Release Notes for Build 49.23 of Citrix ADC 12.1 Release

Additional Changes/Fixes Available in Versions

Points to Note

What's New?

• Securing web traffic with HTTP RFC compliance

  You can now secure your web traffic with HTTP RFC compliance by setting the RFC profile in “Block” or “Bypass” mode. By doing this, any invalid traffic (request or response) that matches the Citrix Web App Firewall profile is implicitly blocked or bypassed accordingly.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/application-firewall/profiles/enforce-http-rfc-compliance.html
  [# 638547]

Citrix ADC SDX appliance

• Support for Citrix SD-WAN VPX instance

  You can deploy a Citrix SD-WAN VPX instance on Citrix ADC SDX 14XXX and SDX 115XX appliances.

  For more information, see https://docs.citrix.com/en-us/sdx/12-1/deploy-sd-wan-vpx.
  [# 710971]

Citrix ADC VPX appliance

• Support for vCPU-based perpetual licensing

  Virtual CPU (vCPU)-based perpetual licensing is now supported for Citrix ADC VPX instances. This licensing provides the computing power requirement of VPX on-prem and cloud customers. For each VPX model, existing Citrix ADC licensing editions apply: Citrix ADC Standard Edition, Enterprise Edition, Platinum Edition.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/licensing/netscaler-licensing-overview.html.
  [# 701340]

• Support for Azure Availability Zones in a high availability deployment

  You can deploy a pair of Citrix ADC VPX appliances with multiple NICs in an active-passive high availability setup across Azure Availability Zones. For more information about Azure Availability Zones and what they offer, see Azure documentation: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/deploy-vpx-on-azure/configure-vpx-pair-ha-inc.html.
  [# 710226, 712503]

• Support for VMware ESXi 6.7 server

  Citrix ADC VPX instances now support VMware ESXi 6.7 server.

  For more information, see table 2 in this page: https://docs.citrix.com/en-us/netscaler/12-1/deploying-vpx/supported-hypervisors-features-limitations.html.
  [# 710366]

Citrix Gateway

• nFactor authentication support using Windows VPN plug-in.

  nFactor authentication is now supported using a Windows VPN plug-in.
  [# 647169]

• Support for USB redirection in Citrix Gateway Enabled PCoIP proxy

  USB devices connected to the client machine can be accessed from the virtual desktops and apps.

  For more information, see https://docs.citrix.com/en-us/netscaler-gateway/12-1/netscaler-gateway-enabled-pcoip-proxy-support-for-vmware-horizon-view/configuring-netscaler-gateway-enabled-pcoip-proxy-for-vmware-horizon-view.html
  [# 670578]

• GUI enhancements aiding STA server troubleshoot and seamless app launch

  The following GUI enhancements are made:

  - In the XA-XD wizard under StoreFront setting Test STA Connectivity button is added to test STA servers connectivity.

  - In the XA-XD dashboard page, Gateway entry list shows STA server and StoreFront server status.

  - In the Citrix Gateway Virtual Server page, you can view STA server status bound to a VPN virtual server.
  [# 705538]

Citrix Secure Web Gateway

• Support for new SWG platforms

  Citrix Secure Web Gateway (SWG) is supported on Citrix SWG MPX 5900/8900 and Citrix SWG SDX 8900 platforms.

  For more information, see https://docs.citrix.com/en-us/netscaler-secure-web-gateway/12-1/supported-hardware-software-platforms.html.
  [# 704727]

Clustering

• Cluster support for ANY type of virtual server

  The Citrix ADC appliance can now support "ANY" type of virtual server while gracefully handling of nodes in a cluster deployment.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/clustering/cluster-managing/graceful-shutdown-of-nodes.html.
  [# 683859]

• GRE tunnel based steering support for L2 cluster deployments

  The Citrix ADC appliance now supports GRE tunnel based packet steering in an L2 cluster deployment.
  [# 701890]

DNS

• Jumbo frame support for DNS to handle UDP responses of large sizes

  DNS now supports jumbo frames for handling UDP responses greater than 1,280 bytes. You can set the maximum UDP packet size that the appliance can handle in proxy, ADNS, and forwarder modes by configuring the Maximum UDP Packet Size parameter value.

  The maximum UDP packet size is 16,384 bytes.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/dns/jumbo-frames-support-for-dns-to-handle-responses-of-large-sizes.html.
  [# 695871]

GSLB

• Support for generation of SNMP traps for GSLB configuration synchronization

  A Citrix ADC appliance now generates SNMP traps for both local and remote sites when you synchronize the GSLB configuration. SNMP traps are generated for both manual synchronization and real-time synchronization.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/global-server-load-balancing/synchronizing-configuration-in-gslb-setup/snmp-traps-for-gslb-configuration-synchronization.html.
  [# 694414]

• Support for GSLB parent-child topology in Citrix ADC clusters

  The GSLB parent-child topology is now supported in Citrix ADC clusters.

  For parent and child sites to exchange aggregated statistics in metric-based load balancing methods, you must add local GSLB services on the child site.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/clustering/cluster-usage-scenarios/cluster-gslb-deploy.html.
  [# 706504]

Gateway Insight

• View HDX Insight reports for EDT traffic.

  HDX Insight reports can be viewed for the EDT traffic. By default, HDX Insight and EDT feature are disabled.
  [# 690033]

Load balancing

• Support for graceful shutdown of services in Citrix ADC clusters

  The Citrix ADC clusters now support graceful shutdown of services.

