Release Notes for Build 48.13 of NetScaler 12.1 Release
June 8, 2018 | Release notes version: 1.0
This release notes document describes the enhancements and changes and specifies the issues that exist, for the NetScaler release 12.1 Build 48.13.
Notes
- This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
- The [# XXXXXX] labels under the issue descriptions are internal tracking IDs used by the NetScaler team.
Points to Note
Some important aspects to keep in mind while using Build 48.13.
NetScaler SDX appliance
- The message "Appliance license expired" appears when you log on to the NetScaler SDX GUI after upgrading from any previous NetScaler version to 12.1 48.13. This is a harmless message and can be ignored safely. [# 710430]
NetScaler VPX appliance
- When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the NetScaler instance. Use the "rm cloudprofile" command to delete the profile. [# 706104]
- When you power on the NetScaler VPX instance for the first time after you have configured an Intel XL710 NIC as a PCI passthrough interface, the instance takes longer than normal to start. The issue is seen only the first time the system starts after the interface is configured, and is due to a limitation of the Intel XL710 NIC. [# 708142]
SSL
- Removal of SSLv2 support
  According to RFC 6176 from the Internet Engineering Task Force (IETF), TLS servers must not support SSLv2. The NetScaler appliance does not support SSLv2 from release 12.1. [# 248625]
- Removal of weak ciphers from the DEFAULT_BACKEND cipher group
  The following weak ciphers are removed from the DEFAULT_BACKEND cipher group (cipher name, priority, description):
  - SSL3-DES-CBC-SHA, priority 11: SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 HexCode=0x0009
  - SSL3-EXP-DES-CBC-SHA, priority 12: SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 Export HexCode=0x0008
  - SSL3-EXP-RC2-CBC-MD5, priority 13: SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 Export HexCode=0x0006
  - SSL3-EDH-DSS-DES-CBC-SHA, priority 14: SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 HexCode=0x0012
  - TLS1-EXP1024-DHE-DSS-DES-CBC-SHA, priority 15: TLSv1 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 Export HexCode=0x0063
  - SSL3-EXP-EDH-DSS-DES-CBC-SHA, priority 16: SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 Export HexCode=0x0011
  - SSL3-EDH-RSA-DES-CBC-SHA, priority 17: SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 HexCode=0x0015
  - SSL3-EXP-EDH-RSA-DES-CBC-SHA, priority 18: SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 Export HexCode=0x0014
  - TLS1-EXP1024-RC2-CBC-MD5, priority 19: TLSv1 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 Export HexCode=0x0061
  - SSL3-ADH-DES-CBC-SHA, priority 20: SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1 HexCode=0x001a
  - SSL3-EXP-ADH-DES-CBC-SHA, priority 23: SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 Export HexCode=0x0019
  [# 695490, 648914, 678149, 678152]
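The removed ciphers share a handful of properties (SSLv3-only, export-grade key exchange, DES/RC2, MD5 MAC, anonymous DH) that can be read straight from the "Description" field of a cipher listing. The following Python is an added example, not Citrix code: it parses entries in the "Cipher Name / Priority / Description" layout used above and reports why each one fails a modern policy. The eleven removed ciphers are taken from the list above; the two passing entries and the 2048-bit key-exchange threshold are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input in the layout of the listing above. The first eleven entries are
# the ciphers removed from DEFAULT_BACKEND in this build; the last two are constructed
# examples of ciphers that should pass the audit.
SAMPLE_CIPHER_LIST = """\
Cipher Name: SSL3-DES-CBC-SHA Priority : 11 Description: SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 HexCode=0x0009
Cipher Name: SSL3-EXP-DES-CBC-SHA Priority : 12 Description: SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 Export HexCode=0x0008
Cipher Name: SSL3-EXP-RC2-CBC-MD5 Priority : 13 Description: SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 Export HexCode=0x0006
Cipher Name: SSL3-EDH-DSS-DES-CBC-SHA Priority : 14 Description: SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1 HexCode=0x0012
Cipher Name: TLS1-EXP1024-DHE-DSS-DES-CBC-SHA Priority : 15 Description: TLSv1 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 Export HexCode=0x0063
Cipher Name: SSL3-EXP-EDH-DSS-DES-CBC-SHA Priority : 16 Description: SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 Export HexCode=0x0011
Cipher Name: SSL3-EDH-RSA-DES-CBC-SHA Priority : 17 Description: SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 HexCode=0x0015
Cipher Name: SSL3-EXP-EDH-RSA-DES-CBC-SHA Priority : 18 Description: SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 Export HexCode=0x0014
Cipher Name: TLS1-EXP1024-RC2-CBC-MD5 Priority : 19 Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 Export HexCode=0x0061
Cipher Name: SSL3-ADH-DES-CBC-SHA Priority : 20 Description: SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1 HexCode=0x001a
Cipher Name: SSL3-EXP-ADH-DES-CBC-SHA Priority : 23 Description: SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 Export HexCode=0x0019
Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 1 Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc030
Cipher Name: TLS1-AES-256-CBC-SHA Priority : 2 Description: TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 HexCode=0x0035
"""

LINE_RE = re.compile(
    r"Cipher Name:\s*(?P<name>\S+)\s+Priority\s*:\s*(?P<priority>\d+)\s+"
    r"Description:\s*(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+Export)?\s+"
    r"HexCode=(?P<hexcode>0x[0-9a-fA-F]+)"
)
BITS_RE = re.compile(r"\((\d+)\)")   # the "(56)" in DES(56), the "(512)" in RSA(512)
MIN_KX_BITS = 2048                   # example policy: RSA/DH parameters below this are flagged


@dataclass
class Cipher:
    name: str
    priority: int
    proto: str
    kx: str
    au: str
    enc: str
    mac: str
    export: bool
    hexcode: str


def parse_cipher_list(text: str) -> List[Cipher]:
    """Parse every line that looks like a cipher entry; other lines are ignored."""
    ciphers: List[Cipher] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ciphers.append(Cipher(m["name"], int(m["priority"]), m["proto"], m["kx"], m["au"],
                              m["enc"], m["mac"], m["export"] is not None, m["hexcode"]))
    return ciphers


def _bits(field_value: str) -> Optional[int]:
    m = BITS_RE.search(field_value)
    return int(m.group(1)) if m else None


def weak_reasons(c: Cipher) -> List[str]:
    """Return the list of policy failures for one cipher; an empty list means acceptable."""
    reasons: List[str] = []
    if c.proto in ("SSLv2", "SSLv3"):
        reasons.append(f"obsolete protocol {c.proto}")
    if c.export:
        reasons.append("export-grade cipher")
    kx_bits = _bits(c.kx)
    if kx_bits is not None and kx_bits < MIN_KX_BITS:
        reasons.append(f"short key-exchange parameters ({kx_bits}-bit)")
    if c.au == "None":
        reasons.append("anonymous key exchange (no server authentication)")
    enc_alg = c.enc.split("(")[0]
    enc_bits = _bits(c.enc)
    if enc_alg in ("DES", "RC2", "RC4", "NULL") or (enc_bits is not None and enc_bits < 112):
        reasons.append(f"weak bulk cipher {c.enc}")
    if c.mac == "MD5":
        reasons.append("MD5 MAC")
    return reasons


def audit_cipher_group(text: str) -> dict:
    """Map each cipher name in a listing to its weaknesses (empty list = acceptable)."""
    return {c.name: weak_reasons(c) for c in parse_cipher_list(text)}
```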
What's New?
The enhancements and changes that are available in Build 48.13.
AAA-TM
- Support to pass through RADIUS attribute 66 (Tunnel-Client-Endpoint)
  The NetScaler appliance now allows the pass-through of RADIUS attribute 66 (Tunnel-Client-Endpoint) during RADIUS authentication. With this feature, the client's IP address is passed on to the second-factor authentication server, which can use it to make risk-based authentication decisions.
  A new attribute, "tunnelEndpointClientIP", is introduced in both the "add authentication radiusAction" and "set radiusParams" commands.
  To use this feature, at the NetScaler command prompt, type:
  • add authentication radiusAction <name> {-serverIP <ip_addr|ipv6_addr|*> | {-serverName <string>}} [-serverPort <port>] … [-tunnelEndpointClientIP (ENABLED|DISABLED)]
  • set radiusParams {-serverIP <ip_addr|ipv6_addr|*> | {-serverName <string>}} [-serverPort <port>] … [-tunnelEndpointClientIP (ENABLED|DISABLED)]
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk/ns-aaa-setup-policies-auth-radius-tsk.html [# 614884]
- WebView credential type support for authentication mechanisms
  NetScaler Gateway authentication now supports the AUTHv3 protocol. The WebView credential type in the AUTHv3 protocol supports all types of authentication mechanisms (including SAML and OAuth). The WebView credential type is a part of AUTHv3, which is implemented by Citrix Receiver and by browsers in web applications.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/saml-authentication.html [# 653138]
- Support to notify the number of unsuccessful login attempts
  The NetScaler appliance can now log the number of unsuccessful login attempts made since the last successful logon. The feature works only if the persistentLoginAttempts option is enabled on the appliance; by default, the option is disabled. A NetScaler administrator can use this information to verify whether any unauthorized attempts have been made on a secured external user account.
  To use this feature, at the NetScaler command prompt, type:
  set aaa parameter [-maxloginAttempts <value> [-failedLoginTimeout <value>]] -persistentLoginAttempts (ENABLED | DISABLED)
  Example:
  set aaa parameter -maxLoginAttempts 4 -failedLoginTimeout 3 -persistentLoginAttempts ENABLED
  [# 671478]
- Optimization of Kerberos authentication on NetScaler AAA
  The NetScaler appliance now improves system performance during Kerberos authentication. The NetScaler AAA daemon remembers the outstanding Kerberos request for a user and does not send duplicate requests for the same user, which reduces the load on the Key Distribution Center (KDC).
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/ns-aaa-config-protocols-con/ns-aaa-config-protocols-krb5-ntlm-intro-con.html [# 681896, 690321]
- Support for validating end-to-end LDAP authentication
  The NetScaler appliance can now validate end-to-end LDAP authentication through the NetScaler GUI. To validate this feature, a new "test" button is introduced in the NetScaler GUI. A NetScaler administrator can use this feature for the following benefits:
  • Consolidates the complete flow (packet engine – AAA daemon – external server) to provide better analysis.
  • Reduces the time spent validating and troubleshooting issues related to individual scenarios.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk/ns-aaa-setup-policies-auth-ldap-tsk.html [# 697083]
- Simplified login protocol support for NetScaler AAA
  The login protocol between NetScaler AAA traffic management virtual servers and NetScaler AAA virtual servers is simplified to use internal mechanisms instead of sending encrypted data through query parameters. This prevents the replay of requests.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/authentication-virtual-server/ns-aaa-setup-tm-vserver-tsk.html [# 700114]
- Support of name-value attribute for LDAP authentication
  You can now configure the attributes of LDAP authentication with a unique name along with values. The names are configured in the LDAP action parameter and the values are obtained by querying for the name.
  To use this feature, at the NetScaler command prompt, type:
  add authentication ldapAction <name> [-Attribute1 <string>]
  Example:
  add authentication ldapAction ldapAct1 -Attribute1 mail
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk/ns-aaa-setup-policies-auth-ldap-tsk.html [# 700710]
- Support for AAA.USER and AAA.LOGIN expressions
  The AAA.USER expression is now implemented to replace the existing HTTP.REQ.USER expressions. The AAA.USER expression can handle non-HTTP traffic, such as Secure Web Gateway (SWG) and the role-based access (RBA) mechanism. The AAA.USER expressions are equivalent to the HTTP.REQ.USER expressions. You can use the expression in a variety of action and profile configurations. For example:
  add tm trafficAction tm_act -SSO ON -userExpression "AAA.USER.NAME"
  Note: If you use an HTTP.REQ.USER expression, the warning message "HTTP.REQ.USER has been deprecated. Use AAA.USER instead" appears on the command prompt.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/ns-aaa-setup-traffic-setting-con/ns-aaa-setup-traffic-prfl-tsk.html [# 701211]
- Support for encrypted tokens on OpenID Connect
  The NetScaler appliance with the OpenID Connect mechanism now supports sending encrypted tokens along with signed tokens. The NetScaler appliance uses the JSON Web Encryption specification to compute the encrypted tokens and supports only compact serialization of encrypted tokens.
  A new attribute, "relyingPartyMetadataURL", is introduced in both "add authentication OAuthIDPProfile" and "set authentication OAuthIDPProfile".
  To activate this feature, at the NetScaler command prompt, type:
  • add authentication OAuthIDPProfile <name> [-relyingPartyMetadataURL <URL>]
  • set authentication OAuthIDPProfile <name> [-relyingPartyMetadataURL <URL>]
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/oauth-authentication.html [# 702669]
- Support for 14-day password expiry notification for LDAP based authentication
  The 14-day password expiry feature on the NetScaler appliance gives the administrator an option to notify end users about password expiry. With this feature, end users are notified of their password expiry (the number of days left before expiry).
  To use this feature, make the following changes in the LDAP configuration:
  • If the LDAP configuration has the "ldapBase" parameter set to "cn=users, dc=domain, dc=com", change it to "dc=domain, dc=com".
  • The LDAP search base has to be changed from "Users" to one level higher (at the domain level).
  To enable this feature, at the NetScaler command prompt, type:
  set aaa parameter -pwdExpiryNotificationDays <positive_integer>
  Example:
  set aaa parameter -pwdExpiryNotificationDays 14
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/aaa-tm/configure-aaa-policies/ns-aaa-setup-policies-authntcn-tsk/ns-aaa-setup-policies-auth-ldap-tsk.html [# 703474]
Admin Partition
- Displaying the availability of partition MAC addresses
  You can now use the "show ns PartitionMAC" command to display a list of the configured partition MAC (PMAC) addresses on a NetScaler appliance. The command displays all the PMAC addresses and the corresponding partitions (if assigned). On a non-SDX platform, the command displays all the PMAC addresses and their corresponding partitions, because a PMAC address is assigned to a partition only when needed (when the partition binds a shared VLAN). On an SDX platform, however, the list might contain some unassigned PMACs.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/admin-partition/display-configured-pmac-addresses-for-shared-vlan-configuration.html [# 683620]
Clustering
- Policy-based backplane steering support for cluster
  Policy-based backplane steering (PBS) is a mechanism in a cluster deployment that steers traffic across cluster nodes based on the hash method defined for the flow. The flow is defined by a combination of L2 and L3 parameters, similar to an Access Control List (ACL).
  PBS supports both IPv4 and IPv6 traffic. In IPv6 deployments, steering is supported by an additional option, "[dfdprefix <positive_integer>]", which provides the flexibility to choose the same flow processor for the same IP prefix. The prefix option is supported for the source IP or destination IP hash methods only.
  To support this feature, new attributes are introduced in the existing ACL commands.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/clustering/cluster-traffic-distribution.html [# 683464]
DNS
- Support for DNS name servers over TCP
  The NetScaler appliance in forwarder mode now supports TCP and UDP-TCP name servers.
  - If you have configured a TCP name server, the NetScaler appliance sends the DNS request over TCP.
  - If you have configured a UDP-TCP name server, the NetScaler appliance sends the DNS request over UDP. However, if the truncated bit is set in the DNS response, the appliance resends the request over TCP.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/dns/configure-netscaler-forwarder/add-name-server.html. [# 679817, 697499, 708456]
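The decision above rests on two wire-format details: the TC (truncation) bit in the DNS header flags (RFC 1035 section 4.1.1) and the two-byte length prefix that frames each message over TCP (RFC 1035 section 4.2.2). The following Python is an added example, not Citrix code: it builds a query, checks the TC bit, frames for TCP, and applies the forwarder logic for both name server types against a constructed stand-in server (the name example.test and the answer 10.0.0.1 are constructed).

```python
import struct
from typing import Callable, List, Tuple

# DNS header flag bits (RFC 1035 section 4.1.1)
QR_FLAG = 0x8000  # message is a response
TC_FLAG = 0x0200  # TrunCation: the response was cut to fit the UDP size limit
RD_FLAG = 0x0100  # recursion desired
RA_FLAG = 0x0080  # recursion available

Transport = Callable[[bytes], bytes]  # sends one message, returns the peer's reply


def build_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, one question) plus the question section."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def is_truncated(message: bytes) -> bool:
    """True when the TC bit is set in the flags word at bytes 2-3 of the header."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    (flags,) = struct.unpack("!H", message[2:4])
    return bool(flags & TC_FLAG)


def answer_count(message: bytes) -> int:
    (ancount,) = struct.unpack("!H", message[6:8])
    return ancount


def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes each message with a two-byte big-endian length."""
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream: bytes) -> bytes:
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("incomplete DNS/TCP message")
    return body


def forward_query(query: bytes, server_type: str,
                  send_udp: Transport, send_tcp: Transport) -> Tuple[bytes, List[str]]:
    """Forward as the note describes: a TCP name server is always asked over TCP; a
    UDP-TCP name server is asked over UDP first and again over TCP if the UDP reply has
    TC set. Returns the final reply and the transports used, in order."""
    used: List[str] = []
    if server_type == "TCP":
        used.append("tcp")
        return tcp_unframe(send_tcp(tcp_frame(query))), used
    if server_type != "UDP-TCP":
        raise ValueError(f"unsupported name server type {server_type!r}")
    used.append("udp")
    reply = send_udp(query)
    if is_truncated(reply):
        used.append("tcp")
        reply = tcp_unframe(send_tcp(tcp_frame(query)))
    return reply, used


def fake_name_server(query: bytes, truncate: bool) -> bytes:
    """Constructed stand-in for the upstream server. It echoes the query ID and question;
    when truncating it returns header and question only with TC set (as a server does
    when the full answer exceeds the UDP payload limit), otherwise it appends one A
    record pointing at the constructed address 10.0.0.1."""
    txid = query[:2]
    question = query[12:]
    flags = QR_FLAG | RD_FLAG | RA_FLAG | (TC_FLAG if truncate else 0)
    header = txid + struct.pack("!HHHHH", flags, 1, 0 if truncate else 1, 0, 0)
    if truncate:
        return header + question
    # Answer RR: compressed name pointer to offset 12, TYPE A, CLASS IN, TTL 60, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([10, 0, 0, 1])
    return header + question + answer


def demo() -> List[str]:
    """One query to a constructed UDP-TCP server that truncates over UDP."""
    query = build_query("example.test", 0x1234)
    reply, used = forward_query(
        query, "UDP-TCP",
        send_udp=lambda m: fake_name_server(m, truncate=True),
        send_tcp=lambda m: tcp_frame(fake_name_server(tcp_unframe(m), truncate=False)),
    )
    assert not is_truncated(reply) and answer_count(reply) == 1
    return used


if __name__ == "__main__":
    print("transports used:", demo())  # prints: transports used: ['udp', 'tcp']
```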
GSLB
- Updated GEO IP database files
  The NetScaler appliance now includes the following two IP geolocation database files. These are GeoLite2 files, published by MaxMind.
  - Citrix_Netscaler_InBuilt_GeoIP_DB_IPv4
  - Citrix_Netscaler_InBuilt_GeoIP_DB_IPv6
  These database files are available in a format supported by the NetScaler appliance in the directory /var/netscaler/inbuilt_db. You can use these IP geolocation databases as the location file for the static proximity based GSLB method, or in location based policies.
  After an upgrade, if the /var/netscaler/inbuilt_db/ directory contains the database file (Citrix_Netscaler_InBuilt_GeoIP_DB.csv) from earlier NetScaler software versions, the file is retained.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/global-server-load-balancing/configuring-static-proximity/add-a-location-file-create-static-proximity-db.html. [# 666268]
- Support for viewing the GSLB synchronization summary
  You can now view the summary of the last GSLB sync operation. This is applicable to both manual and real-time GSLB synchronization.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/global-server-load-balancing/synchronizing-configuration-in-gslb-setup/view-gslb-synchronization-status-and-summary.html. [# 678547]
- New directory synchronized as part of GSLB synchronization process
  As part of the GSLB synchronization process, the /var/netscaler/inbuilt_db/ directory is also synchronized, in addition to the /var/netscaler/locdb/ and /var/netscaler/ssl/ directories. [# 699729, 699287]
- Support for setting site persistence for the IP address based and domain name based service groups
  You can now set site persistence for the IP address based and domain name based service groups.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/global-server-load-balancing/configure/configuring-a-gslb-service-group.html. [# 701512]
Licensing
- Support for checking NetScaler license expiration information through GUI and CLI
  You can now check NetScaler license expiration information through the GUI or CLI. Previously, customers were notified of an expired license only after a system reboot, which caused the NetScaler appliance to restart as an unlicensed appliance.
  To check license information through the NetScaler GUI, navigate to Configuration > System > Licenses. Alternatively, run the command "show ns license" to view the license information.
  For more information, see the "Check license expiration information" section in this topic: https://docs.citrix.com/en-us/netscaler/12-1/licensing/netscaler-licensing-overview.html [# 556558]
Load Balancing
- Packets per second rate limiting support on DSR virtual servers
  Packets per second rate limiting is now supported on DSR virtual servers. You can configure a stream selector and a responder policy to collect statistics at the packet level for all the connections identified by the selector. If the number of packets per second exceeds the configured threshold, the policy applies the configured action (RESET or DROP).
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/appexpert/rate-limiting/configure-rate-limit-at-packet-level.html. [# 688195]
- Addition of IPANDVLAN as a subscriber lookup method
  You can now choose either IP or IPANDVLAN as the key lookup method for the subscriber policy enforcement and management system. The IPANDVLAN key lookup method is supported only when the subscriber interface is set to GxOnly.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-support-for-telecom-service-providers/lsn-telco-subscriber-management.html#IPANDVLAN. [# 698306]
NITRO
- Retrieving LOM port firmware version
  The nshardware NITRO API resource now supports retrieving the firmware version of a NetScaler appliance's LOM port.
  For more information, see https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/latest/configuration/ns/nshardware/nshardware/ [# 695712]
- Auto-ordering of operations in NITRO macro API
  The NetScaler appliance performs the operations listed in a NITRO macro API request in the correct order even if they are listed in the wrong order. For example, even if a bind operation is listed before an add operation for a load balancing virtual server in a NITRO macro API request, the appliance performs the add operation before the bind operation.
  For more information, see https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/latest/performing-netscaler-resource-operations/#performing-bulk-operations [# 701814]
- Auto-enabling of features in NITRO macro API
  The NetScaler appliance can automatically enable the features whose operations are listed in a NITRO macro API request. For auto-enabling of features, the following header must be specified in the NITRO macro API request:
  X-NITRO-ENABLEFEATURE: YES
  For example, if a NITRO macro API request lists operations related to the load balancing feature and this feature is not enabled, the appliance automatically enables the feature before performing the load balancing operations.
  For more information, see https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/latest/performing-netscaler-resource-operations/#performing-bulk-operations [# 701817]
- Auto save config for NITRO macro API
  The NetScaler appliance can automatically perform a save config operation after performing all the operations listed in a NITRO macro API request. For the auto save config operation, the following header must be specified in the NITRO macro API request:
  X-NITRO-SAVECONFIG: YES
  For more information, see https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/latest/performing-netscaler-resource-operations/#performing-bulk-operations [# 701917]
NetScaler CLI
- Displaying number of unsuccessful logon attempts
  Upon successful logon to a NetScaler appliance, the command interface now displays the number of unsuccessful logon attempts since the last successful logon. A NetScaler administrator can use this information to verify whether any unauthorized activity has occurred on a secured user account.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/ns-ag-aa-intro-wrapper-con/display-unsuccessful-external-user-logon-attempts.html [# 682166]
NetScaler GUI
- Configuring priority load balancing
  You can now configure priority load balancing using the NetScaler GUI. The priority load balancing feature enables you to assign a priority number to each of the services or service groups bound to a priority load balancing virtual server. The service or service group with the lowest number has the highest priority. Application traffic is distributed only to this service or service group as long as it is UP. The service or service group assigned the next priority number becomes operational only when all the services, or all the members of the service group, with the highest priority are DOWN. However, when any service or service group member with the highest priority becomes available again, the traffic is directed back to that service or service group.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/priority-load-balancing.html. [# 697183, 696663]
NetScaler Gateway
- Support for RDP redirection
  A NetScaler Gateway appliance now supports RDP redirection with a connection broker or session directory. An RDP proxy communication no longer requires an exclusive URL for every connection from the client to the server. Instead, the proxy uses a single URL to connect to an RDP server farm, reducing the maintenance and configuration overhead for an administrator.
  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/rdp-redirection.html. [# 612519]
- Support for randomizing RDP file name with RDP proxy
  When you click an RDP URL, an RDP file is downloaded. Clicking the RDP URL again downloads a new RDP file with the same name, resulting in a pop-up asking whether to replace the existing file with the new one. To avoid this, the RDP file name is now randomized by appending the output of the time() function, in the format <rdpFileName>_<output of time()>.rdp. The appliance thus generates a unique RDP file name every time you download a file.
  Configuration:
  add rdpclientprofile <profileName> -rdpfileName <filename> -randomizeRDPFilename <YES/NO>
  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/rdp-redirection.html. [# 695990]
- Populate RDP URLs based on LDAP attribute
  You can now configure a NetScaler Gateway appliance to retrieve a list of RDP servers (IP/FQDN) from an LDAP server attribute. Based on the retrieved list, the appliance displays the RDP URLs for the servers to be accessed.
  Configuration:
  add rdpclientprofile <Name> -rdpUrlLinkAttribute <string>
  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/rdp-redirection.html. [# 698917, 699370]
- Simplified SaaS apps configuration
  With this enhancement, configuring and publishing a SaaS app is simplified by using an app catalogue. The NetScaler Gateway appliance now has built-in catalogues of commonly used SaaS apps that allow app-specific fields to be auto-populated for a simplified configuration experience. Administrators can also create their own SaaS apps catalogue.
  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/saas-app-configuration-using-a-template.html. [# 699991]
NetScaler SDX appliance
- Support for SDX 8900 appliance
  This release supports the NetScaler SDX 8900 appliance.
  For more information, see the following documentation:
  Citrix NetScaler SDX 8900: https://docs.citrix.com/en-us/netscaler-hardware-platforms/sdx/hardware-platforms/8900.html [# 653122, 636909]
- Support for SNMP version 3
  While provisioning a NetScaler VPX instance, you can now use either SNMP version 3 (v3) or SNMP v2. Earlier, only SNMP v2 was supported in admin profiles. SNMP v3 sets up a secure channel between the VPX instance and the SDX user interface for sending SNMP traps. To enable SNMP v3, in the NetScaler Management Service select Configuration > NetScaler > Admin Profiles > Add. In the Admin Profiles page, select the radio button for SNMP v3 and add the details.
  For more information, see the "Creating Admin Profiles" section in this topic: https://docs.citrix.com/en-us/sdx/12-1/provision-netscaler-instances.html [# 674022]
- SSH public key authentication support for LDAP users
  The NetScaler SDX appliance can now authenticate LDAP users for logon through SSH public key authentication. The list of public keys is stored on the user object in the LDAP server. During authentication, SSH retrieves the SSH public keys from the LDAP server, and the logon succeeds if any of the retrieved public keys works with SSH.
  For key-based authentication, you must specify the location of the public keys by setting the value of AuthorizedKeysFile in the /etc/sshd_config file as follows:
  AuthorizedKeysFile .ssh/authorized_keys
  For more information, see https://docs.citrix.com/en-us/sdx/12-1/configuring-management-service/configuring-external-authentication-server.html [# 696281]
- SNMP OIDs for health monitoring
  You can now use specific OIDs for health monitoring items such as power supply, fan, temperature, and voltage through OID 1.3.6.1.4.1.5951.6.2.1000.6. [# 697395]
NetScaler VPX appliance
- Support for Azure autoscale feature
  NetScaler VPX instances deployed on Azure now support autoscale with Azure virtual machine scale sets. When integrated with the autoscale feature, NetScaler VPX instances provide improved:
  - Load balancing and load management
  - High availability
  - Network availability
  For more information, see:
  Add Azure autoscale settings: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-on-azure/Autoscale.html
  Overview of autoscale with Azure virtual machine scale sets: https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-autoscale-overview
  [# 690441]
- Support for VMware vMotion
  From this release, you can migrate a NetScaler VPX instance by using VMware vMotion. The vMotion feature does not support NetScaler VPX instances configured to use SR-IOV and PCI passthrough interfaces. Supported interfaces are E1000 and VMXNET3.
  For more information, see the Install a NetScaler VPX instance on VMware ESX topic: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/install-vpx-on-esx.html [# 690477, 676805, 460577]
- Support for high availability across AWS availability zones
  For a high availability setup on AWS, you can now deploy a VPX pair running in two different AWS availability zones or two different subnets. Previously, a VPX pair could be deployed in a high availability setup only when both instances ran in the same availability zone and the same subnet.
  For more information, see the High availability across AWS availability zones topic: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-aws/high-availability-different-zones.html [# 696692]
- Support for XenServer versions 7.1 and 7.4
  VPX appliances are now supported on XenServer versions 7.1 and 7.4.
  For more information, see Support matrix and usage guidelines: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/supported-hypervisors-features-limitations.html. [# 702581]
- Support for RHEL 7.4 for KVM
  VPX appliances are now supported on KVM running RHEL version 7.4.
  For more information, see Support matrix and usage guidelines: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/supported-hypervisors-features-limitations.html. [# 710108]
Networking
- Virtual servers with multiple IP addresses
  The NetScaler appliance supports creating a single load balancing virtual server with multiple consecutive or non-consecutive IPv4 and IPv6 addresses of type VIP. Each VIP address bound to a virtual server is treated as an individual virtual server. These virtual servers have the same protocol and other virtual server level settings. A virtual server with multiple VIP addresses is also called a multi-IP virtual server.
  The following are some advantages of using multi-IP virtual servers:
  - A multi-IP virtual server offloads the work of creating many virtual servers with the same settings and service bindings.
  - Multi-IP virtual servers effectively reduce the possibility of reaching the maximum limit on virtual server entities.
  - One multi-IP virtual server can be used for clients in different subnets to connect to the same set of servers.
  - A single multi-IP virtual server can be used for both IPv6 and IPv4 clients to connect to the same set of servers.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/load-balancing/load-balancing-customizing/multi-ip-virtual-servers.html [# 249033]
- MD5 authentication support for Border Gateway Protocol
  The NetScaler appliance supports MD5 authentication for Border Gateway Protocol (BGP). When authentication is enabled, any TCP segment belonging to BGP that is exchanged between the NetScaler appliance and its peer device is verified, and accepted only if authentication succeeds. For authentication to succeed, both peers must be configured with the same MD5 password. If authentication fails, the BGP neighbor relationship is not established.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/networking/ip-routing/configuring-dynamic-routes/configuring-bgp.html [# 455254]
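BGP MD5 authentication is the TCP MD5 Signature Option of RFC 2385: every segment carries an MD5 digest over the IPv4 pseudo-header, the fixed TCP header, the data and the shared password, and a receiver drops segments whose digest does not match its own password, which is why a mismatch leaves the neighbor relationship down. The following Python is an added example, not Citrix code, showing the digest computation, signing and verification over constructed segments (TEST-NET-1 addresses, a made-up secret, IPv4 only, TCP checksum left at zero).

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_OPT_MD5 = 19       # TCP MD5 Signature Option kind (RFC 2385)
TCP_OPT_MD5_LEN = 18   # kind (1) + length (1) + 16-byte MD5 digest
TCP_PROTO = 6
BGP_PORT = 179


def tcp_md5_digest(src_ip: str, dst_ip: str, segment: bytes, password: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over (1) the IPv4 pseudo-header, (2) the 20-byte fixed TCP
    header with the checksum zeroed and options excluded, (3) the TCP data and (4) the
    shared secret. The option itself is never covered, so the digest can be computed
    before it is written into the segment."""
    data_offset = (segment[12] >> 4) * 4          # TCP header length including options
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"                    # checksum assumed zero
    payload = segment[data_offset:]
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))  # segment length = header + data
    return hashlib.md5(pseudo + bytes(fixed) + payload + password).digest()


def build_segment(sport: int, dport: int, seq: int, ack: int, flags: int,
                  payload: bytes = b"", with_md5_option: bool = True) -> bytes:
    """TCP segment without the IP layer. The checksum stays zero here because it is not
    part of the signature; a real stack fills it in after signing."""
    options = b""
    if with_md5_option:
        # kind 19, length 18, 16-byte placeholder digest, two NOPs to reach a 4-byte boundary
        options = struct.pack("!BB", TCP_OPT_MD5, TCP_OPT_MD5_LEN) + bytes(16) + b"\x01\x01"
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset_words << 4, flags, 65535, 0, 0)
    return header + options + payload


def find_md5_option(segment: bytes):
    """Offset of the 16-byte digest inside the segment, or None if the segment is unsigned."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:              # End of Option List
            break
        if kind == 1:              # NOP
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:             # malformed option: stop rather than loop forever
            break
        if kind == TCP_OPT_MD5 and length == TCP_OPT_MD5_LEN:
            return i + 2
        i += length
    return None


def sign_segment(src_ip: str, dst_ip: str, segment: bytes, password: bytes) -> bytes:
    pos = find_md5_option(segment)
    if pos is None:
        raise ValueError("segment carries no TCP MD5 option to fill")
    digest = tcp_md5_digest(src_ip, dst_ip, segment, password)
    return segment[:pos] + digest + segment[pos + 16:]


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, password: bytes) -> bool:
    """Receiver side: an unsigned segment, or one whose digest does not match the locally
    configured password, is rejected; with every segment rejected the session never forms."""
    pos = find_md5_option(segment)
    if pos is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, segment, password)
    return hmac.compare_digest(segment[pos:pos + 16], expected)


# Constructed values: TEST-NET-1 addresses and a made-up shared secret.
LOCAL, PEER = "192.0.2.1", "192.0.2.2"
SECRET = b"constructed-bgp-secret"
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # marker, length 19, type KEEPALIVE
```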
- MAC based forwarding for a load balancing setup
  Some load balancing setups require that the NetScaler appliance bypass the global MBF setting (if enabled) for those setups and instead use route/ARP lookups to send packets to the destination. The MBF parameter of a net profile is used to enable or disable MBF for a specific load balancing configuration. MBF can be set for the client side as well as the server side of a load balancing configuration by binding net profiles (with MBF enabled or disabled) to the virtual server and the services.
  For example, if a net profile with MBF disabled is bound to the virtual server of a load balancing configuration, the NetScaler appliance bypasses the global MBF setting (if enabled) and instead uses route/ARP lookups to send response packets to clients.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/networking/interfaces/configuring-mac-based-forwarding.html [# 466092]
- Stateful ACL rules
  A stateful ACL rule creates a session when a request matches the rule and allows the resulting responses even if those responses match a deny ACL rule on the NetScaler appliance. A stateful ACL offloads the work of creating additional ACL rules or forwarding session rules to allow these specific responses.
  Stateful ACLs are best used in an edge firewall deployment of a NetScaler appliance with the following requirements:
  - The NetScaler appliance must allow requests initiated from internal clients and the related responses from the Internet.
  - The appliance must drop packets from the Internet that are not related to any client connection.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/networking/access-control-lists-acls/extended-acls-and-extended-acl6s.html [# 646179]
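The edge-firewall behaviour above comes down to one ordering rule: a stateful ALLOW match records the flow, and packets on the reverse flow are admitted before the rule list (and its DENY) is consulted. The following Python is an added model of that logic, not NetScaler code; the internal prefix 10.0.0.0/8, the Internet hosts 198.51.100.7 and 203.0.113.5, and the treatment of traffic that matches no rule are constructed assumptions, and session ageing is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class AclRule:
    name: str
    action: str                  # "ALLOW" or "DENY"
    priority: int                # lower number is evaluated first
    src: Optional[str] = None    # CIDR prefix; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None
    stateful: bool = False       # only meaningful for ALLOW rules

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt.dport


class StatefulAclEngine:
    """A stateful ALLOW match records the reverse flow; packets on a recorded flow are
    allowed before any rule is consulted, so a later DENY cannot drop the response.
    Assumption for the model: sessions never expire (a real appliance ages them out)."""

    def __init__(self, rules: List[AclRule]):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.sessions: Set[FlowKey] = set()

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); reason is 'session', the matching rule name, or 'no-match'."""
        if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions:
            return "ALLOW", "session"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "ALLOW" and rule.stateful:
                    # remember the reverse direction so the response gets through
                    self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return rule.action, rule.name
        # Assumption for this example only: traffic matching no rule is processed normally.
        return "ALLOW", "no-match"


def edge_firewall_rules(stateful: bool = True) -> List[AclRule]:
    """Constructed ruleset for the edge-firewall case: internal clients (10.0.0.0/8,
    constructed) may initiate anything; all other traffic is dropped by a catch-all DENY."""
    return [
        AclRule("allow-internal-out", "ALLOW", 10, src="10.0.0.0/8", stateful=stateful),
        AclRule("deny-all", "DENY", 100),
    ]


def run_scenario(stateful: bool = True) -> List[Tuple[str, str]]:
    """Verdicts for a client request, the server's response, and an unsolicited inbound
    packet from the same server to a port the client never used."""
    engine = StatefulAclEngine(edge_firewall_rules(stateful))
    request = Packet("TCP", "10.1.1.5", 51000, "198.51.100.7", 443)
    response = Packet("TCP", "198.51.100.7", 443, "10.1.1.5", 51000)
    unsolicited = Packet("TCP", "198.51.100.7", 443, "10.1.1.5", 51001)
    return [engine.evaluate(p) for p in (request, response, unsolicited)]
```

With the stateful flag on, the response is admitted by the session while the unsolicited packet still hits deny-all; with it off, the same response is dropped by deny-all, which is the gap the note says a stateful ACL closes.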
- Statistics for RNAT6 rules
  You can display statistics related to the RNAT6 feature to monitor performance or to troubleshoot problems. You can display a summary of statistics of the RNAT6 rules. The statistical counters reflect events since the NetScaler appliance was last restarted, and all of them are reset to 0 when the appliance is restarted.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/networking/ip-addressing/configuring-network-address-translation/configuring-rnat.html [# 667022]
- Support for processing Class E IPv4 packets
  By default, the NetScaler appliance drops any packet that contains a Class E IPv4 address in the source IP or destination IP field. If your setup uses Class E IPv4 addresses, you can configure the NetScaler appliance to process Class E IPv4 packets.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/networking/ip-addressing/class-e-packets.html [# 694316]
- Logging support for extended ACL6 rules
  You can configure the NetScaler appliance to log details for packets that match an extended ACL6 rule. In addition to the ACL6 name, the logged details include packet-specific information, such as the source and destination IP addresses. The information is stored either in a syslog or an nslog file, depending on the type of logging (syslog or nslog) that you have configured on the NetScaler appliance.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/networking/access-control-lists-acls/extended-acls-and-extended-acl6s.html [# 694979]
Optimization
- Deprecating SPDY from NetScaler 12.0
  The SPDY functionality is deprecated from NetScaler 12.0 onwards. As an alternative, Citrix recommends using the HTTP/2 protocol for handling HTTP traffic. [# 700025]
SSL
- Selective SSL logging
  In a large deployment comprising thousands of virtual servers, all SSL-related information is logged. If only a few virtual servers are critical to the deployment, examining the entire log to find information about the client authentication and SSL handshake successes and failures for just those critical virtual servers is a time-consuming and tedious task. With this enhancement, you can log SSL-related information, such as client authentication and SSL handshake failures, for only a specific virtual server or group of virtual servers. This information is especially helpful in debugging failures. To log the information, you must add an SSL log profile.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/selective-ssl-logging.html [# 492689]
- Support for ECDHE ciphers on the front end of Thales nShield® external HSMThe NetScaler appliance now supports ECDHE ciphers on the front end of Thales nShield® external HSM. This group contains the following ciphers:- TLS1-ECDHE-RSA-AES256-SHA 0xc014- TLS1-ECDHE-RSA-AES128-SHA 0xc013- TLS1-ECDHE-RSA-DES-CBC3-SHA 0xc012- TLS1-ECDHE-RSA-RC4-SHA 0xc011Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.The following ECC curves are supported: P_256, P_384, P_224, and P_521.By default, all four curves are bound to an SSL virtual server.For more information, see https://docs.citrix.com/content/dam/docs/en-us/netscaler/12-1/cipher-support-on-an-external-hsm-thales-safenet.pdf[# 505629, 703038]
- Support for ECDHE ciphers on the front end of SafeNet network external HSMThe NetScaler appliance now supports ECDHE ciphers on the front end of SafeNet Network external HSM. This group contains the following ciphers:- TLS1-ECDHE-RSA-AES256-SHA 0xc014- TLS1-ECDHE-RSA-AES128-SHA 0xc013- TLS1-ECDHE-RSA-DES-CBC3-SHA 0xc012- TLS1-ECDHE-RSA-RC4-SHA 0xc011Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.The following ECC curves are supported: P_256, P_384, P_224, and P_521.By default, all four curves are bound to an SSL virtual server.For more information, see https://docs.citrix.com/content/dam/docs/en-us/netscaler/12-1/cipher-support-on-an-external-hsm-thales-safenet.pdf[# 594000]
- Support for ECDSA ciphers on the front end and back end of NetScaler MPX/SDX 14000 FIPS appliancesThe NetScaler MPX/SDX 14000 FIPS appliances now support the elliptical curve digital signature algorithm (ECDSA) cipher group end to end. ECDSA cipher suites use elliptical curve cryptography (ECC). Because of its smaller size, it is helpful in environments where processing power, storage space, bandwidth, and power consumption are constrained.Note: ECDSA certificates with only the following curves are supported:-prime256v1-secp384r1-secp521r1-secp224r1The following ciphers are supported with ECDSA:-ECDHE-ECDSA-AES256-GCM-SHA384-ECDHE-ECDSA-AES256-SHA384-ECDHE-ECDSA-AES256-SHA-ECDHE-ECDSA-AES128-GCM-SHA256-ECDHE-ECDSA-AES128-SHA256-ECDHE-ECDSA-AES128-SHA-ECDHE-ECDSA-RC4-SHA-ECDHE-ECDSA-DES-CBC3-SHAFor more information, see https://docs.citrix.com/content/dam/docs/en-us/netscaler/12-1/cipher-support-on-a-citrix-mpx-sdx-14000-fips-appliance.pdf[# 603605]
- Support for AES-GCM and SHA2 ciphers at the back end of the NetScaler VPX appliancesThe NetScaler VPX appliances now supports the following AES-GCM and SHA2 ciphers for a secure server-side connection.- TLS1.2-AES256-GCM-SHA384- TLS1.2-AES128-GCM-SHA256- TLS1.2-ECDHE-RSA-AES128-GCM-SHA256- TLS1.2-AES-256-SHA256- TLS1.2-AES-128-SHA256For more information, see https://docs.citrix.com/content/dam/docs/en-us/netscaler/12-1/cipher-support-on-a-citrix-vpx-appliance.pdf[# 636383]
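The ECDHE groups above list RC4 and 3DES (DES-CBC3) suites next to the AES ones, and the VPX back-end list mixes AEAD (GCM) suites with CBC suites and static RSA key exchange. Before binding such a group, a practitioner wants to know which entries are legacy. The following is an added example, not Citrix code and not part of this release note: a small Python classifier that reads cipher names in the two notations used on this page and flags RC4 (prohibited for TLS by RFC 7465), 3DES (64-bit block, Sweet32), export, anonymous and MD5 constructions, and notes suites without forward secrecy or AEAD. The sample input is constructed from the lists above; the rule set and findings text are my own, not a NetScaler feature.

```python
"""Flag legacy TLS cipher suites by name (added example, not Citrix code)."""
import re

# Leading protocol tag in NetScaler-style names ("SSL3-", "TLS1-", "TLS1.2-")
PROTO_PREFIX = re.compile(r"^(SSL[23]|TLS1(\.[0-9])?)$")
# A line as it appears on this page: optional "- ", the name, optional hex code
LINE = re.compile(r"^\s*-?\s*([A-Za-z0-9.\-]+)(?:\s+(?:HexCode=)?(0x[0-9a-fA-F]{4}))?")


def parse_line(line):
    """Return (name, hexcode or None) for a line like 'TLS1-ECDHE-RSA-RC4-SHA 0xc011'."""
    m = LINE.match(line)
    if not m:
        raise ValueError("unparseable cipher line: %r" % line)
    code = m.group(2).lower() if m.group(2) else None
    return m.group(1).upper(), code


def classify(name):
    """Return findings for one suite. 'WEAK:' means do not enable it;
    'NOTE:' is acceptable but worth knowing. An empty list means clean."""
    tokens = name.upper().split("-")
    if tokens and PROTO_PREFIX.match(tokens[0]):
        tokens = tokens[1:]
    findings = []
    # Key exchange and server authentication
    if "ADH" in tokens or "AECDH" in tokens:
        findings.append("WEAK: anonymous key exchange, no server authentication")
    elif not {"ECDHE", "DHE", "EDH"} & set(tokens):
        findings.append("NOTE: static RSA key exchange, no forward secrecy")
    if any(t.startswith("EXP") for t in tokens):
        findings.append("WEAK: export-grade key size")
    # Bulk cipher
    if "RC4" in tokens:
        findings.append("WEAK: RC4 (prohibited for TLS by RFC 7465)")
    if "RC2" in tokens:
        findings.append("WEAK: RC2")
    if "NULL" in tokens:
        findings.append("WEAK: NULL encryption")
    if "DES" in tokens:
        findings.append("WEAK: 3DES, 64-bit block (Sweet32)" if "CBC3" in tokens
                        else "WEAK: single DES (56-bit key)")
    if not {"GCM", "CCM", "CHACHA20", "RC4", "NULL"} & set(tokens):
        findings.append("NOTE: CBC mode, not AEAD")
    # MAC
    if "MD5" in tokens:
        findings.append("WEAK: MD5 MAC")
    elif tokens[-1] == "SHA":
        findings.append("NOTE: HMAC-SHA1 (legacy; prefer SHA256/SHA384 or AEAD)")
    return findings


def is_weak(findings):
    return any(f.startswith("WEAK") for f in findings)


def audit(text):
    """Classify every non-empty line; return [(name, hexcode, findings), ...]."""
    out = []
    for raw in text.splitlines():
        if raw.strip():
            name, code = parse_line(raw)
            out.append((name, code, classify(name)))
    return out


def weak_suites(text):
    """Names of the suites in the text that must not be enabled."""
    return [name for name, _, f in audit(text) if is_weak(f)]


# Constructed sample: the ECDHE group and part of the VPX back-end list from
# this release note, in the two notations the page uses.
SAMPLE = """\
- TLS1-ECDHE-RSA-AES256-SHA 0xc014
- TLS1-ECDHE-RSA-AES128-SHA 0xc013
- TLS1-ECDHE-RSA-DES-CBC3-SHA 0xc012
- TLS1-ECDHE-RSA-RC4-SHA 0xc011
- TLS1.2-AES256-GCM-SHA384
- TLS1.2-ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
"""

if __name__ == "__main__":
    for name, code, findings in audit(SAMPLE):
        print("WEAK" if is_weak(findings) else "ok  ", name, code or "", "; ".join(findings))
```

Run against the sample, the two ECDHE suites that come back WEAK are the RC4 and DES-CBC3 entries; the AES-SHA entries pass with notes about CBC and HMAC-SHA1, and the GCM suites on the VPX list are clean apart from the static-RSA note on the two non-ECDHE ones.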
- Support for creating an ECDSA certificate-key pair
  You can now create an ECDSA certificate-key pair directly on a NetScaler appliance by using the NetScaler CLI or the NetScaler GUI. Earlier, you could install and bind an ECC certificate-key pair on the appliance, but you had to use OpenSSL to create the certificate-key pair. Only the P_256 and P_384 curves are supported.
  Note: This support is available on all platforms except NetScaler MPX 9700/1050/12500/15500.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ciphers-available-on-the-citrix-ADC-appliances/ecdsa-cipher-suite-support-on-mpx-appliances.html#create-ecdsa-certkey-pair
  [# 636962]
- Built-in secure front-end SSL profile
  The SSL infrastructure on the NetScaler appliance is continually updated to address the ever-growing requirements for security and performance. A new built-in front-end SSL profile, called ns_default_ssl_profile_secure_frontend, is now available for setting up a highly secure SSL virtual server. The settings required for an A+ rating (as of May 2018) from Qualys SSL Labs are preloaded into this profile. Earlier, you had to explicitly set each of the parameters required for an A+ rating on an SSL virtual server or an SSL front-end profile. You can now bind the ns_default_ssl_profile_secure_frontend profile to the SSL virtual server, and the required parameters are set on the virtual server automatically. To get an A+ rating for the server, you must also bind a server certificate signed with a SHA-2 hash (for example, SHA-256) to the SSL virtual server.
  Note: The secure front-end profile cannot be edited.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-profiles/secure-front-end-profile.html
  [# 644007, 636386]
- Optimizing ECDSA computation on some NetScaler appliances
  ECDSA computation has been optimized by using a combination of software and hardware offload capabilities.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ciphers-available-on-the-citrix-ADC-appliances/leverage-hardware-and-software-to-improve-ecdhe-and-ecdsa-cipher-performance.html
  [# 677460]
- Addition of TLS1.2 ciphers to the DEFAULT_BACKEND cipher group
  TLS1.2 ciphers are added to the DEFAULT_BACKEND cipher group.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ciphers-available-on-the-citrix-ADC-appliances.html
  [# 698452]
Secure Web Gateway
- Support for ICAP for remote content inspection
  The NetScaler Secure Web Gateway (SWG) appliance can now act as an ICAP client and use policies to interact with third-party security vendors that specialize in antimalware and data leak prevention (DLP). Encrypted files, which were earlier bypassed, can now be scanned by security vendors using ICAP on a NetScaler SWG appliance. The appliance intercepts client traffic (HTTP and HTTPS), decrypts it, and sends the decrypted traffic to the ICAP server(s). The appliance supports content inspection in both request mode (REQMOD) and response mode (RESPMOD). REQMOD suits DLP integration (inspecting what clients send out), and RESPMOD suits antimalware scanning (inspecting what servers return). You must configure policies to select the traffic to send to the ICAP servers.
  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/security-configuration/using-icap-for-remote-content-inspection.html
  For the use case, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/use-case-icap-for-remote-malware-inspection.html
  [# 638345]
Security
- Audit logging support for ICAP content inspection
  If an HTTP request or response is content inspected using the ICAP protocol, the appliance stores the ICAP details as log messages in the ns.log file.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
  [# 699320]
- ICAP support for NetScaler ADC
  A NetScaler appliance now supports the Internet Content Adaptation Protocol (ICAP) for content transformation services on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and data leak prevention (DLP) servers. The ICAP servers perform a content transformation on the HTTP and HTTPS messages and send responses back to the appliance as modified messages. The adapted messages are either HTTP or HTTPS requests or responses.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
  [# 702971]
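The two ICAP items above (SWG and ADC) describe the appliance as an ICAP client speaking REQMOD and RESPMOD. The exchange itself, as an added example that is not Citrix code and not part of this release note: a Python sketch of the REQMOD round trip per RFC 3507. It builds the ICAP request that encapsulates a client's HTTP POST, then interprets two constructed server replies, a 204 No Content (nothing to change, forward the original) and a 200 OK carrying a replacement HTTP 403 response (the DLP block case). The service URL icap://icap.example.net/reqmod, the ISTag value and the HTTP messages are constructed for the example; the NetScaler policy and service configuration that selects traffic is not shown here.

```python
"""ICAP REQMOD round trip per RFC 3507 (added example, not Citrix code).

After the round trip the proxy acts on the reply:
  204 No Content  -> forward the original request unchanged
  200 OK, res-hdr -> server supplied an HTTP response; send it to the client
  200 OK, req-hdr -> server supplied a modified request; forward that instead
"""
CRLF = b"\r\n"


def chunked(body):
    """HTTP chunked encoding: one chunk plus the terminating zero chunk."""
    if not body:
        return b"0" + CRLF + CRLF
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def dechunk(data):
    """Decode a chunked body; chunk extensions after ';' are ignored."""
    out, pos = bytearray(), 0
    while True:
        eol = data.index(CRLF, pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def build_reqmod(service_url, http_head, http_body=b""):
    """Encapsulate one HTTP request in an ICAP REQMOD message. The Encapsulated
    offsets are relative to the start of the encapsulated section."""
    host = service_url.split("//", 1)[1].split("/", 1)[0]
    if http_body:
        encaps = "req-hdr=0, req-body=%d" % len(http_head)
    else:
        encaps = "req-hdr=0, null-body=%d" % len(http_head)
    icap_head = ("REQMOD %s ICAP/1.0\r\nHost: %s\r\nAllow: 204\r\n"
                 "Encapsulated: %s\r\n\r\n" % (service_url, host, encaps)).encode("ascii")
    return icap_head + http_head + (chunked(http_body) if http_body else b"")


def parse_icap_response(blob):
    """Split an ICAP response into status, headers and the encapsulated HTTP message."""
    head, _, encapsulated = blob.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        k, _, v = ln.partition(b":")
        headers[k.strip().lower().decode("ascii")] = v.strip().decode("ascii")
    result = {"status": status, "headers": headers, "kind": None,
              "http_head": None, "http_body": None}
    if status != 200:
        return result
    offsets = {}
    for part in headers.get("encapsulated", "").split(","):
        k, _, v = part.strip().partition("=")
        if k:
            offsets[k] = int(v)
    for kind in ("res", "req"):  # a REQMOD reply may carry either
        hdr, body = kind + "-hdr", kind + "-body"
        if hdr in offsets:
            end = offsets.get(body, offsets.get("null-body"))
            result["kind"] = kind
            result["http_head"] = encapsulated[offsets[hdr]:end]
            if body in offsets:
                result["http_body"] = dechunk(encapsulated[offsets[body]:])
            break
    return result


def apply_verdict(icap_blob, original_head, original_body):
    """What the proxy sends after the ICAP round trip: (action, bytes)."""
    r = parse_icap_response(icap_blob)
    if r["status"] == 204:
        return "forward-original", original_head + original_body
    if r["status"] == 200 and r["kind"] == "res":
        return "reply-to-client", r["http_head"] + (r["http_body"] or b"")
    if r["status"] == 200 and r["kind"] == "req":
        return "forward-modified", r["http_head"] + (r["http_body"] or b"")
    raise ValueError("unexpected ICAP status %d" % r["status"])


# Constructed sample traffic (not captured from any real system).
SERVICE = "icap://icap.example.net/reqmod"
UPLOAD_BODY = b"ssn=123-45-6789"
UPLOAD_HEAD = (b"POST /upload HTTP/1.1\r\nHost: app.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(UPLOAD_BODY))
ISTAG = b'ISTag: "W3E4R7U9-L2E4-2"\r\n'
# Server found nothing: leave the request alone.
ICAP_204 = b"ICAP/1.0 204 No Content\r\n" + ISTAG + b"Encapsulated: null-body=0\r\n\r\n"
# Server blocked the upload: it answers with an HTTP 403 meant for the client.
BLOCK_HEAD = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
BLOCK_BODY = b"Upload blocked by DLP policy\n"
ICAP_200 = (b"ICAP/1.0 200 OK\r\n" + ISTAG
            + b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_HEAD)
            + BLOCK_HEAD + chunked(BLOCK_BODY))

if __name__ == "__main__":
    print(build_reqmod(SERVICE, UPLOAD_HEAD, UPLOAD_BODY).decode())
    for reply in (ICAP_204, ICAP_200):
        action, payload = apply_verdict(reply, UPLOAD_HEAD, UPLOAD_BODY)
        print(action, payload.split(CRLF)[0])
```

The "Allow: 204" header is what lets the server answer 204 without echoing the whole message back; a proxy that omits it must be prepared to receive the full encapsulated request on every reply. RESPMOD differs only in the method name and in encapsulating req-hdr plus res-hdr/res-body.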
System
- 64-bit images for MPX and VPX appliances
  The NetScaler image for MPX and VPX appliances is now 64-bit. In previous releases, it was 32-bit. Compared with the 32-bit image, the 64-bit NetScaler image delivers:
  - Better performance for DNS, SYN, and Logstream
  - More available memory on most platforms
  - 2X improvement in TCP concurrent connections (on platforms with large system memory)
  - 2.5X improvement in SSL and SSL VPN concurrent sessions (on platforms with large system memory)
  - 25X improvement in cache objects (on platforms with large system memory)
  For more information about how to upgrade your NetScaler appliance, see https://docs.citrix.com/en-us/netscaler/12-1/upgrade-downgrade-netscaler-appliance.html
  [# 513830]
- USIP configuration support for HTTP/1.1 and HTTP/2 protocols
  The Use Source IP (USIP) address configuration is now supported for both the HTTP/1.1 and HTTP/2 protocols on a NetScaler appliance.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/http-configurations.html
  [# 652126, 678599]
- Extended audit log message limit for SYSLOG servers
  The NetScaler appliance can now send audit log messages of up to 16 KB to an external SYSLOG server. Previously, the appliance could send messages of only up to 1 KB.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/audit-logging.html
  [# 685218]
- Securing passwords and community strings in the NetScaler GUI
  To protect the user password, LDAP password, RADIUS key, administrator password, and SNMP community string, the NetScaler GUI now masks all the characters of these strings. Previously, the characters appeared in clear text.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/ns-ag-aa-intro-wrapper-con/ns-ag-aa-config-users-and-grps-tsk.html
  [# 695293]
Telco
- Large scale NAT support in a NetScaler cluster setup
  A NetScaler cluster is a group of NetScaler appliances that are configured and managed as a single system. Clustering provides scalability and availability. Each NetScaler appliance in a cluster setup acts as an independent LSN entity, but it is managed as part of a single system. The LSN configuration in a cluster setup is similar to the configuration on a standalone appliance. A pool of LSN IP addresses is owned by only one node at a time; in other words, an LSN IP pool entity is configured as a spotted entity on a particular node. To ensure that the packets related to an LSN session are processed on the same cluster node, policy-based backplane steering (PBS) must be configured with the source IP address as the match criterion. Most of the features of large scale NAT44 and large scale NAT64 are available in the cluster mode of operation.
  For more information on large scale NAT44, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn44-cluster.html
  For more information on large scale NAT64, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-support-for-telecom-service-providers/lsn-nat-64/lsn64-cluster.html
  [# 620717]
- Support for disabling ARP on large scale NAT IP addresses
  The NetScaler appliance now supports disabling ARP for large scale NAT (LSN) IP addresses. In a large scale deployment of NetScaler appliances with a dynamic routing protocol configured, LSN IP addresses are advertised through the dynamic routing protocol. Disabling ARP for LSN IP addresses in such a deployment prevents the appliance from unnecessarily advertising these IP addresses through ARP as well.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-support-for-telecom-service-providers/lsn-introduction/configuration-steps-lsn.html
  [# 667547, 683981]
- Statistics for large scale NAT IP pools
  The NetScaler appliance displays statistical information on the utilization of large scale NAT (LSN) IP pools. You can display a summary of statistics for all LSN IP pools or for a particular LSN IP pool. The summary statistics for all LSN IP pools show the total number of NAT IP addresses used by each type of LSN configuration: large scale NAT44, DS-Lite, and large scale NAT64. These statistics also show the IP pool percentage utilization for TCP and non-TCP sessions for each type of LSN configuration. The statistical counters reflect events since the NetScaler appliance was last restarted; all of these counters are reset to 0 when the appliance restarts.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-support-for-telecom-service-providers/lsn-introduction/lsn-logging-monitoring.html
  [# 679517]
- Change of default allocation policy for deterministic large scale NAT configurations
  For deterministic large scale NAT configurations, the default NAT IP allocation policy (set as part of the LSN group entity) has been changed to the IP address sequence allocation method. This method is useful in deployments where the upstream servers limit the number of connections per IP address. Such deployments need subscribers spread across a wide range of NAT IP addresses and port blocks, which the IP address sequence allocation method provides.
  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-support-for-telecom-service-providers/lsn-introduction/configuration-steps-lsn.html
  [# 702428]
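Deterministic LSN maps each subscriber to a fixed NAT IP and port block, so that an observed NAT IP and port can be traced back to a subscriber without per-session logging. The following is an added model, not Citrix code and not part of this release note, of the two allocation orders the item above contrasts, using names of my own: "port-sequence" uses every port block of one NAT IP before moving to the next IP, and "ip-sequence" hands successive subscribers blocks on successive NAT IPs. How NetScaler's allocation policies behave internally is an assumption here, as are the subscriber prefix, the NAT pool and the block size. The per-NAT-IP count at the end is the point of the change: with ip-sequence an upstream server that caps connections per source IP sees the subscribers spread across all NAT IPs instead of piled onto the first one.

```python
"""Deterministic large scale NAT mapping (added model, not Citrix code).

Policies modelled (names are mine; the real policy internals are an assumption):
  "port-sequence": use every port block of one NAT IP before the next NAT IP
  "ip-sequence":   successive subscribers take blocks on successive NAT IPs
"""
import ipaddress


class DeterministicLsn:
    def __init__(self, subscriber_prefix, nat_pool, block_size=512,
                 port_start=1024, port_end=65535, policy="ip-sequence"):
        # In this model every address in the prefix is a subscriber.
        self.subscribers = list(ipaddress.ip_network(subscriber_prefix))
        self.pool = [ipaddress.ip_address(a) for a in nat_pool]
        self.block_size = block_size
        self.port_start = port_start
        self.blocks_per_ip = (port_end - port_start + 1) // block_size
        self.policy = policy
        capacity = len(self.pool) * self.blocks_per_ip
        if len(self.subscribers) > capacity:
            raise ValueError("pool holds %d blocks for %d subscribers"
                             % (capacity, len(self.subscribers)))

    def _index(self, subscriber):
        i = int(ipaddress.ip_address(subscriber)) - int(self.subscribers[0])
        if not 0 <= i < len(self.subscribers):
            raise KeyError("not a subscriber: %s" % subscriber)
        return i

    def mapping(self, subscriber):
        """Return (nat_ip, first_port, last_port) for a subscriber."""
        i = self._index(subscriber)
        if self.policy == "ip-sequence":
            ip_idx, block = i % len(self.pool), i // len(self.pool)
        else:
            ip_idx, block = i // self.blocks_per_ip, i % self.blocks_per_ip
        first = self.port_start + block * self.block_size
        return self.pool[ip_idx], first, first + self.block_size - 1

    def subscriber_for(self, nat_ip, port):
        """Reverse lookup from an observed NAT IP and port (e.g. an abuse report)."""
        ip_idx = self.pool.index(ipaddress.ip_address(nat_ip))
        if port < self.port_start:
            raise KeyError("port below the NAT range")
        block = (port - self.port_start) // self.block_size
        if block >= self.blocks_per_ip:
            raise KeyError("port above the NAT range")
        if self.policy == "ip-sequence":
            i = block * len(self.pool) + ip_idx
        else:
            i = ip_idx * self.blocks_per_ip + block
        if i >= len(self.subscribers):
            raise KeyError("block not allocated to any subscriber")
        return self.subscribers[i]

    def subscribers_per_nat_ip(self, first_n):
        """How the first n subscribers spread over the NAT IPs: the number of
        subscribers an upstream server would see behind each source IP."""
        counts = {str(ip): 0 for ip in self.pool}
        for sub in self.subscribers[:first_n]:
            counts[str(self.mapping(sub)[0])] += 1
        return counts


# Constructed deployment: 256 subscribers, 4 NAT IPs, 512-port blocks.
POOL = ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]


def demo(policy):
    """Map one subscriber, reverse it from a port in its block, and show the spread."""
    lsn = DeterministicLsn("10.0.0.0/24", POOL, policy=policy)
    nat_ip, lo, hi = lsn.mapping("10.0.0.5")
    back = lsn.subscriber_for(nat_ip, lo + 7)
    return str(nat_ip), lo, hi, str(back), lsn.subscribers_per_nat_ip(100)


if __name__ == "__main__":
    for policy in ("port-sequence", "ip-sequence"):
        print(policy, demo(policy))
```

With 512-port blocks in 1024-65535 each NAT IP holds 126 blocks, so the 4-address pool covers 504 subscribers; the constructor refuses a prefix that does not fit, which is the sizing check to make before enabling deterministic mode.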
Known Issues
The issues that exist in Build 48.13.
AAA-TM
- The back end is not accessible through a clientless VPN (CVPN). The issue occurs when SSO is ON, a proxy is specified in a traffic action, and the back-end credentials differ from the logon credentials.
  Workaround: Create a traffic policy based on the back-end URL, and create a traffic action with SSO OFF and no proxy. The back end should then be accessible.
  [# 689153]
- A client authentication request on NetScaler AAA might hang while the appliance is receiving the authentication response from the back-end server, because the client has already dropped its connection.[# 697237, 707200]
- The following behavior is observed in a NetScaler appliance:
  - In a high availability setup, the primary node overwrites the invalid login counters of the secondary node.
  - In a cluster setup, the invalid login counters on the Cluster Management IP address (CLIP) node overwrite the invalid login counters of the cluster nodes.
  [# 708177]
Application Firewall
- In an HA environment, after an upgrade to release 11.1 56.x, the NetScaler Application Firewall primary node fails to restart after a failover.[# 693905]
- On a NetScaler Application Firewall appliance, Analytics security insight support for content switching target load balancing virtual server is missing.[# 694743]
- The HTML response page does not render properly if you enable URL transformation and the page's attribute values contain a non-breaking space (U+00A0).[# 703641]
- When you deploy CSRF learned rules from the application firewall GUI, the rules do not get deleted and the following error "The CrossSiteRequestForgery check is already in use" is displayed if you try to redeploy the rules.[# 704487]
- The cluster upgrade to a 12.1 build with Application Firewall enabled on a NetScaler appliance is not supported.[# 708269]
Licensing
- When NetScaler licenses hosted on NetScaler MAS expire, the NetScaler appliance enters a 30-day grace period. If valid licenses are updated during the grace period, the appliance continues to function as usual. If not, the licenses are revoked and the appliance ceases to function.[# 697665]
NetScaler Gateway
- The global settings for the graphical user interface are not shown correctly.[# 603701]
- After an upgrade to version 11.1, the NetScaler Gateway logon page does not appear in the NetScaler GUI.
  Workaround: Clear the web browser cache.
  [# 702580]
- SOCKS proxy CR virtual server configuration for a NetScaler Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for the Virtual Delivery Agent (VDA).
  Workaround: Use an IP address for the VDA.
  [# 704511]
- In rare cases, a NetScaler Gateway appliance configured for EDT becomes unresponsive because of memory corruption.[# 706704, 709305, 709349, 706229, 705896]
NetScaler Insight Center
- NetScaler Insight Center does not report an application-launch failure caused by a user trying to launch an application or desktop to which the user does not have access.[# 609604]
- The appflowLog option is enabled by default in NetScaler appliance version 11.1 58.x. Suppose you have enabled the appflowLog option on a VPN virtual server and upgraded the appliance to version 11.1 58.x. The appflowLog option on the VPN virtual server is disabled when you downgrade the appliance back to version 11.1.
  Workaround: Manually enable the appflowLog option on the VPN virtual server after you downgrade from version 11.1 58.x.
  [# 707744]
- During a cluster upgrade, the HDX Insight records for a reconnected session are not reported if the cluster nodes run different NetScaler build versions.[# 708282]
NetScaler SDX appliance
- When you log on to the SDX appliance as an external user by using a RADIUS, LDAP, or TACACS server, the NetScaler VPX instances that have not been configured under the groups for external authentication do not appear under NetScaler > Instances in the SDX GUI. This happens after you have upgraded the NetScaler SDX appliance from the following releases, any build:
  - From release 10.5 to release 11.1 or 12.0
  - From release 11.0 to release 11.1 or 12.0
  Workaround: Log on to the SDX appliance by using your nsroot credentials. In the SDX GUI, go to System > User Administration > Group. Select the group and click Edit. Under Instances, move the Available instances to Configured instances. Click OK to save the changes. Log out of the SDX appliance and log back on as an external user.
  [# 703323]
NetScaler VPX appliance
- If a NetScaler VPX instance deployed on a KVM hypervisor is configured with SR-IOV NICs and PCI passthrough, adding or removing SR-IOV or PCI passthrough interfaces changes the order in which the interfaces are presented to the VPX instance. As a result, the configurations bound to the interfaces might not work.
  Workaround: Redo the configurations manually.
  [# 690896]
- If a KVM hypervisor runs on an AMD processor-based server, the NetScaler VPX instance running on the hypervisor restarts cyclically and then stabilizes after a few iterations.
  Workaround: Add the following entry to /flash/boot/loader.conf:
  vm.pmap.pg_ps_enabled="0"
  [# 692177]
- Error messages appear when an SR-IOV-enabled NetScaler VPX instance configured with Intel X710 10G and XL710 40G NICs, running on KVM hypervisor, restarts. The error messages are harmless and can be safely ignored.[# 692334]
- The cloud profile configuration for Azure autoscale shows the load balancing protocol as HTTP irrespective of the protocol selected while configuring the cloud profile. This issue appears in both the GUI and the CLI.
  Workaround: Ignore this behavior, as it does not affect the functionality of the VPX instance.
  [# 705295]
- In a high availability setup on Azure, upon logon to the secondary node through the GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.
  Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile must always be configured on the primary node.
  [# 705793]
Networking
- In some cases of FTP data connections, the NetScaler appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.[# 485678]
- The NetScaler appliance ignores Layer 2 information (for example, MAC address, VLAN IDs and Interface IDs) in the Policy-based Route (PBR) rules while processing Large Scale NAT related packets.[# 707838]
- In a high availability configuration in INC mode, dynamic routing parameters might not get set properly because of the conversion errors.[# 708496]
- If a NetScaler appliance has ECMP routes whose gateways are in the same subnet as the source IP address, the appliance uses only the first route for sending out appliance-originated traffic.[# 709350]
SSL
- You cannot remove an SSL log profile if it is attached to the SSL default profile and client authentication is enabled on the SSL default profile.[# 664622]
- In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.[# 678175, 678522, 678526]
- An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.[# 678176, 687205, 687098]
- An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.[# 682859]
- Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)[# 687208]
- SSL classic policy expressions are not honored.
  Workaround: Use SSL default policy expressions.
  [# 692137]
- You cannot bind two certificates whose public keys use different algorithms (for example, RSA and ECDSA) to a virtual server as SNI certificates for the same domain name.[# 701822]
- In some cases, the NetScaler appliance terminates the VPN connection because of SNI and HTTP host-header mismatch. As a result, VDI might fail to launch.[# 702182]
- If you create an ECDSA key by using the GUI, the type of curve is not displayed.[# 705612]
- A NetScaler MPX/SDX 14000 FIPS appliance becomes unresponsive if it receives a packet of size > 18 KB from the backend server.[# 707061]
- The OCSP response is considered invalid if the time zone on a NetScaler appliance includes daylight saving time (DST), and the next update time in the OCSP response is before the time on the appliance.[# 707641]
- In a cluster setup, cipher suites bound to a custom cipher group are lost from the CLIP node after you upgrade the setup.
  Workaround: Unbind and rebind the cipher suites to the custom cipher group after the upgrade.
  [# 707738, 708168]
- In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.[# 708057]
- Any ECDSA keys created on the appliance by using the GUI do not appear under SSL > SSL Files > Keys.
  Workaround: You can view the ECDSA keys by using the CLI.
  [# 709865]
- If you use the FIPS wizard to create an ECDSA key, the exponent is incorrectly set to 3.[# 709866]
- If you use the NetScaler GUI to add a PFX file, the following error appears: "No Certificates present in the certificate bundle file"
  Workaround: Use the CLI to add the PFX file.
  [# 710202]
System
- A TCP transaction delay is observed if a NetScaler appliance is unable to use the TCP connection to connect to the back-end server. In this case, the appliance opens a new connection to forward the client requests to the back-end server after some waiting period. The waiting period ranges from 400 ms to 600 ms.[# 690965]
- In a large scale NAT deployment of two NetScaler appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has "stayprimary" or “staysecondary” option set.[# 691283]
- A NetScaler appliance might crash if it sends messages from one processor to another processor, for deleting a steering session in some error cases.[# 700423]
- In a cluster deployment, if you run the "force cluster sync" command on a non-CCO node, the ns.log file contains duplicate log entries.[# 702608]
- In a cluster deployment, the RESPONDER log messages do not appear when you run the following commands:
  - The "show audit messages" command from the command line interface.
  - The "recent audit messages" command from the NetScaler GUI.
  Workaround: You can find the RESPONDER logs in /var/log/ns.log.
  [# 703928]
- A NetScaler appliance crashes because of a timer issue. The issue occurs if the stats are collected after the SYSLOGUDP connection is deleted, but before the appliance deletes the SYSLOGUDP service.[# 705574]
- Memory utilization might increase on some NetScaler MPX and VPX appliances running 64-bit NetScaler images. High-end platforms with large system memory are not affected.[# 705709]
- Connections might hang if the size of the data being processed exceeds the configured default TCP buffer size.
  Workaround: Set the TCP buffer size to the maximum size of the data that needs to be processed.
  [# 707209]
- If you configure an HTTP type load balancing virtual server with HTTP/2 option enabled on the HTTP profile, the appliance fails to load balance gRPC traffic.[# 709214]
Telco
- In a large scale NAT deployment of a NetScaler appliance with SIP ALG configured, SIP service registration might fail. This registration fails because of an internal issue related to paired IP retrieval.[# 709643]
URL Filtering
- When a NetScaler appliance optimizes video traffic using a Nile-based TCP profile with video optimization enabled, the following issues are observed:
  - Long video startup time
  - Excessive buffering time
  [# 704755]
Video Optimization
- A NetScaler appliance is unable to optimize QUIC-based video traffic if pacing policies are bound to the QUIC load balancing virtual server at response time.
  Workaround: Bind the policies to the QUIC load balancing virtual server only at request time.
  [# 697461]