayed as unbound from the CLIP.
- [# 667389]In a cluster setup, if a client certificate is bound to a back-end SSL service or service group, it appears as a "Server Certificate" instead of a "Client Certificate" when you run the "show ssl service" or the "show ssl servicegroup" command on the CLIP address.
- [# 673458, 689516]The SSL entities to which an SSL profile is bound do not appear when you run the show ssl profile <Default-Profile> command on a cluster IP (CLIP) address.
  Workaround: You can view the bound entities from the NetScaler IP (NSIP) address.
- [# 678175, 678522, 678526]In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
- [# 678176, 687205, 687098]Configuration loss might occur if you upgrade from release 11.1 build 54.x to release 12.0 build 41.x or 51.x, in any one of the following scenarios:
  Scenario 1:
  1. Your deployment uses an SSL profile.
  2. In the SSL profile, sessionTicket is enabled and one or more of the following new secure session ticket parameters have non-default values:
     - sessionTicketKeyRefresh
     - sessionTicketKeyData
     - sessionKeyLifeTime
     - prevSessionKeyLifeTime
  Scenario 2:
  1. Your deployment uses a custom SSL profile.
  2. In the SSL profile, sessionTicket is disabled.
- [# 681878]You cannot add a CRL with X.509 version 1 on a NetScaler appliance if the explicit version field in that CRL is set to 0.
- [# 682859]An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
- [# 687135]You cannot set the previous session-key life time to its minimum value (0 seconds).
- [# 687208]Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
- [# 689898]On a NetScaler Secure Web Gateway appliance, running the clear config command does not reset the certificate bundle to the default certificate bundle.
- [# 691929]In a cluster setup, the CRL distribution points in a CA certificate-key pair configured on the cluster IP address do not appear when you run the show ssl certkey command.
- [# 692137]SSL classic policy expressions are not honored.
  Workaround: Use SSL default policy expressions.
- [# 697089]On the MPX 5900/8900 and SDX 8900 platforms, memory allocation fails in some partitions when memory allocated from one partition is freed in another partition. This results in incorrect memory accounting across partitions, causing memory allocation failures.
- [# 697789, 697902, 698125, 699526]The NetScaler appliance becomes unresponsive if after an SNI handshake is complete, an HTTP/1.1 request is received and the SNI certificate is unbound from the virtual server simultaneously.
- [# 698207]If two SSL connections use the same SSL session ID, session reuse fails if one of the connections renegotiates the session.
- [# 700363]If your deployment uses ECDHE ciphers, ECC curves are not bound by default to a NetScaler CPX instance.
  Workaround: Manually bind ECC curves to the NetScaler CPX instance.
- [# 331889]If a wildcard virtual server's redirection mode is set to IP (-m IP), the NetScaler appliance cannot forward a TCP connection request to a service bound to that virtual server if the back-end server is down.
- [# 652345]On a partitioned NetScaler appliance, you can no longer use the same command to bind a system user and a command policy to a system group. Instead, you must use two different commands. For example:
  bind system group grpX -userName userX
  bind system group grpX -policyName superuser 1
  If you try to bind both arguments with a single command, the appliance displays an error message: Arguments cannot both be specified [policyName, userName.]
- [# 654087]The initial probe connection that a NetScaler appliance makes with the back-end internet server to check for server availability is now reusable for actual server connection with the internet server.
- [# 657565, 686496]A NetScaler appliance might not initiate a rewrite action correctly if data is modified in adjacent fields in the message.
- [# 667392]If you enable Web Logging feature before configuring the log buffer size, the NetScaler appliance does not apply the buffer size after a restart.Workaround: Configure the log buffer size before you enable the Web Logging feature.
- [# 674165]When you run the set command on a NetScaler appliance, the ns.log file stores the command with all parameter values, including customer provided values.
- [# 687067]A NetScaler appliance in a clustered setup displays a "Cannot allocate memory" error message if you use the set command to set the server domain name in a SYSLOG action.
  Workaround: Delete the SYSLOG action in which you set the domain name, and add a new SYSLOG action that specifies the server domain name instead of the server IP address:
  rm syslogaction
  add syslogaction -loglevel [-options ...]
- [# 689837]Random packets are missing from the loopback interface when you capture an nstrace on a NetScaler appliance.
- [# 690775]Passive FTP data connections intermittently reset after a NetScaler HA failover.
- [# 691984]Data transmission from client to NetScaler appliance over a reused connection is slow, at a rate that varies. The result is an excessive delay for a subsequent HTTP request.
- [# 694416]The NetScaler appliance does not initiate subflows (MP_JOINs). The appliance expects the client to initiate subflows.
- [# 695668]A NetScaler appliance silently truncates and drops HTTP request body packets greater than the maximum HTTP header size configured in the HTTP profile. The request body is truncated only if the appliance receives an HTTP request after an incomplete header assembly (request header spanning more than one packet) and the request body is received when the appliance awaits a TCP acknowledgment for the request header sent to the server. The truncation results in TCP retransmission and latency issues.
- [# 697267]A NetScaler appliance might crash if it receives original and retransmitted MP_JOIN SYN packets in succession.
- [# 698292]If you have a VPX appliance on an SDX platform or NetScaler devices managed by MAS, after an upgrade, the appliance does not display a notification message, “Call home is enabled by default” on the first user log on for 24 hours.
- [# 698360]A NetScaler appliance might crash if it selects a MP_JOIN subflow that is not fully established to send a FASTCLOSE packet.
- [# 693421]The NetScaler appliance displays an error message if you have configured a negative value for the Random Sampling Percentage parameter.
  Workaround: Configure a positive integer ranging from 0 to 100 for the parameter.
Upgrade and Downgrade
- [# 646046]When you upgrade the NetScaler firmware by using the NetScaler GUI, the appliance restarts in the background as soon as the upgrade is complete, but the GUI does not show that the upgrade has been completed.
  Workaround: Log off and log back on to the NetScaler appliance to check the firmware version.
- [# 683380]The auto cleanup option (/installns -c) is not supported in NetScaler release 12.0. Clean up flash manually if space is insufficient when upgrading or downgrading a NetScaler appliance.
- [# 692565, 683168]A timezone setting ("set timezone" command) on a NetScaler appliance running release 11.1 might be lost after you upgrade it to a later release.
  Workaround: Set the required timezone again on the upgraded appliance, by using the "set timezone" command in the NetScaler CLI or the NetScaler GUI.
- [# 697461]A NetScaler appliance is unable to optimize QUIC-based video traffic if pacing policies are bound to the QUIC load balancing virtual server at response time.
  Workaround: Bind the policies to the QUIC load balancing virtual server only at request time.
What's New in Previous NetScaler 12.0 Releases
This section lists the enhancements and changes that were available in NetScaler 12.0 releases prior to Build 56.20. The build number shown before the issue description indicates the build in which the enhancement or change was provided.
- [From Build 35.6] [# 642102]POST and Redirect Bindings Support during Logout
  A NetScaler appliance used as a SAML SP now supports POST and Redirect bindings during logout. Previously, only POST binding was supported.
- [From Build 35.6] [# 642105]SAMLIDP Single Logout Support for Redirect and Post Bindings
  SAMLIDP single logout support for Redirect and Post bindings is now available.
- [From Build 53.22] [# 673799]Support for SHA2 Message Digest on a NetScaler MPX FIPS Appliance
  A NetScaler MPX FIPS appliance functioning as a SAML service provider or a SAML identity provider can now be configured to use the SHA2 algorithms on FIPS hardware.
- [From Build 53.22] [# 681375]Group Attribute Parsing Support from a SAML Assertion
  You can now configure a NetScaler appliance to parse attributes in SAML assertions as group attributes. Parsing them as group attributes enables the appliance to bind policies to the groups. For more information, see http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication.html.
- [From Build 53.22] [# 687628]Audience Restriction Check Support for NetScaler configured as SAML SP
  A NetScaler appliance configured as a SAML service provider can now enforce an audience restriction check. The audience restriction condition evaluates to "Valid" only if the SAML relying party is a member of at least one of the specified audiences. For more information, see http://docs.citrix.com/en-us/netscaler/12/aaa-tm/saml-authentication.html.
- [From Build 53.22] [# 688140, 635174]Support for RSA Private Key Decryption for SAML Operations on a NetScaler MPX FIPS Appliance
  A NetScaler MPX FIPS appliance used as a SAML service provider now supports encrypted assertions.
- [From Build 35.6] [# 651332]VXLAN Support for Admin Partitions
  A partitioned NetScaler appliance now supports the Virtual eXtensible Local Area Network (VXLAN) protocol. A VXLAN can be created in the default partition and bound to any administrative partition. When you extend a VXLAN to a VLAN, binding that VLAN to a partition also binds the VXLAN to the same partition. However, the appliance does not support shared VXLANs and does not allow you to extend a VXLAN to a shared VLAN. For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 652187]Configurable Partition Resource Limit
  When you create an administrative partition, you can now set a partition resource limit (such as memory, bandwidth, or connections) to zero, which specifies that use of the resource is unlimited. The partition can consume up to the system limit. For a previously created partition, you can increase or decrease the limit or set the limit to zero.
- [From Build 35.6] [# 652198]Memory Management in Admin Partitions
  In a partitioned NetScaler appliance, partition connections are now accounted from the partition quota memory. Previously, the connections were accounted from the default partition quota memory.
- [From Build 35.6] [# 655514]Blocking VRRP on Shared VLANs in Admin Partitions
  On a partitioned NetScaler appliance, the Virtual Router Redundancy Protocol (VRRP) is now supported only on non-shared VLANs. It is blocked on shared VLANs (tagged or untagged) bound to a default or an administrative partition. For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 655560]SNMP Traps for Admin Partition Rate Limiting
  On a partitioned NetScaler appliance, the SNMP-RATE-LIMIT alarm can now generate six new SNMP traps to notify that a partition resource (such as connections or memory) has reached its limit or returned to normal. Previously, only three SNMP traps were available for rate limiting partition resources.
  Note: To enable generation of the SNMP trap messages, you must enable the SNMP-RATE-LIMIT alarm on the appliance and then configure the destination device to which the appliance sends the trap messages.
  The threshold and limit values for partition rate limiting are:
  - Highest threshold = 80% (applicable to all partition rate limit traps)
  - Lowest threshold = 60% (applicable to all partition rate limit traps)
  - Memory limit = 95% (applicable only to partition memory traps)
  The six new SNMP traps are:
  - partitionCONNThresholdReached: the number of active connections for a partition exceeds its high threshold.
  - partitionCONNThresholdNormal: the number of active connections is less than or equal to the configured normal threshold percentage.
  - partitionBWThresholdReached: the partition's bandwidth usage reaches the configured high threshold percentage.
  - partitionMEMThresholdReached: the current memory usage of the partition exceeds its high threshold percentage.
  - partitionMEMThresholdNormal: the current memory usage of the partition is less than or equal to the configured normal threshold percentage.
  - partitionMEMLimitExceeded: the current memory usage of the partition exceeds its memory limit percentage.
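The following tracker, an added example rather than NetScaler code, models the six partition traps with the 80% / 60% / 95% values above so that a monitoring team can see which trap a sequence of usage samples produces. It assumes (constructed) that each trap fires once on the crossing and is re-armed only after the matching "Normal" condition, and that the memory-limit trap re-arms once usage drops back to or below the limit.

```python
"""Partition rate-limit trap model (added example; not Citrix code)."""
from typing import Dict, List, Optional, Tuple

HIGH_THRESHOLD = 80    # % of the partition limit, all partition rate-limit traps
NORMAL_THRESHOLD = 60  # % of the partition limit, all partition rate-limit traps
MEMORY_LIMIT = 95      # % of the partition limit, partition memory traps only

# (reached trap, normal trap, limit trap) per resource, as listed in the release note.
# BW has no "Normal" trap and only MEM has a limit trap.
TRAPS: Dict[str, Tuple[str, Optional[str], Optional[str]]] = {
    "CONN": ("partitionCONNThresholdReached", "partitionCONNThresholdNormal", None),
    "BW": ("partitionBWThresholdReached", None, None),
    "MEM": ("partitionMEMThresholdReached", "partitionMEMThresholdNormal",
            "partitionMEMLimitExceeded"),
}


class PartitionTrapTracker:
    """Tracks one partition and reports which traps a usage sample should raise.

    Assumption (constructed): a trap fires once when the threshold is crossed and is
    re-armed only after usage falls back to or below the normal threshold.
    """

    def __init__(self) -> None:
        self._above_high = {resource: False for resource in TRAPS}
        self._above_limit = False  # memory limit state, MEM only

    def observe(self, resource: str, usage_pct: float) -> List[str]:
        """Record one usage sample (percent of the partition limit); return traps fired."""
        reached, normal, limit = TRAPS[resource]
        fired: List[str] = []
        if usage_pct > HIGH_THRESHOLD and not self._above_high[resource]:
            self._above_high[resource] = True
            fired.append(reached)
        elif usage_pct <= NORMAL_THRESHOLD and self._above_high[resource]:
            # Hysteresis: usage between 60% and 80% neither raises nor clears.
            self._above_high[resource] = False
            if normal is not None:
                fired.append(normal)
        if limit is not None:
            if usage_pct > MEMORY_LIMIT and not self._above_limit:
                self._above_limit = True
                fired.append(limit)
            elif usage_pct <= MEMORY_LIMIT:
                self._above_limit = False
        return fired


def replay(samples: List[Tuple[str, float]]) -> List[Tuple[float, str]]:
    """Feed (resource, usage_pct) samples through one tracker; return (usage, trap) pairs."""
    tracker = PartitionTrapTracker()
    emitted: List[Tuple[float, str]] = []
    for resource, pct in samples:
        for trap in tracker.observe(resource, pct):
            emitted.append((pct, trap))
    return emitted


if __name__ == "__main__":
    # Constructed memory-usage sequence: climb past 80%, past 95%, then recover.
    for usage, trap in replay([("MEM", p) for p in (50, 85, 90, 96, 97, 70, 55, 85)]):
        print(f"{usage:5.1f}% -> {trap}")
```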
- [From Build 35.6] [# 628124]Blacklisting Up to One Million URLs by Using URL Sets
  To prevent access to restricted websites, a NetScaler appliance uses a specialized URL matching algorithm. The algorithm uses a URL set that can include up to one million (1,000,000) blacklisted URLs. Each entry can include metadata that defines URL categories and category groups as indexed patterns. The appliance can also periodically download highly sensitive URL sets managed by internet enforcement agencies (with government websites) or independent internet organizations such as the Internet Watch Foundation (IWF). After downloading and importing the URL set, the appliance encrypts it (as required by these agencies) and keeps it confidential so that the entries are not tampered with.
  The NetScaler appliance uses advanced policies to determine whether an incoming URL should be blocked, allowed, or redirected. These policies use advanced expressions to evaluate incoming URLs against blacklisted entries. An entry can include metadata. For entries that have no metadata, you can use an expression that evaluates the URL on the basis of an exact string match. For URLs that have metadata, you can use an expression that evaluates the URL's metadata, in addition to an expression that checks for an exact string match.
- [From Build 35.6] [# 589567]Generate SNMP alarm and log message when application firewall Session limit is reached
  When NetScaler reaches appfw_session_limit and CSRF checks are enabled, the web application freezes. To prevent the web application freeze, decrease the session timeout and increase the session limit by using the following commands:
  From CLI: > set appfw settings -sessiontimeout 300
  From shell: root@ns# nsapimgr_wr.sh -s appfw_session_limit=200000
  Logging and generating an SNMP alarm when appfw_session_limit is reached assists users in troubleshooting and debugging issues.
- [From Build 35.6] [# 656279]Application Firewall GUI - Signature Editor
  When using the signature editor to perform an import and merge operation from the NetScaler GUI, you can now see the new, updated, duplicate, and invalid rules. The signature editor displays the following four new rows:
  1. New Rules
  2. Updated Rules
  3. Duplicate Rules
  4. Invalid Rules
  The output of the New Rules Only and Updated Rules Only filters also appears in the Category filter pane of the Edit window in the signature editor.
- [From Build 35.6] [# 662582]Configure Application Firewall Session Limit Through the CLI
  You can now use the CLI to configure the Application Firewall session limit. Enter the following command:
  set appfw settings -sessionLimit <value>
  Where <value> is the maximum number of sessions allowed for each packet engine. Minimum value: 0. Maximum value: 500000. Default: 100000.
- [From Build 35.6] [# 628136, 623888]SNMP MIB Support for Cluster Nodes
  In a cluster setup, you can now configure the SNMP MIB on any node by including the ownerNode parameter in the set snmp mib command. Without this parameter, the set snmp mib command applies only to the cluster coordinator node. To display the MIB configuration for an individual node other than the cluster coordinator node, include the ownerNode parameter in the show snmp mib command.
- [From Build 35.6] [# 636825]Disabling Steering for Forwarding Sessions in a Cluster Setup
  The default behavior of a NetScaler cluster is to direct the traffic that it receives (flow receiver) to another node (flow processor) that must then process the traffic. This process of directing the traffic from flow receiver to flow processor occurs over the cluster backplane and is called steering. This steering can be an overhead for real time processing or when high latency links are present in the setup. Steering for forwarding sessions can now be disabled so that the processing becomes local to the flow receiver and therefore makes the flow receiver the flow processor. For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 648194]Monitor Static Route (MSR) Support for Inactive Nodes in a Spotted Cluster Configuration
  In a spotted cluster configuration, you can now configure an inactive or spare node to monitor a static route for which the MSR option is enabled. From a SNIP address owned exclusively by an inactive node, the node can send PING and ARP probes to an IPv4 route or ping6 and nd6 probes to an IPv6 route. Previously, only active nodes could monitor a static route.
- [From Build 35.6] [# 655726]VRID/VRID6 Support for Cluster
  When you migrate a high availability (HA) setup to a cluster setup, all configurations must be compatible and must be supportable in the cluster. To achieve this, you can now configure virtual router IDs (VRIDs and VRID6s) on a single-node cluster interface.
- [From Build 35.6] [# 655842]Managing Cluster Heartbeat Messages
  In a cluster configuration, you can now disable the heartbeat option on node interfaces. However, the heartbeat option on the backplane interface cannot be disabled, because it is required for maintaining connectivity among the cluster nodes.
- [From Build 35.6] [# 658631]TFTP Support in a Cluster Setup
  Trivial File Transfer Protocol (TFTP) is now supported in a NetScaler cluster setup. TFTP is a simple form of file transfer protocol and is based on the UDP protocol. TFTP does not provide any security features and is generally used for automated transfer of configuration and boot files between devices in a private network. TFTP support on a NetScaler cluster setup is compliant with RFC 1350. A server listens on port 69 for any TFTP request. The following features are supported:
  * INAT processing compliant with TFTP. If a NetScaler cluster receives a request packet whose destination is port 69 and that matches an INAT rule with the TFTP option enabled, the cluster's processing of the request and the corresponding response is compliant with the TFTP protocol. For an INAT configuration for a TFTP server, only spotted SNIP addresses are supported for the server-side communication.
  * RNAT processing compliant with TFTP. When a request packet generated by a server is destined to a TFTP server, and the packet matches an RNAT rule on a NetScaler cluster, the cluster's processing of the request and the corresponding response from the TFTP server is compliant with the TFTP protocol. In an RNAT configuration of TFTP servers, only spotted NAT IP addresses are supported for the TFTP server-side communication.
- [From Build 35.6] [# 669938]Audit-Log Support in Cluster
  A cluster setup of NetScaler appliances now supports the audit-log feature.
- [From Build 35.6] [# 558993]Support for Wildcard DNS Domains
  You can now use wildcard DNS domains to handle requests for nonexistent domains and subdomains. In a zone, if you want to redirect queries for all nonexistent domains or subdomains to a particular server, you can use wildcards rather than creating a separate Resource Record (RR) for each such domain. The wildcard RRs synthesize the responses to queries for a nonexistent domain or subdomain name. For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 626837]Caching of EDNS0 Client Subnet (ECS) Data when the NetScaler Appliance is in Proxy Mode
  In NetScaler Proxy mode, if a back-end server that supports ECS sends a response containing the ECS option, the NetScaler appliance forwards the response as-is to the client and stores it in the cache, along with the client subnet information. Further DNS requests that are from the same subnet for the same domain, and for which the server would send the same response, are then served from the cache instead of being directed to the server.
- [From Build 35.6] [# 655295]Securing DNS Keys with Passwords on a Partitioned NetScaler Appliance
  You can now secure the DNS keys with passwords on a partitioned NetScaler appliance. Specify the password in the create dns key command, and then specify the same password in the add dns key command when adding the DNS key to the NetScaler appliance.
- [From Build 35.6] [# 664467]Configuring GSLB by Using a Wizard in the NetScaler GUI
  You can now use a wizard to configure the GSLB deployment types (active-active and active-passive) and parent-child topologies. In the NetScaler GUI, navigate to Configuration > Traffic Management > GSLB, and click Get Started. You can also start the GSLB configuration wizard from the dashboard. The dashboard provides the overall status of the GSLB sites participating in GSLB. You can also synchronize the sites and test the GSLB setup from the dashboard. To access the GSLB dashboard, navigate to Configuration > Traffic Management > GSLB > Dashboard. For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 53.22] [# 687192]Support for Higher Number of vCPUs
  With NetScaler Pooled Capacity, the NetScaler VPX instances can be configured for bandwidth licensing up to 100G and 20 vCPUs. With NetScaler Check-in/Check-out licensing, the NetScaler VPX instances can be configured with bandwidth licenses up to 100G.
- [From Build 35.6] [# 346825]SNMP OID for Tracking Persistence Sessions on a Per-Vserver Basis
  The vsvrCurPersistenceSessions (188.8.131.52.4.1.59184.108.40.206.1.1.76) SNMP OID provides the number of current persistence sessions on each virtual server.
- [From Build 35.6] [# 422816]Setting alertRetries to a Value Higher than the Retries Value
  The alertRetries parameter, which specifies the maximum number of consecutive monitoring-probe failures after which the NetScaler appliance generates an SNMP trap called monProbeFailed, can now be set to a value higher than the Retries value (which specifies the maximum number of probes to send to establish the state of a service for which a monitoring probe failed). If the alertRetries value is higher than the Retries value, the SNMP trap is not sent until after the service is DOWN.
  For example, if you set Retries to 3, alertRetries to 12, and the time interval to 5 seconds, the service is marked DOWN after 15 seconds (3*5), but no alert is generated. If the monitor probes are still failing after 60 seconds (12*5), the NetScaler appliance generates a monProbeFailed trap. If a probe succeeds at some time between 15 and 60 seconds, the service is marked UP and no alert is generated.
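The Retries / alertRetries interplay above, worked through as an added simulation that is not NetScaler code. It assumes (constructed) that probes are sent every interval seconds starting at t = interval, that a single successful probe resets the failure count and marks a DOWN service UP again, and that monProbeFailed is raised once per run of consecutive failures; it also covers the case where alertRetries is lower than Retries, which the note does not spell out.

```python
"""Monitor Retries / alertRetries simulation (added example; not Citrix code)."""
from typing import List, Tuple

Event = Tuple[int, str]  # (time in seconds since monitoring started, event name)


def simulate_monitor(probe_results: List[bool], retries: int, alert_retries: int,
                     interval: int) -> List[Event]:
    """Return the DOWN / UP / monProbeFailed events for a sequence of probe outcomes.

    probe_results: True for a successful probe, False for a failed one.
    retries:       consecutive failures after which the service is marked DOWN.
    alert_retries: consecutive failures after which the monProbeFailed trap is sent.
    interval:      seconds between probes (assumption: the first probe is at t = interval).
    """
    consecutive_failures = 0
    service_up = True
    events: List[Event] = []
    for n, ok in enumerate(probe_results, start=1):
        now = n * interval
        if ok:
            # A success resets the counter; the service comes back UP with no alert.
            consecutive_failures = 0
            if not service_up:
                service_up = True
                events.append((now, "UP"))
            continue
        consecutive_failures += 1
        if consecutive_failures == retries:
            service_up = False
            events.append((now, "DOWN"))
        if consecutive_failures == alert_retries:
            # Fires after DOWN when alertRetries > Retries, before DOWN otherwise.
            events.append((now, "monProbeFailed"))
    return events


def worked_example() -> List[Event]:
    """The figures from the release note: Retries 3, alertRetries 12, interval 5 s."""
    return simulate_monitor([False] * 12, retries=3, alert_retries=12, interval=5)


if __name__ == "__main__":
    for t, name in worked_example():
        print(f"t={t:3d}s  {name}")
    # Constructed recovery case: one success at probe 6 cancels the pending alert.
    for t, name in simulate_monitor([False] * 5 + [True], 3, 12, 5):
        print(f"t={t:3d}s  {name}")
```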
- [From Build 35.6] [# 472611]Connection Failover Support for IPv6 Load Balancing ConfigurationsConnection failover support has been extended for IPv6 load balancing configurations. Connection failover helps prevent disruption of access to applications deployed in a distributed environment. In a NetScaler High Availability (HA) setup, connection failover (or connection mirroring) refers to keeping an established TCP or UDP connection active when a failover occurs. The new primary NetScaler appliance has information about the connections established before the failover and continues to serve those connections. After failover, the client remains connected to the same physical server. The new primary appliance synchronizes the information with the new secondary appliance by using the SSF framework. If the L2Conn parameter is set, Layer 2 connection parameters are also synchronized with the secondary.You can set up connection failover in either stateless or stateful mode. In the stateless connection failover mode, the HA nodes do not exchange any information about the connections that fail over. This method has no runtime overhead. In the stateful connection failover mode, the primary appliance synchronizes the data of the failed-over connections with the new secondary appliance. Connection failover is helpful if your deployment has long lasting connections.For example, if you are downloading a large file over HTTP and a failover occurs during the download, the connection breaks and the download is aborted. However, if you configure connection failover in stateful mode, the download continues even after the failover.
- [From Build 35.6] [# 519440]Configuring Backup PersistenceYou can now configure a virtual server to use source IP persistence as the backup persistence type when the primary persistence type is rule-based. If the primary persistence lookup fails, the appliance uses source-IP based persistence when the parameter specified in the rule is missing in the incoming request.For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 564185]Support for RADIUS Shared SecretA shared secret must now be configured in RADIUS load balancing deployments. A RADIUS client and server communicate with each other by using a shared secret that is configured on the client and the server. Transactions between the client and RADIUS server are authenticated through the use of a shared secret. This secret is also used to encrypt some of the information in the RADIUS packet.You can configure a default RADIUS shared secret, or you can configure a shared secret on a per-node basis. The appliance uses the client IP address or the server IP address in the RADIUS packet to decide which shared secret to use.In telco deployments, you must now configure a RADIUS client when you configure a RADIUS listener service. If a shared secret is not configured, the RADIUS message is silently dropped.For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 51.24] [# 675763]RADIUS Interim Message Support for RADIUS-Only ModeRADIUS interim message support has been added for RADIUS-only mode, to treat interim messages as start messages.
- [From Build 51.24] [# 677540] Support for Autofill of username from SAML Service Provider (SP)
A NetScaler appliance used as a SAML Service Provider (SP) with Multi-Factor (nFactor) authentication now prepopulates the user-name field on the login page. The appliance requests a NameID as part of the SAML authentication request, retrieves the NameID value from the response of the NetScaler SAML Identity Provider (IdP), and prepopulates the user-name field with it.
- [From Build 35.6] [# 611690, 570838]Prevent XSS and CSRF Attacks by Disabling Basic AuthenticationAs an administrator or a root user, you can now prevent users from making API calls after using basic authentication (such as one-time credentials) to log on. You can use this feature to prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and other types of attacks.For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 622976] View Individual Counter Information
To view global counters that are not otherwise shown by the NetScaler CLI or the NITRO API, you can now use the following URL format:
URL: http://<NSIP>/nitro/v1/stat/nsglobalcntr?args=counters:<counter1>;<counter2>
Previously, these counter values could be viewed only through the nsconmsg shell command. For more information, see the Citrix NetScaler 12.0 Beta features document.
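A small client for this endpoint, as an added example (not Citrix code). It builds the URL in the documented format, defaults to HTTPS so that the NITRO credentials in the request headers are not sent in clear, rejects counter names that would smuggle a `;` or other URL metacharacter into the `args` value, and checks the NITRO `errorcode` before reading values. Assumptions: NITRO accepts the `X-NITRO-USER`/`X-NITRO-PASS` headers, the counter values come back under a `nsglobalcntr` key, and the counter names and the sample response are constructed for illustration.

```python
"""Query NetScaler global counters through the nsglobalcntr NITRO endpoint.
Added example, not Citrix code. Assumed: X-NITRO-USER/X-NITRO-PASS headers,
and a JSON body {"errorcode":0,...,"nsglobalcntr":{<counter>:<value>,...}}.
"""

import json
import ssl
import urllib.request
from typing import Dict, Optional, Sequence

# Constructed sample response in the assumed shape (counter names are illustrative).
SAMPLE_RESPONSE = (
    '{"errorcode":0,"message":"Done",'
    '"nsglobalcntr":{"tcp_cur_ClientConn":"42","tcp_cur_ServerConn":"7"}}'
)


def build_counter_url(nsip: str, counters: Sequence[str], scheme: str = "https") -> str:
    """Build <scheme>://<NSIP>/nitro/v1/stat/nsglobalcntr?args=counters:c1;c2
    The page shows http://; https is used here so credentials are protected."""
    if not counters:
        raise ValueError("at least one counter name is required")
    for name in counters:
        # Counter names are identifiers; anything else could alter the args value.
        if not name.replace("_", "").isalnum():
            raise ValueError(f"bad counter name: {name!r}")
    return (f"{scheme}://{nsip}/nitro/v1/stat/nsglobalcntr?args=counters:"
            + ";".join(counters))


def parse_counter_response(body: str, counters: Sequence[str]) -> Dict[str, int]:
    """Return {counter: int value}; raise if NITRO reports an error."""
    doc = json.loads(body)
    if doc.get("errorcode", 0) != 0:
        raise RuntimeError(f"NITRO error {doc['errorcode']}: {doc.get('message')}")
    values = doc["nsglobalcntr"]
    return {c: int(values[c]) for c in counters}


def fetch_counters(nsip: str, user: str, password: str, counters: Sequence[str],
                   cafile: Optional[str] = None) -> Dict[str, int]:
    """Live query against an appliance (not exercised offline). Pass the CA that
    signed the NSIP certificate in `cafile`; do not disable verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        build_counter_url(nsip, counters),
        headers={"X-NITRO-USER": user, "X-NITRO-PASS": password, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_counter_response(resp.read().decode("utf-8"), counters)


if __name__ == "__main__":
    names = ["tcp_cur_ClientConn", "tcp_cur_ServerConn"]
    print(build_counter_url("10.0.0.1", names))
    print(parse_counter_response(SAMPLE_RESPONSE, names))
```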
- [From Build 53.22] [# 656533]Ability to Assign Multiple Interfaces to NetScaler CPXYou can now assign dedicated network interfaces to the NetScaler CPX container by using a NetScaler CPX-specific environment variable. The network interfaces that you define are held by the NetScaler CPX container until you uninstall the NetScaler CPX container. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/deploy-using-docker-image-file.html.
- [From Build 51.24] [# 673368]Support for Licensing the NetScaler CPX with Multiple CoresYou can use NetScaler MAS to pool your NetScaler CPX licenses, and use NetScaler MAS as a licensing server. You can use the NetScaler GUI to install licenses in MAS by uploading the license files or using the License Access Codes (LACs) that you purchased from Citrix. If you are provisioning a NetScaler CPX deployment with multiple vCPU cores, each core is allocated a CPX license from the license pool. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/cpx-licensing.html.
- [From Build 51.24] [# 687896]Ability to Control the Throughput Performance of NetScaler CPXWhen a NetScaler CPX container does not receive any incoming traffic to process, it yields CPU cycles, which causes low throughput performance. When provisioning the NetScaler CPX container, you can now use the CPX_CONFIG environment variable to control the throughput performance of the NetScaler CPX container in such cases. For more information, see http://docs.citrix.com/en-us/netscaler-cpx/12/deploy-using-docker-image-file.html.
- [From Build 35.6] [# 572765]PHP Version Upgraded from Version 5.3.17 to 7.0.13PHP has been upgraded from version 5.3.17 to version 7.0.13 on the NetScaler appliance to resolve security vulnerabilities and stability issues with PHP.
- [From Build 35.6] [# 661475]NetScaler GUI Masks Full PathTo enhance security, the NetScaler GUI no longer displays the full path to an admin partition when a file browser is opened for an activity such as SSL certificate installation. Everything except the last part of the path is masked.
- [From Build 35.6] [# 669990] Support for Atomicity in Wizards
The new atomicity feature removes the residual configuration left by an unsuccessful configuration attempt, so that you can successfully reconfigure the entity by using a wizard in Citrix XenMobile, XenApp, NetScaler Gateway, NetScaler Unified Gateway, or GSLB. Previously, co-entities and other unwanted configuration left behind by the unsuccessful attempt caused error messages to appear.
- [From Build 35.6] [# 355523, 634307]Configuring Separate Ports of a RADIUS Server for Accounting and Authentication FunctionalitiesYou can now configure separate ports of a RADIUS server (other than the default ports) for accounting and authentication functionalities.
- [From Build 35.6] [# 378411] Proxy Auto Configuration for Outbound Proxy
You can now configure the NetScaler Gateway appliance to support Proxy Auto Configuration (PAC). Once configured, a PAC file URL is pushed to the client browser, and traffic initiated from the browser is then redirected to the respective proxies according to the conditions defined in the PAC file. For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 51.24] [# 603663]Support for One Time Password (OTP)NetScaler Gateway now supports one-time passwords (OTPs) without having to use a third-party server. In addition to reducing capital and operating expenses, this feature enhances the administrator's control by keeping the entire configuration on the NetScaler appliance.Note that, since third-party servers are no longer needed, the gateway administrator has to configure an interface to manage and validate user devices.To use the OTP feature, a user must be registered with a NetScaler Gateway virtual server. Registration is required only once per unique device, and typically is restricted to certain environments. Configuring validation of a registered user is similar to configuring an additional authentication policy. For more information about this feature, see http://docs.citrix.com/en-us/netscaler-gateway/12/native-otp-support.html
- [From Build 35.6] [# 619596]Support for EPA in GSLB Active-Active deploymentEPA now functions reliably on GSLB Active-Active deployment.
- [From Build 53.22] [# 624091] SNI Support for NetScaler Gateway
A NetScaler Gateway appliance can now be configured to include a Server Name Indication (SNI) extension in the SSL ClientHello sent to the back-end server. The SNI extension lets the back-end server identify the FQDN being requested during the SSL handshake and respond with the matching certificate. Note: Enable SNI support when multiple SSL domains are hosted on the same server. For more information, see http://docs.citrix.com/en-us/netscaler-gateway/12/configuring-server-name-indication-extension.html.
- [From Build 35.6] [# 632624]PCoIP Proxy Support for VMware ViewNetScaler Gateway now supports the PCoIP protocol which is the core building block for several VDI solutions, including VMware Horizon View solution. This enables the solution to deliver desktops and applications and secure data on a variety of endpoint devices more efficiently.For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 635415]Support for Logon Lockdown ControlLogon lockdown control is now supported on a NetScaler cluster. Unsuccessful logon attempts are recorded in a distributed hash table (DHT). The advantage of using the DHT is that both n2n (node to node) and c2c (cluster to cluster) messaging are supported.
- [From Build 35.6] [# 650547, 490670]Support for Logon Lockdown ControlThe User Lockdown Control feature is now available for system role-based access control users on a cluster.
- [From Build 35.6] [# 654943] Support for logging out of a VPN session upon removal of the smart card from the logged-on device
You can now optionally log out of a VPN session when the smart card is removed from the logged-on device.
- [From Build 35.6] [# 659795, 666135]EDT as a Data Transmission Path Support for NetScaler GatewayThe NetScaler Gateway appliance now supports the HDX Enlightened Data Transport (EDT) as a data transmission path. EDT provides a high definition in-session user experience of virtual desktops for users running a Citrix Receiver.
- [From Build 35.6] [# 661832]Logging "Destination IP address" and "ICA Proxy policy name" for Outbound ICA ProxyNow "Destination IP address" and "ICA Proxy policy name" are logged additionally along with other information logged earlier for Outbound ICA Proxy.
- [From Build 35.6] [# 665828] Support for SAML ForceAuthn Parameter and Artifact Binding (when NetScaler is SP) using GET HTTP Method
The NetScaler SAML SP (Service Provider) module now sends an additional attribute, ForceAuthn, in the authentication request to the external IdP (Identity Provider). By default, ForceAuthn carries the value 'false'. It can be set to 'true' as a hint to the IdP to re-authenticate the user even if an authentication context already exists. Additionally, when configured with artifact binding, the NetScaler SP sends the authentication request in the query string (HTTP GET).
- [From Build 35.6] [# 671380] Inter-operability with OAuth
NetScaler Gateway can now process JSON Web Tokens (JWT) during logon. The Gateway must be configured with an OAuth action that contains the URL from which it fetches the certificates used to verify incoming JWTs. This enables the Gateway to interoperate with OAuth providers.
- [From Build 35.6] [# 671878]Multi-Stream ICA Functionality Support for EDTNetScaler Gateway now supports multi-stream ICA functionality while using HDX Enlightened Data Transport (EDT) as a data transmission path.
- [From Build 51.24] [# 679998, 682798]Support for End-point analysis and VPN plugins for FirefoxEnd-point analysis and VPN plug-ins get launched from Firefox browser, build 52.0 or later, even though the browser no longer supports NPAPI plug-ins.
NetScaler SDX Appliance
- [From Build 51.24] [# 684417]Support for FQDN as External Server NameFor LDAP and RADIUS servers, you can now use Fully Qualified Domain Names (FQDNs) to specify external servers. Previously you had to specify IP addresses for all external servers.For more information, see http://docs.citrix.com/en-us/sdx/12/configuring-management-service/configuring-external-authentication-server.html.
NetScaler Secure Web Gateway
- [From Build 51.24] [# 653661] Support for a new product called NetScaler Secure Web Gateway
The NetScaler Secure Web Gateway (SWG) implementation supports the following features:
* SSL Interception - Intercept HTTPS traffic and apply policies to enforce compliance rules and security checks. Traffic is intercepted, blocked, or bypassed on the basis of the configured policies.
* Forward Proxy - Support for transparent and explicit proxy modes. In explicit proxy mode, the IP address and port of a proxy server configured on the SWG appliance must be specified in the client's browser (unless the organization pushes the setting to the client's device); all client requests are sent to that address. In transparent proxy mode, no proxy is configured on the client's device; the SWG appliance is deployed inline and transparently accepts all HTTP and HTTPS traffic.
* Identity Management - Tag traffic with the user who generated it so that administrators can take user-based actions. Either authentication is explicitly enabled, or user information is extracted from Active Directory and tagged to the traffic.
* URL Threat Intelligence - Categorize internet sites so that compliance policies around internet usage can be enforced more effectively. URL threat intelligence also provides a reputation score for the URLs being accessed, to protect users from exposure to harmful (malware or phishing) internet sites. You can also deploy custom URL lists managed by independent internet organizations, such as the Internet Watch Foundation (IWF), or create URL blacklists and whitelists by using pattern sets.
* Analytics - Transaction-level records are exported from Secure Web Gateway to NetScaler MAS by using the Logstream transport mechanism. In NetScaler MAS, the User Behaviour Analytics dashboard displays per-user internet-usage information and transaction-level details. From the Outbound Traffic Dashboard, you can view overall network details and the top websites in terms of bandwidth consumption.
Using these features, an administrator can protect the enterprise network from web-borne malware by defining policies to:
- Block access to URLs identified as serving harmful content.
- Identify end users in the enterprise (employees) who access malicious websites, and categorize them as high-risk users.
For more information about this feature, see http://docs.citrix.com/en-us/netscaler-secure-web-gateway/12.html.
Important! Secure Web Gateway requires its own platform license. Contact your local Citrix sales representative to purchase your license.
NetScaler VPX Appliance
- [From Build 51.24] [# 432348, 432345, 487534] Support for AWS Auto Scaling Service
AWS Auto Scaling is now supported on VPX instances. For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-aws/configuring-aws-auto-scaling-service.html.
- [From Build 35.6] [# 617478]Support for Key-Pair Based AuthenticationFor VPX deployment on KVM OpenStack, you can now use key-pair based authentication to log on and access a VPX instance in a more secure way. You can also execute custom scripts with a userdata file.For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 51.24] [# 625698] Two New Commands to Control CPU Usage Behavior
Two new commands, set ns vpxparam and show ns vpxparam, control the CPU-usage behavior of VPX instances in VMware ESX and Citrix XenServer environments:
1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)
Allows each VM to use CPU resources that have been allocated to another VM but are not being used. The -cpuyield parameter releases, or does not release, allocated but unused CPU resources:
  - YES: Allow allocated but unused CPU resources to be used by another VM.
  - NO: Reserve all CPU resources for the VM to which they have been allocated. With this option the hypervisor reports a higher VPX CPU-usage percentage.
  - DEFAULT: NO
Note: On all NetScaler VPX platforms, the vCPU usage on the host system is 100 percent. Run the set ns vpxparam -cpuyield YES command to override this behavior.
2. show ns vpxparam
Displays the current vpxparam settings.
- [From Build 35.6] [# 625698] Two New Commands to Control CPU Usage Behavior
Two new commands, set ns vpxparam and show ns vpxparam, control the CPU-usage behavior of VPX instances in VMware ESX and Citrix XenServer environments:
1. set ns vpxparam -cpuyield (YES | NO | DEFAULT)
Allows each VM to use CPU resources that have been allocated to another VM but are not being used. The -cpuyield parameter releases, or does not release, allocated but unused CPU resources:
  - YES: Allow allocated but unused CPU resources to be used by another VM.
  - NO: Reserve all CPU resources for the VM to which they have been allocated.
  - DEFAULT: Reset -cpuyield to its factory default value, which depends on the license:
    - If the license is 8 Gbps or less, release CPU resources.
    - If the license is more than 8 Gbps, use all the CPU resources allocated to the VM.
2. show ns vpxparam
Displays the current vpxparam settings.
- [From Build 35.6] [# 643974]Support for VMware ESXi 6.5 serverNetScaler VPX appliances now support VMware ESXi 6.5 server.
- [From Build 35.6] [# 660055]Support for High-Performance VPX on OpenStackYou can now deploy high-performance NetScaler VPX instances that use single-root I/O virtualization (SR-IOV) technology, on OpenStack. Also, on the OpenStack host, you can configure VLAN tagging on the SR-IOV virtual functions.For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 53.22] [# 673928]Support for SR-IOV Interfaces for NetScaler VPX Instances on AWSAfter you have created a NetScaler virtual instance on AWS, you can use the AWS CLI to configure the virtual appliance to use SR-IOV network interfaces. For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-aws/Config-NS-VPX-SRIOV-AWS.html
- [From Build 53.22] [# 675920]Active/Passive Multi-NIC Multi-IP HA-INC Deployment on AzureYou can deploy a NetScaler VPX pair with multiple IP addresses and network interfaces in active/passive high availability (HA) Independent Network Configuration (INC) mode. Use the new Citrix NetScaler HA template on Azure for deployment, or use Windows PowerShell commands.For more information, see the following topics:http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure/configuring-multiple-azure-nics-ip-for-vpx-in-ha-mode.htmlhttp://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure/configuring-gslb-active-standby-ha-deployment-azure.html
- [From Build 53.22] [# 679513]SR-IOV Support with Intel X710 10G and XL710 40G NICsYou can now configure a NetScaler VPX appliance to use single-root I/O virtualization (SR-IOV) technology with Intel X710 10G and XL710 40G NICs.For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/configure-SR-IOV-KVM.html
- [From Build 53.22] [# 682999]OVS DPDK for NetScaler VPX Instances Running on KVMYou can configure a NetScaler VPX instance running on KVM to use Open vSwitch (OVS) with the Data Plane Development Kit (DPDK). This configuration provides better network performance. Also, certain NetScaler VPX deployments require the VPX host on KVM to operate on the vhost user ports exposed by OVS rather than the standard MacVTap-based vhost interfaces.For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/configure-ovs-dpdk-kvm.html.
- [From Build 51.24] [# 683144, 644004]Support for Subscription-Based Licensing ModelA subscription based licensing model is now supported for NetScaler VPX in the Azure Marketplace. When creating a NetScaler VPX instance on Azure, you can choose either subscription (pay by hour) or Bring Your Own License (BYOL).For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/deploy-vpx-on-azure.html.
- [From Build 51.24] [# 684408] Support for NetScaler Pooled Capacity Licensing Framework
The NetScaler pooled-capacity licensing framework is now supported on Microsoft Azure, Hyper-V, and Amazon Web Services. A pooled-capacity enabled NetScaler VPX instance can check out licenses from a bandwidth pool of any NetScaler software edition (Platinum/Enterprise/Standard) hosted on and served by a NetScaler MAS server. The bandwidth pool is the total bandwidth that can be shared by NetScaler instances. You can dynamically modify the bandwidth of a VPX instance as appropriate for the available pool. For more information, see http://docs.citrix.com/en-us/netscaler-mas/12/netscaler-pooled-capacity.html.
- [From Build 53.22] [# 690684]Auto-Provision a NetScaler VPX Instance by Using Virtual Machine ManagerYou now have the option to auto-provision a NetScaler VPX instance by using the Virtual Machine Manager. If auto-provisioning is enabled, the IP address, gateway, and netmask are automatically assigned to the instance during initial setup. If auto-provisioning is not enabled, you must provide the networking configuration manually.For more information, see http://docs.citrix.com/en-us/netscaler/12/deploying-vpx/install-vpx-on-kvm/provision-on-kvm-using-vmm.html
- [From Build 53.22] [# 691005]NetScaler VPX Check-In/Check-Out Licensing Support for New LicensesYou can now purchase and use the new 10Gbps+ NetScaler VPX Check-In/Check-Out Licenses for NetScaler VPX instances deployed on any supported hypervisors, and for instances used in cloud deployments. The newly supported licenses include 10Gbps, 15Gbps, 25Gbps, 40Gbps and 100Gbps versions of the Standard, Enterprise, and Platinum editions.
- [From Build 51.24] [# 647447] Support for Bidirectional Forwarding Detection Protocol
Bidirectional Forwarding Detection (BFD) is a mechanism for fast detection of forwarding-path failures; it detects path failures in the order of milliseconds and is used in conjunction with dynamic routing protocols. In BFD operation, routing peers exchange BFD packets at a negotiated interval. If a packet is not received from a peer within the negotiated interval plus the grace interval, the peer is considered dead and a notification is sent to the set of registered routing protocols, which in turn recalculate the best path and reprogram the routing table. BFD supports smaller time intervals than the timers provided by the routing protocols themselves, resulting in faster failure detection. The NetScaler appliance supports BFD for the following routing protocols: BGP (IPv4 and IPv6), OSPFv2 (IPv4), and OSPFv3 (IPv6). BFD support in the NetScaler appliance is compliant with RFCs 5880, 5881, and 5883. For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/networking/ip-routing/configuring-dynamic-routes/configuring-bidirectional-forwarding-detection.html.
- [From Build 35.6] [# 657315] IPv6 Virtual Router Redundancy Protocol Support for a Cluster Setup
The IPv6 Virtual Router Redundancy Protocol (VRRP6) is now supported on a cluster setup. The following two VRRP6 features are supported on a cluster setup:
* Interface-based VRRP6: This feature applies only to a two-node cluster in which one node is active and the other is spare. The same VMAC address is configured on both nodes of the cluster setup and is used in GARP advertisements and ARP responses for the IPv6 addresses configured on a node. This is useful in an active-spare two-node cluster whose external devices or routers do not accept GARP advertisements: because both cluster nodes share the VMAC address, when the active node goes down and the spare node takes over, the MAC address for the IP addresses on the new active node remains unchanged and the ARP tables on the external devices or routers do not need to be updated.
* IP-based VRRP6: Striped VIP6 addresses bound to the same VRID6 are configured on all nodes of the cluster setup, and are active on all nodes. One of the cluster nodes acts as the VRID6 owner and sends the VRRP6 advertisements to the other nodes. If the VRID6 owner node fails, another node in the cluster assumes ownership of the VRID6 and starts sending VRRP6 advertisements.
- [From Build 51.24] [# 672953]Removing RNAT SessionsYou can remove any unwanted or inefficient RNAT sessions from the NetScaler appliance. The appliance immediately releases resources (such as a port of the NAT IP address, and memory) allocated for these sessions, making the resources available for new sessions. The appliance also drops all the subsequent packets related to these removed sessions. You can remove all or selected RNAT sessions from the NetScaler appliance.For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/networking/ip-addressing/configuring-network-address-translation/configuring-rnat.html.
- [From Build 51.24] [# 677829] Using the Client IP address in the Outer Header of Tunnel Packets in DSR IP tunneling mode
The NetScaler appliance now supports using the client IP address as the source IP address in the outer header of tunnel packets for direct server return (DSR) mode with IP tunneling. This feature is supported for DSR with IPv4 and for DSR with IPv6 tunneling. To enable it, enable the "use client source IP address" parameter for IPv4 or IPv6. The setting applies globally to all DSR configurations that use IP tunneling. For more information about this feature, see the section "Using the Client IP address in the Outer Header of Tunnel Packets" at http://docs.citrix.com/en-us/netscaler/12/load-balancing/load-balancing-dsrmode-tos-ipoverip.html.
- [From Build 51.24] [# 679999]Increase in Maximum Value for VRRP Dead IntervalIn an active-active setup of NetScaler appliances using Virtual Router Redundancy Protocol (VRRP), VRRP dead interval is the time interval after which the master VIP address is marked down if the VRRP advertisements are not received from the node of the master VIP address.The maximum value that can be set for VRRP dead interval has been increased from 3 to 60 seconds.
- [From Build 53.22] [# 599575]Support for Pooled LicensingNetScaler MPX 115xx models are now supported with pooled licensing. For more information about pooled licensing, see http://docs.citrix.com/en-us/netscaler-mas/12/netscaler-pooled-capacity.html.
- [From Build 35.6] [# 579751] Support for AES-GCM and SHA2 Ciphers at the Front End of MPX/SDX 14000 FIPS Appliances
The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the front end. The following AES-GCM and SHA2 ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:
  - TLS1.2-AES256-GCM-SHA384
  - TLS1.2-AES128-GCM-SHA256
  - TLS1.2-ECDHE-RSA-AES256-GCM-SHA384
  - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
  - TLS1.2-AES-256-SHA256
  - TLS1.2-AES-128-SHA256
- [From Build 35.6] [# 592833, 498222, 590397] Support for New FIPS Platform
This release supports the MPX 14000 FIPS platform, a high-end platform containing 63 crypto cores, available in the following models:
  Model number    | System throughput
  MPX 14030 FIPS  | 30 Gbps
  MPX 14060 FIPS  | 60 Gbps
  MPX 14080 FIPS  | 80 Gbps
For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 597890] Support for New SDX FIPS Platform
This release supports the SDX 14000 FIPS platform, a high-end platform containing 63 crypto cores, available in the following models:
  Model number    | System throughput
  SDX 14030 FIPS  | 30 Gbps
  SDX 14060 FIPS  | 60 Gbps
  SDX 14080 FIPS  | 80 Gbps
For more information, see http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/configuring-SDX-14030-14060-14080-fips-appliance.html.
- [From Build 35.6] [# 611983] Support for AES-GCM and SHA2 Ciphers at the Back End of MPX/SDX 14000 FIPS Appliances
The NetScaler MPX/SDX 14000 FIPS appliance now supports AES-GCM and SHA2 ciphers at the back end. The following AES-GCM and SHA2 ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:
  - TLS1.2-AES256-GCM-SHA384
  - TLS1.2-AES128-GCM-SHA256
  - TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
  - TLS1.2-AES-256-SHA256
  - TLS1.2-AES-128-SHA256
- [From Build 35.6] [# 636384, 651353] Support for HTTP strict transport security (HSTS)
NetScaler appliances now support HTTP Strict Transport Security (HSTS) as a built-in option in SSL profiles and on SSL virtual servers. With HSTS, a server instructs clients to use HTTPS for all subsequent communication with it; that is, the site can be accessed only over HTTPS. HSTS support is required for an A+ rating from SSL Labs. You can enable HSTS in an SSL front-end profile or on an SSL virtual server. The max-age header value specifies how long the policy remains in force for that client, and you can also specify whether subdomains are included. For more information, see the Citrix NetScaler 12.0 Beta features document.
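Enabling HSTS on the appliance is only half the job; the header the client actually receives is what a scanner grades. The following added example (not NetScaler code) parses a Strict-Transport-Security header the way a client or scanner would and grades it, distinguishing a missing header, `max-age=0` (which tells browsers to forget the policy), a short max-age, and a long max-age with and without `includeSubDomains`. The 180-day (15552000 s) threshold is the commonly cited SSL Labs minimum for A+ and is an assumption here; the header strings are constructed, and the `set ssl vserver` syntax in the comment is assumed.

```python
"""Parse and grade an HSTS response header. Added example, not NetScaler code.
The corresponding appliance setting is assumed to look like:
    set ssl vserver <vs> -HSTS ENABLED -maxage 15552000 -IncludeSubdomains YES
"""

from typing import Dict, Optional, Tuple

LONG_MAX_AGE = 15552000  # 180 days; assumed A+ threshold, adjust to your scanner's rule


def parse_hsts(header: Optional[str]) -> Dict[str, object]:
    """Parse 'max-age=N; includeSubDomains; preload' into a dict.
    Directive names are case-insensitive (RFC 6797); quotes around the
    max-age value are tolerated. Returns {} for an absent header."""
    result: Dict[str, object] = {}
    if header is None:
        return result
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"malformed max-age: {value!r}")
            result["max-age"] = int(value)
        else:
            result[name] = True
    return result


def grade_hsts(header: Optional[str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one header value."""
    try:
        d = parse_hsts(header)
    except ValueError as exc:
        return "weak", str(exc)
    if "max-age" not in d:
        return "missing", "no HSTS header or no max-age directive"
    max_age = int(d["max-age"])
    if max_age == 0:
        return "disabled", "max-age=0 tells browsers to forget the policy"
    if max_age < LONG_MAX_AGE:
        return "weak", f"max-age {max_age} is below {LONG_MAX_AGE}"
    if not d.get("includesubdomains"):
        return "ok", "long max-age, but subdomains are not covered"
    return "strong", "long max-age and includeSubDomains"


if __name__ == "__main__":
    # Constructed header values, from the weak setting to the corrected one.
    for h in (None, "max-age=0", "max-age=300", "max-age=31536000",
              "max-age=31536000; includeSubDomains; preload"):
        print(repr(h), "->", grade_hsts(h))
```

Run it against the header returned by the virtual server after the change (for example from `curl -sI https://<vip>/`) to confirm the appliance emitted what you configured.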
- [From Build 35.6] [# 651524] Support for ECDHE Ciphers at the Front End and Back End on NetScaler MPX/SDX 14000 FIPS Appliances
Citrix NetScaler MPX/SDX 14000 FIPS appliances now support the ECDHE cipher group. The following ciphers are supported at the front end of the MPX/SDX 14000 FIPS appliance:
  - TLS1-ECDHE-RSA-AES256-SHA
  - TLS1-ECDHE-RSA-AES128-SHA
  - TLS1.2-ECDHE-RSA-AES-256-SHA384
  - TLS1.2-ECDHE-RSA-AES-128-SHA256
  - TLS1-ECDHE-RSA-DES-CBC3-SHA
The following ciphers are supported at the back end of the MPX/SDX 14000 FIPS appliance:
  - TLS1-ECDHE-RSA-AES256-SHA
  - TLS1-ECDHE-RSA-AES128-SHA
  - TLS1.2-ECDHE-RSA-AES-128-SHA256
  - TLS1-ECDHE-RSA-DES-CBC3-SHA
Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment. It is also very useful in an interactive voice response environment, where every millisecond counts. Smaller key sizes result in power, memory, bandwidth, and computational cost savings. The following ECC curves are supported: P_256, P_384, P_224, and P_521. By default, all four curves are bound to an SSL virtual server.
- [From Build 35.6] [# 651814]Support for a Hybrid FIPS Mode on the MPX 14000 FIPS PlatformThe new MPX 14000 FIPS platform contains one primary card and one or more secondary cards. If you enable the hybrid FIPS mode, the pre-master secret decryption commands are run on the primary card because the private key is stored on this card, but the bulk encryption and decryption is offloaded to a secondary card. This significantly increases the bulk encryption throughput on a MPX 14000 FIPS platform as compared to non-hybrid FIPS mode and the existing MPX 9700/10500/12500/15000 FIPS platform. Enabling the hybrid FIPS mode also increases the SSL transactions per second on this platform.For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 53.22] [# 669508]Recording the time taken for an SSL handshake in the syslogThe time taken for an SSL handshake to complete can now be recorded in the system log (syslog). To do this, set the log level in the syslog parameters to All.
- [From Build 53.22] [# 669514]Secure Implementation of Session TicketsYou can now secure session tickets by using a symmetric key to encrypt them. Additionally, to achieve forward secrecy, you can specify a time interval at which the session-ticket key is refreshed. Session-ticket keys can be generated by the appliance, or you can manually enter session-ticket key data. Entering this data manually is helpful in HA or cluster deployments so that the appliances can decrypt each other's session tickets.For more information about this enhancement, see http://docs.citrix.com/en-us/netscaler/12/ssl/customize-ssl-config/secure-implementation-of-session-tickets.html.
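The property that key refresh buys is that a ticket sealed under a retired key can no longer be opened, so a later compromise of the current key does not expose earlier sessions. The following is an added example, not NetScaler's implementation: it models a ticket key ring with a fixed rotation depth, seals session state under the current key, and shows that tickets survive one rotation (the predecessor is kept so connections resumed just after a refresh still work) but fail after the key drops out of the ring. To stay within the standard library it uses HMAC-SHA256 both as a CTR-style keystream and as the authentication tag; a production implementation would use an AEAD. `rotate()` also accepts explicit key material, which is the "manually entered key data" case that lets every HA or cluster node open the others' tickets. Session data is constructed.

```python
"""Model of session-ticket protection with a rotating symmetric key.
Added example, not NetScaler code. Encryption here is HMAC-SHA256 used as a
keystream plus an HMAC tag (encrypt-then-MAC); only the key-lifecycle
behaviour is the point of the example."""

import hashlib
import hmac
import os
from collections import OrderedDict
from typing import Optional

KEEP_KEYS = 2       # current key plus one predecessor (assumed rotation depth)
KEY_ID_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32


class TicketKeyRing:
    def __init__(self, keep: int = KEEP_KEYS):
        self.keep = keep
        self.keys: "OrderedDict[bytes, bytes]" = OrderedDict()   # key_id -> 32-byte secret
        self.rotate()

    def rotate(self, key_id: Optional[bytes] = None, secret: Optional[bytes] = None) -> bytes:
        """Install a new current key and forget the oldest beyond `keep`.
        Pass key_id/secret to load identical key data on every HA/cluster node."""
        key_id = key_id or os.urandom(KEY_ID_LEN)
        secret = secret or os.urandom(32)
        if len(key_id) != KEY_ID_LEN or len(secret) != 32:
            raise ValueError("key_id must be 8 bytes and secret 32 bytes")
        self.keys[key_id] = secret
        while len(self.keys) > self.keep:
            self.keys.popitem(last=False)       # retired key: its tickets become unopenable
        return key_id

    @property
    def current(self) -> bytes:
        return next(reversed(self.keys))

    @staticmethod
    def _subkey(secret: bytes, label: bytes) -> bytes:
        return hashlib.sha256(label + secret).digest()   # separate enc and mac keys

    @staticmethod
    def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def seal(self, session_state: bytes) -> bytes:
        """Ticket layout: key_id || nonce || ciphertext || tag."""
        key_id = self.current
        secret = self.keys[key_id]
        nonce = os.urandom(NONCE_LEN)
        ks = self._keystream(self._subkey(secret, b"enc"), nonce, len(session_state))
        ct = bytes(a ^ b for a, b in zip(session_state, ks))
        tag = hmac.new(self._subkey(secret, b"mac"), key_id + nonce + ct, hashlib.sha256).digest()
        return key_id + nonce + ct + tag

    def open(self, ticket: bytes) -> Optional[bytes]:
        """Return the session state, or None if the key is gone or the tag fails."""
        if len(ticket) < KEY_ID_LEN + NONCE_LEN + TAG_LEN:
            return None
        key_id = ticket[:KEY_ID_LEN]
        nonce = ticket[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
        ct, tag = ticket[KEY_ID_LEN + NONCE_LEN:-TAG_LEN], ticket[-TAG_LEN:]
        secret = self.keys.get(key_id)
        if secret is None:
            return None                          # key rotated out of the ring
        expect = hmac.new(self._subkey(secret, b"mac"), key_id + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None                          # tampered or wrong key data
        ks = self._keystream(self._subkey(secret, b"enc"), nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


if __name__ == "__main__":
    ring = TicketKeyRing()
    t = ring.seal(b"constructed session state")   # constructed sample data
    ring.rotate()
    print("after 1 rotation:", ring.open(t))
    ring.rotate()
    print("after 2 rotations:", ring.open(t))    # None: key retired
```

The refresh interval you configure on the appliance is the rotation cadence in this model; the shorter it is, the smaller the window in which a leaked key can be used to decrypt recorded sessions, at the cost of more clients falling back to a full handshake.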
- [From Build 35.6] [# 352233, 235321, 559207, 604165, 615657]Option to Allocate an Extra Management CPUAccording to your requirement, now you can allocate an extra management CPU from packet engine pool in the NetScaler MPX appliance, and achieve better performance for configuring and monitoring of your appliance. This feature is supported in NetScaler MPX models 250xxx, 220xxx, 14xxx, 115xx.
- [From Build 35.6] [# 415808]Configuring HMAC Keys for PI FunctionA new parameter of the ns hmackey command specifies the HMAC key value. A NetScaler default syntax policy expression uses the HMAC () function to compute a Hash-based Message Authentication Code on selected text. This function is derived from the RFC 2104 technique to authenticate the sender of a message and verify that the contents of the message have not been altered. To set this value, type:HMAC (<keyValue>)The HMAC key value specifies the digest method and the shared secret key to be used for the HMAC computation.
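What the HMAC() expression computes is the RFC 2104 construction: the key is padded to the digest's block size, XORed with the inner and outer pad constants, and the digest is applied twice. The following added example (not NetScaler code) implements that construction from first principles for any hashlib digest, checks it against the standard library, and shows the constant-time comparison a verifier should use; the test vector is RFC 4231 test case 2 (key "Jefe"), other inputs are constructed.

```python
"""HMAC per RFC 2104, written out so each step is visible.
Added example, not NetScaler code. `digest` is the digest method name and
`key` the shared secret, the two things the ns hmackey value specifies."""

import hashlib
import hmac


def hmac_rfc2104(key: bytes, message: bytes, digest: str = "sha256") -> bytes:
    """H((K' xor opad) || H((K' xor ipad) || message)) with K' the padded key."""
    block_size = hashlib.new(digest).block_size
    if len(key) > block_size:
        key = hashlib.new(digest, key).digest()      # long keys are hashed first
    key = key.ljust(block_size, b"\x00")             # then zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(digest, ipad + message).digest()
    return hashlib.new(digest, opad + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes, digest: str = "sha256") -> bool:
    """Constant-time check, so a forger learns nothing from timing."""
    return hmac.compare_digest(hmac_rfc2104(key, message, digest), tag)


def matches_stdlib(key: bytes, message: bytes, digest: str = "sha256") -> bool:
    """Cross-check the hand-written construction against hmac.new()."""
    return hmac_rfc2104(key, message, digest) == hmac.new(key, message, digest).digest()


if __name__ == "__main__":
    # RFC 4231 test case 2
    print(hmac_rfc2104(b"Jefe", b"what do ya want for nothing?").hex())
    print(matches_stdlib(b"\xaa" * 131, b"long key", "sha512"))
```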
- [From Build 51.24] [# 637763]Call Home Support for NetScaler Services in Citrix Service Provider (CSP) Deployments
  In a Citrix Service Provider (CSP) environment where NetScaler services are deployed on VPX instances, the call home feature can now monitor and track the license specific information and securely send it to Citrix Insight Services (CIS). The CIS in turn sends the information to the License Usage Insights (LUI) portal for accounting purposes and for CSP customers to review their license usage. Currently, CSP environments support NetScaler services on VPX instances only, not on MPX or SDX appliances. The VPX instances can be deployed in either standalone or high availability mode. For more information about this feature, see http://docs.citrix.com/en-us/netscaler/12/system/configuring-call-home.html.
- [From Build 35.6] [# 646498, 350115]Displaying MPTCP Statistics
  The new "stat mptcp" command displays statistical information about MPTCP counters, including counters for total MPTCP traffic, current traffic, and erroneous traffic flowing through the NetScaler appliance. For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 651196]Configuring SYN-Cookie Timeout Interval
  In addition to the SYN Cookie setting in the TCP profile, a NetScaler appliance now maintains a second SYN Cookie setting for each virtual server. This enhancement is especially important for cluster deployments. To protect the appliance against SYN attacks, the SYN Cookie parameter in the TCP profile is enabled by default. Previously, if you disabled it, its value would toggle to ENABLED if a SYN attack was detected. If the appliance was deployed in a cluster, the cluster configuration would become inconsistent until the parameter was toggled back to the DISABLED state after the attack. Now, the SYN Cookie parameter is enabled and disabled only for the virtual server that detects the SYN attack.
  Note: A SYN attack does not enable the SYN Cookie parameter for a virtual server unless the SYN Cookie parameter in the TCP profile is set to DISABLED. For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 652210]Protection Against Wrapped Sequence (PAWS) Algorithm
  On a NetScaler appliance, you can now enable the TCP timestamp option in the default TCP profile to use the Protection Against Wrapped Sequence (PAWS) algorithm. The algorithm can identify and discard old packets whose sequence numbers are within the current TCP connection's receive window because the sequence has "wrapped" (reached its maximum value and restarted from 0). For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 35.6] [# 653154]HTTP version 2 Protocol Support for Plaintext
  A NetScaler appliance now supports the HTTP version 2 (HTTP/2) protocol for plaintext messaging. The appliance advertises the service availability to its clients by including an Alt-Svc field in its response so that the client can directly send a subsequent HTTP/2 request instead of an HTTP 1.1 or HTTP/2 upgrade request. Previously, the appliance supported plaintext messaging only as an upgrade request in HTTP version 1.1.
- [From Build 35.6] [# 655515]Configuring Heartbeat Time Interval for Call Home
  The Call Home feature periodically reports the latest status of the NetScaler appliance to Citrix Technical Support servers. The report has the same content as the registration message. Previously, Call Home sent the report once every 30 days, but you can now specify a time interval of 1 to 30 days. However, a value of less than 5 days is not recommended, because the frequent uploads are usually not very useful.
- [From Build 35.6] [# 656569]Monitoring Rate Limit Errors in Call Home
  The NetScaler Call Home feature can now monitor rate-limiting packet drops caused by exceeding either the throughput (Mbps or Gbps) limit or the packets-per-second (pps) limit.
- [From Build 35.6] [# 658393, 204279, 658859]Encrypting user passwords by using SHA-512
  For enhanced security, the NetScaler appliance now uses the SHA-512 hashing algorithm to protect stored user passwords.
  Note: A user to which both of the following conditions apply cannot log on:
  1. The user is added, or the user's credentials are modified.
  2. The NetScaler software is then downgraded to an earlier build, but the modified configuration file (ns.conf) is used.
- [From Build 35.6] [# 659649]Audit-log Support for Admin Partitions
  A partitioned NetScaler appliance now supports audit logging for non-default partitions by using advanced (PI) policies. Previously, you could configure the audit-log feature only in a default partition, not in administrative partitions.
- [From Build 35.6] [# 660828]Configuring TCP Burst Control Parameters by using NetScaler GUI
  The following TCP Burst Control parameters are now configurable through either the NetScaler GUI or the command line interface. Previously, you could configure these parameters only through the command line interface:
  - BurstRateCntrl
  - CreditBytePrms
  - RateBytePerms
  - RateSchedulerQ
- [From Build 35.6] [# 664057]Silently Dropping Idle TCP Connections
  In a Telco network, almost 50 percent of a NetScaler appliance's TCP connections become idle, and the appliance sends RST packets to close them. The packets sent over radio channels activate those channels unnecessarily, causing a flood of messages that in turn cause the appliance to generate a flood of service reject messages. The default TCP profile now includes DropHalfClosedConnOnTimeout and DropEstConnOnTimeout parameters, which by default are disabled. If you enable both of them, neither a half-closed connection nor an established connection causes an RST packet to be sent to the client when the connection times out. The appliance just drops the connection. For more information, see the Citrix NetScaler 12.0 Beta features document.
- [From Build 53.22] [# 496832, 677632]IPFIX Logging Support for Large Scale NAT
  The NetScaler appliance supports sending information about LSN events in Internet Protocol Flow Information Export (IPFIX) format to the configured set of IPFIX collectors. The appliance uses the existing AppFlow feature to send LSN events in IPFIX format to the IPFIX collectors. IPFIX based logging of LSN events is available for the following events in the context of NAT44, NAT64, and Dual-Stack Lite:
  * Creation or deletion of an LSN session.
  * Creation or deletion of an LSN mapping entry.
  * Allocation or de-allocation of port blocks in the context of deterministic NAT.
  * Allocation or de-allocation of port blocks in the context of dynamic NAT.
  * Whenever the subscriber session quota is exceeded.
  For more information about IPFIX logging for large scale NAT44, see the IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn-logging-monitoring.html.
  For more information about IPFIX logging for dual-stack lite, see the IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/dual-stack-lite/logging-monitoring-DS-Lite.html.
  For more information about IPFIX logging for large scale NAT64, see the IPFIX Logging section in http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-nat-64/log-monitor-largescale-nat64.html.
- [From Build 53.22] [# 628121]URL Filtering for Telco Mobile Networks
  The new NetScaler URL Filtering feature for telco mobile networks provides policy based control of websites by using information contained in a URL. The feature helps administrators monitor and comply with government mandated safe internet usage policies on mobile networks. As an administrator, you can filter websites by using either the URL Categorization feature or the URL List feature.
  URL Categorization. Controls access to websites and web pages by filtering traffic on the basis of a predefined list of categories.
  URL List. Controls access to blacklisted websites and web pages by denying access to URLs contained in a URL set imported into the appliance.
  For more information, see http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/url-filtering.html
- [From Build 35.6] [# 635880]Large Scale NAT64 SIP and RTSP ALGs Support for 464XLAT Connections
  NetScaler appliances now support Large Scale NAT64 RTSP and SIP ALGs for 464XLAT connections that use Large Scale NAT64. For a 464XLAT SIP connection using NAT64 and SIP ALG, the show lsn sipalgcall command now displays the IPv4 address (XLAT IP) of the subscriber. For a 464XLAT RTSP connection using NAT64 and RTSP ALG, the show lsn rtspalgsession command now displays the IPv4 address (XLAT IP) of the subscriber.
  464XLAT is an architecture that provides IPv4 connectivity across an IPv6-only ISP core network by combining the existing and well-known stateful translation at the core (Stateful NAT64; RFC 6146) and stateless protocol translation at the edge (IP/ICMP Translation algorithm; RFC 6145). In other words, 464XLAT provides connectivity between IPv4-only applications on IPv6 subscriber hosts and IPv4 servers on the internet through an IPv6-only ISP core network. For more information about configuring SIP and RTSP ALGs for Large Scale NAT64, see https://docs.citrix.com/en-us/netscaler/11-1/netscaler-support-for-telecom-service-providers/lsn-nat-64/configuring-agl-large-scale-NAT64.html.
- [From Build 53.22] [# 674151]NetScaler Video Optimization: Support for QUIC over UDP Protocol for Encrypted ABR Traffic
  The NetScaler video optimization feature is now enhanced to optimize video delivery over TCP (as HTTP and HTTPS traffic) and UDP (as QUIC traffic). The appliance can detect incoming video traffic as Adaptive Bit Rate (ABR) and optimize both the unencrypted and the encrypted video. The new capabilities are especially useful for reducing the overall network bandwidth consumption in mobile networks. For more information, see http://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/NetScaler-Video-Optimization.html
- [From Build 53.22] [# 675938, 496583]Configuring IPSec Application Layer Gateway for Large Scale NAT44
  If communication between two network devices (for example, client and server) uses the IPSec protocol, IKE traffic (which is over UDP) uses port fields, but Encapsulating Security Payload (ESP) traffic does not. If a NAT device on the path assigns the same NAT IP address (but different ports) to two or more clients at the same destination, the NAT device is unable to distinguish and properly route the return ESP traffic. Therefore, IPSec ESP traffic fails at the NAT device.
  NAT-Traversal (NAT-T) capable IPSec endpoints detect the presence of an intermediate NAT device during IKE phase 1 and switch to UDP port 4500 for all subsequent IKE and ESP traffic (encapsulating ESP in UDP). Without NAT-T support on the peer IPSec endpoints, IPSec protected ESP traffic is transmitted without any UDP encapsulation. Therefore, IPSec ESP traffic fails at the NAT device.
  The NetScaler appliance supports IPSec application layer gateway (ALG) functionality for large scale NAT configurations. The IPSec ALG processes IPSec ESP traffic and maintains session information so that the traffic does not fail when the IPSec endpoints do not support NAT-T (UDP encapsulation of ESP traffic). For more information, see https://docs.citrix.com/en-us/netscaler/12/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn-configuring-alg/configure-ipsec-application-layer-gateway-for-large-scale-nat.html.
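As an added illustration of the RFC 2104 computation behind the HMAC() policy expression described in the entry for issue 415808 above (example code written for these notes, not NetScaler code): the key value is modelled here as a "<digest>:<shared secret>" string, which is an assumption about its layout, and the digest names in DIGESTS are likewise assumed rather than taken from the appliance. The block also writes out the inner/outer hash construction from RFC 2104 so it can be compared against the library result, and verifies a presented tag in constant time.

```python
import hashlib
import hmac

# Digest methods the key value may name. Assumed identifiers for this
# example; the page does not list the appliance's own accepted names.
DIGESTS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha512": hashlib.sha512,
}


def parse_key_value(key_value: str):
    """Split an assumed '<digest>:<shared secret>' key value into its parts.

    The secret itself may contain ':' because only the first one separates.
    """
    method, sep, secret = key_value.partition(":")
    if not sep or method.lower() not in DIGESTS or not secret:
        raise ValueError("key value must be '<digest>:<shared secret>'")
    return method.lower(), secret.encode()


def compute_hmac(key_value: str, text: bytes) -> str:
    """HMAC of `text` under the digest and secret named by `key_value`, hex encoded."""
    method, secret = parse_key_value(key_value)
    return hmac.new(secret, text, DIGESTS[method]).hexdigest()


def verify_hmac(key_value: str, text: bytes, presented_hex: str) -> bool:
    """Recompute the tag and compare in constant time, so a mismatch does not
    leak how many leading bytes of the presented tag were correct."""
    expected = compute_hmac(key_value, text)
    return hmac.compare_digest(expected, presented_hex.lower())


def rfc2104_reference(method: str, secret: bytes, text: bytes) -> str:
    """The construction written out as in RFC 2104 section 2, to show what
    hmac.new computes: H((K ^ opad) || H((K ^ ipad) || text))."""
    h = DIGESTS[method]
    block_size = h().block_size
    if len(secret) > block_size:        # keys longer than a block are hashed first
        secret = h(secret).digest()
    secret = secret.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in secret)
    opad = bytes(b ^ 0x5C for b in secret)
    inner = h(ipad + text).digest()
    return h(opad + inner).hexdigest()
```

The shared secret must be the same on the party that computes the tag and the party that checks it; a tag computed under one digest method cannot be verified under another, so both parts of the key value have to match on both sides.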
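The PAWS check described in the entry for issue 652210 above, as an added example that is not part of the release notes or of the appliance's implementation: a minimal receive-side model (class and field names are this example's own) that rejects a segment whose TCP timestamp is older than the last one accepted in order, even though its sequence number falls inside the window after the sequence space has wrapped. The timestamp comparison is the modulo-2^32 rule from RFC 7323, so a timestamp clock that itself wraps still compares as moving forward.

```python
MOD32 = 1 << 32


def ts_older(a: int, b: int) -> bool:
    """True if 32-bit timestamp `a` is strictly older than `b` under the
    modulo-2^32 comparison of RFC 7323 (0xFFFFFFF0 -> 5 counts as forward)."""
    return ((a - b) % MOD32) >= (1 << 31)


class PawsReceiver:
    """Receive side of one TCP connection, tracking only what PAWS needs."""

    def __init__(self, rcv_nxt: int, rcv_wnd: int):
        self.rcv_nxt = rcv_nxt % MOD32   # next expected sequence number
        self.rcv_wnd = rcv_wnd           # receive window in bytes
        self.ts_recent = None            # TS.Recent: newest timestamp accepted in order

    def in_window(self, seq: int) -> bool:
        return ((seq - self.rcv_nxt) % MOD32) < self.rcv_wnd

    def accept(self, seq: int, length: int, tsval: int):
        """Decide whether an arriving data segment is acceptable.

        Returns (accepted, reason).
        """
        if not self.in_window(seq):
            return False, "outside receive window"
        # PAWS: a timestamp older than TS.Recent marks a left-over from a
        # previous lap of the sequence space; drop it even though its
        # sequence number is inside the window.
        if self.ts_recent is not None and ts_older(tsval, self.ts_recent):
            return False, "PAWS: stale timestamp"
        if seq == self.rcv_nxt:
            # In-order data: advance the window and remember its timestamp.
            # RFC 7323 updates TS.Recent only from segments at the left edge.
            self.ts_recent = tsval
            self.rcv_nxt = (self.rcv_nxt + length) % MOD32
        return True, "accepted"


def demo():
    """Constructed scenario: the sequence space wraps from 0xFFFFFFFF to 0
    mid-connection, then a stale segment from the previous lap lands
    inside the window and only the timestamp tells it apart."""
    rx = PawsReceiver(rcv_nxt=0xFFFFFF00, rcv_wnd=65535)
    return [
        rx.accept(0xFFFFFF00, 256, tsval=1000),  # crosses the wrap: rcv_nxt -> 0
        rx.accept(0, 100, tsval=1001),           # rcv_nxt -> 100
        rx.accept(200, 10, tsval=5),             # old lap, in window: PAWS drops it
        rx.accept(200, 10, tsval=1002),          # fresh out-of-order data: kept
    ]
```

Without the timestamp option the third segment is indistinguishable from legitimate out-of-order data, which is why the TCP timestamp option has to be enabled in the profile before PAWS can do anything.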
Fixed Issues in Previous NetScaler 12.0 Releases
The following issues were addressed in NetScaler 12.0 releases prior to Build 56.20. The build number shown with each issue description indicates the build in which the issue was addressed.
- [From Build 53.22] [# 654375, 689891]If the LDAP bind account password used on a NetScaler appliance contains the "at" special character (@), the test connection to the LDAP server fails, and the dashboard shows that the LDAP server is down.
- [From Build 53.22] [# 672846, 691269]An attempt to change an LDAP password through the NetScaler Gateway virtual server fails if the new password includes any multibyte UTF-8 characters, such as German umlauts (for example, kölnbonn207), Latin small letter sharp s (for example, straße2017), or special characters (for example, &%$§1Lucie-Marie).
- [From Build 51.24] [# 677747]NTLM authentication fails when the NetScaler tries to negotiate with an LB virtual server in front of the NTLM server.
- [From Build 51.24] [# 678865]The NetScaler appliance might fail if you use Kerberos authentication and the cached ticket incorrectly points to NULL, because the Kerberos ticket has expired and been removed from the Distributed Hash Table (DHT).
- [From Build 51.24] [# 680099]The NetScaler appliance crashes because of a failure to access the NetScaler AAA logon credentials. The failure occurs while attempting to match the rewrite policy against an AAA group.
- [From Build 53.22] [# 681888, 644099]If you set the ‘Validate LDAP Server Certificate’ parameter in an LDAP server configuration, you can log on even if the hostname does not match. With this fix, the hostname is checked when the option is enabled.
- [From Build 51.24] [# 683429]NetScaler fails to perform SAML Single Logout if NetScaler is configured for SAML authentication with an Identity Provider (IdP) that sends a session index of 64 bytes. If the session index is less than 64 bytes, Single Logout is performed as expected.
- [From Build 53.22] [# 683645]If external LDAP authentication uses a case-insensitive user name, NetScaler AAA is unable to lock the user name after the number of attempts specified by the Max Login Attempts parameter.
- [From Build 51.24] [# 683869]Client logons are delayed by 15 seconds if Kerberos Constrained Delegation (KCD) is used on a NetScaler appliance. The delay occurs during the process of issuing a Kerberos ticket to the client.
- [From Build 51.24] [# 684648]In rare scenarios, the NetScaler appliance dumps core if a dialogue-mode operation, such as a password change, occurs during RBA authentication.
- [From Build 51.24] [# 688463]In some authentication modes, a NetScaler appliance configured for NetScaler AAA becomes unresponsive if a “Max Login Attempt” value is configured on an authentication virtual server.
- [From Build 53.22] [# 689212, 689457]A NetScaler appliance can add multiple NetScaler AAA groups, but the “save config” operation saves only the first group.
- [From Build 53.22] [# 690468]A NetScaler appliance configured for NetScaler AAA becomes unresponsive during a VPN session if both of the following conditions are met:
  • The primary session is in the timed out state.
  • The secondary session is in sync but the actual state of the session is reset to zero.
- [From Build 51.24] [# 676700]When you access a partitioned appliance through the NetScaler GUI, the Dashboard does not display the "CPU vs. Memory Usage and HTTP Requests Rate" graph in the left pane.
- [From Build 51.24] [# 677765]When you configure an administrative partition, validation of the partition's VMAC address might fail, causing the NetScaler appliance to crash.
- [From Build 41.24] [# 677765]When you configure an administrative partition, validation of the partition's VMAC address might fail, causing the NetScaler appliance to crash.
- [From Build 51.24] [# 681422, 682240]On a partitioned NetScaler appliance, the system memory counters are not updated properly unless they are cleared during partition deletion.
- [From Build 51.24] [# 687140]When a NetScaler appliance receives a client request for evaluating a responder policy, it might not log the responder data. Before evaluation, the appliance sets the ns_auditlog_module_id global variable and uses the data for log processing. If during the evaluation you block the log action and wait for more data, and while you are waiting the appliance receives another client request to evaluate a different policy, the responder log data is not recorded for the responder module.
- [From Build 51.24] [# 679995]The NetScaler appliance crashes, dumps core, and restarts if a certificate is unbound from an SSL virtual server while an SSL transaction is in progress.
- [From Build 51.24] [# 680567, 688758]When ClientSide Measurements is enabled, and you access the NetScaler Gateway, then the Microsoft Internet Explorer browser displays an error.
- [From Build 51.24] [# 683567, 686195]A NetScaler appliance crashes and dumps core if an ECDSA certificate is bound to the SSL virtual server that processes an SSL transaction.
- [From Build 53.22] [# 685920]A NetScaler appliance does not generate AppFlow records if an action is set to RESET in an SSL or responder policy.
- [From Build 51.24] [# 687908, 686407]When both Logstream and IPFIX (AppFlow) collectors are configured on a NetScaler instance, NSBs leak while trying to send an IPFIX message on a Logstream collector.
- [From Build 51.24] [# 651054]On a NetScaler appliance running release 11.1 build 64, SQL and cross-site scripting relaxations might not work for application or json content types. The AppFW logs display the following message, even when the relaxation rules are applied for User-Agent:
  SQL Keyword check failed for header User-Agent.
- [From Build 51.24] [# 672807, 672753]A large number of DHT operations causes high CPU usage when StartURLClosure is enabled. Packet per engine (PPE) operations consume over 95% of the CPU cycles after an upgrade to NetScaler 11.1.
- [From Build 51.24] [# 674658]Form based NetScaler AppFirewall checks can be bypassed by a multipart POST request in which the Content-type header has been tampered with.
- [From Build 51.24] [# 678297, 689073]The NetScaler AppFirewall appliance crashes while copying form data if the form field consistency check is enabled.
- [From Build 51.24] [# 681746, 683564, 684632]A NetScaler appliance running release 11.1 and build 52 might fail because of a mismatch during memory allocation and display the following error message:
  userspace_panic as_free().
- [From Build 51.24] [# 682219]Since release 11.1 build 41, the ImportSizeLimit parameter in the AppFW settings can be set to limit the size of the objects that are imported to the NetScaler appliance. This limit is now extended from 128 MB to 256 MB. Run the following set command from the CLI to change the value to meet your requirement:
  set appfw setting -importsizelimit <value>
  Maximum value: 268435456
  Minimum value: 1
  Default: 134217728
  Example:
  > set appfw setting -importsizelimit 268435457
- [From Build 51.24] [# 682416]The application firewall signature-update warning messages are not delivered in standard syslog message format. Therefore, NetScaler MAS does not process them. The warning messages do not include the module name or a time stamp, both of which are part of the syslog standard. Signature update messages are also not in standard syslog format.
- [From Build 51.24] [# 682770]Applying cross-site scripting checks to complete URLs causes applications to stop after an upgrade. With this fix, cross-site scripting checks run only on the URL's base path if the CrossSiteScriptingCheckCompleteURLs option is enabled in the AppFw profile.
- [From Build 51.24] [# 682778]Application firewall log messages generated when data is dropped because of an unknown Content-Type do not include the Content-Type header value, which would facilitate tracking and monitoring. This issue has now been fixed. The application firewall now allows requests that have multiple charsets with the same value in the Content-Type header.
- [From Build 51.24] [# 683366]On a NetScaler AppFirewall appliance, URL global pages cause memory buildup on the secondary node when the URL closure protection feature is enabled.
- [From Build 51.24] [# 684988]When you attempt to export learned data for an application firewall profile, the appliance fails because of improper initialization of a stack variable. The Aslearn process restarts continuously because of connection failure.
- [From Build 51.24] [# 685775]Traffic to a back-end application is blocked by the HTML cross-site scripting check when the profile type is XML. The cross-site scripting check fails for a field containing the following tag: <?xml version="Bad tag: ?xml" <blocked>.
  When the cross-site scripting transformation is enabled, the application firewall makes the following changes to requests that match the HTML Cross-Site Scripting check:
  - Left angle bracket (<) to its HTML character entity equivalent (&lt;)
  - Right angle bracket (>) to its HTML character entity equivalent (&gt;)
  This prevents browsers from interpreting unsafe HTML tags, such as <script>, and thereby executing malicious code. If you enable both request-header checking and XSS transformation, any special characters found in request headers are also modified as described above. If scripts on your protected web site contain cross-site scripting features, but your web site does not rely upon those scripts to operate correctly, you can safely disable blocking and enable transformation. This configuration allows legitimate web traffic while stopping any potential cross-site scripting attacks.
- [From Build 53.22] [# 686540]If you use the CLI of a NetScaler AppFirewall appliance to display an enum definition, the AS_CCARD_DEFAULT_CARD_TYPE default value for credit card options is not included.
- [From Build 51.24] [# 687625]The NetScaler packet processing engine fails to start when URL transform regression scripts are executed during a low-memory condition.
- [From Build 53.22] [# 690028, 690556, 690467]The NetScaler appliance crashes when security insight is enabled and the application firewall detects a violation of the maximum limit for fld_name length. Set the fld_name length limit to the same value as MAX_AS_NAME_LEN.
- [From Build 53.22] [# 690261, 689327]After an upgrade from an earlier release 11.0 build to release 11.1 build 55.4, the 'APPFW_RESET' and 'APPFW_DROP' AppFw profiles do not appear when you run the sh appfw profile command with the "more" option. For example:
  sh appfw profile | more
  1) Name: APPFW_BYPASS LogEveryPolicyHit: OFF
  2) Name: APPFW_RESET LogEveryPolicyHit: ON
  3) Name: APPFW_DROP LogEveryPolicyHit: ON
  4) Name: APPFW_BLOCK UseHTMLErrorObject: OFF
  This issue does not occur after upgrading a NetScaler AppFirewall appliance to release 11.1 build 55.8.
- [From Build 51.24] [# 525671]When a secure connection is enabled on the CCO (cluster configuration coordinator), config sync does not work.
- [From Build 53.22] [# 685979, 687732]The NetScaler appliance might fail to reestablish a connection if both of the following conditions are met:
  • The policy engine (PE) receiving the traffic is in the DOWN state.
  • The NetScaler buffer (NSB) is kept on hold by a recovery mechanism.
- [From Build 53.22] [# 687467, 688523, 688071, 692366, 693777]In some cases, the NetScaler appliance might fail after a set command is run on a content switching virtual server.
- [From Build 51.24] [# 669829]In a cluster setup, the default DNS policy is not made available to packet engines. With this fix, the default DNS policy is loaded into the packet engine.
- [From Build 51.24] [# 675553]If a NetScaler appliance receives a CNAME chain that includes some entries that are currently cached, the appliance returns a valid address record instead of reporting that the bailiwick check failed.
- [From Build 51.24] [# 682730, 683138, 680141]When a NetScaler appliance in resolver mode receives a DNS response from a name server and forwards it to an alternative name server, the NetScaler appliance goes DOWN.
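The block-versus-transform behaviour described in the entry for issue 685775 above, as an added example that is not application firewall code: the transformation rewrites only the two angle brackets, exactly as the note lists, so a `<script>` tag or an `<?xml ...?>` prologue in a form field or (when header checking is on) a request header can no longer be parsed as markup. `_XSS_PATTERN` is a constructed stand-in for the appliance's own signature set, and the function names are this example's own.

```python
import re

# The only two characters the transform rewrites, per the release note.
_TRANSFORM = {"<": "&lt;", ">": "&gt;"}

# Constructed stand-in for what the check treats as a cross-site-scripting
# hit: any tag-like token. The appliance's real signature set is not on the page.
_XSS_PATTERN = re.compile(r"<\s*/?\s*[a-zA-Z!?][^>]*>")


def transform(value: str) -> str:
    """Replace angle brackets with their HTML character entities; nothing else changes."""
    return "".join(_TRANSFORM.get(ch, ch) for ch in value)


def inspect_request(fields: dict, headers: dict, block: bool, check_headers: bool):
    """Apply the HTML cross-site-scripting check to one request.

    fields/headers map names to values. Returns (action, fields, headers)
    where action is 'allow', 'transform' or 'block'; blocked requests carry
    no data because nothing is forwarded to the back end.
    """
    targets = [fields] + ([headers] if check_headers else [])
    hit = any(_XSS_PATTERN.search(v) for d in targets for v in d.values())
    if not hit:
        return "allow", dict(fields), dict(headers)
    if block:
        return "block", None, None
    # Transform mode: neutralise rather than reject, so legitimate traffic
    # that happens to contain markup still reaches the application.
    new_fields = {k: transform(v) for k, v in fields.items()}
    new_headers = {k: transform(v) for k, v in headers.items()} if check_headers else dict(headers)
    return "transform", new_fields, new_headers
```

The XML failure in the note follows directly from this: an XML body starts with a tag-like prologue, so a profile that blocks on any tag rejects every well-formed XML request, whereas transforming it only rewrites the brackets.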
Front End Optimization
- [From Build 51.24] [# 686146]The NetScaler appliance dumps core when the front end optimization (FEO) feature is enabled for one virtual server and an AppFlow action with client-side measurement is enabled for another virtual server.
- [From Build 41.24] [# 682766, 683601, 685391]In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.
- [From Build 51.24] [# 682766, 683601, 685391]In a new cluster deployment or when the NetScaler firmware in a cluster deployment is upgraded to build 11.1-53.11, management CPU usage spikes to up to 99% on every cluster node. This issue occurs in the absence of any additional configuration, management, or data traffic.
- [From Build 51.24] [# 675025, 675504]The integrated cache does not have enough memory to accommodate the policy updates required when all policies bound to a content group have to be updated because of a change in the cache configuration. This fix increases the cache memory allocation from 4 KB to 80 KB.
- [From Build 51.24] [# 681664]The NetScaler Integrated Cache might delay processing of client requests if you enable the flash cache.
- [From Build 41.24] [# 673506, 684404]When a request is sent and the back-end server responds with a 301 status code (URL permanently moved), the cache stores the response and then tries to serve a range request from it. This causes the NetScaler appliance to crash.
- [From Build 53.22] [# 589363]The NetScaler appliance resets a client-side TCP connection if a virtual server with spillover (SO) persistence enabled is bound to the load balancing group. With this fix, the client-side TCP connection is not reset.
- [From Build 51.24] [# 672899]The NetScaler appliance crashes, because an issue in the internal timer logic in stream analytics causes the system to spend more time than expected for ageing tasks.
- [From Build 53.22] [# 673446, 684550, 688305]In a high availability (HA) setup, if domain-based services are configured and the secondary node does not receive any Service State Sync (SSS) update for the services for more than 247 days, a packet engine might crash when this node becomes the primary node.
- [From Build 51.24] [# 679991]A spillover trap might be sent even though a backup virtual server is not configured. With this fix, a spillover trap is sent only if one of the following conditions applies:
  - A spillover method or policy is configured.
  - No spillover method or policy is configured, but a backup virtual server is configured to accept the traffic when the primary virtual server is DOWN.
- [From Build 51.24] [# 681026]NetScaler AAA: A cached Kerberos ticket expires before the back-end server receives it. This happens when the NetScaler appliance is used for Kerberos SSO to back-end servers, and usually occurs just around the time the ticket expires, which is typically 10 hours.
- [From Build 51.24] [# 681559, 674427]When you rename an HTTPS virtual server that is associated with an internal HTTP virtual server, the internal virtual server's name is not changed correctly.
- [From Build 51.24] [# 684131]The maximum string size of Target Vserver Expression is 1500. If the configuration includes an expression greater than 1500, the NetScaler appliance crashes. With this fix, the maximum string size of Target Vserver Expression is limited to 1499.
- [From Build 53.22] [# 685179, 684834]In a high availability (HA) setup, an unusually large spike in the number of persistent connections might result in underperformance of the Secure Socket Funneling (SSF) channel between the primary node and the secondary node. The underperformance can eventually lead to session buildup on the primary node and cause persistence to fail.
- [From Build 53.22] [# 685707]Resetting a server connection resets the connections to all services configured with the same IP address and port number. As a result, connections to the service group members are also reset. With this fix, deleting a service that has the same IP address and port number as that of other service group members does not affect the service group connections.
- [From Build 53.22] [# 685856, 687784]If an add lb monitor command specifies an httprequest argument value of more than 77 characters, a subsequent show command shows an incorrect httprequest value for the HTTP requests that the monitor sends to the CLIP address. The NetScaler appliance's ns.conf file also contains the incorrect httprequest value for the monitor. Also, the other nodes (non-CCO) in the cluster are updated with the incorrect httprequest value by the configsync process.
- [From Build 51.24] [# 687326, 688713, 690164]The RADIUS shared secret key is now an optional configuration for all RADIUS load balancing and RADIUS Listener deployments. All existing configurations continue to function as they did before. The RADIUS shared secret key is validated as follows:
  - RADIUS shared secret key is configured for both the RADIUS client and the RADIUS server: The NetScaler appliance uses the RADIUS secret key on both the client side and the server side. If the verification succeeds, the appliance allows the RADIUS message to go through. Otherwise, it drops the RADIUS message.
  - RADIUS shared secret key is configured for only one of the two (either the RADIUS client or the RADIUS server): The NetScaler appliance drops the RADIUS message, because shared-secret-key validation cannot be performed on a node that has no radkey configured.
  - RADIUS shared secret key is configured for neither the RADIUS client nor the RADIUS server: The NetScaler appliance bypasses the RADIUS secret key validation and allows the RADIUS messages to go through.
- [From Build 53.22] [# 595938]The .NET SDK GET call fails with the following exception if it is made with a parameter that accepts boolean values:
  Invalid argument value [<attribute>].
  Example: When the “internal” attribute of service_args is set to “true”, a get on service_args yields the following exception:
  Invalid argument value [internal]
- [From Build 53.22] [# 684543]If you make multiple NITRO API calls in parallel, the responses might return incorrect results.
- [From Build 53.22] [# 686434, 672544, 689415, 690265]Restarting a NetScaler appliance after upgrading it to release 12.0 might cause the appliance to fail to respond to NITRO requests.
- [From Build 51.24] [# 687133]In a partitioned NetScaler appliance, you can add authentication login schemas with inbuilt schemas through the NetScaler command line interface only. To add authentication login schemas through the NetScaler CLI, use the switch partition command. For example:
  > switch partition p1
  Done
  p1> add loginSchema ls1 -authenticationSchema LoginSchema/DualAuth.xml
  Done
- [From Build 53.22] [# 689265]NetScaler AAA-TM: After an upgrade from an earlier release 10.5 build 60.7 to release 11.1 build 52.32, if the client sends an invalid basic authorization header, such as "Authorization: Basic (null)", the NetScaler appliance does not perform single sign-on (SSO) to the back end.
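The three shared-secret cases listed for issue 687326 above, as an added example that is not NetScaler code, carried through to the RFC 2865 Response Authenticator check that shared-secret validation rests on: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret). The proxy model, in which a server response is verified under the server-side secret and then re-authenticated under the client-side secret before forwarding, and all function names are assumptions of this example; the packet bytes are constructed test data.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BBH")   # Code, Identifier, Length (RFC 2865 section 3)
ACCESS_ACCEPT = 2


def response_authenticator(code, identifier, attributes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    length = HEADER.size + 16 + len(attributes)
    data = HEADER.pack(code, identifier, length) + request_auth + attributes + secret
    return hashlib.md5(data).digest()


def build_response(code, identifier, attributes, request_auth, secret):
    """Assemble a response packet whose authenticator is computed under `secret`."""
    auth = response_authenticator(code, identifier, attributes, request_auth, secret)
    return HEADER.pack(code, identifier, HEADER.size + 16 + len(attributes)) + auth + attributes


def verify_response(packet, request_auth, secret) -> bool:
    """Recompute the authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    attributes = packet[20:]
    expected = response_authenticator(code, identifier, attributes, request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def proxy_decision(client_secret, server_secret, packet, request_auth):
    """Apply the three configuration cases from the release note to a server
    response. Returns (action, packet_to_forward_or_None)."""
    if client_secret is None and server_secret is None:
        return "forward-unverified", packet        # no radkey anywhere: validation bypassed
    if client_secret is None or server_secret is None:
        return "drop-missing-key", None            # a node without a radkey cannot validate
    if not verify_response(packet, request_auth, server_secret):
        return "drop-bad-authenticator", None
    # Both keys present and the server's authenticator checks out: re-sign the
    # response under the client-side secret so the client can verify it in turn.
    code, identifier, _ = HEADER.unpack_from(packet)
    return "forward", build_response(code, identifier, packet[20:], request_auth, client_secret)
```

The second case is the one that surprises operators: configuring a secret on one side only does not fall back to the unverified path, it drops every message, so when the key is added to one side it must be added to the other in the same change.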
NetScaler 1000V Appliance
- [From Build 51.24] [# 683196]TCP services that go through tagged VLAN interfaces might go down.
- [From Build 51.24] [# 644199]Certificate bundles are not supported in cluster setups.
- [From Build 53.22] [# 655159]When using the XenApp and XenDesktop wizard, the Retrieve Stores functionality intermittently fails on the first click.
- [From Build 51.24] [# 607555, 616311]When encryption is enabled for client security expressions (in the VPN session action parameter), the device might fail occasionally.
- [From Build 51.24] [# 654092]When HTTP Strict Transport Security (HSTS) is enabled on a virtual server and on a NetScaler appliance, the appliance adds an STS header to the response. An HSTS-enabled response advertises that the appliance accepts only HTTPS requests. It does not accept plain-text HTTP. This option prevents privacy leaks and downgrade attacks and uses trusted certificates to establish a secure connection to the server. When HSTS is enabled on a NetScaler appliance, a browser that supports HSTS does the following:
  - Automatically redirects the HTTP requests to HTTPS for the target domain. For example, http://example.com/some/page/ is changed to https://example.com/some/page/ before the appliance accesses the server.
  - Does not allow access to the server unless the connection is secure. For example, the server's TLS certificate must be valid, trusted, and not expired.
- [From Build 51.24] [# 657633]The NetScaler appliance becomes unresponsive if you change the NTLM path from HTTP to HTTPS.
- [From Build 51.24] [# 658120, 684909]The Certificate Revocation Lists (CRL) checks and Online Certificate Status Protocol (OCSP) validation are not done on a NetScaler appliance through an SSL renegotiation as part of certificate based authentication.
- [From Build 51.24] [# 670062, 657633, 684467, 686139, 672074, 681078]In rare cases, a NetScaler appliance dumps core if the server-side connection closes while NTLM authentication is in progress.
- [From Build 51.24] [# 670277]When you run the "sh icaconnection summary" command, the columns in the output are misaligned.
- [From Build 51.24] [# 670586, 683809, 671944]Memory leak in SSLVPN pool is encountered when connection to AAAD daemon is closed at the time of authentication.
- [From Build 51.24] [# 672001]If you configure TACACS authentication in "password*OTP" format, and a user types an invalid credential, the following incorrect error message appears:
  Error in retrieving Versions. Cannot read property 'replace' of undefined.
  You can ignore the message.
- [From Build 51.24] [# 672398]With this enhancement, a StoreFront server can be used to validate user credentials instead of an Active Directory server. This simplifies Gateway configuration in XA/XD deployments where a StoreFront server is mandatory. This is applicable only for end user login with a password. This feature cannot be used for group extraction without the user password. Please check the documentation for details.
- [From Build 51.24] [# 675596]User session exists on NetScaler appliance after client machine logs out of VPN because of SmartCard removal.
- [From Build 53.22] [# 676545]In rare cases, upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), NetScaler Gateway dumps core if SSO and Proxy are configured in Traffic policy.
- [From Build 51.24] [# 676545]In rare cases, upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), NetScaler Gateway dumps core if SSO and Proxy are configured in Traffic policy.
- [From Build 41.24] [# 678251]NetScaler Gateway dumps core if SingleSignOn (SSO) is disabled and the connection to the server is removed or a gateway timeout happens during the TCP handshake with the back-end server.
- [From Build 51.24] [# 678251]NetScaler Gateway dumps core if SingleSignOn (SSO) is disabled and the connection to the server is removed or a gateway timeout happens during the TCP handshake with the back-end server.
- [From Build 51.24] [# 678847]The NetScaler appliance dumps core when a user connected, through Unified Gateway, to a VPN virtual server bound to an AppFlow policy does the following:
  1. Changes the content switching (CS) action to connect to another VPN virtual server, which is not bound to an AppFlow policy.
  2. Then removes the first VPN virtual server.
  3. Continues to access resources over the initial VPN session.
- [From Build 51.24] [# 679025]DTLS feature must not be enabled on a virtual server configured with "listen" policy. Using command "add vpn vser" on a virtual server with the DTLS feature enabled and "listen" policy configured returns success but the DTLS feature does not get enabled on the virtual server.
- [From Build 51.24] [# 679360]In rare scenarios, NetScaler dumps core while accessing virtual server information when the RDP traffic is handled by separate RDP listener on NetScaler and the virtual server information is not present.
- [From Build 51.24] [# 679570]In rare situations, the Windows plug-in fails during VPN session logout.
- [From Build 51.24] [# 679582]Upon accessing NetScaler Gateway using Clientless Virtual Private Network (CVPN), back-end sites take too long to open.
- [From Build 51.24] [# 679768]In rare cases, a NetScaler Gateway appliance in a Unified Gateway (UG) deployment dumps core if the traffic management (TM) virtual server behind the UG is configured for SAML with advanced policies and the content switching (CS) policies are not properly configured to route SAML responses to TM.
- [From Build 51.24] [# 681689]If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN) and the Gantt chart option under Tasks is selected, some of the options in the Tasks section (for example, Completed, and Late Task) are not accessible.
- [From Build 51.24] [# 681913]If Gateway is configured for certificate authentication in the primary cascade with LDAP group extraction in the secondary, Gateway disregards errors from aaad when group extraction is attempted.
- [From Build 51.24] [# 683009]In rare scenarios, blue screen appears (BSOD) when NetScaler VPN plug-in is installed along with Pulse Secure plug-in.
- [From Build 51.24] [# 683390]If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN), you can't access the "OneDrive" and "Sites" options on the home page if Clientless Mode URL Encoding is set to ENCRYPT.
- [From Build 51.24] [# 683452]In rare cases, the NetScaler appliance dumps core when a client sends a FIN event without an HTTP body.
- [From Build 51.24] [# 683987]HTML5 Receiver app launch fails while accessing a NetScaler Gateway bound with RfWebUI theme portal.
- [From Build 53.22] [# 684488]In rare scenarios, NetScaler Gateway dumps core if you have an SSL-Proxy configured at NetScaler Gateway and you access the intranet web application through a Clientless Virtual Private Network (CVPN) via Gateway that has proxy-authentication configured at proxy.
- [From Build 51.24] [# 684709]In rare scenarios, after rebooting the system, AlwaysON enabled VPN plugin fails to connect to Gateway.
- [From Build 51.24] [# 684774]When hundreds of users try to log on to NetScaler Gateway at about the same time, the logon page might stop loading, or it might load very slowly, in which case the logon process takes a very long time to complete.
- [From Build 41.24] [# 685075]Mail synchronization fails on iOS and Android devices if secure mail is configured to use secure ticket authority (STA).
- [From Build 51.24] [# 685075]Mail synchronization fails on iOS and Android devices if Secure Mail is configured to use the secure ticket authority (STA). As written in the XenMobile Server known issues document (http://docs.citrix.com/en-us/xenmobile/server/known-issues.html): With NetScaler 220.127.116.11, when Secure Mail is configured with STA, mail sync fails on iOS and Android devices. The issue is fixed in NetScaler 10.0 build 41.22. For details and updates, see this Support Knowledge Center article. [#685075]
- [From Build 51.24] [# 685215]If you log on to SharePoint 13 through a Clientless Virtual Private Network (CVPN) and upload a form that has a post body exceeding 8 KB, NetScaler rewrite policies do not decode the form content beyond 8 KB.
- [From Build 51.24] [# 685389]In rare cases, a NetScaler Gateway appliance dumps core when the single-sign-on feature tries to access an authentication resource that has been removed.
- [From Build 51.24] [# 685421]A secure load balancing virtual server on a NetScaler appliance processes both secure and insecure cookies.
- [From Build 53.22] [# 685463, 670544, 691767]In rare scenarios, NetScaler dumps core while binding Classic session polices to an existing binding entity, when you have multiple VPN policies configured to the NetScaler.
- [From Build 53.22] [# 685971]If you use the NetScaler Gateway plug-in for Windows, a simultaneous download of 128 or more files fails upon accessing NetScaler Gateway.
- [From Build 53.22] [# 686160, 689726, 690771]In rare situations, a NetScaler Gateway appliance dumps core if it receives incorrect SOCKS requests from clients.
- [From Build 51.24] [# 686337]The client detection logic for Citrix Receiver does not work in Firefox, because the browser no longer supports NPAPI plug-ins.
- [From Build 53.22] [# 686508]In a double-hop deployment, a NetScaler Gateway appliance intermittently dumps core when the first-hop server receives a TCP RST event from the second-hop server.
- [From Build 53.22] [# 686632]NetScaler Gateway does not comply with RFC7230 for POSTLOGINFLAGS headers.
- [From Build 51.24] [# 686715, 687092]The NetScaler appliance fails to access the gateway home page after an upgrade to software release 11.1 build 51.21. The cause of the failure is the presence of an unexpected parameter (/ilearn).
- [From Build 53.22] [# 686774, 686960, 687587]Some traffic patterns cause application launch through NetScaler Gateway to fail if EDT is enabled on virtual desktop applications.
- [From Build 51.24] [# 686858]In rare cases, while accessing Gateway via proxy, NetScaler dumps core if KCD based Single Sign-On is attempted to back-end servers.
- [From Build 51.24] [# 687139]In rare situations, VPN plug-in installation fails and a "Citrix Access Gateway is not supported on this platform" error message appears on a machine running a 64-bit operating system.
- [From Build 51.24] [# 687211]The NetScaler appliance dumps core during Core2Core communication as resetting the TCP connection closes the connection without cleaning the connection structure.
- [From Build 51.24] [# 688215]The NetScaler appliance fails when it tries to authenticate an invalid incoming HTTP packet.
- [From Build 53.22] [# 688842]In rare situations, a NetScaler Gateway appliance dumps core when processing forms based SSO to URLs larger than 4 KB.
- [From Build 53.22] [# 689472]The NetScaler appliance deletes the JSESSIONID cookie from the HTTP request before sending the request to the origin server.
- [From Build 53.22] [# 689570, 689622, 653527, 674320, 688142]Both of the following issues are fixed:- A NetScaler Gateway appliance becomes unresponsive because the Gateway plug-in continuously tries to connect to the Gateway server.- The VPN plug-in displays the Connect button instead of automatically logging on, even when the client certificate is cached and the AlwaysON feature is enabled.
- [From Build 53.22] [# 689684, 689721]A single sign-on (SSO) attempt might use the wrong domain in a configuration that has parent and child domains. If SSO expressions are used to compute the correct domain, the NetScaler appliance uses the domain obtained at the time of logon instead of the one computed with the expression.
- [From Build 53.22] [# 691752]A user of Internet Explorer version 8 or 9 can't establish a VPN connection through a NetScaler Gateway appliance that uses the RfWebUI portal theme. The VPN virtual server doesn't respond.
- [From Build 53.22] [# 695209]When the Windows AutoLog-ON feature is enabled on your NetScaler Gateway appliance, during logon the client is unable to find the "nsauto.exe" file because the path to the file is incorrectly truncated. The issue is noticed when you modify the following registry entry:
  NtfsDisable8dot3NameCreation
  This registry entry truncates the application's file path in Windows.
- [From Build 41.24] [# 679494, 684204]When Session Reliability on HA Failover is enabled on a NetScaler high availability pair, the primary NetScaler keeps a buffer of CGP sequence updates to be sent to the secondary. After a reconnect, the buffer is updated at the wrong offset, resulting in corruption. Once the buffer is corrupted, wrong addresses are accessed, which can cause the NetScaler instance to become unresponsive.
- [From Build 53.22] [# 689426]NetScaler logon credentials are locked and the error message "connection limit CFE exceeded" appears if the following conditions are met:
  - The "show ns runningconfig" command takes a long time to execute.
  - The same command is re-run multiple times while the first command is still running in the background.
  The NetScaler appliance remains locked until the command completes.
NetScaler SDX Appliance
- [From Build 51.24] [# 672042, 686510]When you use a single-bundle image file to upgrade a NetScaler SDX appliance, the upgrade-progress page might become unresponsive.
- [From Build 51.24] [# 682573]A NetScaler SDX appliance does not propagate a global MAC address to the VPX instances if you do both of the following:
  - Assign a global base MAC address in generated mode to a manual channel or an LACP channel.
  - Reset the global base MAC address.
- [From Build 51.24] [# 683171, 684959, 685535]If system logs are not rotated properly, over time they consume too much disk space. This causes the XenServer server to run out of disk space and creates unexpected system behavior.
- [From Build 51.24] [# 683743]A NetScaler VPX instance's configuration is deleted if you use the Management Service to force a reboot of the instance.
NetScaler Secure Web Gateway
- [From Build 53.22] [# 690428]A NetScaler Secure Web Gateway appliance does not support the URL List feature in a high availability setup.
NetScaler VPX Appliance
- [From Build 51.24] [# 675746]In a NetScaler VPX HA deployment running on AWS, when a failover makes the secondary node primary, the network interfaces are attached to the new primary in the wrong order. For example, if the primary node has NICs 1/2 (AA:BB:CC:DD:EE:FF), 1/3 (12:34:56:78:90:12), and 1/4 (1A:2B:3C:4D:5E:6F), upon failover the new primary would have 1/2 (1A:2B:3C:4D:5E:6F), 1/3 (AA:BB:CC:DD:EE:FF), 1/4 (12:34:56:78:90:12). Here, the interface MAC order has changed. However, this behavior does not apply to the NIC that is configured with the NetScaler management IP address.
- [From Build 51.24] [# 678401]In a NetScaler cluster, the configuration coordinator (CCO) node does not support the set ns vpxparam -cpuyield command for controlling CPU-usage behavior.
- [From Build 53.22] [# 689356]After a failover of a NetScaler VPX HA setup running on AWS, the interfaces from both the nodes do not attach and detach properly. This happens if the stack name of the Citrix CloudFormation template exceeds 25 characters.With the fix, the stack name of the Citrix CloudFormation template supports up to 90 characters.
- [From Build 53.22] [# 693877]DNS resolution for existing DNS configurations fails after you upgrade a NetScaler VPX instance running on AWS to release 12.0 build 53.20.
- [From Build 51.24] [# 669754, 669977, 687943]A NetScaler appliance might become unresponsive, or high CPU usage is observed, in the following scenario:
  * The appliance resolves a domain into two IP addresses; one of the IP addresses is a NetScaler owned IP address and the other is an external IP address.
  * The appliance sends a packet destined to the external IP address from LO/1.
  * The response packet keeps looping after the appliance receives it.
- [From Build 51.24] [# 677815, 679068, 680001]In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.
- [From Build 51.24] [# 679068]In a high availability setup, when a critical interface goes to DOWN state because of TX stall, HA failover might not happen.
- [From Build 51.24] [# 680185, 680186]Memory allocated for a TCP session might not be freed after a failure in reassembling fragments larger than 1500 bytes. This accumulation over a period of time depletes available memory.
- [From Build 51.24] [# 682769]Interfaces in MUTED state might drop the LLDP packets instead of processing them.
- [From Build 51.24] [# 684119]The NetScaler appliance drops ND6 solicitation packets received on interfaces that are in muted state.
- [From Build 51.24] [# 684126]The NetScaler appliance updates the ND entry of a next-hop router with its MAC address after learning it from the router advertisement packets received from the router. The appliance might not update the state of the ND entry from INCOMPLETE to STALE. This update failure results in the outgoing packets (destined through the next-hop router) looping in the NetScaler queue. As a result, the NetScaler appliance becomes unresponsive.
- [From Build 51.24] [# 685123]The NetScaler appliance does not process the BGP remote-as configuration for an IPv6 peer after a reboot resulting in the loss of BGP configuration for this peer.
- [From Build 51.24] [# 685344]In a NetScaler telco deployment, the NetScaler appliance reuses the outgoing probe connection information for two different incoming connections with the same 4-tuple that are destined to the same server. This reuse of probe connection might cause the NetScaler appliance to become unresponsive.
- [From Build 53.22] [# 686058]When you remove a static route, the NetScaler appliance does not advertise the connected route that has the same prefix as that of the removed static route and for which the DRADV mode is enabled.
- [From Build 53.22] [# 690082]If the IP address (type VIP) of a virtual server is bound to a net profile, deleting the virtual server also removes the IP address from the net profile.
- [From Build 53.22] [# 676593, 677838, 679578, 681853]The Video Optimization feature is supported on 32-bit NetScaler platforms only. If you deploy the feature on a 64-bit platform, the appliance displays an error message and crashes.
- [From Build 51.24] [# 681308]With this fix, the built-in video detection policies have new names, which more clearly represent the purposes of the policies.
- [From Build 41.24] [# 681308]With this fix, the built-in video detection policies have new names, which more clearly represent the purposes of the policies.
- [From Build 51.24] [# 682864]When configuring the NetScaler video optimization feature, you cannot bind built-in detection policies or custom optimization policies to multiple virtual servers. An attempt to do so produces the following error message, "ERROR: CVPN Policies cannot be bound to multiple entities." For example:
  > bind lb vserver IPv4_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 600 -gotoPriorityExpression 3300 -type RESPONSE
  > bind lb vserver IPv6_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 601 -gotoPriorityExpression 3301 -type REQUEST
  ERROR: CVPN Policies cannot be bound to multiple entities
- [From Build 41.24] [# 682864]When configuring the NetScaler video optimization feature, you cannot bind built-in detection policies or custom optimization policies to multiple virtual servers. An attempt to do so produces the following error message, "ERROR: CVPN Policies cannot be bound to multiple entities." For example:
  > bind lb vserver IPv4_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 600 -gotoPriorityExpression 3300 -type RESPONSE
  > bind lb vserver IPv6_TCP_80-ABR -policyName ns_videoopt_http_abr_netflix -priority 601 -gotoPriorityExpression 3301 -type REQUEST
  ERROR: CVPN Policies cannot be bound to multiple entities
- [From Build 51.24] [# 682947]A NetScaler appliance crashes if you generate AppFlow or ULFD records for clear-text video transactions.
- [From Build 41.24] [# 682947]A NetScaler appliance crashes if you generate AppFlow or ULFD records for clear-text video transactions.
- [From Build 53.22] [# 663414, 675873]The HTTP.REQ.TXID and HTTP.RES.TXID policy expressions return the same "universally unique identifier" (UUID) for different transactions.
- [From Build 51.24] [# 675677]In some cases, the system encounters a fault if, when adding an entry to a pattern set, you experience errors such as too long patset strings, bad UTF-8 characters, or bad regular expressions.
- [From Build 53.22] [# 685375]A log message is not logged for the Responder module when the NetScaler appliance receives a request and processes policies for a different module while a client request sent to the Responder module awaits log processing.
- [From Build 51.24] [# 687345]When an Advanced expression function in an ALT expression blocks the current evaluation of the expression, then upon resumption it may cause the NetScaler appliance to crash.
- [From Build 53.22] [# 691227]Clearing a NetScaler system configuration causes the appliance to fail if an HTTP profile references a patset configuration entity.
- [From Build 51.24] [# 576274]Even though TLS protocol versions 1.1 and 1.2 are not supported by firmware version 1.1, the protocols appear as enabled by default on an SSL virtual server.
- [From Build 41.24] [# 579059, 679085]After you upgrade to this build, the priority of the cipher groups changes in the default profile.
- [From Build 53.22] [# 583715]In a cluster setup, a certificate update fails with the following error if the certificate is in DER format:
  Error :: No such resource
- [From Build 51.24] [# 613912, 643135, 647100]A configuration loss, such as the ECC curve and ciphers unbinding from an SSL virtual server or service, might occur after you upgrade to this build.
- [From Build 51.24] [# 660319, 667130, 671887]If you add a partition and later remove it, the state of all the SSL virtual servers configured on the appliance changes to DOWN.
- [From Build 53.22] [# 668935, 642802, 463835, 684073, 684892, 691890]The service group members do not appear in the output of the "show lb vserver <name>" command if it is run on a cluster IP address.
- [From Build 51.24] [# 673348, 682192, 682160, 684547, 684992, 687515]A NetScaler appliance might dump core and restart if you have configured policy based SSL renegotiation and a client sends multiple SSL records before renegotiation is initiated.
- [From Build 51.24] [# 674278, 678890]In rare cases, a NetScaler appliance might dump core and restart if you add a certificate revocation list (CRL) larger than 256 KB.
- [From Build 51.24] [# 675158]The NetScaler appliance might occasionally send a wrong certificate if SNI is enabled.
- [From Build 53.22] [# 675882, 677473]Some client authentication connections might be dropped if OCSP check is set to mandatory and an OCSP domain name entry is not found in the NetScaler DNS cache.
- [From Build 41.24] [# 675887]If an OCSP responder URL incorrectly resolves to a NetScaler reserved IP address, the appliance dumps core memory and restarts.
- [From Build 51.24] [# 675887]If an OCSP responder URL incorrectly resolves to a NetScaler reserved IP address, the appliance dumps core memory and restarts.
- [From Build 53.22] [# 676942]For requests less than 255 bytes long, you can configure the HTTP GET method for queries to an OCSP server. If you specify the GET method but the length is greater than 255 bytes, the appliance uses the POST method by default. To set the method by using the NetScaler CLI, at the command prompt, type:
  set ssl ocspResponder <name> -httpMethod GET
- [From Build 41.24] [# 678474]If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.
- [From Build 51.24] [# 678474]If the destination IP address in an OCSP request is an IPv6 address, the NetScaler appliance dumps core memory and restarts.
- [From Build 53.22] [# 678514, 677813]Session ticket parameters are saved in the configuration (ns.conf) file even though session tickets are not enabled in the SSL profile. As a result, if you upgrade to release 12.0 builds 41.x or build 51.x, you might observe a loss in configuration.
- [From Build 51.24] [# 678743, 678740]If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.
- [From Build 41.24] [# 678743, 678740]If both OCSP stapling and session ticket are enabled on an SSL virtual server, and a client sends a session reuse request that contains an OCSP stapling status extension, the appliance dumps core memory and restarts.
- [From Build 41.24] [# 679708]You cannot modify the internal OCSP responder parameters in this build. This is a temporary limitation.
- [From Build 51.24] [# 679708]You cannot modify the internal OCSP responder parameters in this build.
- [From Build 51.24] [# 682493]The value for days to expiration of a certificate appears incorrectly on a cluster IP (CLIP) address.
- [From Build 51.24] [# 682767]In a cluster setup, if you remove a service group, the corresponding entries on the CCO node are not deleted.
- [From Build 51.24] [# 682775]The NetScaler appliance dumps core and restarts if a wildcard SSL virtual server has the -m mac option enabled.
- [From Build 51.24] [# 682784]In a cluster setup, if you rename a service group, the corresponding entries on the CCO node are not updated.
- [From Build 51.24] [# 684413]On a NetScaler MPX or SDX 14000 FIPS appliance, requests are not forwarded to the back-end server if virtual-server based transparent access with a wildcard IP address (*:443) is configured in a transparent SSL acceleration setup.
- [From Build 51.24] [# 685669]Memory usage might continuously increase on a partitioned NetScaler VPX appliance processing SSL traffic. As a result, the appliance might become unresponsive after some time.
- [From Build 53.22] [# 686998]The connection with the back-end server is terminated if OCSP validation for the server certificate fails, even though OCSP validation is optional.
- [From Build 51.24] [# 687575]The NetScaler appliance dumps core and restarts if it receives a request while both session-ticket and SSL-session persistence are enabled.
- [From Build 51.24] [# 687777]The NetScaler appliance dumps core and restarts if both client authentication and session ticket are enabled and a session ticket reuse request is continuously received on the appliance.
- [From Build 53.22] [# 688416]If you try to add a certificate-key pair containing an unsupported OID in the Subject Alternative Name (SAN) field of the certificate, the following error message appears:
  ERROR: Invalid OID for SAN entry in certificate
- [From Build 53.22] [# 688811]A certificate without a common name field in the subject name fails to load.
- [From Build 53.22] [# 694395]If two certificates issued by two different CAs have the same OCSP URL, addition of one of the certificate-key pairs might fail. Example:
  1. CA certificate C1 is used to issue certificate S1, which contains OCSP_URL1.
  2. Certificate-key pairs for both C1 and S1 are added successfully on the NetScaler appliance.
  3. CA certificate C2 is used to issue certificate S2, which also contains OCSP_URL1.
  4. If you first add a certificate-key pair for S2, it is successful but adding a certificate-key pair for CA2 fails. If you reverse the order, adding a certificate-key pair for CA2 is successful but adding a certificate-key pair for S2 fails.
- [From Build 53.22] [# 694904]In some cases, a NetScaler appliance might crash if it finds invalid data while parsing the binary certificate.
- [From Build 51.24] [# 640545, 685334, 686832, 687603]Enabling both the AppFlow option and the AppQoE option might cause a memory leak, which can degrade performance and eventually cause the appliance to fail.
- [From Build 51.24] [# 666208]If the integrated cache (IC) memory limit is set to a value greater than 4 GB and front end optimization (FEO) is enabled, the NetScaler appliance crashes.
- [From Build 53.22] [# 670556, 660674, 672227, 689849]In an SSL connection with a client, the NetScaler appliance does not evaluate the SSL policies for HTTP/2 streams.
- [From Build 51.24] [# 671128]A NetScaler appliance adds an SNMP trap for TCP-level synflood if the Varbindings are incorrect for the synflood trap.
- [From Build 51.24] [# 675631]Snmpd communicates with nsaggregatord to process the requests it receives. The SNMP Code also maintains a cache of the responses from aggregator in the form of a CacheTable. If the CacheTable is corrupted, a crash might result.
- [From Build 53.22] [# 676599, 692553]If the session ID maintained for clients exceeds the threshold of 16 million entries, the configuration engine might crash. That affects the management traffic. As a result, the management connection closes and the manager must log back on to the NetScaler appliance.
- [From Build 51.24] [# 677943]If you enable Front End Optimization (FEO) and configure Integrated Cache (IC) with cache selectors, the NetScaler appliance might crash.
- [From Build 53.22] [# 678015]The NetScaler appliance crashes if the total number of TimeWait connections exceeds 7000 while the MPTCP feature is enabled.
- [From Build 51.24] [# 679376]In a high availability setup, the following command-propagation warning message appears when a backup is created for a large configuration file on the primary node: "Warning: There is no response from secondary. Propagation Timed out". However, propagation of the backup file succeeds after some time.
- [From Build 51.24] [# 681284]A NetScaler appliance crashes if the content-type header is missing from an HTTP responder.
- [From Build 51.24] [# 681361, 683274]If a client sends an HTTP/2 header continuation frame, the NetScaler appliance dumps core.
- [From Build 53.22] [# 681426]An attempt to configure a NetScaler appliance that uses Cloudstack can cause the appliance to fail. If the Cloudstack AutoScale feature or an AutoScale policy is configured with the IP address of a server, an attempt to configure the appliance through the NetScaler CLI instead of through CloudPlatform or Cloudstack binds the IP-address based server to the AutoScale policy service group. This causes the appliance to crash.
- [From Build 51.24] [# 682762]If a load balancing virtual server configured with a backup server is down, the si_cur_Client counter underflows, causing client connections for the virtual server to display abnormal values in the NetScaler GUI.
- [From Build 53.22] [# 683512, 699684]A NetScaler appliance might crash if a particular sequence of white space and CR-LF characters is sent to an HTTP or SSL virtual server instead of a valid HTTP request.
- [From Build 51.24] [# 683622, 683806]If multiple trap destinations have the same IP address but different SNMP versions, one of which is SNMPv3, modifying an SNMPv3 trap message leads to an appliance failure.
- [From Build 51.24] [# 684148, 687638]If the MSS value in a client TCP handshake with a NetScaler appliance is from 1322 to 1329, the appliance sends 1330-byte segments, which cause packet drops, and the TCP connection fails.
- [From Build 53.22] [# 684370]Some packets become invalid and are dropped when policies are applied. If HTTP/2 packets are dropped, the NetScaler appliance fails to send a rst_stream frame to the client, which causes the appliance to crash when new packets arrive.
- [From Build 53.22] [# 684908]The NetScaler appliance does not include the latest DATA_ACK packet in the retransmitted data segments. It reuses DATA_ACK packets that were sent in the original data segment.
- [From Build 51.24] [# 685898]A NetScaler appliance in a high availability configuration crashes when using TCP transport to send log messages.
- [From Build 53.22] [# 686390]When a client times out and sends a message longer than one packet, TCP sends a FIN packet to the application handler (for example, SSL). When TCP receives the second packet, it directly sends the packet to the application handler. As a result, the application handler generates a close notify alert for the first packet and an RST alert for the second packet.
- [From Build 51.24] [# 686751]The NetScaler appliance does not send buffered log messages when the SYSLOG server is ready to accept them.
- [From Build 53.22] [# 687042]In a SYSLOG action, setting the netProfile parameter during a log transfer causes multiple SYSLOGTCP connections to be established but only one connection serves the log traffic.
- [From Build 53.22] [# 687118, 687352, 687351]A NetScaler appliance might crash if it receives a FIN packet with multiple invalid SACK blocks from the origin server and tries to forward the packet to an MPTCP client.
- [From Build 53.22] [# 687462, 686135, 692657]The user is not able to log on to NetScaler Gateway because of high memory utilization on the appliance.
- [From Build 53.22] [# 687612]If a NetScaler-inserted cookie is deleted from the end of a cookie header, the appliance does not remove the preceding semicolon. As a result, an extra semicolon is sent at the end of the cookie header when forwarding it to the back-end server.
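The separator defect in the entry above is easy to reproduce and to check for on the back-end side. The following is an added example in Python and is not NetScaler code: a naive deletion that removes the cookie text but leaves the preceding semicolon behind, beside a parse-and-rejoin version that cannot leave a dangling separator, plus a check a back-end server could apply to headers it receives. The cookie name NSC_example and the sample header values are constructed for the example.

```python
"""Remove one cookie from a Cookie header without leaving a stray separator.

Added example (not NetScaler code). Models the defect described in the
release note: a proxy-inserted cookie is deleted from the end of the
header, but the separator before it is kept, so the origin server gets
a header such as "a=1;" instead of "a=1".
"""
from typing import List, Tuple

# Hypothetical name of the cookie inserted by the proxy (constructed).
COOKIE_NAME = "NSC_example"


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split 'a=1; b=2' into [('a', '1'), ('b', '2')].

    Empty parts (from doubled or trailing semicolons) are dropped, and only
    the first '=' separates name from value, so values containing '=' survive.
    """
    pairs: List[Tuple[str, str]] = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def strip_cookie_naive(header: str, name: str) -> str:
    """Reproduce the buggy behaviour: cut 'name=value' out as raw text.

    When the cookie is the last one, only the text up to the end is removed,
    so the separator that preceded it is never cleaned up.
    """
    start = header.find(name + "=")
    if start < 0:
        return header
    end = header.find(";", start)
    if end < 0:
        # Last cookie: the preceding ';' is left behind (the defect).
        return header[:start].rstrip()
    return header[:start] + header[end + 1:].lstrip()


def strip_cookie(header: str, name: str) -> str:
    """Hardened form: parse, drop the cookie by name, and rejoin.

    Because the header is rebuilt from the surviving pairs, no separator can
    dangle regardless of where the removed cookie sat.
    """
    kept = [f"{n}={v}" for n, v in parse_cookie_header(header) if n != name]
    return "; ".join(kept)


def has_dangling_separator(header: str) -> bool:
    """Check a received Cookie header for an empty segment (e.g. 'a=1;').

    Useful as a back-end sanity check for the symptom in the release note.
    """
    if header.strip() == "":
        return False
    return any(part.strip() == "" for part in header.split(";"))


if __name__ == "__main__":
    sample = f"a=1; {COOKIE_NAME}=xyz"  # constructed sample header
    print("naive   :", repr(strip_cookie_naive(sample, COOKIE_NAME)))
    print("hardened:", repr(strip_cookie(sample, COOKIE_NAME)))
```

The naive variant is kept only to show why a by-name rebuild is the safer approach: any text-splicing removal has to special-case the first, middle and last positions, and the last position is exactly where the stray semicolon in the release note comes from.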
- [From Build 53.22] [# 689915]A NetScaler appliance can become unresponsive if it hosts a wildcard load balancing virtual server that has the use source IP option enabled and the use proxy port option disabled. The failure occurs if the virtual server associates the outgoing probe connection information with different incoming connections destined to the same server.
- [From Build 53.22] [# 689375]On the NetScaler T-13xx platform, the NetScaler software incorrectly calculates the minimum memory required for large scale NAT (LSN) configurations. The NetScaler appliance might become unresponsive if the memory limit is set to a value lower than the incorrectly calculated minimum required memory displayed in the "show extendedmemory" output.
- [From Build 41.24] [# 525671]When secure connection is enabled on CCO, config sync doesn't work.
For details of a specific release, see the corresponding release notes.
- Build 56.20 (2017-12-20) (Current build)
- Build 53.22 (2017-08-28) Replaces: 53.13
- Build 51.24 (2017-07-14)
- Build 41.24 (2017-05-25) Replaces: 41.22
- Build 35.6 (2017-03-02)