  To gracefully shutdown the services, you can perform one of the following tasks.

  - Explicitly disable the service, and set a delay (in seconds) or enable graceful shutdown.

  - Add a TROFS code or string to the monitor.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/clustering/cluster-managing/graceful-shutdown-of-services.html.
  [# 691848]

Networking

• USIP support on a v4-to-v6 load balancing configuration

  Earlier, in a v4-to-v6 load balancing configuration, the Citrix ADC used to include one of the configured IPv6 SNIP address as the source IP address in the translated IPv6 requests packet to the servers. The Citrix ADC used to include an IPv6 SNIP address even when the USIP option is enabled for the related load balancing services.

  Now, USIP NAT prefix parameter has been introduced for making the servers aware of the client’s IP address of the request packets. USIP NAT prefix is a global IPv6 prefix of length 96 bits (128-32=96) configured on Citrix ADC.

  For a load balancing service that has USIP enabled, the ADC translates the IPv4 request packet to an IPv6 packet and sets the source IP address of the translated IPv6 packet to a concatenation of the USIP NAT prefix [32/40/48/56/64/96 bits] and the IPv4 source address [32 bits] that was received in the request packet.

  On receiving an IPv6 response packet from the server, the ADC translates the IPv6 packet to an IPv4 packet and sets the destination IP address of the translated IPv4 packet to the last 32 bits of the destination IP address of the IPv6 packet.

  Note: This feature is not supported for gateway configuration and, content switching and cache redirection load balancing configurations.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/load-balancing/load-balancing-advanced-settings/usip-lb-v4v6.html.
  [# 699605]

Policies

• New API support for reusing a server connection for other client connections in the server context

  A Citrix ADC API support is now added for reusing a server connection for other client connections in the server context. This API can be used only if an EOM event is used (in ns.send() API) to send for sending the data in the client context.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/api-reference.html and https://docs.citrix.com/en-us/netscaler/12-1/netscaler-extensions/netscaler-protocol-extensions.html.
  [# 699069]

• RSA encryption with no padding policy function

  Policy-based RSA encryption now supports EY_ENCRYPT_PEM_NO_PADDING() policy function for no padding operation. The policy function works similar to the PKEY_ENCRYPT_PEM() function, except it uses the RSA_NO_PADDING method instead of RSA_PKCS1_PADDING. The pkey parameter is a text string with a PEM-encoded RSA public key. Similar to PKEY_ENCRYPT_PEM(), you can use a policy expression for the key.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/appexpert/rewrite/rewrite-action-policy-examples/example-11-policy-based-rsa-encryption-no-padding-operation.html
  [# 708991]

SSL

• Support for AES-based PEM encoding

  You can now use AES256 algorithm with PEM key format to encrypt a private key on the Citrix ADC appliance. AES with 256-bit key is mathematically efficient and secure compared to the 56-bit key of DES. Select ‘aes256’ in the following CLI command.

  create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform (

  DER | PEM )] [-des | -des3 | -aes256] {-password }

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html#create-a-private-key.
  [# 275417, 710620]

• Support for DTLS protocol on the Citrix ADC MPX FIPS platform

  The MPX 14000 FIPS platform now supports the DTLS protocol end-to-end. That is, the protocol is supported on the client side and the server side. The following cipher suites are supported.

  - TLS1-AES-256-CBC-SHA

  - TLS1-AES-128-CBC-SHA

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  Note: Enlightened Data Support (EDT) is not supported on the FIPS platform in this release.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [# 498187]

• Support for TLSv1.3 protocol on the front end of Citrix ADC VPX and select MPX appliances

  The Citrix ADC VPX and N3 chip based MPX appliances now support the TLSv1.3 protocol as specified in RFC 8446. For N3 chip based MPX appliances, the support is currently only in software. That is the processing is not offloaded to the hardware (SSL acceleration chip.) To use TLS1.3, you must use a client that conforms to the RFC 8446 specification. The following ciphers are supported on the frontend:

  - TLS1.3-AES256-GCM-SHA384 (0x1302)

  - TLS1.3_CHACHA20_POLY1305_SHA256 (0x1303)

  - TLS1.3-AES128_GCM-SHA256 (0x1301)

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/tls13-protocol-support.html.
  [# 544128, 664161]

• Support for wildcard in the subject alternative name in a certificate signing request

  You can now use wildcards in the subject alternative name (SAN) entry in the certificate signing request. For example, *.example.com.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-certificates/obtain-cert-frm-cert-auth.html#support-for-subject-alternative-name-in-a-certificate-signing-request.
  [# 686067]

• Support for client-hello based expressions and a new bind point

  A new bind point ‘CLIENTHELLO_REQ’ is now available to evaluate SSL policies when a client hello message is received. That is, the policy is evaluated after parsing the client hello message. A ‘FORWARD’ action is added to forward the client traffic to a target load balancing virtual server. The target load balancing virtual server can be of type SSL, SSL_BRIDGE or TCP.

  In this release, only the forward and reset actions are supported for CLIENTHELLO_REQ bind point. The following expression prefixes are available:

  - CLIENT.SSL.CLIENT_HELLO.CIPHERS.HAS_HEXCODE

  - CLIENT.SSL.CLIENT_HELLO.CLIENT_VERSION

  - CLIENT.SSL.CLIENT_HELLO.IS_RENEGOTIATE

  - CLIENT.SSL.CLIENT_HELLO.IS_REUSE

  - CLIENT.SSL.CLIENT_HELLO.IS_SCSV

  - CLIENT.SSL.CLIENT_HELLO.IS_SESSION_TICKET

  - CLIENT.SSL.CLIENT_HELLO.LENGTH

  - CLIENT.SSL.CLIENT_HELLO.SNI

  For more information about the new bind point, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-actions-and-policies/bind-ssl-policies-vserver.html.

  For more information about the new expression prefixes, see https://docs.citrix.com/en-us/netscaler/12-1/appexpert/policies-and-expressions/ns-pi-ae-parse-ssl-certs-wrapper-con.html#parse-ssl-client-hello.
  [# 692432]

• Increase in the OCSP cache timeout limit

  The cache timeout limit is now increased to a maximum of 43,200 minutes (30 days). Earlier the limit was 1,440 minutes (one day). The increased limit helps reduce the lookups on the OCSP server and avoids any SSL/TLS connection failures in case the OCSP server is not reachable due to network or other problems.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/monitor-cert-status-with-ocsp.html#ocsp-response-caching.
  [# 696815]

• Support for non-secure renegotiation on a DTLS service

  Non-secure renegotiation is now supported on a DTLS service (backend) on Citrix ADC MPX and VPX appliances.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [# 696904]

• Support for a new SSL action to forward traffic to another virtual server

  You can now forward the traffic received on an SSL virtual server to a load balancing virtual server to avoid SSL offloading or terminating the connection on the ADC appliance. For example, if the appliance does not have a certificate or it does not support a specific cipher, instead of terminating the connection, admins can choose to forward the request to a load balancing virtual server for further action. This virtual server can be of type: SSL, TCP, or SSL_BRIDGE.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-actions-and-policies/config-built-in-ssl-actions.html#configure-an-ssl-action-to-forward-client-traffic-to-another-virtual-server.
  [# 704106]

• Support for PFS on a DTLS virtual server

  The following cipher suites are now supported on a DTLS virtual server (frontend). These ciphers help achieve PFS (Perfect Forward Secrecy).

  - SSL3-EDH-RSA-DES-CBC3-SHA

  - SSL3-EDH-RSA-DES-CBC-SHA

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1-ECDHE-RSA-DES-CBC3-SHA

  - TLS1-DHE-RSA-AES-128-CBC-SHA

  - TLS1-DHE-RSA-AES-256-CBC-SHA

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [# 705164, 711810]

• Support for PFS on a DTLS service

  The following cipher suites are now supported on a DTLS service (backend). These ciphers help achieve PFS (Perfect Forward Secrecy).

  - TLS1-ECDHE-RSA-AES256-SHA

  - TLS1-ECDHE-RSA-AES128-SHA

  - TLS1-DHE-RSA-AES-128-CBC-SHA

  - TLS1-DHE-RSA-AES-256-CBC-SHA

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [# 705165]

• Clear the OCSP stapling cached response of server certificate

  You can now clear the cached response of the server certificate from the OCSP responder even before the timeout expires. Earlier, you had to wait until the configured timeout was over to clear the cached response.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/ssl-11-1-ocsp-stapling-solution.html#ocsp-response-caching-of-server-certificates.
  [# 709027]

• Support for SNI on a DTLS virtual server

  SNI (Server Name Indication) is now supported on a DTLS virtual server (frontend) on Citrix ADC MPX and VPX appliances. You can bind multiple SNI certificates to a DTLS virtual server.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/ssl/support-for-dtls-protocol.html.
  [# 709345, 363547]

System

• Telemetry Support in CallHome

  CallHome is now enhanced to send Citrix ADC usage metrics to Citrix Insight Services (CIS) periodically. Citrix collects the data to understand how the appliance works and how to improve the product. By default, CallHome sends the metrics once in every 7 days.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/system/configuring-call-home.html
  [# 705785]

Telco

• Support for triggering negative TTL for partial success response code 2002

  You can use the following command for triggering negative TTL for partial success response code 2002.

  set subscriber gxinterface -negativeTTLLimitedSuccess YES
  [# 680136, 699466]

• IP prefix NAT support for TCP and HTTP load balancing configurations

  IP Prefix NAT feature is now supported for TCP and HTTP load balancing configurations. IP prefix NAT translates a part of the source IP address instead of the complete address of packets received on the Citrix ADC. IP prefix NAT includes changing one or more octets or bits of the source IP address.

  For more information about IP prefix NAT, see https://docs.citrix.com/en-us/netscaler/12-1/networking/ip-addressing/configuring-network-address-translation/partial-nat.html.
  [# 699465]

Fixed Issues

• The cluster upgrade to a 12.1 build with Citrix Web App Firewall enabled on a Citrix ADC appliance is not supported.
  [# 708269]

• The leading TCP window size is rounded off when the post body limit is set to 4294967295(2^32-1). The fix ensures that the limit max TCP window set by Citrix Web App Firewall is 100 MB in non-streaming data and 20 MB for streaming data.

  As a workaround, please add the post body limit on profile to values <=512MB, preferably to value 100MB. Also when requests are of larger sizes, please ensure that the profile has streaming enabled. Enable streaming only if backend server is able to accept chunked requests.
  [# 708394, 708678, 707955, 708851, 711014]

• When you use special characters in AppFW SessionCookieName, the AppFirewall policy resets website URLs. The issue is resolved, if you remove special characters and use alphabets in the cookie name.
  [# 708601]

• After an upgrade to Citrix ADC 11.1 build 57.13, the URL transformation policy for cookie domains is not applied to application secure cookies.
  [# 708975]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [# 709465, 710841]

• Citrix Web App Firewall Cookie proxying feature is not working in Cluster 12.1 deployment.
  [# 710139]

• A Citrix ADC appliance crashes if you canonicalize (percent-decoding & other normalizations) header names and values only once instead of multiple times before running Citrix Web App Firewall signature protections.
  [# 710596]

• After an upgrade, if Applicable Firewall is enabled on a Citrix ADC appliance, it causes memory leak leading to a high memory usage.
  [# 712290, 711993]

Authentication, authorization, and auditing

• A Citrix ADC appliance is unable to evaluate an advanced policy expression if you either bind the policy to a virtual server or to an authentication, authorization, and auditing group.
  [# 705898]

• A Citrix ADC appliance becomes unresponsive because of memory corruption when it handles jumbo frames.
  [# 705972, 712490, 711718, 698974, 714419, 712489]

• The Citrix ADC appliance might fail to establish an SSO connection to a back-end server, if the form-SSO has a hidden value containing special characters such as &, <, >, and ‘.
  [# 707018]

• In case of nFactor authentication, the extracted authentication, authorization, and auditing group name from certificate-factor are concatenated with the first extracted group from LDAP-factor without any delimiter.
  [# 709794]

• The authentication, authorization, and auditing feature does not evaluate the advanced authorization policies that are bound to authentication, authorization, and auditing user and group entities.
  [# 710288]

• The Citrix ADC appliance might become unresponsive if both of the following conditions are met:

  • Login schema policy with reset action provokes the reset function to send reset packet, and then free it later.

  • The same packet is freed again, resulting in a duplicate packet free condition.
  [# 710993]

• The request to the back-end server fails if the following conditions are met:

  • Request URL to the back-end server is encoded prior to establishing authentication, authorization, and auditing session.

  • Citrix ADC appliance decodes the URL after log on.
  [# 711287, 711806, 713423]

• If you configure "add kcdaccount xxx -keytab yyy" on release 12.1 build 49.x, the Citrix ADC appliance might become unresponsive.
  [# 712411, 713603, 713300]

• A Citrix ADC appliance with two factor SAML authentication might eternally cause authentication loop.
  [# 714523, 714736]

CLI

• If a user tries to log on to a Citrix ADC appliance through any console, the system displays a log message with an incorrect client type. For example, if the user logs on to the appliance through the XenServer console, the system displays the log message as follows:

  "Apr 9 12:27:02 <local0.info> 10.102.201.11 04/09/2018:06:57:02 GMT 0-PPE-0 : d

  efault UI CMD_EXECUTED 502 0 : User nsroot - Remote_ip 127.0.0.1 - Command "log

  in nsroot "********"" - Status "Success"
  [# 701582]

Citrix Gateway

• In a Citrix Gateway deployment, the log out operation for Outlook Web Access (OWA) application intermittently fails.
  [# 708643, 710636, 709652, 710570]

• When IPv6 is disabled globally, the connection reset is mandated, if the IPv6 packet arrives on MUX channel.
  [# 709903]

• The Citrix Gateway appliance does not display the right logon form when the user clicks the "Go Back" button in the following case:

  The session initialization fails because the user does not belong to any of the groups configured on the Citrix ADC appliance.
  [# 710342]

• If StoreFront is load balanced using an internal load balanced virtual server, IPv6 clients is not evenly load balanced.
  [# 710351]

• Authentication fails when Citrix Gateway is configured with advanced policies, that is nFactor, and the client is configured only for certificate authentication.
  [# 710801]

Clustering

• In a layer 3 cluster deployment, fragmented traffic steered through a GRE tunnel might cause packet loops, which result in high traffic load.
  [# 692350]

GSLB

• In a GSLB cluster setup, when a parent site is removed, the corresponding child site and its services are also removed.
  [# 713908]

GUI

• A Citrix ADC appliance might crash if some entity names in the database have quotations and if a closing quotation is found missing. The issue is resolved if you upgrade your appliance to the latest version.
  [# 707993]

Gateway Insight

• Receivers which are not white-listed fail to launch apps using Citrix Gateway with HDX Insight feature enabled.
  [# 710678, 712929]

Licensing

• When the connection between a Citrix ADC appliance (MPX, SDX, or VPX) and the NetScaler MAS licensing server is lost, the Citrix ADC appliance revokes the licensing capacity immediately. As a result, the throughput drops.

  After the connection with the MAS licensing server is established, you must manually reconfigure the license to restore.
  [# 712434]

Load Balancing

• Traffic disruptions might occur if the encoded redirect URL is greater than 2048 bytes.
  [# 709311]

• The “Operation not permitted” error appears when you try to execute the set operation on domain name based service group member.
  [# 712840]

Load balancing

• A Citrix ADC appliance crashes if you add a Rate Limiting expression to a DNS responder policy.
  [# 708722]

• If the REGISTER request processing for a specific service fails during the Session Initiation Protocol (SIP) call, the memory usage of the Citrix ADC appliance starts building up.
  [# 710763]

Citrix Gateway

• In rare cases, a Citrix Gateway appliance configured for EDT becomes unresponsive because of memory corruption.
  [# 706704, 709305, 709349, 706229, 705896, 710041, 710117, 707924, 709493, 709911, 710415, 710907, 710891, 711509, 711523, 710808, 712343, 715140, 715145]

• A Citrix Gateway appliance does not fallback to the LDAP policy if the following conditions are met:

  - Certificate authentication and LDAP are configured as the first factor and LDAP checks data from login Schema.

  - The certificate authentication fails.
  [# 708140]

• In rare cases, the Citrix Gateway appliance dumps core when DTLS is enabled on a VPN virtual server.
  [# 708703, 709315, 711421, 710131]

• Connectionlist corruption occurs if VMware horizon client reuses the same SPI for UDP connections, resulting in eventual crashes when show or kill command is executed.
  [# 709325]

• In case of network errors, cached client certificates were removed, prompting user to select the certificate from the drop-down menu manually.
  [# 709689]

• A Citrix Gateway appliance dumps core if a Regex in a patset takes a long time to execute.
  [# 709923, 710642]

• In rare cases, the Citrix Gateway appliance dumps core when a client machine tries to open more than one DTLS connection.
  [# 710131]

• The session through a Citrix Gateway appliance using RfWebUI goes to unresponsive mode after you click cancel on the "Change Password" error window.
  [# 710220]

• Accessing a Citrix Gateway appliance results in 404 error, if the Citrix Gateway and Authentication, Authorization, and Auditing are deployed on the same Citrix ADC appliance in the same domain but outside of Citrix Gateway domain.
  [# 711330]

• In some cases, the Citrix Gateway appliance with multiple core crashes if the HDX Insight feature is enabled.
  [# 711720, 712124, 712553, 714141, 714351, 714721]

• A Citrix Gateway appliance does not allow post body expressions for relaystateRule parameter when sending SAML assertions.
  [# 712790]

NetScaler Insight Center

• When Citrix Gateway appliance is used with NSAP enabled for VDAs (7.16 and above) and if HDX Insight is configured, the Citrix Gateway might fail.
  [# 710363, 704912]

• In certain scenarios, if SR-HA feature is enabled for ICA AppFlow, the secondary Citrix ADC appliance in the high-availability deployment might fail.
  [# 713607]

Citrix ADC SDX appliance

• When you create or delete a 10G LACP or static channel, transmission stalls on the member interfaces of the channel, and therefore those interfaces stop processing traffic.
  [# 600152, 697276, 704954]

• On Citrix ADC SDX 26000 and SDX 15000-50G platforms, the virtual router ID (VRID) configuration on a static or a link aggregation control protocol (LACP) channel does not work if any one of the following conditions is met:

  - The VPX instance configured with the VRID restarts.

  - The SDX appliance on which the VPX instance is running restarts.
  [# 710320]

• The message "Appliance license expired" appears when you log on to the Citrix ADC SDX GUI, after upgrading from any previous Citrix ADC version to 12.1 48.13/12.0-58.15. This is a harmless message and can be ignored safely.
  [# 710430]

• The VPX instance restarts by itself in the following case.

  - You change the admin profile associated with a Citrix ADC VPX instance with channel configuration; and

  - The Citrix ADC VPX instance is running on Citrix ADC SDX 26XXX and 15XXX appliances.
  [# 714041]

Citrix ADC VPX Appliance

• A Citrix ADC VPX instance configured with VMXNET3 interfaces and running on VMware ESX server might crash if the ESX server sends a zero-length packet through these interfaces.
  [# 695358, 706660, 707542]

Networking

• In some deployments, ICMP error packets, sourced from the NSIP address and destined to 127.0.0.2 address, might go in loops within the Citrix ADC appliance causing high CPU usage in the appliance.
  [# 707489]

• In a high availability configuration in INC mode, dynamic routing parameters might not get set properly because of the conversion errors.
  [# 708496]

• In a Citrix ADC appliance, BGP daemon fails when a routemap, which includes a 'match ip peer' command entry, is applied to the kernel routes.
  [# 709231]

• In a cluster setup, a node has the following entities in the same traffic domain:

  - a VIP address and,

  - a load balancing virtual server with the same VIP address.

  When the traffic domain is removed, virtual server configuration is removed but the VIP address is not removed. The node crashes when it sends out a GARP message for this VIP address.
  [# 710326, 711605]

• HTTPS access to a SNIP address in a traffic domain fails because the appliance performs port allocation in non-default traffic domain when accessing the NSIP address internally from underlying FreeBSD operating system.
  [# 710982]

• BGP IPv6 address family configuration might not get saved in a cluster setup.
  [# 711033]

Policies

• An error is encountered when you convert a classic policy expression with domain option to advanced policy expression using NSPEPI tool.
  [# 710610]

SSL

• A Citrix ADC MPX/SDX 14000 FIPS appliance becomes unresponsive if it receives a packet of size > 18 KB from the backend server.
  [# 707061]

• The symmetric operations fail because the SSL card becomes unresponsive.
  [# 708375, 709406, 708978, 708923, 711264, 711404, 712257]

• A Citrix ADC appliance might crash if an OCSP responder is configured with nonce disabled and the integrated caching feature is enabled so that OCSP objects are cached.
  [# 709491, 707452, 710458, 707610]

• The “No Certificates present in the certificate bundle file" error appears when you try to add a PFX file using the Citrix ADC GUI.
  [# 710202]

• GSLB virtual servers are not accessible if you make any changes to the enabled default SSL profile.

  With this fix, any change to the SSL profile does not affect the state of the GSLB virtual servers.
  [# 710207, 710428]

• Ciphers bound to an SSL service group are not included in the running config if the following commands are run in a sequence:

  1. set ssl servicegroup <servicegroup name> -sslprofile <profile name>

  2. bind ssl servicegroup <servicegroup name> -ciphername <profile name>

  As a result, after you save the config and restart your appliance, the ciphers are not bound to the service group.

  With this fix, the commands are included in the running config. However, you must run the bind command once after upgrading your appliance to include the command in the running and saved configuration files.
  [# 710573]

• In rare cases, an attempt to install a new certificate on an MPX 9700/10500/12500/15500 appliance might fail with the “bad pkcs error” counter incremented if the private key “CRT Params” size is not equal to the maximum size allowed.
  [# 711066, 706981]

• ECC curve bindings to a DTLS virtual server are not saved in the configuration (ns.conf) after you enable the SSL default profile in the the global SSL parameter.
  [# 713913]

System

• A Citrix ADC appliance might crash if it sends messages from one processor to another processor, for deleting a steering session in some error cases.
  [# 700423]

• A Citrix ADC appliance crashes because of a timer issue. The issue occurs if the stats are collected after the SYSLOGUDP connection is deleted, but before the appliance deletes the SYSLOGUDP service.
  [# 705574]

• If you configure an HTTP type load balancing virtual server with HTTP/2 option enabled on the HTTP profile, the appliance fails to load balance gRPC traffic.
  [# 709214]

• If the trace aggregator processor leak opens a file descriptors every time you execute the nstrace command, the Citrix ADC appliance might display the following error message: "kern.maxfiles limit exceeded".
  [# 709430, 712687, 712970]

• A Citrix ADC appliance might crash if an external authentication server takes more than 20 seconds to respond.
  [# 711282]

Telco GUI

• The libqos actions are displayed in the QOS action page of the Citrix ADC T-series platform GUI.
  [# 697178]

Telco Traffic Management

• GUI settings are missing in the Traffic Management page of the Citrix ADC T-series platform i.e the following ones:

  - Cache redirection

  - Subscriber

  - Service chaining

  - User

  As a workaround, one can visit MAS and configure a configuration job to run the relevant commands for the missing configuration. Please refer to the citrix documentation for exact details.
  [# 712839]

URL Categorization

• If you execute the command "show urlset <urlset_name>", the Citrix ADC appliance returns information for the requested urlset and any other urlsets added after it.
  [# 709042]

Web App Firewall

• A Citrix ADC appliance crashes when it attempts to access the return address of a stack frame which is not present in an XML payload.
  [# 703461, 712938, 714297]

Known Issues

• The functionality for importing Citrix Web App Firewall profile configuration fails, if the profile contains user-defined field types and if the field types are used in multiple relaxation rules.
  [# 706747]

• In a rare case, when Citrix Web App Firewall Learning option is enabled, the resulting aslearn.log file can consume a high amount of hard disk space, starving other disk users.
  [# 712139]

Authentication, authorization, and auditing

• The back end is not accessible through a clientless VPN (CVPN). The issue occurs when SSO is ON, the proxy is specified in a traffic action, and the back-end credentials are different from the logon credentials.

  Workaround:

  Create a traffic policy based on back-end URL and create a trafficAction with SSO OFF and No Proxy. The backend should be accessible.
  [# 689153]

• The LDAP authentication might fail on a Citrix Gateway appliance when a nested group extraction is configured and LDAP groups exceed 16000 bytes.
  [# 696784, 706081]

• The following behavior is observed in a Citrix ADC appliance:

  • In a high availability setup, the primary node overwrites the invalid login counters of the secondary node.

  • In a cluster setup, the invalid login counters on Cluster Management IP address (CLIP) node overwrite the invalid login counters of the cluster nodes.
  [# 708177]

Citrix Gateway

• Google reCAPTCHA is not supported for Citrix Gateway plug-in for Windows.
  [# 712951]

DNS

• A Citrix ADC appliance crashes when negative responses for root domain are cached.

  Workaround: Disable caching of negative responses.
  [# 710624]

GSLB

• GSLB configuration synchronization failed because the "set ssl servicegroup"command was also synchronized. With this fix, the command is not synchronized. As a result, the GSLB configuration is synchronized successfully.
  [# 709722]

• In some cases, the Citrix ADC appliance might crash in the following scenario:

  - You have configured a GSLB parent-child cluster setup.

  - The appliance is handling load balancing traffic and GSLB site persistence traffic.
  [# 711055]

GUI

• A time zone setting ("set timezone” command) in a Citrix ADC appliance running release 11.1 might get lost after you upgrade it to a later release.

  Workaround: Set the required timezone (by using the "set timezone" command in the Citrix ADC CLI or the Citrix ADC GUI) again on the upgraded appliance.
  [# 692565, 683168]

• After you upgrade a Citrix ADC appliance when a non-shell access user creates a certificate signing request (CSR), the appliance adds a "" (backslash) appears before a " "(space) for organization name, locality name, etc.
  [# 713382]

Licensing

• When Citrix ADC licenses hosted on NetScaler MAS expires, the Citrix ADC appliance moves into a grace period of 30 days. If valid licenses are updated during the grace period, the Citrix ADC appliance continues to function as usual. If not, licenses are revoked and the appliance ceases to function.
  [# 697665]

NITRO API

• The Citrix ADC appliance does not send a response for a NITRO API request for restarting the appliance.
  [# 708209]

Citrix Gateway

• The global settings for the graphical user interface are not shown correctly.
  [# 603701]

• After an upgrade to version 11.1, the Citrix Gateway logon page does not appear on the Citrix ADC GUI.

  Workaround: Clear the web browser cache.
  [# 702580]

• SOCKS Proxy CR virtual server configuration for a Citrix Gateway appliance fails if you use a Fully Qualified Domain Name (FQDN) for Virtual Delivery Agent (VDA).

  Workaround: Use an IP address for VDA.
  [# 704511]

• VPN tunneling is ceased because Windows firewall on Citrix virtual adapter drops the packets. The packet drop is caused because of cross firewall profile switch (profile switch from domain to public) for any inbound connection.
  [# 710165, 707791, 704144, 716197]

NetScaler Insight Center

• NetScaler Insight Center does not report an application-launch failure caused by a user trying to launch an application or desktop to which the user does not have access.
  [# 609604]

• The appflowLog option is enabled by default in Citrix ADC Appliance version 11.1.58.x.

  Consider you have enabled the appflowLog option on a VPN virtual server and upgraded the Citrix ADC Appliance to version 11.1.58.x. The appflowLog option on the VPN virtual server is disabled when you downgrade the Citrix ADC appliance version back to version 11.1.

  Workaround: Manually enable the appflowLog option on the VPN virtual server after you downgraded from Citrix ADC Appliance version 11.1 58.x.
  [# 707744]

• Citrix Gateway might fail, if you use HDX Insight feature on the Citrix Gateway appliance in a cluster setup.
  [# 707867]

• During cluster upgrade, the HDX Insight records for the reconnect session is not reported if the cluster nodes have different Citrix ADC appliance build versions.
  [# 708282]

Citrix ADC SDX appliance

• When you log on to the SDX appliance as an external user by using an RADIUS, LDAP, or TACACS server, the Citrix ADC VPX instances that have not been configured under the groups for external authentication don’t appear under Citrix ADC > Instances in the SDX GUI. This happens after you’ve upgraded the Citrix ADC SDX appliance from the following releases, any build:

  - From release 10.5 to release 11.1 or 12.0

  - From release 11.0 to release 11.1 or 12.0

  Workaround: Log on to the SDX appliance by using your nsroot credentials. From the SDX GUI, go to System > User Administration > Group. Select the group and click Edit. Under Instances, move the Available instances to Configured instances. Click OK to save changes. Log out from the SDX appliance and log on back as an external user.
  [# 703323]

Citrix ADC VPX appliance

• If a Citrix ADC VPX instance deployed on KVM hypervisor is configured with SRIOV NICs and PCI Passthrough, when you add or remove SR-IOV or PCI Passthrough interfaces, the order in which the interfaces are presented to the Citrix ADC VPX instance changes. As a result, the configurations bound to the interfaces might not work.

  Workaround: Redo the configurations manually.
  [# 690896]

• If a KVM hypervisor runs on an AMD processor-based server, the Citrix ADC VPX instance running on the KVM hypervisor restarts cyclically and then stabilizes after a few iterations.

  Workaround:

  Add the following entry in /flash/boot/loader.conf

  vm.pmap.pg_ps_enabled="0"
  [# 692177]

• Error messages appear when an SR-IOV-enabled Citrix ADC VPX instance configured with Intel X710 10G and XL710 40G NICs, running on KVM hypervisor, restarts. The error messages are harmless and can be safely ignored.
  [# 692334]

• The cloud profile configuration for Azure autoscale shows the load balancing protocol as HTTP irrespective of the protocol selected while configuring the cloud profile. This issue appears both in GUI and CLI.

  Workaround: Ignore this behavior, as this does not affect the functionality of the VPX instance.
  [# 705295, 689807]

• In a high availability setup on Azure, upon logon to the secondary node through GUI, the first-time user (FTU) screen for autoscale cloud profile configuration appears.

  Workaround: Skip the screen, and log on to the primary node to create the cloud profile. The cloud profile should be always configured on the primary node.
  [# 705793]

• When you delete an autoscale setting or a VM scale set from an Azure resource group, delete the corresponding cloud profile configuration from the Citrix ADC instance. Use the "rm cloudprofile" command to delete the profile.
  [# 706104]

• When you power on the Citrix ADC VPX instance for the first time after you’ve configured an Intel XL710 NIC as a PCI Passthrough interface, the instance takes longer than normal to start. The issue is seen only the first time the system starts after the interface is configured. This happens due to a limitation of Intel XL710 NIC.
  [# 708142]

Networking

• In some cases of FTP data connections, the Citrix ADC appliance performs only NAT operation and not TCP processing on the packets for TCP MSS negotiation. As a result, the optimal interface MTU is not set for the connection. This incorrect MTU setting results in fragmentation of packets and impacts CPU performance.
  [# 485678]

• In a high availability setup, the Citrix ADC appliance does not send jumbo frames on interfaces that are Jumbo enabled. This issue cause the state of the LACP channels and interfaces to flap, which in turn results in repetitive HA failover in the setup.
  [# 708050]

SSL

• You cannot remove an SSL log profile if it is attached to the SSL default profile and client authentication is enabled on the SSL default profile.
  [# 664622]

• In a cluster setup, some cluster nodes might not honor the reuse request of a session ticket, but the SSL full handshake succeeds.
  [# 678175, 678522, 678526]

• An expired session ticket is honored on a non-CCO node and on an HA node after an HA failover.
  [# 678176, 687205, 687098]

• An incorrect warning message, "Warning: No usable ciphers configured on the SSL vserver/service," appears if you try to change the SSL protocol or cipher in the SSL profile.
  [# 682859]

• Session Key Auto Refresh incorrectly appears as disabled on a cluster IP address. (This option cannot be disabled.)
  [# 687208]

• SSL classic policy expressions are not honored.

  Workaround: Use SSL default policy expressions.
  [# 692137]

• Existing TLS 1.3 connections to a virtual server break if you update the certificate-key pair bound to that virtual server.
  [# 696241]

• If you create an ECDSA key by using the GUI, the type of curve is not displayed.
  [# 705612]

• In a cluster setup, SSL log profile is not displayed on the CLIP address even though it is set in the SSL profile.
  [# 708057]

• Any ECDSA keys created on the appliance by using the GUI do not appear under SSL > SSL Files > Keys.

  Workaround: You can view the ECDSA keys by using the CLI.
  [# 709865]

• The TLS 1.3 server sends an "internal_error" alert and breaks the connection if all of the following conditions are met:

  - TLS 1.3 is negotiated for a connection.

  - An ssl policy action is configured that causes the server to request a certificate from the client.

  - The client's response is received for the post-handshake certificate request.
  [# 713257]

• When TLS 1.3 is negotiated for a connection, policy rules that inspect TLS data received from the client (for example, rules that make use of "add ssl policy pol1 -rule client.ssl...") do not trigger the configured action. In addition, ssl policies that use the SSL control actions (for example, CLIENTAUTH or NOCLIENTAUTH) do not trigger the configured action when TLS 1.3 is negotiated.
  [# 713570]

• On a Citrix ADC VPX appliance, memory leak is observed when policy-based renegotiation happens.
  [# 714186, 706370]

• You cannot create an RSA key by using the GUI if the PEM algorithm is DES or DES3.

  Workaround: Use the CLI.
  [# 716709]

Security

• ICAP support for Citrix ADC

  A Citrix ADC appliance now supports Internet Content Adaptation Protocol (ICAP) for content transformation service on HTTP and HTTPS traffic. The appliance acts as an ICAP client and interoperates with third-party ICAP servers, such as antimalware and Data Leak Prevention (DLP). The ICAP servers perform a content transformation on the HTTP and HTTPS messages and send back responses to the appliance as modified messages. The adapted messages are either an HTTP or HTTPS response or request.

  For more information, see https://docs.citrix.com/en-us/netscaler/12-1/security/icap-for-remote-content-inspection.html
  [# 702971]

System

• A TCP transaction delay is observed if a Citrix ADC appliance is unable to use the TCP connection to connect to the back-end server. In this case, the appliance opens a new connection to forward the client requests to the back-end server after some waiting period. The waiting period ranges from 400 ms to 600 ms.
  [# 690965]

• In a large scale NAT deployment of two Citrix ADC appliances in a high availability setup, IPSec ALG might not work properly if the high availability configuration has "stayprimary" or “staysecondary” option set.
  [# 691283]

• In a cluster deployment, if you run "force cluster sync" command on a non-cco node, the ns.log file contains duplicate log entries.
  [# 702608]

• In a cluster deployment, the RESPONDER log messages do not appear when you run the following commands:

  - The "show audit messages" command from command line interface.

  - The "recent audit messages" command from Citrix ADC GUI.

  Workaround:

  You can locate the RESPONDER logs in /var/log/ns.log.
  [# 703928]

• Memory utilization might increase in some Citrix ADC MPX and VPX appliances running 64-bit Citrix ADC images.

  High-end platforms with large system memory are not affected.
  [# 705709]

• Connections might hang if the size of processing data is more than the configured default TCP buffer size.

  Workaround: Set the TCP buffer size to maximum size of data that needs to be processed.
  [# 707209]

• When you upgrade a Citrix ADC appliance to release 12.1, SNMP does not work as expected. Instead, it responds with the "No Such Object" error message.
  [# 713612, 714913]

• A Citrix ADC appliance crashes if invalid MP_JOIN options of MP_JOIN SYN packet are sent in an MP_CAPABLE subflow.
  [# 714030]

Telco Video Optimization

• The Citrix ADC TCP/IP processing module (also known as, Packet Processing Engine (PPE)) crashes when a TCP connection attached to a non-master TCP processing module stays open for more than 3,276 seconds.
  [# 710123]

• Memory leak is observed in the SSL detected domain extraction algorithm. The issue occurs if the SSL detected domain is extracted by the server certificate. The memory leak eventually causes the Citrix ADC appliance to become unresponsive.
  [# 714470]

URL Filtering

• When a Citrix ADC appliance optimizes a video traffic using a Nile based TCP profile with Video Optimization enabled, the following issues are identified:

  - Long video startup time

  - Excessive buffering time
  [# 704755]

• If a consecutive import of URLset times out because of connectivity issues with the download server, the Comman Line tool will freeze, create a core dump, and will restart. The appliance's traffic will run as expected.

  Workaround: Download the URL set from the same server and disperse their download frequency.
  [# 712904, 711078]

Video Optimization

• During video optimization, buffering occurs because of a conflict between the Nile congestion handler and the pacing scheduler.
  [# 705099]

Release history