Release Notes for NetScaler 10 Maintenance Releases

This document describes the changes, fixed issues, and known issues in the maintenance releases of the Citrix® NetScaler®, Citrix® NetScaler® SDX, and Citrix® Access Gateway® software.

Note:

Build 73.5

Release version: Citrix® NetScaler®, version 10 build 73.5

Replaces build: None

Release date: January 2013

Release notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (nCore and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

Access Gateway

Application Firewall

  • Issue ID 0348647: On a NetScaler appliance that has the application firewall configured, if the client sends a web form with data that contains a plus sign (+), that form field triggers a form field consistency violation. This applies to data that the user types into the form, and to data in hidden fields that was generated by JavaScript or sent to the user from the server. To work around this issue, ensure that no field contains a plus sign, or temporarily disable blocking for the form field consistency check.
  • Issue ID 0354289: On a NetScaler appliance that has the application firewall configured, chunked requests sent by mobile devices to XML services might receive 400-level HTTP responses.

Cluster

  • Issue ID 0343137: The configuration utility does not display the Add button while configuring linksets.

Configuration Utility

  • Issue ID 0324797: The NetScaler configuration utility does not display the queue depth value for the configured priority queuing policies. This issue is observed only in a cluster setup.
  • Issue ID 0334292: If you navigate to HTTP Compression > Policies or HTTP Compression > Actions, the Remove button is disabled in the task pane.
  • Issue ID 0346094: The Configured table on the Monitors tab of the Configure Service dialog box does not display the correct states for monitors that are bound to a service. Any check boxes that you selected earlier, in the State column, are shown as unselected the next time you open the Configure Service dialog box for that service. However, the monitors remain active and continue to check the health of the service.
  • Issue ID 0345888: If you log off and then log back on to the NetScaler configuration utility, an "Invalid username or password" error is logged in the ns.log file.
  • Issue ID 0351805: The Monitor Name column of the Monitor details for service group member dialog box displays the name of the server instead of the name of the monitor.
  • Issue ID 0355097: If you use the configuration utility to modify the security settings of profiles for the application firewall feature, the changes are not saved.

DataStream

  • Issue ID 0354182: The flush cache contentGroup command does not flush objects that are cached in a content group of type MYSQL.

Global Server Load Balancing

  • Issue ID 0344759: If you attempt to create a CNAME based GSLB service with a CNAME that is already associated with another service, the NetScaler appliance not only disallows creation of the new service, but also removes the CNAME record for that CNAME. A subsequent attempt to create a GSLB service with that CNAME is successful, and creates a new CNAME record. Therefore, two GSLB services (the previously existing service and the new one) are associated with the same CNAME.

Integrated Caching

  • Issue ID 0337778: If both the rewrite feature and the Integrated caching feature are configured, the integrated caching feature might not function normally, and as a result the NetScaler appliance might fail. The problem can occur if objects are stored in selector based content groups and heavy traffic causes a server to respond slowly.
  • Issue ID 0347120: For HTTP callout caching, if a response gets cached in a content group that has the minimum number of hits set to a non-zero value, the show cache object command fails.

Load Balancing/AAA Application Traffic

  • Issue ID 0346093: The traffic management policy hit count shows no hits ("0") even when traffic management policies are functioning and matching traffic.

Load Balancing

  • Issue ID 0278377 (nCore): Cache policy labels cannot be bound to MYSQL or MSSQL virtual servers.
  • Issue ID 0330173: If a domain based service is configured with a wildcard port, its domain name does not get resolved to an IP address. Therefore, the service does not come up.
  • Issue ID 0331414: The states and port numbers of load balancing virtual servers and services are not included in log entries in the newnslog file.
  • Issue ID 0338196: The NetScaler appliance might fail during active-mode FTP transactions.
  • Issue ID 0350458: The servicegroupbindings NITRO request (URL: http://<NS_IP>/nitro/v1/config/servicegroupbindings/<servicegroupname>) does not retrieve the names of the load balancing virtual servers to which the service group is bound.

NetScaler SDX Appliance

  • Issue ID 0318968: If you log on to a NetScaler VPX instance and change the password for access to the instance, instead of changing the password from the Management Service, connectivity from the Management Service to the instance is lost. With this release, you can restore connectivity by creating a new profile from the Management Service, assigning it the same password that you specified on the NetScaler VPX instance, and then binding the new profile to the NetScaler VPX instance.

    To create a new administrator profile, log on to the Management Service and, on the Configuration tab, navigate to NetScaler > Admin Profiles. In the details pane, click Add. In the Create NetScaler Admin Profile dialog box, type the new profile name and password. Then navigate to NetScaler > Instances and select the instance to which you want to bind the new profile. Click Modify to open the Modify NetScaler wizard and, from the Admin Profile list, select the new profile. You do not need to restart the instance for this change to take effect.

    You can also lose connectivity to XenServer by changing the password on XenServer instead of from the Management Service. To restore connectivity, you can now change the password for XenServer from the Management Service.

    To change the password, log on to the Management Service and, on the Configuration tab, navigate to System > Users. Select the nsroot user, and then click Modify. In the Modify System User dialog box, type the same password that you specified when you were logged directly on to XenServer.

  • Issue ID 0329597: In certain cases, the status of a storage disk present in the SDX appliance might appear as "Missing" in the Management Service user interface under Monitoring > System Health > Storage > Disk node.
  • Issue ID 0336831: If you bind a new interface to a NetScaler instance, the physical to virtual interface mapping does not change. However, if you modify a NetScaler instance that involves disabling a virtual interface, the physical interface to virtual interface mapping on the instance might change.

Networking

  • Issue ID 0342151: The set l4 parameter command has a new parameter, l2connMethod, for specifying the MAC address, channel number, and VLAN ID attributes for the L2 Conn option behavior in a virtual server.

    For a load balancing virtual server that has L2 Conn enabled, if the l2connMethod parameter of the set l4 parameter command is set to Channel, Vlan, or VlanChannel, a client MAC address change no longer causes the NetScaler appliance to create a new session entry. Instead, the appliance updates the existing session entry with the new MAC address. This update resolves issues (especially with MBF) that were caused by the appliance using the old session entry instead of the new one.

  • Issue IDs 0343485 and 0358382: The NetScaler appliance becomes unresponsive when highly demanding traffic (~5000 HTTP threads at a request rate of 100 KB/s) is sent through GRE and IPsec tunnels.
  • Issue ID 0343789: In a high availability configuration, the BGP peer of the secondary node stays in the OpenSent state.
  • Issue ID 0346654: The NetScaler appliance does not ignore some unsupported capabilities. It might reset BGP connections even when strict-capability-match is not configured on the appliance.

NITRO API

  • Issue ID 93372/0257279: You can now view the virtual servers to which a specified service is bound. The REST URL for this is http://<nsip>/nitro/v1/config/svcbindings/svcname.
  • Issue ID 0318912: On the NetScaler appliance versions 9.2, 9.3, and 10, incorrect values are returned for cpuusagepcnt and rescpuusagepcnt on the following query: /nitro/v1/stat/system.

SSL

  • Issue ID 0342706: If you bind a cipher or cipher group to a virtual server, service group, or service, and then save the configuration, the cipher group binding is missing from the configuration after you restart the appliance.
  • Issue ID 0344323: An attempt to add a CA certificate fails if the modulus value of the public key is not a multiple of 512 bits.
  • Issue IDs 0352611, 0357697, and 0358026: If you log on to a NetScaler account other than the administrative account and enter the show ssl service command or show running config command, the command output appears repeatedly.
  • Issue ID 0353680: The add ssl certkey command fails if the private key file does not have a newline at the end of the file.
  • Issue ID 0357528: On a FIPS platform, if an SSL renegotiation request is received on an SSL virtual server, the appliance fails.

System

  • Issue ID 0301065: When using the HTTP monitor, the NetScaler appliance might send SYN packets from a port on which an earlier session was not closed by the server. The server then responds with a bad SYN-ACK response, which causes the NetScaler appliance to send a RST to the server.
  • Issue ID 0334500: Disk usage is high because the newnslog log files of NetScaler appliance version 9.2 are not automatically cleaned up on upgrade to NetScaler appliance version 9.3.
  • Issue ID 0335155: When USIP is enabled, the NetScaler appliance sends a probe to the server using the client IP address as the source IP address. If the server responds to the probe with a packet that has an incorrect acknowledgement number, the appliance tries to probe the server again using the MIP address instead of the client IP address.
  • Issue IDs 0355812 and 0357937: If you log on to a NetScaler appliance using an account other than the administrative account, when you execute the show monitor command, not all monitors are displayed.

Web Interface

  • Issue ID 0353708: If you modify a web interface services site (for access via Citrix Receiver) using the configuration utility, on a NetScaler version 10 appliance running a build older than 72.6, the services site might stop working.

Known Issues and Workarounds

AAA Application Traffic

  • Issue ID 0283556: Currently the SAML implementation supports only RSA digital signatures. DSA digital signatures are not supported.
  • Issue ID 0303507: NetScaler automatic domain join fails with Likewise 6.1. If you attempt to create a Kerberos authentication action, the attempt fails with the following error message:

    LsaAdJoinDomain (40041) Invalid parameter

    To work around this issue, at the NetScaler command line open a Unix shell, and then type the following command to manually join the domain:

    /opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>

    Note: You must issue this command after each reboot.
  • Issue ID 0310205: If you attempt to kill a user session by using the username parameter with either the NetScaler command line 'kill session' command or the configuration utility, the session is not terminated on either the NetScaler appliance or the client.

Action Analytics/Rate Limiting

  • Issue ID 91353/0250526: If multiple stream identifiers and/or rate limiting identifiers evaluate a connection, the NetScaler appliance updates the counters for bandwidth, response time, and number of concurrent connections for only the identifier that evaluates the connection first. Those statistical counters are not updated for the other identifiers. However, the counter for number of requests is updated for all the identifiers that evaluate the connection.

AppExpert

  • Issue ID 0323436: The NetScaler configuration utility can display a maximum of 4500 bound patterns of a pattern set.

AppFlow

  • Issue ID 0327439: AppFlow records generated by the NetScaler appliances cannot be seen on Splunk.
  • Issue ID 0333560 (nCore): AppFlow records generated by the NetScaler appliance might contain junk characters.

Application Firewall

  • Issue ID 0272715: If you use the Google Chrome browser with the default Chrome PDF plugin to view the PCI-DSS report, certain links and pages do not render correctly. To work around this issue, disable Chrome PDF and install the Adobe Acrobat Reader plugin for Chrome.
  • Issue ID 0282932: If you use the Signature Editor to add a signature rule for a response-side check (such as the Credit Card or Safe Object check), in addition to one or more response patterns you must also add at least one request pattern. If you do not, then when you try to save the new signature rule, the configuration utility displays an error message and does not save the rule.
  • Issue ID 0283780: When you enable the sessionless URL closure feature, you must also enable the URL closure feature. If you do not enable URL closure, the sessionless URL closure feature does not work.
  • Issue ID 0284009: If sessionless URL closure is enabled, and Validate Referer Header is set to If Present, a spurious Referer header check error is generated and logged when a web form with an action URL is submitted. If blocking is enabled for the Start URL check, then requests that contain web forms with action URLs are blocked. To work around this issue, if you configure Sessionless URL Closure, set Validate Referer Header to Off.
  • Issue ID 0303044: Only QualysGuard WAS 1.0 scan reports are supported for importing as application firewall signature rules. WAS 2.0 scan reports are not supported.
  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.
  • Issue ID 0313950: On a NetScaler appliance that has the application firewall configured and the Safe Object check configured, processing extremely large web pages can cause the NetScaler appliance to crash.

Cache Redirection

  • Issue ID 0287688: If you set the L2Conn parameter for a cache redirection virtual server before you finish setting up the cache redirection configuration (including the other participating entities, such as the load balancing virtual server and the services that should be bound to the load balancing virtual server), the NetScaler appliance sends clients the SYN-ACK segments that it receives from the cache or origin servers during connection establishment with those servers. Clients respond to the SYN-ACK segments with a TCP RESET. Consequently, the requests are dropped.

    Workaround: Enable the L2Conn parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.

Configuration Utility

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

  • Issue ID 0269337: If you use the Google Chrome browser, with the toolbars installed, to access the configuration utility, the toolbars distort the views.

    Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.

  • Issue ID 0278002: If you use the configuration utility to enable or disable an extended ACL or ACL6, the utility does not warn you that the change does not take effect until you apply ACLs.
  • Issue ID 0278097: In the configuration utility, if you click 'Application Firewall' in the navigation pane, the scroll bar moves up and the subnodes of the Application Firewall node disappear. You have to scroll down to view the subnodes.
  • Issue ID 0303279: In the configuration utility, in the Rewrite Policies pane, clicking Add does not display the Create Rewrite Policy dialog box but disables the main configuration utility window.
  • Issue ID 0307039: The expression builder dialog does not show the possible functions in the following scenarios:
    • When '.' is entered after the (<expression>)
    • When '.' is entered in the expression which is used as function parameter.
  • Issue ID 0323172: The NetScaler configuration utility cannot group the neighbors according to the cluster node to which they belong. This issue is observed only in a cluster setup.

    Workaround: You must use the 'show nd6' command to view the neighbors node-wise.

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
  • Issue ID 0333048: If you access the configuration utility through Internet Explorer 8, an attempt to bind 250 or more VIP addresses to a VLAN results in an error message about an unresponsive script.
  • Issue ID 0333745: When you access the NetScaler configuration utility from a Mac machine, the keyboard shortcut keys may be unresponsive. In the NetScaler configuration utility, shortcut keys work differently in Java and HTML views. For example, in Java based views, the shortcut keys for the copy-paste functions are <CTRL C> and <CTRL V>, and in HTML based views they are <CMD C> and <CMD V>.

    Workaround: Use the <CTRL key> shortcut keys if the <CMD key> shortcut keys are not working, and vice versa. For example, if the <CTRL C> shortcut key is not working, use <CMD C>, and vice versa.

  • Issue ID 0333834: If the PDF reader plug-in is not set in your browser and you try to open an HTML document from the Downloads tab of the NetScaler configuration utility, you are prompted to open the document in Adobe Reader.
  • Issue ID 0334042: The configuration utility does not display a details panel for all the entities.

    Workaround: Click 'Edit' to display the details.

  • Issue ID 0335013: If no services are configured for a DNS view, and you use Windows Internet Explorer 9 to view the Create DNS View dialog box, the "Service(s) in this view" and "Policy(s) in this view" lists in the dialog box are not rendered correctly. The display issue is resolved if at least one service is configured for the DNS view.
  • Issue ID 0335526: If you access the configuration utility through an Internet Explorer browser that has the Java Runtime Environment (JRE) disabled, an error occurs.

    Workaround: Make sure that at least one JRE is present and enabled under the Java Runtime Environment Settings, in the Java console, on the Java tab.

  • Issue ID 0338513: When you log on to the NetScaler configuration utility using Internet Explorer 8 or Internet Explorer 9, the web browser displays a blank screen because the browser is displaying the compatibility view.

    Workaround: Change to the standard view, in the Compatibility View Settings dialog box, by clearing the Display all websites in Compatibility View check box.

  • Issue ID 0349813: If you use the configuration utility to unbind all the cipher suites from a user-defined SSL cipher group, the user-defined cipher group is deleted from the appliance.
  • Issue ID 0352307: If you access the NetScaler configuration utility from a Mac machine with a client environment running JRE 1.7 or later, you cannot select the fields in the Java based configuration views.

    Workaround: If you click outside and return to the browser window, you will be able to select the fields in the configuration views.

  • Issue ID 0353015: Load balancing virtual servers that are used by AppExpert applications are displayed in nodes other than the AppExpert node, wherever the configuration utility displays a list of load balancing virtual servers that are configured on the NetScaler appliance. For example, load balancing virtual servers that are used by AppExpert applications are displayed in the Available Virtual Servers list in the dialog boxes that are used to configure persistency groups (Load Balancing > Persistency Groups > Add), and in the Target LB Virtual Server list in the Create Content Switching Action dialog box (Content Switching > Actions > Add > Target LB Virtual Server > Name option button).

Documentation

  • Issue ID 0277923: The documentation for the Content Switching feature states that if a policy that is bound to a content switching virtual server evaluates to TRUE, and the policy's Goto expression specifies END, policy evaluation terminates at that policy. However, the documentation does not mention that, if the content switching virtual server has a default virtual server, the request is forwarded to the default load balancing virtual server when policy evaluation is terminated.

Domain Name System

  • Issue ID 0301348: Even though the NetScaler user interface allows you to create DNS policy labels, the DNS policy label functionality is not supported in this release.

Global Server Load Balancing

  • Issue IDs 0287825 and 0287827: If the master node and slave node in a Global Server Load Balancing (GSLB) configuration are running different NetScaler releases, the site synchronization process fails when the master node is collecting GSLB configuration information from the slave node. The issue is specific to NetScaler releases 9.2, 9.3, and 10. The issue occurs if one node (either the master or the slave) is running NetScaler release 10 and the other node is running NetScaler release 9.2 or 9.3.
  • Issue ID 0291053: The NetScaler appliance does not rewrite responses that are DNSSEC-enabled and/or sent over TCP. So, when a security-aware DNS server sends the NetScaler appliance a DNSSEC-enabled NXDOMAIN response, or when a DNS server sends the appliance an NXDOMAIN response over TCP, the appliance relays the negative response to the client and caches the negative response. For subsequent requests for the same non-existent domain, the appliance responds with the cached, DNSSEC-enabled response, even if the clients are security-oblivious or use UDP. This behavior is expected, and ensures that all clients receive the same response.
  • Issue ID 0326001: If a GSLB virtual server’s primary GSLB method is set to round trip time (RTT) and backup GSLB method is set to static proximity, or if the primary GSLB method is set to static proximity and backup GSLB method is set to RTT, and source IP persistence is enabled, when the primary GSLB method fails, the backup GSLB method also fails.

    Workaround: If you use RTT as the primary GSLB method, do not use static proximity as the backup GSLB method. Similarly, if you use static proximity as the primary GSLB method, do not use RTT as the backup GSLB method.

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the "show lb persistentSessions" CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'client.tcp.payload(n)', and a request is received in multiple parts such that there is a delay between the parts and a FIN is sent from client before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91711/0250846: If the string (or "token") that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR("string2").AFTER_STR("string1") if the string that is enclosed by "string1" and "string2" is not larger than 64 KB.
  • Issue ID 94405/0258207: If you specify a persistence rule for a load balancing virtual server without specifying a persistence type or setting the load balancing method to TOKEN, the NetScaler appliance discards the rule without checking its validity. This behavior is by design.

Load Balancing/SSL

  • Issue ID 0331621: While creating SSL or load balancing virtual servers with default responder action, the NetScaler appliance throws a “No such resource” error. This issue is observed only in a cluster setup.

NetScaler SDX Appliance

  • Issue ID 0261232: If you set the date on the Management Service to an earlier date, the inventory and stats are not updated in the Management Service user interface.

    Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type: #/etc/rc.d/svmd restart

  • Issue ID 0337386: When restored from a backup, a NetScaler instance is reprovisioned by using the NetScaler XVA image currently available on the appliance, even if the backup was taken from an upgraded configuration. If multiple XVA images are available, the XVA image that was used to originally provision the instance is used, if available, to reprovision the instance. If that image is not available, any XVA image is used.

Networking

  • Issue ID 0276933: When you change the next hop parameter of a PBR for IPv4 traffic, the new hop is taken into account even if you have not applied the PBRs.
  • Issue IDs 0283035 and 0299716: In a cluster setup, the bind vlan command throws an error when interface and IP address are specified together.
  • Issue ID 0288450: The show lacp command does not display the lacp configurations. This issue is observed only in a cluster setup.
  • Issue ID 0316144: In a cluster setup, the Precision Time Protocol (PTP) time across cluster nodes is not synchronized if PTP packets are dropped due to the backplane switch or if the physical resources are over-committed in a virtual environment.
    Workaround:
    • Disable PTP using the command set ptp -state disable and configure NTP to synchronize the time across the cluster nodes.
    • If the backplane switch is similar to the Extreme switch, prevent the multicast PTP packets from reaching the CPU by using the following command (this might prevent some relevant features, such as routing, from working):

      ipmcforwarding to-cpu off ports 41-48 <backplane-interfaces>

Rewrite

  • Issue ID 0305831: The man pages for add and set rewrite action do not include xpath_html (xp<delimiter>xpath expression<delimiter>) as a search expression.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 0283661: In a cluster setup, if you add an SSL certificate on the configuration coordinator, and immediately execute the add certkey command, the command succeeds on the configuration coordinator but might fail on the other cluster nodes if the certificates on the configuration coordinator are not synchronized with the other cluster nodes before the command is executed.

    Workaround: Copy the certkey under /nsconfig/ssl/ folder on all the cluster nodes or confirm that the certificates are synchronized before executing the add certkey command on the configuration coordinator.

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with RSA 4096-bit key.
  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
  • Issue ID 0352334: TLS protocol, version 1.2, handshake fails if all the following conditions are met:
    • The client browser is Internet Explorer.
    • Client authentication is set to mandatory on the virtual server.
    • The client certificate configured in the IE browser is not signed with the SHA256 hash algorithm.

XML API

  • Issue ID 0321005: The API to set the hostname for a NetScaler appliance is changed to include the owner node parameter for a cluster node.

Build 72.5

Release version: Citrix® NetScaler®, version 10 build 72.5

Replaces build: None

Release date: November 2012

Release notes version: 4.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (nCore and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes

Configuration Utility

  • Issue ID 0317403: On the Monitoring tab, when you disable a virtual server or a service, a confirmation window is displayed to confirm the disable operation.

Content Switching

  • Issue ID 0248750: In this release, for a content switching policy that uses a default syntax rule, you can specify the target load balancing virtual server in a content switching action. In the content switching action, you can specify the name of the target load balancing virtual server, or you can configure a request-based expression that, at run time, computes the name of the load balancing virtual server to which to send the request. The expression option can drastically reduce the size of your content switching configuration, because you need only one policy per content switching virtual server. Content switching policies that use an action can also be bound to multiple content switching virtual servers, because the target load balancing virtual server is no longer specified in the content switching policy. The ability to bind a single policy to multiple content switching virtual servers helps to further reduce the size of your content switching configuration.

    You can also, for a content switching policy that uses a default syntax rule, specify the target load balancing virtual server when binding the policy to a content switching virtual server, as you would in earlier releases, without the need for a separate action. For domain-based and URL-based policies, an action is not available, and you continue to specify the name of the target load balancing virtual server when binding the policy to a content switching virtual server.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-cs-basicconfig-actions-tsk.html.

Load Balancing

  • Issue ID 0345300: If a UDP connection that is being managed by a load balancing virtual server of type UDP, SIP_UDP, DNS, RADIUS, or ANY is blocked pending a decision on persistence, and the associated protocol control block is freed before all the NetScaler buffers that reference the protocol control block are processed, the appliance might fail.

SSL

  • Issue ID 0236585: You can now load a certificate bundle containing one server certificate, up to nine intermediate certificates, and optionally, a server key. Separate steps for loading and linking the certificates are no longer required.
  • Issue ID 0338862: If you unbind all the cipher suites from a user-defined cipher group by using the command line, the user-defined cipher group is not deleted from the appliance.

Bug Fixes

AAA Application Traffic

  • Issue IDs 0272417 and 0344661: SSO using 401-based authentication fails when an initial user request is redirected to another URL.
  • Issue ID 0345220: If a AAA virtual server is configured for two-factor authentication with RADIUS challenge/response in a single-signon (SSO) environment, with the SSO name extracted from the primary authentication service and the second factor from RADIUS challenge/response, the wrong user name might be extracted. This can result in intermittent authentication failures.

Access Gateway

  • Issue ID 0330636: When users log on with the Access Gateway Plug-in to an nCore Access Gateway appliance, occasionally when server-initiated connections occur, depending on the core through which the traffic is passed, the user device may fail.
  • Issue IDs 0332483 and 0336091: If you have a VLAN configuration on the NetScaler appliance, when users log on with the Access Gateway Plug-in, occasionally server-initiated connections to the user device fail.
  • Issue ID 0337609: When you integrate Access Gateway with a SharePoint site, after users log on successfully, when they open a Microsoft Office document, the session ends and the logon page appears.
  • Issue IDs 0340122 and 0337613: After users upgrade to Access Gateway 10, Build 70.7, if you have a high availability configuration that includes an FTP server, when users log on with the Access Gateway Plug-in and initiate an FTP session, occasionally Access Gateway fails on both primary and secondary appliances while the FTP connection is active.
  • Issue ID 0348694: If a published application is configured to require a user name with both capital and lower-case letters and is configured for single sign-on, after users log on with the Access Gateway Plug-in with the same user name, when they open a published desktop from the Web Interface and try to open the published application, they are prompted to enter their credentials again.
  • Issue ID 0349178: After users log on to the StoreFront-based store remotely over Access Gateway from a browser and then select Log out under the user's name on the page, a page appears with the message "Logoff is successful" and includes a Log on button. If users click Log on, the StoreFront store-based web page is available again and authentication is not required.

AppFlow

  • Issue ID 0344666: When the AppFlow policy evaluation fails, the NetScaler appliance sometimes continues to attempt AppFlow logging, which causes the appliance to fail.

Application Firewall

  • Issue ID 0346118: If sessionless form field consistency is enabled, a memory leak can fill up the NetScaler appliance's memory.
  • Issue ID 0346384: If the Start URL feature is configured to use an uploaded HTML error object instead of an error URL, the start URL feature cannot block access to "/" even if you exclude "/" from the start URLs list.

CloudBridge

  • Issue ID 0325718 (nCore): The amount of memory allocated to a packet engine can be retrieved by using the show ns stat command (value of InUseMemory) or by SNMP polling (value of resMemUsage). The InUseMemory and resMemUsage values for the same packet engine did not match, because different methods were used to calculate the allocated memory. This mismatch is now resolved, and both methods return the correct value.

Cluster

  • Issue ID 0343514: The cluster instance view in the configuration utility does not display which node is the configuration coordinator.

Configuration Utility

  • Issue ID 0329547 (nCore): In some cases, the value to which you set the prefetchPeriodMilliSec parameter for a cache content group might not be saved in the nsconfig file.
  • Issue ID 0332839: If you access the configuration utility through Internet Explorer 8, the System > Settings > Configure TCP Parameters dialog box has no spaces between field names and fields.
  • Issue ID 0334292: If you navigate to HTTP Compression > Policies or HTTP Compression > Actions, the 'Remove' button is disabled in the task pane.
    Note: You can access the command line interface from the configuration utility. Navigate to System > Diagnostics > Command Line interface.
  • Issue ID 0335701: You cannot add an SSL service with the Clear Text Port option in the configuration utility, because the option is disabled.
  • Issue ID 0336854: When you open a log file in the Syslog messages viewer, all the logs are not displayed when the uncompressed log file size is more than 10 MB.
  • Issue ID 0342735: Users might not be able to enable or disable NTP synchronization by using the configuration utility.
  • Issue ID 0345828: When you log on to the NetScaler configuration utility by using certain versions of Internet Explorer 8, the web browser does not load the configuration utility.
  • Issue ID 0346060: When you access the NetScaler configuration utility from a client environment using JRE 7, in certain configurations, the NetScaler configuration utility displays an "Operation in Progress" message when you open a load balancing virtual server configuration.

Content Switching

  • Issue ID 0315161: A NetScaler appliance fails under the following sequence of events:
    1. You associate an HTTP load balancing virtual server with an HTTP profile and a backup load balancing virtual server of type TCP.
    2. You configure a content switching virtual server to switch requests on the basis of content switching policies, and you set the load balancing virtual server as a target for the content switching virtual server.
    3. The HTTP load balancing virtual server goes down.
    4. When the content switching virtual server receives a request, it happens to select the load balancing virtual server.
    5. Because the HTTP virtual server is down, the content switching virtual server selects the backup load balancing virtual server, which is of type TCP.
    6. The appliance attempts to access the HTTP profile, which cannot be associated with a load balancing virtual server of type TCP.
  • Issue ID 0344944: When you remove a content switching virtual server, the NetScaler appliance fails to remove some or all of the configuration information that binds load balancing virtual servers to the content switching virtual server. Consequently, if the state of a load balancing virtual server changes, the appliance attempts to update the state of the content switching virtual server, which no longer exists. When attempting such a state update, the appliance fails.

Domain Name System

  • Issue IDs 0330529 and 0322151: The following message might be displayed if you disable a virtual server-based DNS name server: 'ERROR: Name server does not exist. [nsnet_recvrpcioctl]'

Global Server Load Balancing

  • Issue ID 0308555: In certain scenarios, if the primary and backup GSLB methods are static proximity and dynamic RTT, respectively, requests for domain name resolution are not processed correctly. As a result, the appliance can fail.

Integrated Caching

  • Issue ID 0331520: After an upgrade to 10.0, the NetScaler appliance might occasionally fail because of internal memory handling issues.

Load Balancing

  • Issue ID 0333200: If rule based persistence is configured for a load balancing virtual server, and the virtual server receives traffic from a content switching virtual server, the load balancing virtual server’s persistence sessions expire at the end of the configured timeout period, even if new requests arrive before session expiry.

Load Balancing/AAA Application Traffic

  • Issue ID 0346093: The traffic management policy hit count shows no hits ("0"), even when traffic management policies are functioning and matching traffic.

Monitoring

  • Issue ID 0339736: The NetScaler appliance might fail when generating the SNMP trap described in the following scenario:
    • You set the response timeout threshold parameter for a monitor that is bound to a domain based service.
    • You configure the MONITOR-RTO-THRESHOLD SNMP alarm on the NetScaler appliance.
    • The response timeout threshold is exceeded by a domain based service, and the appliance attempts to generate the monRespTimeoutAboveThresh trap.

Networking

  • Issue ID 0334312: During a warm restart of the NetScaler appliance, a daemon might fail to start. After not receiving heartbeats from the daemon, the Pitboss process restarts the appliance.
  • Issue ID 0336136: If a NetScaler appliance acting as a DHCP relay agent receives DHCP Discover traffic that is not from a Layer 3 VLAN, the appliance might disconnect from the default gateway and remain disconnected for some time.
  • Issue ID 0336886: When a VIP with OSPF LSA TYPE-1 exists on the NetScaler appliance, any new VIPs configured with TYPE-5 are saved as TYPE-1.
  • Issue ID 0341895: The state of the IPSEC tunnel becomes DOWN and SA reformation/rekeying does not happen after the IKE lifetime expires.
  • Issue ID 0343578: The NetScaler appliance drops an ARP request if it arrives on a VLAN to which two different subnets are bound and the source IP address and the destination IP address in the ARP request packet belong to these different subnets bound to the VLAN.

Policies

  • Issue ID 0291487: NetScaler appliances that are running version 9.2 build 52.1 or later and that have a large number (in the hundreds) of policy bindings can experience performance issues on 'save ns config' and 'show config' operations. This can lead to interruption in services.
  • Issue IDs 0332600 and 0335877: The running configuration does not show the command used to bind a policy to a load balancing virtual server, in the following scenarios:
    • When a policy is globally bound.
    • When a service is bound to the same load balancing virtual server.

SSL

  • Issue ID 0302532: The NetScaler appliance fails if all of the following conditions are met:
    • A certificate revocation list (CRL) is present and linked with a CA certificate, and the CA certificate is continuously updated.
    • The CRL is uploaded by using HTTP, and auto refresh is enabled on the CRL.
    • Client authentication is enabled. Therefore, the client is verified for every GET request.

System

  • Issue ID 0241964: The SNMP engine ID does not get saved to the ns.conf file after the configurations are saved. Hence the engine ID is not retained across reboots. Also, the default SNMP engine ID is not displayed on issuing the 'show snmp engineid' command.
  • Issue ID 0306237: If the number of dynamic services running on the NetScaler appliance exceeds 64k, any service created cannot be accessed, even after the number of services is less than 64k.
  • Issue ID 0334585: The NetScaler appliance runs out of memory when processing the traffic management logout URL.

Web Interface

  • Issue ID 0341459: An invalid argument error is thrown when you try to create a web interface site with default access method selected as 'GatewayDirect' and authentication point selected as 'Web Interface'.

Known Issues and Workarounds

AAA Application Traffic

  • Issue ID 0283556: Currently, the SAML implementation supports only RSA digital signatures. DSA digital signatures are not supported.
  • Issue ID 0303507: NetScaler automatic domain join is failing with Likewise 6.1. If you attempt to create a Kerberos authentication action, the attempt fails with the following error message:

    LsaAdJoinDomain (40041) Invalid parameter

    To work around this issue, at the NetScaler command line open a Unix shell, and then type the following command to manually join the domain:

    /opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>

    Note: You must issue this command after each reboot.
  • Issue ID 0310205: If you attempt to kill a user session by using the username parameter with either the NetScaler command line 'kill session' command or the configuration utility, the session is not terminated on either the NetScaler appliance or the client.

Access Gateway

  • Issue ID 92543/0251596: After you configure Access Gateway to provide user connections through Citrix Receiver, when users right-click the Receiver icon in the notification area, the 'Log on' option does not appear. Users must connect by using the Web browser or they must right-click the Receiver icon. Then, depending on the version of Receiver they are using, they must click 'About' or 'Preferences' and 'Plug-in Status' or 'Advanced'. You can also enable the log on option to appear when users right-click the Receiver icon by adding the following settings in the registry:
    • Add the Receiver key (if the key does not already exist) under the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\
      • HKEY_LOCAL_MACHINE\Software\Citrix\
    • Add the Inventory key in the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
      • HKEY_LOCAL_MACHINE\Software\Citrix\Receiver
    • In the 'Inventory' key, configure the following 'REG_SZ' values:
      • VPNAddress. Provide the value as the Web address for the Access Gateway appliance; for example, https://<AccessGatewayFQDN>.
      • VPNPrompt1. Provide the value as 'UserName'.
      • VPNPrompt2. Provide the value as 'Password'.

        In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as 'REG_SZ':

      • VPNPrompt3. Provide the value as 'Passcode'.
  • Issue ID 0261547: When you enable Access Gateway as a reverse proxy and you enable basic preauthentication and post-authentication scans, as well as encryption and client choices, when users log on with the Access Gateway Plug-in, the preauthentication scan passes, but the post-authentication scan fails.
  • Issue ID 0275079: When users access applications published on XenApp, each user consumes multiple Access Gateway licenses per application. Instead, one session ID should be shared across the applications the user accesses. As a result, users exceed their allocated license count and an SSL error occurs.
  • Issue ID 0278218: If you configure an endpoint policy, the preauthentication policy runs as expected. When users try to log on with the Access Gateway Plug-in, however, occasionally the post-authentication policy does not work as expected and authentication fails.
  • Issue ID 0285995: If you configure Access Gateway to assign an intranet IP address to user devices that connect to Access Gateway, when users log on with the Access Gateway Plug-in, the secure DNS dynamic update does not occur and the intranet IP address is not registered with the DNS Server.
  • Issue ID 0288469: After you configure a virtual server to use the Access Gateway Plug-in for Java, when users log on with the Access Gateway Plug-in by using a browser that has a 64-bit Java Runtime Environment (JRE) installed, the plug-in fails to establish a connection.
  • Issue ID 0291264: If you create a Web Interface 5.4 site and enable authentication through Access Gateway, and you enable single sign-on with a smart card to the Web Interface that enables smart card pass-through, when users log on with the Access Gateway Plug-in, the users' desktops are not listed on the Web Interface.
  • Issue ID 0291821: If you create a Web Interface 5.4 site and enable authentication with a smart card through Access Gateway, and you configure the 'Single Sign-on Domain' on the 'Published Applications' tab using the format domainname.com instead of domainname, when users start a published application or desktop, authentication fails.
  • Issue ID 0292005: When users connect with clientless access and try to download a file larger than 1 gigabyte (GB) from the file share on the home page, as the file is downloading, if an upload is attempted, the download process fails but the upload continues.
  • Issue ID 0298971: When users log on with the Access Gateway Plug-in for Java and the Web Interface opens in Internet Explorer 9, if users do not turn on Compatibility View in Internet Explorer, when they click a published application, the following error appears: Resource shortcuts are not available.
  • Issue ID 0299515: If you configure an intranet IP address on Access Gateway, when users connect with the Access Gateway Plug-in on a computer running Windows XP Service Pack 3 and try to access a CIFS share hosted on a computer in the secure network, users receive an error that the share is inaccessible.
  • Issue ID 0300511: When users log on using clientless access and click a bookmark from the home page to open a Distributed File Share (DFS), if the target folder resides on a different computer than the computer where the domain DFS server resides, the share does not open.
  • Issue ID 0309017: When you configure a preauthentication and post-authentication policy with an expression to scan a user device for a file, Access Gateway does not check for expression syntax. As a result, Access Gateway accepts inappropriate syntax configuration and the scan fails.
  • Issue ID 0327433: If you configure a virtual server by using the Remote Access wizard and configure a Secure Ticket Authority (STA), the status of the server appears as UP. However, in the configuration utility, on the Home tab, under Alerts, a message states that the STA server is not configured. You must bind the server globally in order to clear the message.
  • Issue ID 0337886: If users select Automatically detect settings in Internet Explorer on a computer running Windows XP, when users log on with the Access Gateway Plug-in and then log off from Access Gateway, the Automatically detect settings check box is not restored to the previously configured setting.
  • Issue ID 0338451: If hundreds of concurrent sessions occur, the generation of a support file takes several hours.
  • Issue ID 0340346: If you configure a session time-out setting, after users connect to Access Gateway, even though the session expires according to the value you enter, the actual process of closing the session takes longer.

AppExpert

  • Issue ID 0323436: The NetScaler configuration utility can display a maximum of 4500 bound patterns of a pattern set.

AppFlow

  • Issue ID 0327439: AppFlow records generated by the NetScaler appliances cannot be seen on Splunk.
  • Issue ID 0333560 (nCore): AppFlow records generated by the NetScaler appliance might contain junk characters.

Application Firewall

  • Issue ID 0272715: If you use the Google Chrome browser with the default Chrome PDF plugin to view the PCI-DSS report, certain links and pages do not render correctly.

    Workaround: Disable Chrome PDF and install the Adobe Acrobat Reader plugin for Chrome.

  • Issue ID 0282932: If you use the Signature Editor to add a signature rule for a response-side check (such as the Credit Card or Safe Object check), in addition to one or more response patterns you must also add at least one request pattern. If you do not, then when you try to save the new signature rule, the configuration utility displays an error message and does not save the rule.
  • Issue ID 0283780: If you enable the sessionless URL closure feature, you must also enable the URL closure feature. If you do not, the sessionless URL closure feature does not work.
  • Issue ID 0284009: If sessionless URL closure is enabled, and Validate Referer Header is set to If Present, a spurious Referer header check error is generated and logged when a web form with an action URL is submitted. If blocking is enabled for the Start URL check, then requests that contain web forms with action URLs are blocked. To work around this issue, if you configure Sessionless URL Closure, set Validate Referer Header to Off.
  • Issue ID 0303044: Only QualysGuard WAS 1.0 scan reports are supported for importing as application firewall signature rules. WAS 2.0 scan reports are not supported.
  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

Cache Redirection

  • Issue ID 0287688: If you set the L2Conn parameter for a cache redirection virtual server before you finish setting up the cache redirection configuration (including the other participating entities, such as the load balancing virtual server and the services that should be bound to the load balancing virtual server), the NetScaler appliance sends clients the SYN-ACK segments that it receives from the cache or origin servers during connection establishment with those servers. Clients respond to the SYN-ACK segments with a TCP RESET. Consequently, the requests are dropped.

    Workaround: Enable the L2Conn parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.

Cluster

  • Issue ID 0343137: The configuration utility does not display the "Add" button while configuring linksets.

Configuration Utility

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

  • Issue ID 0269337: If you use the Google Chrome browser, with the toolbars installed, to access the configuration utility, the toolbars distort the views.

    Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.

  • Issue ID 0278002: If you use the configuration utility to enable or disable an extended ACL or ACL6, the utility does not warn you that the change does not take effect until you apply ACLs.
  • Issue ID 0278097: In the configuration utility, if you click 'Application Firewall' in the navigation pane, the scroll bar moves up and the subnodes of the Application Firewall node disappear. You have to scroll down to view the subnodes.
  • Issue ID 0303279: In the configuration utility, in the Rewrite Policies pane, clicking Add does not display the Create Rewrite Policy dialog box but disables the main configuration utility window.
  • Issue ID 0307039: The expression builder dialog does not show the possible functions in the following scenarios:
    • When '.' is entered after the (<expression>)
    • When '.' is entered in the expression which is used as function parameter.
  • Issue ID 0323172: The NetScaler configuration utility cannot group the neighbors according to the cluster node to which they belong. This issue is observed only in a cluster setup.

    Workaround: You must use the 'show nd6' command to view the neighbors node-wise.

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
  • Issue ID 0324797: The NetScaler configuration utility does not display the queue depth value for the configured priority queuing policies. This issue is observed only in a cluster setup.

    Workaround: You can view the queue depth of the policy by using the 'show pq policy' command on the command line interface.

  • Issue ID 0333048: Using the Configuration Utility in Internet Explorer version 8, when you attempt to bind 250 or more VIP addresses to a VLAN, the Configuration Utility displays an unresponsive script error.
  • Issue ID 0333745: When you access the NetScaler configuration utility from a Mac machine, the keyboard shortcut keys may be unresponsive. In the NetScaler configuration utility, shortcut keys work differently in Java and HTML views. For example, in Java-based views, the shortcut keys for the copy and paste functions are <CTRL C> and <CTRL V>, and in HTML-based views they are <CMD C> and <CMD V>.

    Workaround: Use the <CTRL key> shortcut keys if the <CMD key> shortcut keys are not working, and vice versa. For example, if the <CTRL C> shortcut key is not working, use <CMD C>, and vice versa.

  • Issue ID 0333834: If the PDF reader plug-in is not set in your browser and you try to open an HTML document from the Downloads tab of the NetScaler configuration utility, you are prompted to open the document in Adobe Reader.
  • Issue ID 0334042: The configuration utility does not display a details panel for all the entities.

    Workaround: Click 'Edit' to display the details.

  • Issue ID 0335013: If no services are configured for a DNS view, and you use Windows Internet Explorer 9 to view the 'Create DNS View' dialog box, the 'Service(s) in this view' and 'Policy(s) in this view' lists in the dialog box are not rendered correctly. The display issue is resolved if at least one service is configured for the DNS view.
  • Issue ID 0335526: If you access the configuration utility through an Internet Explorer browser that has the Java Runtime Environment (JRE) disabled, an error occurs.

    Workaround: Make sure that at least one JRE is present and enabled under the Java Runtime Environment Settings, in the Java console, on the Java tab.

  • Issue ID 0338513: When you log on to the NetScaler configuration utility by using Internet Explorer 8 or Internet Explorer 9, the web browser displays a blank screen because the browser is displaying the page in Compatibility View.

    Workaround: Change to the standard view, in the Compatibility View Settings dialog box, by clearing the Display all websites in Compatibility View check box.

  • Issue ID 0349813: If you use the configuration utility to unbind all the cipher suites from a user-defined SSL cipher group, the user-defined cipher group is deleted from the appliance.
  • Issue ID 0352307: If you access the NetScaler configuration utility from a Mac machine with a client environment running JRE 1.7 or later, you cannot select the fields in the Java based configuration views.

    Workaround: If you click outside and return to the browser window, you will be able to select the fields in the configuration views.

  • Issue ID 0353015: Load balancing virtual servers that belong to AppExpert applications are displayed in nodes other than the AppExpert node, wherever the configuration utility displays a list of load balancing virtual servers that are configured on the NetScaler appliance. For example, load balancing virtual servers that belong to AppExpert applications are displayed in the Available Virtual Servers list in the dialog boxes that are used to configure persistency groups (Load Balancing > Persistency Groups > Add), and in the Target LB Virtual Server list in the Create Content Switching Action dialog box (Content Switching > Actions > Add > Target LB Virtual Server > Name option button).

Documentation

  • Issue ID 0277923: The documentation for the Content Switching feature states that if a policy that is bound to a content switching virtual server evaluates to TRUE, and the policy's Goto expression specifies END, policy evaluation terminates at that policy. However, the documentation does not mention that, if the content switching virtual server has a default virtual server, the request is forwarded to the default load balancing virtual server when policy evaluation is terminated.

Domain Name System

  • Issue ID 0301348: Even though the NetScaler user interface allows you to create DNS policy labels, the DNS policy label functionality is not supported in this release.

Global Server Load Balancing

  • Issue IDs 0287825 and 0287827: If the master node and slave node in a Global Server Load Balancing (GSLB) configuration are running different NetScaler releases, the site synchronization process fails when the master node is collecting GSLB configuration information from the slave node. The issue is specific to NetScaler releases 9.2, 9.3, and 10. The issue occurs if one node (either the master or the slave) is running NetScaler release 10 and the other node is running NetScaler release 9.2 or 9.3.
  • Issue ID 0291053: The NetScaler appliance does not rewrite responses that are DNSSEC-enabled and/or sent over TCP. So, when a security-aware DNS server sends the NetScaler appliance a DNSSEC-enabled NXDOMAIN response, or when a DNS server sends the appliance an NXDOMAIN response over TCP, the appliance relays the negative response to the client and caches the negative response. For subsequent requests for the same non-existent domain, the appliance responds with the cached, DNSSEC-enabled response, even if the clients are security-oblivious or use UDP. This behavior is expected, and ensures that all clients receive the same response.
  • Issue ID 0326001: If a GSLB virtual server’s primary GSLB method is set to round trip time (RTT) and backup GSLB method is set to static proximity, or if the primary GSLB method is set to static proximity and backup GSLB method is set to RTT, and source IP persistence is enabled, when the primary GSLB method fails, the backup GSLB method also fails.

    Workaround: If you use RTT as the primary GSLB method, do not use static proximity as the backup GSLB method. Similarly, if you use static proximity as the primary GSLB method, do not use RTT as the backup GSLB method.

Load Balancing

  • Issue ID 0278377 (nCore): Cache policy labels cannot be bound to MYSQL or MSSQL virtual servers.
  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the 'show lb persistentSessions' CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'client.tcp.payload(n)', and a request is received in multiple parts such that there is a delay between the parts and a FIN is sent from client before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91711/0250846: If the string (or 'token') that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR('string2').AFTER_STR('string1') if the string that is enclosed by 'string1' and 'string2' is not larger than 64 KB.
  • Issue ID 94405/0258207: If you specify a persistence rule for a load balancing virtual server without specifying a persistence type or setting the load balancing method to TOKEN, the NetScaler appliance discards the rule without checking its validity. This behavior is by design.

Load Balancing/SSL

  • Issue ID 0331621: While creating SSL or load balancing virtual servers with default responder action, the NetScaler appliance throws a 'No such resource' error. This issue is observed only in a cluster setup.

NetScaler SDX Appliance

  • Issue ID 0261232: If you set the date on the Management Service to an earlier date, the inventory and stats are not updated in the Management Service user interface.

    Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type:

    # /etc/rc.d/svmd restart

  • Issue ID 0337386: When restored from a backup, a NetScaler instance reverts to the release and build in which it was originally provisioned, even if the backup was taken from an upgraded configuration.

Networking

  • Issue ID 0276933: When you change the next hop parameter of a PBR for IPv4 traffic, the new hop is taken into account even if you have not applied the PBRs.
  • Issue IDs 0283035 and 0299716: In a cluster setup, the 'bind vlan' command throws an error when interface and IP address are specified together.
  • Issue ID 0288450: The 'show lacp' command does not display the lacp configurations. This issue is observed only in a cluster setup.
  • Issue ID 0316144: In a cluster setup, the Precision Time Protocol (PTP) time across cluster nodes is not synchronized when PTP packets are dropped because of the backplane switch or if the physical resources are over-committed in a virtual environment.
    Workaround:
    • Disable PTP using the command 'set ptp -state disable' and configure NTP to synchronize the time across the cluster nodes.
    • If the backplane switch is like the Extreme switch, disable the multicast PTP packets from reaching the CPU by using the following command (this might cause some relevant features, such as routing, from not working):

      ipmcforwarding to-cpu off ports 41-48 <backplane-interfaces>

Rewrite

  • Issue ID 0305831: The man pages for add and set rewrite action do not include xpath_html (xp<delimiter>xpath expression<delimiter>) as a search expression.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 0283661: In a cluster setup, if you add an SSL certificate on the configuration coordinator, and immediately execute the add certkey command, the command succeeds on the configuration coordinator but might fail on the other cluster nodes if the certificates on the configuration coordinator are not synchronized with the other cluster nodes before the command is executed.

    Workaround: Copy the certkey to the /nsconfig/ssl/ folder on all the cluster nodes, or confirm that the certificates are synchronized, before executing the add certkey command on the configuration coordinator.

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
  • Issue ID 0352334: The TLS protocol version 1.2 handshake fails if all the following conditions are met:
    • The client browser is Internet Explorer.
    • Client authentication is set to mandatory on the virtual server.
    • The client certificate configured in the Internet Explorer browser is not signed with the SHA256 hash algorithm.

XML API

  • Issue ID 0321005: The API to set the hostname for a NetScaler appliance is changed to include the owner node parameter for a cluster node.

Build 71.6

Release version: Citrix® NetScaler® release 10 build 71.6

Replaces build: None

Release date: October 2012

Release notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (nCore and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes

Configuration Utility

  • Issue ID 0319070: The Setup wizard is not launched automatically if a mapped IP (MIP) address or a Subnet IP (SNIP) address is not configured on the NetScaler appliance.

NetScaler SDX Appliance

  • Issue ID 0332251: You can now configure LACP from within a NetScaler VPX instance hosted on a NetScaler SDX appliance. Make sure that the interfaces that are part of the channel are not shared with other instances, and a dedicated channel is configured for an instance. For more information, see Configuring LACP on a NetScaler VPX Instance.

Bug Fixes

AAA Application Traffic

  • Issue ID 0319434: If 401 basic authentication is enabled on a load balancing virtual server, and authentication fails either due to invalid credentials or a Kerberos authentication failure, the NetScaler packet engine might crash.

Access Gateway

  • Issue ID 82828/0243556: You can configure a forced time-out to disconnect the Access Gateway Plug-in automatically with a value (in minutes) that exceeds 255. You can now enter a value as high as 3,000 (in minutes, which is equivalent to 50 hours).
  • Issue ID 0331288: When split tunneling is OFF and users try to connect with an Access Gateway Plug-in, host routes added by the plug-in may occasionally block communication between the Internet IP address and the Domain Name Server. Users may experience network connectivity issues, such as the inability to access file shares on the network.
  • Issue ID 0329113: When you configure Intranet IP addresses on Access Gateway and bind the addresses to a virtual server, the bound IP addresses do not appear in the configuration utility.
  • Issue ID 0329603: When you enable a preauthentication scan and enable the user device to connect through a proxy server, Access Gateway fails when users log on with the Access Gateway Plug-in for Mac OS X Version 2.1.3.
  • Issue ID 0336499: When users log on to Access Gateway by using Citrix Receiver and then log off by using the Receiver icon in the taskbar, the computer loses network access. To restore network access, users must either disable and then enable their network interface or restart their computer. To avoid the issue, users can log off from the Access Interface home page.
  • Issue ID 0338220: If you configure client certificate-based expressions for preauthentication or post-authentication scans, the scan occasionally fails when users try to log on to Access Gateway. To avoid the issue, you can use the classic or MPX 5500 platforms or you can bind the certificate-based policy globally to a virtual server.

Application Firewall

  • Issue ID 0329401: On a NetScaler appliance that has the Application Firewall enabled and both cookie transformation and encryption on, secure memory usage increases slowly and continuously until the NetScaler appliance starts to drop connections.
  • Issue ID 0332176: On a NetScaler appliance that has the Application Firewall enabled, user logons can be extremely slow. The cause is that a back-end server does not set a Content-Length header that the NetScaler expects. As a result the NetScaler appliance does not close the connection with the user's browser. To work around this issue, you can do one of the following:
    • Add a rewrite policy to the configuration that appends a content-length header of zero ('Content-Length: 0') to the logon page.
    • Disable the application firewall.
  • Issue ID 0333332: When signatures that work on post body are enabled, a large post request may cause an HA failover.
  • Issue ID 0335102: On a NetScaler appliance that has the Application Firewall enabled, adding a large number of signatures objects can cause high CPU loads.

CloudBridge

  • Issue ID 0313629: When the time on a NetScaler is changed, either by the Network Time Protocol Daemon (NTPD) or by other external factors, to a time earlier than the boot time, the iked process may start consuming 100% of CPU resources.
  • Issue ID 0334949: If you use the configuration utility to remove an IPv4 tunnel for CloudBridge from a NetScaler appliance, the remove process succeeds but the following Java exception is displayed: 'ClassNotFoundException'.

Cluster

  • Issue ID 0332594: The RIP (Routing Information Protocol) and Cache Redirection features cannot be enabled in a NetScaler cluster setup.

Configuration Utility

  • Issue ID 93754/0257608: When you view the configuration difference between files, the corrective commands generated for bind or unbind commands of load balancing and content switching virtual servers might not be accurate in some cases.
  • Issue ID 0305248: In the Reporting tool, when users try to generate a 'system entities statistics' report for load balancing virtual servers, the load balancing virtual servers configured on the appliance might be displayed as being inactive. Users cannot choose the virtual server to view the statistics.
  • Issue ID 0310203: In the Reporting tool, when users try to generate a custom report for load balancing virtual servers, the virtual servers might be displayed as being inactive. Users cannot choose the virtual server to view the statistics.
  • Issue ID 0333577: When configuring the Transformation URL Profile, an error occurs if you set Priority to a value higher than 2147483647 (maximum allowed value).
  • Issue ID 0333836: If you have configured global server load balancing by using the GSLB wizard, Wizard for Citrix XenApp, or Wizard for Citrix XenDesktop, and you attempt to view the GSLB Visualizer, Prefuse information might be logged to the Java console. However, you can view the GSLB Visualizer, and the functionality is not affected.
  • Issue ID 0334280: After you rename a compression policy, the new name might not be reflected in the configuration utility.
  • Issue ID 0334284: If you navigate to HTTP Compression > Policies and click Policy Manager in the task pane, the following error message might appear: No such policy exists.
  • Issue ID 0334773: In the Synchronize 'GSLB Configuration' dialog box, the Command parameter is unavailable when the 'Synchronization Option' parameter is set to its default value (automatic synchronization).
  • Issue ID 0335008: The exception 'netscape.javascript.JSException' is logged to the Java console when you create a DNS key by using the NetScaler configuration utility. However, the DNS key is created, and there is no loss in functionality.
  • Issue ID 0335235: The NetScaler configuration utility does not show globally bound AppFlow policies in the policy manager. This issue is observed only in a cluster setup.
  • Issue ID 0335701: You cannot add an SSL service with the Clear Text Port option in the configuration utility, because the option is disabled.
  • Issue ID 0335719: The exception 'netscape.javascript.JSException' is logged to the Java console when you sign a DNS zone by using the NetScaler configuration utility, and the browser’s status bar does not report the status of the zone-signing operation. However, the zone is signed, and there is no loss in functionality.
  • Issue ID 0335913: In a cluster setup, you cannot enable a server entry that is disabled, because the 'Enable' button is unavailable. However, you can disable a server entry by using the NetScaler command line interface.

Domain Name System

  • Issue IDs 0268748 and 0333310: In a cluster setup, if you save the configuration and reboot an appliance, the default name-server records for the thirteen root servers, and their associated address records, become unavailable. If you need them, you have to add them manually after you perform a reboot.
  • Issue ID 0318199: If core memory is not available when the NetScaler appliance is processing an RRSIG record received in a response, the appliance fails.
  • Issue ID 0319100: Default DNS actions, policies, and policy bindings are not displayed in a cluster setup.

Integrated Caching

  • Issue ID 0334895: On a NetScaler appliance configured with five policy engines, responses might not be cached even if memory is available for caching.
  • Issue ID 0337446: When a byte-range request sent to integrated cache is larger than the size of cached object and the if-range header is also set, the NetScaler appliance fails.

Load Balancing

  • Issue ID 0314738: If you issue the 'force HA sync -force' command when HA synchronization is disabled on both nodes, the services on the secondary node are marked as DOWN. The services remain in that state until after a failover. When a failover occurs, the failover of some services might be delayed by a few seconds while monitors learn the actual states of those services. Until the monitors learn and correct the states, new connections to those services might be rejected. Consequently, you might also observe a brief period of outage following a failover.
  • Issue ID 0318310: While creating a load balancing monitor, you cannot specify a send string that has a length of more than 76 characters. This issue is observed only in a cluster setup.
  • Issue ID 0336400: In a two-node cluster that has been configured with a small number of services, if you restart a node or disable and reenable a node, the node might indefinitely remain in the service-state-synchronization stage.

NetScaler SDX Appliance

  • Issue ID 0331900: If you try to upload a file larger than 300 MB to the NetScaler SDX appliance, the upload fails.
  • Issue ID 0332313: 100 percent CPU usage is observed when the Management Service takes the daily backup.
  • Issue ID 0332819: If you try to create a high availability pair between two VPX instances without explicitly logging on to the second instance, an error message appears.
  • Issue ID 0334340: If you upgrade the Management Service on which a NetScaler instance with a description of greater than 32 characters is provisioned, the instance is not migrated, and therefore, complete data related to the instance is not available in the database. Later, if you delete this instance and provision a new instance with the same IP address, the operation fails.
  • Issue ID 0337090: A NetScaler VPX instance provisioned on an SDX appliance might fail if a warm restart is performed on the instance.

Networking

  • Issue ID 0322026: In an L2 DSR configuration, packets arriving on the loop back interface are dropped even when the traffic rate on the interface is low.

Platform

  • Issue ID 0321989: NetScaler release 10 build 71.x is supported on the new MPX 5550/5650 platforms.

Policies

  • Issue ID 0291975: The SYS.VSERVER('<vserver_name>').THROUGHPUT expression returns an incorrect throughput value.
  • Issue ID 0337576: The NetScaler might become unresponsive if you used a request URL with encoding (for example, using %20) in an expression to the left of ALT, &&, or ||, and clauses to the right used strings. In addition, if the request URL was concatenated with another string, the final result would incorrectly contain a decoded URL, not the encoded one.
  • Issue ID 0338916: Policies that are bound to policy labels are not available in the ns.conf file after saving the configurations. As a result, these bindings are lost after the appliance is rebooted.

SSL

  • Issue ID 0257122: The close-notify parameter setting for an entity no longer has to be inherited from the global settings. You can set the close-notify parameter at the entity (virtual server, service, or service group) level. This enhancement provides the flexibility to set this parameter for one entity and unset it for another entity. However, make sure that you set this parameter at the global level. Otherwise, the setting at the entity level does not apply.
  • Issue ID 0336920: On a cluster setup, replicating session entries across the nodes of the cluster is not supported.

System

  • Issue ID 0277102: When you execute the 'show events' command, the NetScaler appliance might fail if the number of events to be displayed is more than 2^31.
  • Issue ID 0333385: A hash collision might put the NetScaler aggregator into a recursive loop, causing the aggregator to fail. The NetScaler appliance might also fail, because of the aggregator failure.
  • Issue ID 0336838: If HTML Injection and EdgeSight Monitoring are enabled on a NetScaler appliance and an HTTP request with a blank referer header is received, the appliance fails.
  • Issue ID 0338244: The CallHome feature checks for compact flash drive and hard disk drive errors every six minutes instead of every six hours. If any errors are found, the appliance's data is uploaded to the Citrix Technical Support server.

Known Issues and Workarounds

AAA Application Traffic

  • Issue ID 0303507: NetScaler automatic domain join fails with Likewise 6.1. If you attempt to create a Kerberos authentication action, the attempt fails with the following error message:

    LsaAdJoinDomain (40041) Invalid parameter

    To work around this issue, at the NetScaler command line open a Unix shell, and then type the following command to manually join the domain:

    /opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>

    Note: You must issue this command after each reboot.
  • Issue ID 0310205: If you attempt to kill a user session by using the username parameter with either the NetScaler command line 'kill session' command or the configuration utility, the session is not terminated on either the NetScaler appliance or the client.
  • Issue ID 0327446: On an Outlook for Web Access (OWA) 2010 server that is protected by AAA-TM with single sign-on (SSO) enabled, when a user who uses the Firefox or Chrome browsers logs off, some OWA 2010 images do not appear.
  • Issue ID 0334363: In the Citrix NetScaler configuration utility, when a user clicks the AAA-Application Traffic Wizard link, the configuration utility displays the error message 'Unknown Error'. The browser is then frozen until the session times out.

Access Gateway

  • Issue ID 0340346: If you configure a session time-out setting, after users connect to Access Gateway, even though the session expires according to the value you enter, the actual process of closing the session takes longer.
  • Issue ID 0278218: If you configure an endpoint policy, the preauthentication policy runs as expected. When users try to log on with the Access Gateway Plug-in, however, occasionally the post-authentication policy does not work as expected and authentication fails.
  • Issue ID 0327433: If you configure a virtual server by using the Remote Access wizard and configure a Secure Ticket Authority (STA), the status of the server appears as UP. However, in the configuration utility, on the Home tab, under Alerts, a message states that the STA server is not configured. You must bind the server globally in order to clear the message.
  • Issue ID 0275079: When users access applications published on XenApp, each user consumes multiple Access Gateway licenses per application. Instead, one session ID should be shared across the applications the user accesses. As a result, users exceed their allocated license count and an SSL error occurs.
  • Issue ID 92543/0251596: After you configure Access Gateway to provide user connections through Citrix Receiver, when users right-click the Receiver icon in the notification area, the 'Log on' option does not appear. Users must connect by using the Web browser or they must right-click the Receiver icon. Then, depending on the version of Receiver they are using, they must click 'About' or 'Preferences' and 'Plug-in Status' or 'Advanced'. You can also enable the log on option to appear when users right-click the Receiver icon by adding the following settings in the registry:
    • Add the Receiver key (if the key does not already exist) under the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\
      • HKEY_LOCAL_MACHINE\Software\Citrix\
    • Add the Inventory key in the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
    • In the 'Inventory' key, configure the following 'REG_SZ' values:
      • VPNAddress. Provide the value as the Web address for the Access Gateway appliance; for example, https://<AccessGatewayFQDN>.
      • VPNPrompt1. Provide the value as 'UserName'.
      • VPNPrompt2. Provide the value as 'Password'.

        In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as 'REG_SZ':

      • VPNPrompt3. Provide the value as 'Passcode'.
  • Issue ID 0261547: When you enable Access Gateway as a reverse proxy and you enable basic preauthentication and post-authentication scans, as well as encryption and client choices, when users log on with the Access Gateway Plug-in, the preauthentication scan passes, but the post-authentication scan fails.
  • Issue ID 0285995: If you configure Access Gateway to assign an intranet IP address to user devices that connect to Access Gateway, when users log on with the Access Gateway Plug-in, the secure DNS dynamic update does not occur and the intranet IP address is not registered with the DNS Server.
  • Issue ID 0288469: After you configure a virtual server to use the Access Gateway Plug-in for Java, when users log on with the Access Gateway Plug-in by using a browser that has a 64-bit Java Runtime Environment (JRE) installed, the plug-in fails to establish a connection.
  • Issue ID 0291264: If you create a Web Interface 5.4 site and enable authentication through Access Gateway, and you enable single sign-on with a smart card to the Web Interface that enables smart card pass-through, when users log on with the Access Gateway Plug-in, the users' desktops are not listed on the Web Interface.
  • Issue ID 0291821: If you create a Web Interface 5.4 site and enable authentication with a smart card through Access Gateway, and you configure the 'Single Sign-on Domain' on the 'Published Applications' tab using the format domainname.com instead of domainname, when users start a published application or desktop, authentication fails.
  • Issue ID 0292005: When users connect with clientless access and try to download a file larger than 1 gigabyte (GB) from the file share on the home page, as the file is downloading, if an upload is attempted, the download process fails but the upload continues.
  • Issue ID 0298971: When users log on with the Access Gateway Plug-in for Java and the Web Interface opens in Internet Explorer 9, if users do not turn on Compatibility View in Internet Explorer, when they click a published application, the following error appears: Resource shortcuts are not available.
  • Issue ID 0299515: If you configure an intranet IP address on Access Gateway, when users connect with the Access Gateway Plug-in on a computer running Windows XP Service Pack 3 and try to access a CIFS share hosted on a computer in the secure network, users receive an error that the share is inaccessible.
  • Issue ID 0300511: When users log on using clientless access and click a bookmark from the home page to open a Distributed File Share (DFS), if the target folder resides on a different computer than the computer where the domain DFS server resides, the share does not open.
  • Issue ID 0309017: When you configure a preauthentication and post-authentication policy with an expression to scan a user device for a file, Access Gateway does not check for expression syntax. As a result, Access Gateway accepts inappropriate syntax configuration and the scan fails.

AppExpert

  • Issue ID 0323436: The NetScaler configuration utility can display a maximum of 4500 bound patterns of a pattern set.

AppFlow

  • Issue ID 0333560 (nCore): AppFlow records generated by the NetScaler appliance might contain junk characters.

Application Firewall

  • Issue ID 0282932: If you use the Signature Editor to add a signature rule for a response-side check (such as the Credit Card or Safe Object check), in addition to one or more response patterns you must also add at least one request pattern. If you do not, then when you try to save the new signature rule, the configuration utility displays an error message and does not save the rule.
  • Issue ID 0284009: If sessionless URL closure is enabled, and Validate Referer Header is set to If Present, a spurious Referer header check error is generated and logged when a web form with an action URL is submitted. If blocking is enabled for the Start URL check, then requests that contain web forms with action URLs are blocked. To work around this issue, if you configure Sessionless URL Closure, set Validate Referer Header to Off.
  • Issue ID 0303044: Only QualysGuard WAS 1.0 scan reports are supported for importing as application firewall signature rules. WAS 2.0 scan reports are not supported.
  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

Cache Redirection

  • Issue ID 0287688: If you set the 'L2Conn' parameter for a cache redirection virtual server before you finish setting up the cache redirection configuration (including the other participating entities, such as the load balancing virtual server and the services that should be bound to the load balancing virtual server), the NetScaler appliance sends clients the SYN-ACK segments that it receives from the cache or origin servers during connection establishment with those servers. Clients respond to the SYN-ACK segments with a TCP RESET. Consequently, the requests are dropped.

    Workaround: Enable the 'L2Conn' parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.

Cluster

  • Issue ID 0343514: The cluster instance view in the configuration utility does not display which node is the configuration coordinator.
  • Issue ID 0343137: The configuration utility does not display the "Add" button while configuring linksets.

Configuration Utility

  • Issue ID 92269/0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

  • Issue ID 0269337: If you use the Google Chrome browser, with the toolbars installed, to access the configuration utility, the toolbars distort the views.

    Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.

  • Issue ID 0278002: If you use the configuration utility to enable or disable an extended ACL or ACL6, the utility does not warn you that the change does not take effect until you apply ACLs.
  • Issue ID 0278097: In the configuration utility, if you click 'Application Firewall' in the navigation pane, the scroll bar moves up and the subnodes of the Application Firewall node disappear. You have to scroll down to view the subnodes.
  • Issue ID 0303279: In the configuration utility, in the 'Rewrite Policies' pane, clicking 'Add' does not display the 'Create Rewrite Policy' dialog box but disables the main configuration utility window.
  • Issue ID 0307039: The expression builder dialog does not show the possible functions in the following scenarios:
    • When '.' is entered after the (<expression>)
    • When '.' is entered in the expression which is used as function parameter.
  • Issue ID 0323172: The NetScaler configuration utility cannot group the neighbors according to the cluster node to which they belong. This issue is observed only in a cluster setup.

    Workaround: You must use the 'show nd6' command to view the neighbors node-wise.

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
  • Issue ID 0324797: The NetScaler configuration utility does not display the queue depth value for the configured priority queuing policies. This issue is observed only in a cluster setup.

    Workaround: You can view the queue depth of the policy by using the 'show pq policy' command on the command line interface.

  • Issue ID 0332839: If you access the configuration utility through Internet Explorer 8, the System > Settings > Configure TCP Parameters dialog box has no spaces between field names and fields.
  • Issue ID 0333048: Using the Configuration Utility in Internet Explorer version 8, when you attempt to bind 250 or more VIP addresses to a VLAN, the Configuration Utility displays an unresponsive script error.
  • Issue ID 0333745: When you access the NetScaler configuration utility from a Mac machine, the keyboard shortcut keys may be unresponsive. In the NetScaler configuration utility, shortcut keys work differently in Java and HTML views. For example, in Java based views, shortcut keys for the copy-paste functions are <CTRL C> and <CTRL V> and in HTML based views they are <CMD C> and <CMD V>.

    Workaround: Use the <CTRL key> shortcut keys if the <CMD key> shortcut keys are not working and vice-versa. For example, if the <CTRL C> shortcut key is not working, use <CMD C> and vice-versa.

  • Issue ID 0333834: If the PDF reader plug-in is not set in your browser and you try to open an HTML document from the Downloads tab of the NetScaler configuration utility, you are prompted to open the document in Adobe Reader.
  • Issue ID 0334042: The configuration utility does not display a details panel for all the entities.

    Workaround: Click 'Edit' to display the details.

  • Issue ID 0334292: If you navigate to HTTP Compression > Policies or HTTP Compression > Actions, the 'Remove' button is disabled in the task pane.

    Workaround: Use the command line interface to remove the policy or action.

    Note: You can access the command line interface from the configuration utility. Navigate to System > Diagnostics > Command Line interface.
  • Issue ID 0335013: If no services are configured for a DNS view, and you use Windows Internet Explorer 9 to view the 'Create DNS View' dialog box, the 'Service(s) in this view' and 'Policy(s) in this view' lists in the dialog box are not rendered correctly. The display issue is resolved if at least one service is configured for the DNS view.
  • Issue ID 0335526: If you access the configuration utility through an Internet Explorer browser that has the Java Runtime Environment (JRE) disabled, an error occurs.

    Workaround: Make sure that at least one JRE is present and enabled under the Java Runtime Environment Settings, in the Java console, on the Java tab.

  • Issue ID 0335701: You cannot add an SSL service with the Clear Text Port option in the configuration utility, because the option is disabled.
  • Issue ID 0338513: When you log on to the NetScaler configuration utility using Internet Explorer 8 or Internet Explorer 9, the web browser displays a blank screen because the browser is displaying the compatibility view.

    Workaround: Change to the standard view, in the Compatibility View Settings dialog box, by clearing the Display all websites in Compatibility View check box.

  • Issue ID 0342735: Users might not be able to enable or disable NTP synchronization using the configuration utility.

    Workaround: Use the command-line interface to enable or disable NTP synchronization.

Documentation

  • Issue ID 0277923: The documentation for the Content Switching feature states that if a policy that is bound to a content switching virtual server evaluates to TRUE, and the policy's Goto expression specifies END, policy evaluation terminates at that policy. However, the documentation does not mention that, if the content switching virtual server has a default virtual server, the request is forwarded to the default load balancing virtual server when policy evaluation is terminated.

Domain Name System

  • Issue ID 0301348: Even though the NetScaler user interface allows you to create DNS policy labels, the DNS policy label functionality is not supported in this release.
  • Issue IDs 0330529 and 0322151: The following message might be displayed if you disable a virtual server-based DNS name server: 'ERROR: Name server does not exist. [nsnet_recvrpcioctl]'

Global Server Load Balancing

  • Issue IDs 0287825 and 0287827: If the master node and slave node in a Global Server Load Balancing (GSLB) configuration are running different NetScaler releases, the site synchronization process fails when the master node is collecting GSLB configuration information from the slave node. The issue is specific to NetScaler releases 9.2, 9.3, and 10. The issue occurs if one node (either the master or the slave) is running NetScaler release 10 and the other node is running NetScaler release 9.2 or 9.3.
  • Issue ID 0291053: The NetScaler appliance does not rewrite responses that are DNSSEC-enabled and/or sent over TCP. So, when a security-aware DNS server sends the NetScaler appliance a DNSSEC-enabled NXDOMAIN response, or when a DNS server sends the appliance an NXDOMAIN response over TCP, the appliance relays the negative response to the client and caches the negative response. For subsequent requests for the same non-existent domain, the appliance responds with the cached, DNSSEC-enabled response, even if the clients are security-oblivious or use UDP. This behavior is expected, and ensures that all clients receive the same response.
  • Issue ID 0326001: If a GSLB virtual server’s primary GSLB method is set to round trip time (RTT) and backup GSLB method is set to static proximity, or if the primary GSLB method is set to static proximity and backup GSLB method is set to RTT, and source IP persistence is enabled, when the primary GSLB method fails, the backup GSLB method also fails.

    Workaround: If you use RTT as the primary GSLB method, do not use static proximity as the backup GSLB method. Similarly, if you use static proximity as the primary GSLB method, do not use RTT as the backup GSLB method.

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the 'show lb persistentSessions' CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'client.tcp.payload(n)', and a request is received in multiple parts such that there is a delay between the parts and a FIN is sent from the client before the expected number of bytes (n) is received, the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91711/0250846: If the string (or 'token') that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR('string2').AFTER_STR('string1') if the string that is enclosed by 'string1' and 'string2' is not larger than 64 KB.
  • Issue ID 94405/0258207: If you specify a persistence rule for a load balancing virtual server without specifying a persistence type or setting the load balancing method to TOKEN, the NetScaler appliance discards the rule without checking its validity. This behavior is by design.
  • Issue ID 0278377 (nCore): Cache policy labels cannot be bound to MYSQL or MSSQL virtual servers.

Load Balancing/SSL

  • Issue ID 0331621: While creating SSL or load balancing virtual servers with a default responder action, the NetScaler appliance throws a 'No such resource' error. This issue is observed only in a cluster setup.

NetScaler SDX Appliance

  • Issue ID 0261232: If you set the date on the Management Service to an earlier date, the inventory and stats are not updated in the Management Service user interface.
    Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type:
    #/etc/rc.d/svmd restart
  • Issue ID 0337386: When restored from a backup, a NetScaler instance reverts to the release and build in which it was originally provisioned, even if the backup was taken from an upgraded configuration.

Networking

  • Issue ID 0276933: When you change the next hop parameter of a PBR for IPv4 traffic, the new hop is taken into account even if you have not applied the PBRs.
  • Issue IDs 0283035 and 0299716: In a cluster setup, the 'bind vlan' command throws an error when interface and IP address are specified together.
  • Issue ID 0288450: The 'show lacp' command does not display the lacp configurations. This issue is observed only in a cluster setup.
  • Issue ID 0316144: In a cluster setup, the Precision Time Protocol (PTP) time across cluster nodes is not synchronized when PTP packets are dropped because of the backplane switch or if the physical resources are over-committed in a virtual environment.
    Workaround:
    • Disable PTP using the command 'set ptp -state disable' and configure NTP to synchronize the time across the cluster nodes.
    • If the backplane switch is like the Extreme switch, prevent the multicast PTP packets from reaching the CPU by using the following command (this might prevent some relevant features, such as routing, from working):

      ipmcforwarding to-cpu off ports 41-48 <backplane-interfaces>

Rewrite

  • Issue ID 0305831: The man pages for add and set rewrite action do not include xpath_html (xp<delimiter>xpath expression<delimiter>) as a search expression.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 0283661: In a cluster setup, if you add an SSL certificate on the configuration coordinator, and immediately execute the add certkey command, the command succeeds on the configuration coordinator but might fail on the other cluster nodes if the certificates on the configuration coordinator are not synchronized with the other cluster nodes before the command is executed.

    Workaround: Copy the certkey under the /nsconfig/ssl/ folder on all the cluster nodes, or confirm that the certificates are synchronized before executing the add certkey command on the configuration coordinator.

XML API

  • Issue ID 0321005: The API to set the hostname for a NetScaler appliance is changed to include the owner node parameter for a cluster node.

Build 70.7

Release version: Citrix® NetScaler® release 10 build 70.7

Replaces build: None

Release date: September 2012

Release notes version: 4.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (nCore and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Changes and Fixes

AAA Application Traffic

  • Issue ID 0327114: On a NetScaler appliance with NetScaler 10 build 69.4 nc installed, if you use the configuration utility to configure authentication on a load-balancing virtual server, the following error message appears:

    No Authentication Host specified

    The configuration utility then removes the authentication host from the configuration. This behavior occurs regardless of whether you are configuring authentication host settings on the virtual server for the first time, or modifying existing authentication host settings on the virtual server.

Access Gateway

  • Issue ID 0308733: If you configure Access Gateway with additional appliances in which global server load balancing (GSLB) is enabled, when users log on with the Access Gateway Plug-in, occasionally the connection times out, a time-out error appears, such as 'Your Citrix Access Gateway session timed-out and you are not connected,' and the session disconnects.
  • Issue ID 0319901: If you enable Integrated Caching and Web Interface on NetScaler on an Access Gateway appliance, and then change the URL for the Web Interface, Access Gateway might fail.
  • Issue ID 0320210: When users connect with the Access Gateway Plug-in on a computer running Windows XP, the Group Policy Object is not applied.
  • Issue ID 0321425: If you configure a virtual server with a default authentication type by using the Access Gateway wizard, and Access Gateway restarts, the configuration is not maintained and authentication fails.
  • Issue ID 0329621: If you configure an endpoint policy and bind the policy to a virtual server, the preauthentication policy is not working as expected. Users with devices that meet the requirements may not be able to log on to Access Gateway.

AppFlow

  • Issue ID 0288343: You can now configure the source IP address (SNIP or MIP address) to be used for AppFlow traffic. When you add an AppFlow collector by using the add appflow collector command, you can use the -netprofile option to associate a netprofile to which the source IP address is bound. By default, the AppFlow exporter uses the NSIP address as the source IP address if you do not specify the -netprofile option.
    > add appflow collector <col_name> -IPAddress <IP_addr> [-netprofile {netprofile_name}]
  • Issue ID 0311033 (nCore): AppFlow records can now log X-Forwarded-For HTTP header information. You can enable the logging with the set appflow param -httpXForwardedFor ENABLED command or by using the configuration utility.
  • Issue ID 0313091: AppFlow records might not display the start time of the current transaction. Instead, they display the start time of the previous transaction due to reuse of connections.
  • Issue ID 0320239 (nCore): HTTP method names might be occasionally truncated in the AppFlow records.

Application Firewall

  • Issue ID 0299940: The change profile type command does not work correctly.
    • If you try to change a profile type to Web 2.0, the profile type remains HTML.
    • If you try to change a profile type to XML, the Profile Type field disappears completely.

    When you use the configuration utility to change the profile type, the profile type is actually changed correctly, but the display is incorrect. When you use the NetScaler command line, the actual profile type is set as shown above.

  • Issue ID 0302294: Learned relaxations are sometimes not removed from the review list after they have been deployed. To manually remove a learned relaxation that has already been deployed, in the Manage Learned Rules dialog box select the relaxation and then click Skip.
  • Issue ID 0329539 (nCore): On a NetScaler appliance with the application firewall enabled, occasionally the NetScaler appliance crashes when retrieving a page from a protected web site that sets one or more cookies.
  • Issue ID 0330642: On a NetScaler appliance with both the Application Firewall and Integrated Caching features enabled, the NetScaler appliance might experience occasional resets when its memory fills up. The cause is a small memory leak.
  • Issue ID 0331112 (nCore): In the NetScaler 9.3 58.2.nc build, when applying the HTML or XML SQL Injection check the application firewall does not transform special strings even when Transformation is enabled. This issue was fixed in build 58.4.nc.

Cache Redirection

  • Issue ID 0328353: When you use the configuration utility to bind a cache redirection policy to a cache redirection virtual server, the policy is added to the content switching (CSW) policy tab instead of cache redirection (CRD) policy tab. If you try to resolve this issue by using the CR virtual server wizard, the following error message appears: 'Please specify Target.'
  • Issue ID 0330033: Tabs for filter/compression policy bindings are not displayed for a cache redirection virtual server, and it is not possible to bind those policies to a cache redirection virtual server.
  • Issue ID 0330139: If you use the configuration utility to unset a cache virtual server for a cache redirection virtual server, the process fails and the following error message appears: invalid argument.

Call Home

  • Issue ID 0311617: When upgrading the NetScaler appliance to 10.70 or a later build, the appliance prompts you to enable the Call Home feature.

Cloud Gateway

  • Issue ID 0327119: When you create policy rules from the configuration utility, an error occurs and the policies are not configured.

Configuration Utility

  • Issue ID 0298686 (nCore): If the details pane contains too many records to display on one screen, the header row moves off the screen if you scroll down.
  • Issue ID 0311358: The NetScaler configuration utility fails to load when accessed from Internet Explorer version 7 browser running on Windows 2003 or Windows XP.
  • Issue ID 0314769: When the certificate used to sign the JAR files expires, the application's digital signature cannot be verified. An error is displayed when the user tries to access the NetScaler GUI.
  • Issue ID 0319061: The configuration utility does not throw the 'Feature not supported' prompt when configuring the following unsupported features on a NetScaler cluster: Bridge groups, Network Bridge, VMAC6, and FIS.
  • Issue ID 0322821: When the SRADV (Static Route Advertisement) mode is ON, the static routes which are not explicitly disabled for advertisement will be advertised using all the routing protocols. However, the advertised protocols column for route in the configuration utility does not show any protocol list. This issue is observed only in a cluster setup.
  • Issue ID 0322894: The configuration utility displays an inappropriate error message when adding a forwarding session that has an invalid subnet mask. This issue is observed only in a cluster setup.
  • Issue ID 0322914: When the IP is not resolved for a hostname based SNMP manager, the 'Resolved IP' column of the SNMP Manager table is shown as blank instead of 'Unresolved IP'. This issue is observed only in a cluster setup.
  • Issue ID 0323175: The configuration utility displays a negative value for the index of the data set or pattern set, when the index is set to its maximum value. The command line interface displays the correct value.
  • Issue ID 0325400: After adding a local authentication policy by using the configuration utility, the request profile field is showing blank. By default, the request profile must be Local. This issue is observed only in a cluster setup.
  • Issue ID 0326018: The dashboard does not display the Precision Time Protocol (PTP) counters for the cluster node. This issue is observed only in a cluster setup.
  • Issue ID 0326354: In System > Settings > Change global system settings, regardless of the base threshold value configured for surge protection, the value is displayed as 0. This issue is observed only in a cluster setup.
  • Issue ID 0326413: An error occurs if you use the NetScaler configuration utility to configure a large preauthentication policy (for example, a policy with 900 characters).
  • Issue ID 0327136: The configuration utility does not allow you to set the 'Max Clients' parameter of a service to its maximum value of 4294967294. This issue is observed only in a cluster setup.
  • Issue ID 0327551: In the configuration utility, all features appear to be enabled even when the features are disabled.
  • Issue ID 0328660: In the configuration utility, when you view the virtual server persistence sessions, a persistence type setting of DIAMETER is displayed as SOURCE IP.
  • Issue ID 0328715: In the configuration utility, the details of the monitor bound to a service do not include response codes for a monitor of type DIAMETER.
  • Issue ID 0328747: In the Reporting tool, when users try to generate 'system entities statistics' report for GSLB domains, the GSLB domain names configured on the appliance might not be displayed in the entities list.
  • Issue ID 0328844: While configuring the OCSP responder through the configuration utility, the default value of the HTTP response timeout is erroneously taken as 0ms. The default value of the HTTP response timeout must be 2000ms. This issue is observed only in a cluster setup.
  • Issue ID 0329154: In System > Auditing > Recent audit messages, when you set number of audit messages to be displayed to 256 (maximum allowed value), a 'Value entered is out of range' error message is displayed on clicking Refresh. This issue is observed only in a cluster setup.
  • Issue ID 0329826: If you use the configuration utility to view the license for features, warning messages are seen for the features that are licensed but not supported. This issue is observed only in a cluster setup.
  • Issue ID 0331158: When you access NetScaler configuration utility from Internet Explorer 8 or Internet Explorer 9, the web browser displays only a grey bar at the top of the screen as the browser is displaying the compatibility view.
  • Issue ID 0331604: If you access a load balancing virtual server after a NOPOLICY is bound to it, the configuration utility might display the following error: 'no such policy exists'
  • Issue ID 0332795: On systems that have JRE 1.6.0_24 and 1.7.0_06, the configuration utility cannot load the Java applet. Therefore, you cannot perform any operations on the configuration utility.
  • Issue ID 0332876: When you use the configuration utility to change the password of a user, the Change Password dialog displays the encrypted password in the Password and Confirm Password fields.
  • Issue ID 0333026: On a system running the Windows 7, 64-bit operating system, the configuration utility cannot load the Java applet. Therefore, you cannot perform any operations on the configuration utility.

Content Switching

  • Issue ID 0230903: The content switching feature now supports the ability to bind a policy to multiple virtual servers or policy labels. To support multiple policy bind functionality, the target load balancing virtual server is specified in the action and attached to the policy. This enhancement enables you to reuse an existing policy by binding it to the virtual servers. You can also combine multiple policies in a policy label and apply the policy label to the virtual server.
  • Issue ID 0330045: The configuration changes made by using the bind cs vserver and bind cs policylabel commands are not saved in the configuration file. Therefore, the CS policy bindings are lost the first time the NetScaler appliance is restarted after an upgrade to release 10.
  • Issue ID 0330290: You cannot use the configuration utility to bind a content switching policy to a content switching virtual server if the policy is configured with only a domain value. The bind fails, and the following error message appears: 'Priority cannot be specified for URL-based content switching policy.'
  • Issue ID 0331029: If you use the configuration utility to open a content switching virtual server that has a default policy bound to it, the process fails and the following error message appears: No Such Resource.

DataStream

  • Issue ID 0323442: The DataStream feature does not support dynamic stored procedures. Consequently, dynamic stored procedures fail if they use the sp_prepexec and sp_prepare stored procedures.

Global Server Load Balancing

  • Issue ID 0324486: When creating a local GSLB site in the NetScaler configuration utility, if you set the Trigger Monitors option to MEPDOWN, the GSLB site does not appear in the details pane until after you click 'Refresh'.
  • Issue ID 0326364: Even though a GSLB virtual server is configured with the static proximity method, and some requests match a DNS policy whose action uses a DNS view to restrict matching requests to only a subset of the bound services, the NetScaler appliance uses the round robin method to load balance requests across all of the GSLB services that are bound to the GSLB virtual server. The issue can occur if the locations that correspond to the source IP addresses in the DNS requests are not found in the location database.
  • Issue ID 0328911: When configuring monitoring for a GSLB service by using the NetScaler configuration utility, if you include monitors that cannot be used with GSLB services (for example, ARP monitors) along with monitors that can be used with GSLB services (for example, TCP monitors), the configuration utility displays an error message for the invalid monitor bindings, but the valid bindings succeed. When you unbind an invalid monitor from the service, the message 'Error' is displayed. No further information is provided in the message.

Integrated Caching

  • Issue ID 0329485: When the NetScaler appliance responds to a byte range request, it might get into an infinite loop for one specific request, which might cause the appliance to fail.

Load Balancing

  • Issue ID 0314738: If you issue the 'force HA sync -force' command when HA synchronization is disabled on both nodes, the services on the secondary node are marked as DOWN. The services remain in that state until after a failover. When a failover occurs, the failover of some services might be delayed by a few seconds while monitors learn the actual states of those services. Until the monitors learn and correct the states, new connections to those services might be rejected. Consequently, you might also observe a brief period of outage following a failover.
  • Issue ID 0323317: The configuration commands for binding views to GSLB services are not shown in the output of the show ns runningConfig or show gslb runningConfig commands. Additionally, the configuration commands are lost during a reboot or upgrade.
  • Issue ID 0323891: The NetScaler CLI and configuration utility display incorrect values for the following counters, which are used for monitoring services, including GSLB services:
    • Total number of monitoring probes sent
    • Total number of failed probes
    • Current number of failed probes
  • Issue ID 0324061: When you configure a SIP-UDP load balancing virtual server by using the NetScaler command-line interface, the default setting for persistence type is CALLID. However, when you use the configuration utility to configure a SIP-UDP virtual server, the default setting for persistence type is NONE.
  • Issue ID 0324576: The automatic domain based service group scaling option (the autoScale parameter) has been moved from the bind serviceGroup command to the add serviceGroup command. The possible values of the parameter have changed from YES and NO to DNS and DISABLED, respectively.
    To configure a service group to scale automatically, using the NetScaler command line, at the NetScaler command prompt, type the following command:
    add serviceGroup <serviceGroupName>@ <serviceType> -autoScale DNS

    To configure a service group to scale automatically, using the NetScaler configuration utility, go to Load Balancing > Service Groups > Add. In the Create Service Group dialog box, on the Advanced tab, from the Auto Scale Mode list, select DNS.

  • Issue ID 0329191 (nCore): If an AppExpert application that was used to load user configuration to the NetScaler appliance is removed, the appliance becomes unavailable.
  • Issue ID 0330276: The virtual router IDs (VRIDs) that are configured on the NetScaler appliance are not available in the Virtual Router ID list in the Create IP and Configure IP dialog boxes (Network > IPs > Add/Open). Consequently, you cannot use the configuration utility to bind a VRID to a virtual server.

Monitoring

  • Issue ID 0320571: The state of a service is shown as UP even when the service is down. Consequently, the NetScaler appliance continues to forward requests to that service, and clients do not receive responses to their requests.

NetScaler SDX Appliance

  • Issue ID 0326655: If you upgrade the Management Service from an earlier build to build 56.x or 57.x, restarting the appliance while data migration is in progress might corrupt your data contents.
  • Issue ID 0326663: In release 9.3, the upgrade process fails if you attempt to upgrade the Management Service from build 48.6 to build 56.5 or 57.5.
  • Issue ID 0326878: The Management Service shows duplicate entries for NetScaler VPX instances because of intermittent database connection failures. This is only a display issue. However, if a VPX instance is configured with an external authentication server for the nsroot (administrator) user, the authentication server might show several authentication failures.
  • Issue ID 0327984: You can now apply a hotfix for XenServer from the Management Service. On the Configuration tab, expand Management Service, and then click XenServer Files. In the details pane, click Hotfixes, and then click Upload. After uploading the hotfix to the appliance, click Apply. If an error occurs in the process of applying the hotfix, an error message displays the cause of the problem.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in release 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2

    Perform a warm reboot for the above change to take effect.

  • Issue ID 0328540: After you install the initial NetScaler virtual appliance, if you try to save the configuration and licenses are not present on the appliance, the appliance becomes unresponsive. Restart the appliance and load the licenses. Restart the appliance again for the changes to take effect. Then save the configuration.
  • Issue ID 0329966: After you install the initial NetScaler virtual appliance (.xva image) for build 69.4, if you run the 'save config' command and licenses are not present on the appliance, the appliance becomes unresponsive. Restart the appliance and load the licenses. Restart the appliance again for the changes to take effect. Then run the 'save config' command.

Networking

  • Issue ID 0321868: BGP does not advertise default route to the peer, with default-originate flag, if the state of a learnt default route toggles.
  • Issue ID 0324432: The NetScaler appliance forwards (L3 mode) certain response packets with IP header checksum value 0xFFFF, which is an invalid value according to RFC 1624. As a result, the router drops these packets.
  • Issue ID 0330118: OSPF maximum age link-state advertisements (LSAs) are not removed from the NetScaler appliance because the maximum age walker process is suspended indefinitely.
  • Issue ID 0330165: After upgrading the NetScaler appliance to 10.69.4 build, the appliance does not learn an ARP entry from an ARP reply packet if the MAC addresses in the Ethernet header (Source MAC) and ARP header (Sender MAC) of the ARP reply packet are different.

Platform

  • Issue ID 0276184: NetScaler release 10 build 70.x is supported on the new MPX 8200/8400/8600 platforms.

Policy

  • Issue ID 0291487: NetScaler appliances that are running version 9.2 build 52.1 or later and have a large number (in the hundreds) of policy bindings can experience performance issues on 'save ns config' and 'show config' operations. This can lead to interruption in services.
  • Issue ID 0322964: Removed the 'unset audit syslogPolicy' and 'unset audit nslogPolicy' commands from NetScaler release 10 build 70 onwards.
  • Issue ID 0324700: Removed the 'unset filter policy' command from NetScaler release 10 build 70 onwards.

Responder

  • Issue ID 0324200 (nCore): On a NetScaler appliance with the responder feature configured to redirect requests from authenticated members of a particular group to a custom web page, the redirections sometimes fail. The reason is that, when the responder feature is invoked before the AAA session is completely established (as is the case when a user selects a choice after initial logon), the user's AAA session is not transferred from one core to the other. Responder therefore fails to identify the user as a member of the targeted group.
  • Issue ID 0330133: On a NetScaler appliance with the responder feature enabled and a respondWith response configured, if a user sends a request with a large Content-Length header, the NetScaler appliance might appear to hang. The cause of the apparent hang is that the NetScaler appliance expects a request of the specified Content-Length, and waits for the rest of the request before responding to it.

Rewrite

  • Issue ID 0301481: On a NetScaler appliance that has a response-side rewrite policy configured and bound to a load balancing virtual server, a request sent to the virtual server might trigger a sequence of events that causes the NetScaler appliance to fail.

SSL

  • Issue ID 0327173: The ciphers bound to an SSL virtual server are not displayed in the configuration utility.

System

  • Issue ID 0271783: If you configure an RNAT rule and enable the TCP proxy option for RNAT, the NetScaler appliance functions as a proxy for internal clients and maintains separate client-side and server-side connections. In certain scenarios, this behavior might result in a service type mismatch between the client-side and server-side connections, and the appliance might reboot with a core dump.
  • Issue IDs 0306352 and 0332253: When using the configuration utility or SSH to log on to the appliance, the "Connection limit to CFE exceeded" message might be displayed. This message is displayed if an earlier session was closed without logging out of the session.
  • Issue ID 0306660 (nCore): You can now use the 'set ns tcpparam connFlushIfNoMem <connFlushIfNoMem>' command on a NetScaler appliance to close existing connections if memory is not available for a new connection. When using this command, you must specify the type of connection to be closed. By default, this feature is disabled on the appliance.
  • Issue IDs 0312893 and 0331073: When you run the 'show run' command, the NetScaler appliance might fail even if you have permission to run the command.
  • Issue ID 0325665: An unrelated error code is displayed on executing the ‘set filter prebodyinjection/postbodyinjection’ commands.
  • Issue ID 0323190: In rare cases, the NetScaler appliance fails when some pages are recovered from the free queue before the page table scan is complete.
  • Issue ID 0327118: In the configuration utility, the minimum and maximum values allowed for the number of audit messages are incorrect. The maximum and minimum values displayed are 255 and 0, but the correct values are 256 and 1.
  • Issue ID 0330336 (nCore): IPv6 addresses might occasionally be captured in the audit log, even though IPv6 addresses are not configured.

Web Interface

  • Issue ID 0306731: If the Rewrite feature is not enabled, the Enable access through receiver client option for a Web Interface (WI) site does not work. This is because the functionality of the option depends on some rewrite policies on the appliance.
  • Issue ID 0315502: The Configuration Utility displays an error message when you try to disable the Web Interface feature.
  • Issue ID 0315951: If the Responder feature is not enabled, the Make Site Path Case Insensitive option for a Web Interface (WI) site does not work. This is because the functionality of the option depends on some Responder policies on the appliance.
  • Issue ID 0324373: In the Web Interface (WI) configuration wizard, for a WI site in gateway direct mode, the state of the Enable Access through Receiver Client option is shown selected even when there are no rewrite policies bound to the selected Access Gateway virtual server.
  • Issue ID 0331904: In the Web Interface (WI) configuration wizard, the Enable Access through Receiver Client option remains selected even when you try to clear the option.

Known Issues and Workarounds

AAA Application Traffic

  • Issue ID 0303507: NetScaler automatic domain join fails with Likewise 6.1. If you attempt to create a Kerberos authentication action, the attempt fails with the following error message:

    LsaAdJoinDomain (40041) Invalid parameter

    To work around this issue, at the NetScaler command line open a Unix shell, and then type the following command to manually join the domain:

    /opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>

    Note: You must issue this command after each reboot.
  • Issue ID 0310205: If you attempt to kill a user session by using the username parameter with either the NetScaler command line 'kill session' command or the configuration utility, the session is not terminated on either the NetScaler appliance or the client.
  • Issue ID 0327446: On an Outlook for Web Access (OWA) 2010 server that is protected by AAA-TM with single sign-on (SSO) enabled, when a user who uses the Firefox or Chrome browsers logs off, some OWA 2010 images do not appear.
  • Issue ID 0334363: In the Citrix NetScaler configuration utility, when a user clicks the AAA-Application Traffic Wizard link, the configuration utility displays an 'Unknown Error' error message. The browser is then frozen until the session times out.

Access Gateway

  • Issue ID 0249975: When users log on with the Access Gateway Plug-in, the 'File Transfer' tab on the Access Interface is available, but the 'File Transfer option' is not available if users right-click the Access Gateway icon in the notification area.
  • Issue ID 92543/0251596: After you configure Access Gateway to provide user connections through Citrix Receiver, when users right-click the Receiver icon in the notification area, the Log on option does not appear. Users must connect by using the Web browser or they must right-click the Receiver icon, click Preferences, and then click Plug-in status. You can also enable the log on option to appear when users right-click the Receiver icon by adding the following settings in the registry:
    • Add the Receiver key (if the key does not already exist) under the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\
      • HKEY_LOCAL_MACHINE\Software\Citrix\
    • Add the Inventory key in the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
    • In the 'Inventory key', configure the following 'REG_SZ' values:
      • VPNAddress. Provide the value as the Web address for the Access Gateway appliance; for example, https://<AccessGatewayFQDN>.
      • VPNPrompt1. Provide the value as 'UserName'.
      • VPNPrompt2. Provide the value as 'Password'.

        In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as 'REG_SZ':

      • VPNPrompt3. Provide the value as '*Passcode'.
  • Issue ID 0261547: When you enable Access Gateway as a reverse proxy and you enable basic preauthentication and post-authentication scans, as well as encryption and client choices, when users log on with the Access Gateway Plug-in, the preauthentication scan passes, but the post-authentication scan fails.
  • Issue ID 0275079: When users access applications published on XenApp, each user consumes multiple Access Gateway licenses per application. Instead, one session ID should be shared across the applications the user accesses. As a result, users exceed their allocated license count and an SSL error occurs.
  • Issue ID 0278218: If you configure an endpoint policy, the preauthentication policy runs as expected. When users try to log on with the Access Gateway Plug-in, however, occasionally the post-authentication policy does not work as expected and authentication fails.
  • Issue ID 0285995: If you configure Access Gateway to assign an intranet IP address to user devices that connect to Access Gateway, when users log on with the Access Gateway Plug-in, the secure DNS dynamic update does not occur and the intranet IP address is not registered with the DNS Server.
  • Issue ID 0288469: After you configure a virtual server to use the Access Gateway Plug-in for Java, when users log on with the Access Gateway Plug-in by using a browser that has a 64-bit Java Runtime Environment (JRE) installed, the plug-in fails to establish a connection.
  • Issue ID 0291264: If you create a Web Interface 5.4 site and enable authentication through Access Gateway, and you enable single sign-on with a smart card to the Web Interface that enables smart card pass-through, when users log on with the Access Gateway Plug-in, the users' desktops are not listed on the Web Interface.
  • Issue ID 0291821: If you create a Web Interface 5.4 site and enable authentication with a smart card through Access Gateway, and you configure the 'Single Sign-on Domain' on the 'Published Applications' tab using the format domainname.com instead of domainname, when users start a published application or desktop, authentication fails.
  • Issue ID 0292005: When users connect with clientless access and try to download a file larger than 1 gigabyte (GB) from the file share on the home page, as the file is downloading, if an upload is attempted, the download process fails but the upload continues.
  • Issue ID 0298971: When users log on with the Access Gateway Plug-in for Java and the Web Interface opens in Internet Explorer 9, if users do not turn on Compatibility View in Internet Explorer, when they click a published application, the following error appears: Resource shortcuts are not available.
  • Issue ID 0299515: If you configure an intranet IP address on Access Gateway, when users connect with the Access Gateway Plug-in on a computer running Windows XP Service Pack 3 and try to access a CIFS share hosted on a computer in the secure network, users receive an error that the share is inaccessible.
  • Issue ID 0300511: When users log on using clientless access and click a bookmark from the home page to open a Distributed File Share (DFS), if the target folder resides on a different computer than the computer where the domain DFS server resides, the share does not open.
  • Issue ID 0309017: When you configure a preauthentication and post-authentication policy with an expression to scan a user device for a file, Access Gateway does not check for expression syntax. As a result, Access Gateway accepts inappropriate syntax configuration and the scan fails.
  • Issue ID 0319607: If an authentication server and Access Gateway reside in the same domain, the appliance may fail.
  • Issue ID 0327433: If you configure a virtual server by using the Remote Access wizard and configure a Secure Ticket Authority (STA), the status of the server appears as UP. However, in the configuration utility, on the Home tab, under Alerts, a message states that the STA server is not configured. You must bind the server globally in order to clear the message.

AppExpert

  • Issue ID 0323436: The NetScaler configuration utility can display a maximum of 4500 bound patterns of a pattern set.

AppFlow

  • Issue ID 0333560 (nCore): AppFlow records generated by the NetScaler appliance might contain junk characters.

Application Firewall

  • Issue ID 0282932: If you use the Signature Editor to add a signature rule for a response-side check (such as the Credit Card or Safe Object check), in addition to one or more response patterns you must also add at least one request pattern. If you do not, then when you try to save the new signature rule, the configuration utility displays an error message and does not save the rule.
  • Issue ID 0284009: If sessionless URL closure is enabled, and Validate Referer Header is set to If Present, a spurious Referer header check error is generated and logged when a web form with an action URL is submitted. If blocking is enabled for the Start URL check, then requests that contain web forms with action URLs are blocked. To work around this issue, if you configure Sessionless URL Closure, set Validate Referer Header to Off.
  • Issue ID 0303044: Only QualysGuard WAS 1.0 scan reports are supported for importing as application firewall signature rules. WAS 2.0 scan reports are not supported.

Cache Redirection

  • Issue ID 0287688: If you set the L2Conn parameter for a cache redirection virtual server before you finish setting up the cache redirection configuration (including the other participating entities, such as the load balancing virtual server and the services that should be bound to the load balancing virtual server), the NetScaler appliance sends clients the SYN-ACK segments that it receives from the cache or origin servers during connection establishment with those servers. Clients respond to the SYN-ACK segments with a TCP RESET. Consequently, the requests are dropped.

    Workaround: Enable the L2Conn parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.

CloudBridge

  • Issue ID 0334949: If you use the configuration utility to remove an IPv4 tunnel for CloudBridge from a NetScaler appliance, the remove process succeeds but the following Java exception is displayed: 'ClassNotFoundException'.

Cluster

  • Issue ID 0332594: The RIP (Routing Information Protocol) and Cache Redirection features cannot be enabled in a NetScaler cluster setup.

Configuration Utility

  • Issue ID 0251344: If you upgrade from an earlier build to a later build within release 9.2 or release 9.3, or upgrade from release 9.2 to release 9.3, or upgrade from an earlier release to release 10, the time zone settings may be lost on upgrade.

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

  • Issue ID 0269337: If you use the Google Chrome browser, with the toolbars installed, to access the configuration utility, the toolbars distort the views.

    Workaround: Hide the toolbars in the Chrome browser when you access the configuration utility.

  • Issue ID 0278002: If you use the configuration utility to enable or disable an extended ACL or ACL6, the utility does not warn you that the change does not take effect until you apply ACLs.
  • Issue ID 0278097: In the configuration utility, if you click Application Firewall in the navigation pane, the scroll bar moves up and the subnodes of the Application Firewall node disappear. You have to scroll down to view the subnodes.
  • Issue ID 0307039: The expression builder dialog does not show the possible functions in the following scenarios:
    • When '.' is entered after the (<expression>)
    • When '.' is entered in the expression which is used as function parameter.
  • Issue ID 0319070: The Setup wizard is not launched automatically if a mapped IP (MIP) address or a Subnet IP (SNIP) address is not configured on the NetScaler appliance.
  • Issue ID 0323172: The NetScaler configuration utility cannot group the neighbors according to the cluster node to which they belong. This issue is observed only in a cluster setup.

    Workaround: You must use the 'show nd6' command to view the neighbors node-wise.

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
  • Issue ID 0324797: The NetScaler configuration utility does not display the queue depth value for the configured priority queuing policies. This issue is observed only in a cluster setup.

    Workaround: You can view the queue depth of the policy by using the 'show pq policy' command on the command line interface.

  • Issue ID 0332839: If you access the configuration utility through Internet Explorer 8, the 'System' > 'Settings' > 'Configure TCP Parameters' dialog box has no spaces between field names and fields.
  • Issue ID 0333048: Using the Configuration Utility in Internet Explorer version 8, when you attempt to bind 250 or more VIP addresses to a VLAN, the Configuration Utility displays an unresponsive script error.
  • Issue ID 0333834: If the PDF reader plug-in is not set in your browser and you try to open an HTML document from the Downloads tab of the NetScaler configuration utility, you are prompted to open the document in Adobe Reader.
  • Issue ID 0333836: If you have configured global server load balancing by using the GSLB wizard, Wizard for Citrix XenApp, or Wizard for Citrix XenDesktop, and you attempt to view the GSLB Visualizer, Prefuse information might be logged to the Java console. However, you can view the GSLB Visualizer, and the functionality is not affected.
  • Issue ID 0334042: The configuration utility does not display a details panel for all the entities.

    Workaround: Select the entity and click 'Open' to display the details.

  • Issue ID 0333745: When you access the NetScaler configuration utility from a Mac machine, the keyboard shortcut keys may be unresponsive. In the NetScaler configuration utility, shortcut keys work differently in Java and HTML views. For example, in Java-based views, the shortcut keys for the copy and paste functions are <CTRL C> and <CTRL V>, and in HTML-based views they are <CMD C> and <CMD V>.

    Workaround: Use the <CTRL key> shortcut keys if the <CMD key> shortcut keys are not working, and vice versa. For example, if the <CTRL C> shortcut key is not working, use <CMD C>, and vice versa.

  • Issue ID 0334280: After you rename a compression policy, the new name might not be reflected in the configuration utility.

    Workaround: Refresh the page to see the renamed policy.

  • Issue ID 0334284: If you navigate to HTTP Compression > Policies and click 'Policy Manager' in the task pane, the following error message might appear: No such policy exists.

    Workaround: Refresh the page and try again.

  • Issue ID 0334292: If you navigate to HTTP Compression > Policies or HTTP Compression > Actions, the Remove button is disabled in the task pane.

    Workaround: Use the command line interface to remove the policy or action.

    Note: You can access the command line interface from the configuration utility. Navigate to System > Diagnostics > Command Line interface.
  • Issue ID 0334773: In the Synchronize GSLB Configuration dialog box, the Command parameter is unavailable when the Synchronization Option parameter is set to its default value (automatic synchronization).
  • Issue ID 0335008: The exception 'netscape.javascript.JSException' is logged to the Java console when you create a DNS key by using the NetScaler configuration utility. However, the DNS key is created, and there is no loss in functionality.
  • Issue ID 0335013: If no services are configured for a DNS view, and you use Windows Internet Explorer 9 to view the Create DNS View dialog box, the 'Service(s) in this view' and 'Policy(s) in this view' lists in the dialog box are not rendered correctly. The display issue is resolved if at least one service is configured for the DNS view.
  • Issue ID 0335235: The NetScaler configuration utility does not show globally bound AppFlow policies in the policy manager. This issue is observed only in a cluster setup.
  • Issue ID 0335701: You cannot add an SSL service with the Clear Text Port option in the configuration utility, because the option is disabled.
  • Issue ID 0335719: The exception “netscape.javascript.JSException” is logged to the Java console when you sign a DNS zone by using the NetScaler configuration utility, and the browser’s status bar does not report the status of the zone-signing operation. However, the zone is signed, and there is no loss in functionality.
  • Issue ID 0333577: When configuring the Transformation URL Profile, an error occurs if you set Priority to a value higher than 2147483647 (maximum allowed value).
  • Issue ID 0335526: If you access the configuration utility through an Internet Explorer browser that has the Java Runtime Environment (JRE) disabled, an error occurs.

    Workaround: Make sure that at least one JRE is present and enabled under the Java Runtime Environment Settings, in the Java console, on the Java tab.

  • Issue ID 0335913: In a cluster setup, you cannot enable a server entry that is disabled, because the Enable button is unavailable. However, you can disable a server entry by using the NetScaler command line interface.
  • Issue ID 0338513: When you log on to the NetScaler configuration utility from Internet Explorer 8 or Internet Explorer 9, the web browser displays a blank screen because the browser is displaying the page in Compatibility View.

    Workaround: Change to the standard view, in the 'Compatibility View Settings' dialog box, by clearing the 'Display all websites in Compatibility View' check box.

Documentation

  • Issue ID 0277923: The documentation for the Content Switching feature states that if a policy that is bound to a content switching virtual server evaluates to TRUE, and the policy's Goto expression specifies END, policy evaluation terminates at that policy. However, the documentation does not mention that, if the content switching virtual server has a default virtual server, the request is forwarded to the default load balancing virtual server when policy evaluation is terminated.

Domain Name System

  • Issue IDs 0268748 and 0333310: In a cluster setup, if you save the configuration and reboot an appliance, the default name-server records for the thirteen root servers, and their associated address records, become unavailable. If you need them, you have to add them manually after you perform a reboot.
  • Issue ID 0301348: Even though the NetScaler user interface allows you to create DNS policy labels, the DNS policy label functionality is not supported in this release.
  • Issue ID 0330529: The following message might be displayed if you disable a virtual server-based DNS name server: 'ERROR: Name server does not exist. [nsnet_recvrpcioctl]'

Global Server Load Balancing

  • Issue ID 0287825 and 0287827: If the master node and slave node in a Global Server Load Balancing (GSLB) configuration are running different NetScaler releases, the site synchronization process fails when the master node is collecting GSLB configuration information from the slave node. The issue is specific to NetScaler releases 9.2, 9.3, and 10. The issue occurs if one node (either the master or the slave) is running NetScaler release 10 and the other node is running NetScaler release 9.2 or 9.3.
  • Issue ID 0291053: The NetScaler appliance does not rewrite responses that are DNSSEC-enabled and/or sent over TCP. So, when a security-aware DNS server sends the NetScaler appliance a DNSSEC-enabled NXDOMAIN response, or when a DNS server sends the appliance an NXDOMAIN response over TCP, the appliance relays the negative response to the client and caches the negative response. For subsequent requests for the same non-existent domain, the appliance responds with the cached, DNSSEC-enabled response, even if the clients are security-oblivious or use UDP. This behavior is expected, and ensures that all clients receive the same response.
  • Issue ID 0326001: If a GSLB virtual server’s primary GSLB method is set to round trip time (RTT) and backup GSLB method is set to static proximity, or if the primary GSLB method is set to static proximity and backup GSLB method is set to RTT, and source IP persistence is enabled, when the primary GSLB method fails, the backup GSLB method also fails.

    Workaround: If you use RTT as the primary GSLB method, do not use static proximity as the backup GSLB method. Similarly, if you use static proximity as the primary GSLB method, do not use RTT as the backup GSLB method.

Load Balancing

  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the 'show lb persistentSessions' CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'client.tcp.payload(n)', and a request is received in multiple parts such that there is a delay between the parts and a FIN is sent from client before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91711/0250846: If the string (or 'token') that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR('string2').AFTER_STR('string1') if the string that is enclosed by 'string1' and 'string2' is not larger than 64 KB.
  • Issue ID 94405/0258207: If you specify a persistence rule for a load balancing virtual server without specifying a persistence type or setting the load balancing method to TOKEN, the NetScaler appliance discards the rule without checking its validity. This behavior is by design.
  • Issue ID 0318310: While creating a load balancing monitor, you cannot specify a send string that has a length of more than 76 characters. This issue is observed only in a cluster setup.
  • Issue ID 0331621: While creating SSL or load balancing virtual servers with default responder action, the NetScaler appliance throws a 'No such resource' error. This issue is observed only in a cluster setup.

NetScaler SDX Appliance

  • Issue ID 0261232: If you set the date on the Management Service to an earlier date, the inventory and stats are not updated in the Management Service user interface.

    Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type: #/etc/rc.d/svmd restart

  • Issue ID 0337386: When restored from a backup, a NetScaler instance reverts to the release and build in which it was originally provisioned, even if the backup was taken from an upgraded configuration.

Networking

  • Issue ID 0276933: When you change the next hop parameter of a PBR for IPv4 traffic, the new hop is taken into account even if you have not applied the PBRs.
  • Issue ID 0283035 and 0299716: In a cluster setup, the 'bind vlan' command throws an error when interface and IP address are specified together.
  • Issue ID 0288450: The 'show lacp' command does not display the lacp configurations. This issue is observed only in a cluster setup.
  • Issue ID 0316144: In a cluster setup, the Precision Time Protocol (PTP) time across cluster nodes will not be synchronized when PTP packets are dropped due to backplane switch or if the physical resources are over-committed in a virtual environment.
    Workaround:
    • Disable PTP using the command 'set ptp -state disable' and configure NTP to synchronize the time across the cluster nodes.
    • If the backplane switch is like the Extreme switch, prevent multicast PTP packets from reaching the CPU by using the following command (this might prevent some relevant features, such as routing, from working):

      ipmcforwarding to-cpu off ports 41-48 <backplane-interfaces>

Rewrite

  • Issue ID 0305831: The man pages for add and set rewrite action do not include xpath_html (xp<delimiter>xpath expression<delimiter>) as a search expression.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 0283661: In a cluster setup, if you add an SSL certificate on the configuration coordinator, and immediately execute the add certkey command, the command succeeds on the configuration coordinator but might fail on the other cluster nodes if the certificates on the configuration coordinator are not synchronized with the other cluster nodes before the command is executed.

    Workaround: Copy the certkey under /nsconfig/ssl/ folder on all the cluster nodes or confirm that the certificates are synchronized before executing the add certkey command on the configuration coordinator.

System

  • Issue ID 0338244: The CallHome feature checks for compact flash drive and hard disk drive errors every six minutes instead of every six hours. If any errors are found, the appliance's data is uploaded to the Citrix Technical Support server.

Build 69.4

Release version: Citrix® NetScaler®, version 10 build 69.4

Replaces build: None

Release date: August 2012

Release notes version: 3.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all build types (nCore and nCore VPX) of Citrix NetScaler and Citrix Access Gateway.

Enhancements

Smart Card Authentication for Web Interface Site using Access Gateway (Issue ID 0287639)

The NetScaler appliance now supports smart card authentication for web interface on NetScaler through Access Gateway. With this enhancement, you can configure a web interface site that users access by logging on to an Access Gateway virtual server with a smart card. To use this enhancement, you must upgrade the NetScaler to the latest build and install the new web interface tar file 'nswi-1.5.tgz'. For more information, see the 'Using Smart Card Authentication for Web Interface on NetScaler' topic in the 'Web Interface' chapter of the Citrix NetScaler Administration Guide.

Automatically Populating the Default Value of a Virtual Server on a Web Interface Site (Issue ID 0300470)

While modifying a web interface site configured in Direct mode, the default value for the virtual server is now automatically populated with one of the load balancing virtual servers configured during the creation of the web interface site.

Case Sensitivity on the Web Interface Wizard (Issue ID 0246466)

An option 'Make Site Path Case Insensitive' on the web interface wizard has been introduced. When you enable this option, the NetScaler appliance ignores case sensitivity in the site name part of the URL request for a web interface site configured on the NetScaler appliance.

Multiple Binding of Content Switching PI Policies to Content Switching Virtual Servers and Policy-labels (Issue ID 67323/0230903)

The multiple policy binding feature enables you to bind a policy to multiple virtual servers or policy labels. Earlier, you could bind a policy only to a single virtual server or policy label; to reuse an existing policy, you had to create a copy of it under a different name before attaching it to another virtual server. With the multiple policy binding feature, you can reuse an existing policy for multiple virtual servers.

Global State Update Option for Content Switching (Issue ID 0274449)

You can now enable the state update option globally for content switching virtual servers configured on the NetScaler appliance. If a specific virtual server's local state update option is set to DISABLED, that setting is overridden by a global ENABLED setting. However, a local setting of ENABLED overrides a global setting of DISABLED for the state update option. As shown in the following table, state update is not disabled for a virtual server unless both the global and local options are set to DISABLED.

| Global state update setting | Virtual server state update setting | Effective state update setting on the virtual server |
|---|---|---|
| ENABLED | ENABLED | Enabled |
| ENABLED | DISABLED | Enabled |
| DISABLED | ENABLED | Enabled |
| DISABLED | DISABLED | Disabled |

To configure the state update option globally by using the NetScaler command line, at the NetScaler command prompt, type the following command:

    set cs parameter [-stateupdate ( ENABLED | DISABLED )]

To configure the state update option globally by using the NetScaler configuration utility:
  1. In the navigation pane, click 'Content Switching'.
  2. In the details pane, click 'Configure Content Switching parameter'.
  3. In the 'Set Content Switching Parameters' dialog box, select the 'State Update' check box.
  4. Click 'OK'.

Support for Load Balancing Diameter Traffic (Issue ID 86737/0246690)

You can now load balance Diameter traffic. The Diameter protocol is a next generation Authentication, Authorization, and Accounting (AAA) signaling protocol mainly used on mobile devices such as laptops and mobile phones. It is a peer-to-peer protocol, as opposed to the traditional client-server model that is used by most other protocols. For more information, see the 'Configuring Diameter Load Balancing' topic in the 'Load Balancing' chapter of the Citrix NetScaler Traffic Management Guide.

Stateless Connection Failover Supported for IPv6 (Issue ID 0276300)

You can now bind an IPv6 service to a load balancing virtual server with connection failover set to stateless.

Options for Branch IP Address in the Load Balancing wizard for Branch Repeater (Issue ID 0275289)

In the 'Load Balancing wizard for Branch Repeater', when specifying a branch whose traffic is to be accelerated, you can specify either the primary IP address or the accelerated pair A (apA) IP address of a Branch Repeater appliance.

NetScaler SDX - System Health Monitoring (Issue ID 0291018)

A supplemental software pack supports system health monitoring on the NetScaler SDX appliance for hardware and software components, disks, fan, voltage, temperature, and power supply sensors, and interfaces. For more information about this enhancement, see the 'System Health Monitoring' chapter in the Citrix NetScaler SDX Administration Guide. To install the supplemental software pack, see http://support.citrix.com/article/ctx132877.

New Health Monitoring Gadget on the NetScaler SDX Appliance (Issue ID 0313835)

You can now view the top 25 critical health monitoring events in the Health Monitoring gadget on the Home tab in the Management Service user interface. Select an event to view details or to delete the event.

Session Management for Communication with NetScaler Instances (Issue ID 0287133)

All HTTP and HTTPS communication between the Management Service and a NetScaler VPX Instance is now through a persistent session. A session ID is associated with each VPX instance and all HTTP and HTTPS communication between the Management Service and the instance uses this session ID.

Session Management for Communication with XenServer (Issue ID 0303527)

With XenServer version 6.0 and later, HTTP communication between the Management Service and XenServer is now over a persistent session. All HTTP communication between the Management Service and XenServer uses one session ID. For earlier versions of XenServer, basic authentication (user name and password) is used.

SNMP Support on the NetScaler SDX Appliance (Issue ID 94071/0257902)

You can now configure a Simple Network Management Protocol (SNMP) agent on the Citrix NetScaler SDX appliance to generate asynchronous events, which are called traps. For more information about this enhancement, see the 'SNMP' chapter in the Citrix NetScaler SDX Administration Guide.

Installing a Supplemental Pack for XenServer (Issue ID 0303515)

You can now install the NetScaler SDX supplemental packs from the Management Service without manually opening an ssh connection to XenServer. To install this pack, on the configuration tab, in the navigation pane, expand Management Service, and then click XenServer Files. In the details pane, click 'Supplemental Packs'. You can upload the supplemental pack to the SDX appliance and also download it to create a backup on your client.

Change Management on the NetScaler SDX Appliance (Issue ID 0291024)

You can now track any changes to the configuration on a NetScaler VPX instance from the Management Service. To view these changes, on the configuration tab, in the navigation pane, expand NetScaler, and then click Change Management. The details pane lists the device name with IP address, date and time when it was last updated, and whether there is a difference between the saved configuration and running configuration. Select a device to view its running configuration, saved configuration, revision history of configuration changes, and difference between the configuration before and after an upgrade. You can download the configuration of a NetScaler VPX instance to your client. By default, the Management Service polls all the instances every 24 hours but you can change this interval by clicking Configure Poll Interval in the details pane.

Configuring Tagged VLANs on the NetScaler SDX Appliance (Issue IDs 0278369 and 0284146)

You can now configure a tagged VLAN, without configuring an NSVLAN, at the time of provisioning a NetScaler instance. For more information about this enhancement, see the 'Provisioning NetScaler Instances' chapter in the Citrix NetScaler SDX Administration Guide.

Cloud Bridge CLI Commands Simplified (Issue ID 0307496)

Simplified the Cloud Bridge CLI commands for configuring IPSec Tunnel.

Filtering out Connection Table using CSW/LB vserver Policy Expressions (Issue ID 0302889)

Added policy expressions for the 'show connectiontable' command to filter out connections of a specific content switching or load balancing virtual server.

For example: show connectiontable CONNECTION.LB_VSERVER.NAME.EQ("v1")

Configuration Utility Simplified (Issue ID 0306109)

Simplified the configuration utility to ease the process to connect to the cloud service providers.

Application Firewall - Learning from Trusted Clients/Networks Only (Issue ID 86758/0246711)

You can now configure the application firewall learning feature to learn from trusted clients or networks only, instead of learning from all traffic that it processes. By restricting learning to trusted clients, you can prevent attacks against your protected web sites and web services from being learned as normal use and therefore not blocked. Currently trusted learning can be configured only from the NetScaler command line.

To configure the application firewall to learn from trusted clients or networks only, first enable the trusted learning feature. Next, add your trusted clients and networks. To add a trusted client, add the client's IP. IPv4 and IPv6 IPs are both supported. You can use a prefix of /0 after the IP, but that is not necessary. To add a trusted network, add the network in CIDR format.

To enable and configure trusted learning, at the NetScaler command line type the following commands:
set appfw profile <profileName> -enabletrustedLearning (on|off)
bind appfw profile <profileName> -trustedLearningClients (<ip_addr>|<ipv6_addr>|<cidr/prefix>) -state (enabled|disabled) [-comment <comment>]

For <profileName>, substitute the name of the application firewall profile that you want to associate with these trusted learning settings. If you want to add a trusted client or network to the configuration but not configure the application firewall to learn from it yet, set state to disabled. You can add an optional comment to document which client or network you added and why.

The following commands enable trusted learning, add a trusted client at 10.178.16.34, and add a trusted network at 10.102.30.0/24.
set appfw profile TestProfile -enabletrustedLearning on
bind appfw profile TestProfile -trustedLearningClients 10.178.16.34 -state enabled -comment "Trusted client"
bind appfw profile TestProfile -trustedLearningClients 10.102.30.0/24 -state enabled -comment "Trusted network"
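
The following added example (not part of the original release notes, and not Citrix code) validates a list of trusted clients and networks before it is turned into the commands shown above, and adds overly broad ranges with -state disabled so that they are not learned from until reviewed. The function names, the breadth thresholds, and the two constructed sample entries are assumptions made for the example.

```python
import ipaddress

# Assumption for this example (not a NetScaler limit): networks wider than
# these prefix lengths are added with -state disabled until someone reviews them.
MIN_PREFIX = {4: 16, 6: 48}


def classify(entry):
    """Parse a trusted-learning entry; return (network, needs_review).

    Raises ValueError unless the entry is an IPv4/IPv6 address or a CIDR network.
    """
    addr, slash, prefix = entry.partition("/")
    ipaddress.ip_address(addr)                      # rejects malformed addresses
    if not slash:
        return ipaddress.ip_network(addr), False    # bare client IP: /32 or /128
    if prefix == "0":
        # The release notes allow "/0" after a client IP. In standard CIDR
        # notation /0 covers every address, so read it conservatively and hold it.
        return ipaddress.ip_network(entry, strict=False), True
    net = ipaddress.ip_network(entry, strict=True)  # host bits must be zero
    return net, net.prefixlen < MIN_PREFIX[net.version]


def bind_commands(profile, entries):
    """Build CLI lines in the syntax given in the release notes."""
    cmds = [f"set appfw profile {profile} -enabletrustedLearning on"]
    for entry, comment in entries:
        if '"' in comment:
            raise ValueError(f"comment for {entry} must not contain a double quote")
        _, review = classify(entry)
        state = "disabled" if review else "enabled"
        cmds.append(
            f"bind appfw profile {profile} -trustedLearningClients {entry} "
            f'-state {state} -comment "{comment}"'
        )
    return cmds


def contributes_to_learning(client_ip, entries):
    """Model of the intended effect: only entries left enabled match a client."""
    ip = ipaddress.ip_address(client_ip)
    for entry, _ in entries:
        net, review = classify(entry)
        if not review and ip.version == net.version and ip in net:
            return True
    return False


# First two entries are the ones in the release notes; the rest are constructed.
SAMPLE = [
    ("10.178.16.34", "Trusted client"),
    ("10.102.30.0/24", "Trusted network"),
    ("2001:db8:10::/64", "QA lab (constructed)"),
    ("10.0.0.0/8", "Whole private block (constructed)"),
]

if __name__ == "__main__":
    for line in bind_commands("TestProfile", SAMPLE):
        print(line)
    for ip in ("10.102.30.77", "10.9.9.9", "2001:db8:10::5"):
        print(ip, "->", contributes_to_learning(ip, SAMPLE))
```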

New TACACS+ Configuration Parameter (Issue ID 0257671)

If you configure a TACACS+ server for authentication, when users without the appropriate permissions enter a command, the command does not execute, but the command is recorded in an accounting log. A new configuration parameter corrects this behavior.

New Syntax for Binding Content Switching Policies and Load Balancing Virtual Servers to a Content Switching Virtual Server (Issue ID 0291791)

For the 'bind cs vserver' command, the 'targetVserver' parameter is now deprecated. If you attempt to set the parameter, the following warning appears: “Warning: Argument deprecated [targetVserver].”

This release introduces the 'lbvserver' parameter, for binding the default load balancing virtual server to the content switching virtual server, and the 'targetLBVserver' parameter, for binding other load balancing virtual servers through content switching policies.

In the NetScaler configuration utility, there are no changes in how you bind a default load balancing virtual server or a load balancing virtual server that is not the default.

To specify a default load balancing virtual server by using the NetScaler command line, at the NetScaler command prompt, type the following command:
bind cs vserver <csvservername> -lbvserver <targetVservername>
To specify a load balancing virtual server other than the default virtual server by using the NetScaler command line, at the NetScaler command prompt, type the following command:
bind cs vserver <csvservername> -policyName <policyname> [-priority <positive_integer>] -targetLBVserver <targetVservername>

Application Firewall Profile Comment Support (Issue ID 0291927)

You can now add a comment to an archived application firewall profile to describe the contents and state of the archive more fully. The comment can be from 1 to 255 characters in length, and can contain letters, numbers, and most punctuation. In the configuration utility, you add a comment on the Export Application Firewall Profile dialog box, in the Comments text box. At the NetScaler command line, you add a comment by typing the following command:
archive appfw profile -comment "<string>"

For <string>, substitute the comment.

Rich policy support for SIP-UDP (Issue ID 0309107)

RULE based persistence now supports SIP based policies for SIP-UDP virtual servers. You can configure SIP based policies by using the add lb vserver command. For example, the following command configures RULE based persistence for a SIP-UDP virtual server:
add lb vserver sipvip1 SIP_UDP 10.102.27.68 5060 -persistenceType RULE -lbMethod CALLIDHASH -rule sip.req.method -cltTimeout 120
Note: Only SIP request based policies are supported; rate limiting policies cannot be configured as part of the rule.

Option to Save the Config in Remote GSLB Sites after Config Synchronization (Issue ID 0287324)

The new Save Configuration option specifies that all participating nodes automatically save their configurations after synchronization. The master saves its configuration immediately before synchronization begins. Slave nodes save their configurations after the synchronization process is complete. A slave node saves its configuration only if it is successfully updated to match the master node's configuration. If synchronization fails on a slave node, you must manually investigate the cause of the failure and take corrective action.

To specify the option when using the NetScaler configuration utility to synchronize GSLB configurations, select the Save Configuration check box in the Save GSLB Configuration dialog box. If using the CLI, specify the saveConfig option for the sync gslb config command. The saveConfig option is mutually exclusive with the command's preview option.

SAML IDP and SP-Initiated Logouts Support for AAA-TM (Issue ID 0286268)

Support for SAML IDP- and SP-initiated logouts has been added to AAA-TM. An SP-initiated logout is performed when a user logs out of a AAA-TM session, but not when a user's AAA-TM session times out or when the 'kill aaa sessions' command is used. An IDP-initiated logout is performed when the IDP sends a 'clear session' request to the NetScaler appliance.

Searching NetScaler Entities in the Configuration Utility

You can use the 'Search' functionality to search for NetScaler entities displayed in the details or the data pane of the NetScaler configuration utility. If you want to perform string matching operations that are more complex than the operations that you perform with the simple CONTAINS search, you can use regular expressions.

Support for AES Ciphers on SSLv3 (Issue ID 0302510)

The following AES ciphers are now supported on the SSLv3 protocol.
  1. Cipher Name: TLS1-AES-256-CBC-SHA

    Description: TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

  2. Cipher Name: TLS1-AES-128-CBC-SHA

    Description: TLSv1 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

  3. Cipher Name: TLS1-DHE-DSS-AES-256-CBC-SHA

    Description: TLSv1 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1

  4. Cipher Name: TLS1-DHE-DSS-AES-128-CBC-SHA

    Description: TLSv1 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1

  5. Cipher Name: TLS1-DHE-RSA-AES-256-CBC-SHA

    Description: TLSv1 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1

  6. Cipher Name: TLS1-DHE-RSA-AES-128-CBC-SHA

    Description: TLSv1 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1

  7. Cipher Name: TLS1-ADH-AES-128-CBC-SHA

    Description: TLSv1 Kx=DH Au=None Enc=AES(128) Mac=SHA1

  8. Cipher Name: TLS1-ADH-AES-256-CBC-SHA

    Description: TLSv1 Kx=DH Au=None Enc=AES(256) Mac=SHA1
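
The following added example (not part of the original release notes, and not Citrix code) parses the cipher descriptions listed above and tags the suites that a hardening review would normally look at first: those with Au=None, which authenticate neither peer, and those with Kx=RSA, which provide no forward secrecy. The function names, the tag names, and the 'name | description' input layout are assumptions made for the example.

```python
import re

# Cipher names and descriptions copied from the list above, one per line.
SSLV3_AES_CIPHERS = """\
TLS1-AES-256-CBC-SHA | TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
TLS1-AES-128-CBC-SHA | TLSv1 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
TLS1-DHE-DSS-AES-256-CBC-SHA | TLSv1 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
TLS1-DHE-DSS-AES-128-CBC-SHA | TLSv1 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
TLS1-DHE-RSA-AES-256-CBC-SHA | TLSv1 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
TLS1-DHE-RSA-AES-128-CBC-SHA | TLSv1 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
TLS1-ADH-AES-128-CBC-SHA | TLSv1 Kx=DH Au=None Enc=AES(128) Mac=SHA1
TLS1-ADH-AES-256-CBC-SHA | TLSv1 Kx=DH Au=None Enc=AES(256) Mac=SHA1
"""

# Matches the description format used in the list: protocol, key exchange,
# authentication, bulk cipher with key size, and MAC.
DESCRIPTION = re.compile(
    r"(?P<protocol>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)

# Tags used by this example, with the reason each one matters.
REASONS = {
    "no-auth": "anonymous key exchange: neither peer is authenticated, "
               "so an active man-in-the-middle goes undetected",
    "no-forward-secrecy": "static RSA key exchange: recorded sessions can be "
                          "decrypted if the server private key is later exposed",
}


def parse_cipher(line):
    """Split one 'name | description' line into its fields."""
    name, _, description = line.partition("|")
    match = DESCRIPTION.fullmatch(description.strip())
    if not name.strip() or match is None:
        raise ValueError(f"unrecognised cipher line: {line!r}")
    cipher = match.groupdict()
    cipher["name"] = name.strip()
    cipher["bits"] = int(cipher["bits"])
    return cipher


def findings(cipher):
    """Return the review tags that apply to a parsed cipher."""
    tags = []
    if cipher["au"] == "None":
        tags.append("no-auth")
    if cipher["kx"] == "RSA":
        tags.append("no-forward-secrecy")
    return tags


def audit(text):
    """Map every cipher name in the text to its list of review tags."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            cipher = parse_cipher(line)
            report[cipher["name"]] = findings(cipher)
    return report


def ciphers_tagged(text, tag):
    """Names of the ciphers that carry a given tag, sorted."""
    return sorted(name for name, tags in audit(text).items() if tag in tags)


if __name__ == "__main__":
    for name, tags in audit(SSLV3_AES_CIPHERS).items():
        print(name, "->", "; ".join(REASONS[t] for t in tags) or "no finding")
```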

Changes

Compression

  • Issue ID 0299887: The output of the 'show cmp global' command is now similar to the output of the 'show' commands that you use for viewing global bindings for other types of default syntax policies. The 'show cmp global' command continues to display all the globally bound classic policies along with their priority values. But, for default syntax policies, the command displays only those global bind points to which policies are bound, along with a count of the number of policies that are bound to each of them.

    To view the details for a given global bind point, you can specify the bind point as the argument to the 'type' parameter. When you specify a global bind point, the command displays all the policies that are bound to the bind point, along with their priorities and Goto expressions. Classic policy bindings are not displayed if you specify a global bind point.

    Example:

    > sh cmp global -type RES_DEFAULT

    Advanced Policies:

    1. Policy Name: ns_adv_nocmp_xml_ie

      Priority: 8700

      GotoPriorityExpression:END

    2. Policy Name: ns_adv_nocmp_mozilla_47

      Priority: 8800

      GotoPriorityExpression: END

    3. . . .

      Done

      >

Load Balancing

  • Issue ID 0302112: The use of SIP rate limiting expressions for rewrite policies is disabled to prevent the NetScaler from becoming unavailable.

SSL

  • Issue ID 0316577: The SSL crypto card instrumentation is enhanced to provide more information on error status during initialization and at runtime.
  • Issue ID 0325800: There are changes to the 'add ssl cipher' and 'bind ssl cipher' commands in NetScaler release 10 build 69.4. Now, there are two commands to create a cipher group and bind ciphers to this cipher group. The command to bind an SSL cipher to a virtual server or service has also changed. For more information about these changes, see http://support.citrix.com/article/CTX134118.

XML API

  • Issue ID 0299194: The following XML APIs related to ACL and PBR features are deprecated:
    • unsetnspbr6_icmptype
    • unsetnspbr6_nexthopval
    • setnspbr_state
    • setnsacl_state
    • setnspbr6_state
    • setnsacl6_state

Bug Fixes

AAA Application Traffic

  • Issue ID 0288572: On a NetScaler appliance with AAA-TM enabled and Kerberos/NTLM authentication configured, Likewise support fails to start, and the following error message is displayed: /libexec/ld-elf.so.1: Shared object 'libkrb5support.so' not found, required by 'libgssapi_krb5.so'
  • Issue ID 0307258: When you create a AAA-TM profile by using the configuration utility, the configuration utility displays the global persistency settings as the settings that it assigned to the profile. However, instead of actually deriving the persistency values from the global persistency settings, it sets persistency for the profile to zero (0). You can verify this issue by typing the following command at the NetScaler command line:
    show tm sessionaction <profileName>

    You can fix the persistency settings for any AAA-TM profile that is affected by this issue by typing the following command at the NetScaler command line:

    set tm sessionAction <profileName> -persistentCookie ENABLED -persistentCookieValidity <positive_integer>
    For <positive_integer>, substitute the number of minutes that the persistency cookie is to remain valid. Then, use the 'show tm sessionaction' command to verify your changes.
  • Issue ID 0313931: On a NetScaler appliance that has AAA-TM enabled, if a user takes more than four minutes to finish authenticating and the AAA session expires, the user is unable to authenticate. When the user clicks the 'click here' link to return to the logon page, instead of being redirected to the logon page, the user is redirected to the 'Expired Session' page repeatedly.
  • Issue ID 0314561: On a NetScaler appliance with AAA-TM enabled and single sign-on (SSO) configured, if a user who uses the Google Chrome browser takes more than four minutes to authenticate and the session expires, the browser displays a blank page instead of the Session Expired page.
  • Issue ID 0322445: On a NetScaler appliance that has AAA-TM enabled and a load balancing virtual server configured to support 401 basic authentication, if a user sends a GET request that does not contain a Host header, the NetScaler appliance crashes.

Access Gateway

  • Issue ID 90726/0249979: If you configure client certificate-based expressions for preauthentication or post-authentication scans and if users log on with a client certificate on an nCore Access Gateway model MPX 7500 appliance or higher, the scan fails and users cannot log on. This issue does not occur on the MPX 5500 appliance.
  • Issue ID 0289662: If you disable split tunneling, when users log on with the Access Gateway Plug-in and try to make a Voice over Internet Protocol (VoIP) call to a mobile phone by using the Cisco Unified Personal Communicator application, the call does not connect.
  • Issue ID 0289686: If users connect with the Access Gateway Plug-in for Mac and then log off from the Web Interface, if users log on again within five minutes, the connection fails. This only occurs if you enable ICA proxy in Access Gateway.
  • Issue ID 0290220: When users log on to Access Gateway with the Access Gateway Plug-in for Mac OS X, the home page is slow to appear or does not appear in the Web browser.
  • Issue ID 0290976: When you configure a post authentication policy on Access Gateway and configure the policy to redirect the connection to the Web Interface if the endpoint analysis fails, when users log on with the Access Gateway Plug-in, if the user device fails the endpoint analysis scan, users receive the Access Gateway logon page instead of the Web Interface.
  • Issue ID 0299406: If you configure a policy to restrict access to certain files, when users log on with clientless access and try to access the file, Access Gateway fails.
  • Issue ID 0300221: When users log on to an nCore Access Gateway model MPX 7500 or higher, if there is high memory usage, the Access Gateway might fail. This issue does not occur on the MPX 5500.
  • Issue ID 0301060: When you configure address pools, enable intranet IP addresses, and disable spillover, when users log on with the Access Gateway Plug-in and then try to log on from a second user device, the Transfer Login page appears. However, the message appears incorrectly as text only on a blank page. When users click 'Cancel', the button is disabled, rather than redirecting users to the logon page again.
  • Issue ID 0301338: If a user password is longer than 31 characters, when users try to log on through the 'Access Gateway Plug-in logon' dialog box rather than through a Web browser, logon fails. A message appears stating that the user name and password are invalid.
  • Issue ID 0301557: If users connect with the Access Gateway Plug-in and two network adapters have active connections on the user device, DNS resolution does not occur and users cannot access internal resources. If users disable one network adapter, users can then access internal resources.
  • Issue ID 0301799: Access Gateway might not release all user sessions, which results in maximum usage of the licenses. When this occurs, users cannot log on and you must restart Access Gateway.
  • Issue ID 0302268: After the preauthentication scan passes and users log on, if an internal processing error occurs, Access Gateway fails.
  • Issue ID 0302490: If users log on with Receiver for Chromebook through Access Gateway, when users log off, Access Gateway does not release the session. Users must close the Web browser to log on again.
  • Issue ID 0303265: If servers in the internal network return a UDP packet with zero length, Access Gateway fails.
  • Issue ID 0306346: When users log on to the configuration utility, the following issues occur:
    • When using an Internet Explorer 8 Web browser, a blank page appears.
    • When using a Firefox 11 Web browser, many features in the navigation tree do not appear.
    • When using a Google Chrome Web browser, the only features that appear in the navigation tree are System, Network, DNS, SSL, VPN, and AppExpert.
  • Issue ID 0320493: If your authentication policies include the rules REQ.SSL.CLIENT.CERT.EXISTS and REQ.SSL.CLIENT.CERT.NOTEXISTS, and users log on with a smart card, the following might occur:
    • If smart card authentication fails, users are redirected to the Web Interface and prompted again for the smart card credentials.
    • If users do not enter smart card credentials, they are redirected to the Web Interface and prompted for their user name and password in order to authenticate with RADIUS.

AppFlow

  • Issue ID 0301461 (nCore): If you enable the 'clientTrafficOnly' parameter when the AppFlow feature is enabled, the NetScaler appliance fails. By default, the 'clientTrafficOnly' parameter is disabled.
  • Issue ID 0302578 (nCore): If you enable AppFlow when the NetScaler device is in transparent mode, or when the load balancing virtual servers use wildcards for the IP address and port to dynamically learn the backend services, the NetScaler device fails.

Application Firewall

  • Issue ID 51944/0219171: Imported application firewall objects -- such as WSDLs and XML Schemas -- cannot be removed from the NetScaler appliance by using the 'clear config' command. You must explicitly remove these objects. To remove an imported object by using the NetScaler command line, open a Unix shell and type 'rm <objectFilename>'. To remove an imported object by using the configuration utility, select the object, and then click Remove.
  • Issue ID 85151/0245424: You can now add a comment to an application firewall profile to describe it more fully. The comment can be from 1 to 255 characters in length, and can contain letters, numbers, and most punctuation. In the configuration utility, you add a comment on the Create Application Firewall Profile dialog box or Configure Application Firewall Profile dialog box, General tab, in the Comments text box. At the NetScaler command line, you add a comment by typing the following command:

    set appfw profile -comment "<string>"

    For <string>, substitute the comment.

  • Issue ID 87741/0247559: Handling of half-width and double-width characters by the HTML SQL Injection check transformation feature has been modified to ensure that these characters are identified as special characters, preventing inappropriate blocking and transformation.
  • Issue ID 0284784: When a web site sends a MIME-encoded web form to a user with the MIME boundary enclosed in double quotations, and the user returns the web form as a POST request, the application firewall resets the connection with a reset code of 9845.
  • Issue ID 0291389: When you configure an audit policy to send the application firewall logs to a remote Syslog server, the logs do not contain the profile name and URL of the connection that generated the log, and field names and values are incorrect. If you configure the audit policy to create local logs, the missing information is included in the logs.
  • Issue ID 0300223: In the configuration utility, 'Application Firewall Profiles' pane, when you import a profile, the configuration utility is not automatically refreshed, giving the impression that the import failed. The profile is actually imported successfully. To see it in the Profiles list, click 'Refresh'.
  • Issue ID 0300383: On a NetScaler classic build that has the application firewall learning feature enabled, under heavy load the configuration utility can become unavailable and the NetScaler can freeze or hang.
  • Issue ID 0300465: When upgrading from the NetScaler 9.3 to the NetScaler 10 release, all signature rules, SQL special strings, and SQL keywords are now automatically upgraded to the new schema.
  • Issue IDs 0301817 and 0302295: Local safe object signature rules work only if the Location is set to HTTP_RESP_BODY, and maxLength is defined.
  • Issue ID 0302282: If a local safe object signature rule is defined, and the signatures object is bound to a profile, the safe object check is not run on traffic that is processed through that profile.
  • Issue ID 0302368: In the 'Manage Learned Rules' dialog box, you might not be able to deploy or remove certain learned relaxations that contain special characters.
  • Issue ID 0303057: If a log for a Transform action has missing parameters, the fields that contain those parameters are not clickable in the Syslog Viewer, and that log cannot be deployed to create a new rule or relaxation.
  • Issue ID 0307082: When the NetScaler appliance sends an HTTP/1.0 100-Continue response on behalf of a protected web server, it now also sets the TCP Push flag in the response packet. This change resolves certain performance issues that might have been encountered when enabling the application firewall for some XML-based web services.
  • Issue ID 0307542: If a hostname greater than 93 characters in length is assigned to a NetScaler appliance that has the application firewall enabled, the application firewall learning feature crashes.
  • Issue ID 0309289: When a client sends a chunked POST request to an application firewall-protected web server, the request might not be correctly transmitted to the web server, resulting in a failed connection.
  • Issue ID 0319787: On a NetScaler appliance with the application firewall feature enabled, the comment stripping feature does not correctly parse web pages that have an HTML comment that is terminated with two hyphens, a space, two more hyphens, and a greater-than symbol (-- -->). In other words, you cannot have a string consisting of two hyphens and a space immediately preceding the usual comment termination string (-->). If you do, the comment stripping feature does not detect the final two hyphens and greater-than symbol as a comment terminator. The comment stripping feature therefore strips all content that follows the missed comment terminator.
  • Issue ID 0320145: If a user requests a URL from an application-firewall protected web site, and the requested web page has embedded URL links that contain hash (#) characters, the request might trigger a Start URL check violation. If blocking is enabled for the Start URL check, the request might be blocked.

Cluster

  • Issue ID 0276162: Cluster commands are not propagated from the configuration coordinator to other nodes, when you log on to the cluster IP address using the Password Authentication mechanism. However, the commands are propagated when you log on to the cluster IP address using the Keyboard Interactive mechanism.
  • Issue ID 0290504: You cannot form a cluster of NetScaler appliances by using the configuration utility if you are accessing the configuration utility over a secure channel (https instead of http).
  • Issue ID 0302924: In the configuration utility, the NetScaler appliances that are added to the cluster by using the 'Discover NetScalers' option are not automatically saved and rebooted.
  • Issue ID 0318723: When a new node joins the cluster or an existing node is rebooted, the ACL, ACL6, SIMPLEACL, and SIMPLEACL6 configurations with TTL value are not automatically synchronized on that node.

Command Line Interface

  • Issue ID 0262838: The CLI man page for the set dns parameter command has the following errors:
    • It displays 'ENABLED' as the default value for the 'cacheRecords' parameter. The possible values are only 'YES' and 'NO', and the default value is 'YES'.
    • It displays NS_FOUR as the default value for the 'resolutionOrder' parameter. The possible values are only 'OnlyAQuery', 'OnlyAAAAQuery', 'AThenAAAAQuery', and 'AAAAThenAQuery'. The default value is 'OnlyAQuery'.

Configuration Utility

  • Issue IDs 0244945, 0245825, and 0273344: When viewed in Internet Explorer version 8 or 9, the Dashboard page has several display issues (for example, excessive scroll bars, inconsistent column width, horizontal scroll bar missing from the Vserver view).
  • Issue ID 0299883: When users access NetScaler using the configuration utility, the following issues are observed:
    • When you select a policy on the DNS Policies page, the Global Bindings button becomes inactive.
    • On the 'Virtual Servers' page, under 'Load Balancing', the header bar in the details pane moves off the page if you scroll down.
    • The configuration difference command produces an error message: Secondary NS not found.
  • Issue ID 0300376: If you create an SSL service by modifying an existing virtual server and set some parameters in the 'Advanced' tab, the service is not created. The service is created if you do not set any advanced parameters or do not click the 'Advanced' tab.
  • Issue ID 0302742: If you use the configuration utility to bind a compression policy (for example, app_cmp) to an AppExpert application, the following error message appears: Policy 'app_cmp' cannot be inserted. It does not have expression with advanced syntax.
  • Issue ID 0303492: Creating an IP entity does not update the table that displays information about the configured IP addresses.
  • Issue ID 0303494: Cache update causes issues with removal of an IP object.
  • Issue ID 0303495: If you remove an IP object, cache-update issues cause Internet Explorer to display an unknown error.
  • Issue ID 0303504: You cannot use the numeric keypad to specify values in the following text boxes:
    • Destination IP Address, in either the 'Create SNMP Trap Destinations' or the 'Configure Trap Destinations' dialog box.
    • IP Address, in the Create SNMP Managers dialog box.
  • Issue ID 0303910: The Configuration page does not load if accessed from Internet Explorer 9 on a client machine running JRE 1.6 build 14.
  • Issue ID 0308459: In 'Enable/disable service group member' view, the 'Enable' and 'Disable' buttons are inactive when the state of a service group member is one of the following - 'GOING OUT OF SERVICE', 'DOWN WHEN GOING OUT OF SERVICE' or 'GOING OUT OF SERVICE (graceful)'.
  • Issue ID 0314258: When you modify any PBR rule from the configuration utility, the NetScaler appliance changes the APPLIED status of the PBR to NOTAPPLIED.
  • Issue ID 0323197: An HTTP monitor with extended 'respCode' range cannot be configured through the configuration utility. If it is configured through the CLI, an error occurs when it is viewed in the configuration utility.
  • Issue ID 0323890: An error occurs when a user tries to remove the monitors from a load balancing service by using the 'Remove' button in the configuration utility's Configure Service window.

Content Switching

  • Issue ID 0308757: A TCP content switching virtual server with a wildcard port fails to respond to clients with a SYN-ACK. Consequently, the content switching functionality fails for the virtual server.

DataStream

  • Issue ID 0303980: A monitor of type MSSQL becomes unavailable if you replace the existing query with a shorter query.

HTML Injection

  • Issue ID 0302088: When HTML Injection is enabled for web forms that use the 'GET' method, ES monitoring does not function properly.

Integrated Caching

  • Issue ID 0288716 (Cluster): If there is a delay in processing a cache invalidation request that originates from another cluster node, and the client sends a request before the cache invalidation request is processed on the node, the cache serves old content.

Load Balancing

  • Issue ID 89129/0248646: For non-HTTP load balancing virtual servers for which rule based persistence has been configured, the appliance does not automatically refresh the session time-out setting during a file download. Therefore, if the download is not completed before the session times out (and another request does not arrive before the session times out), the time-out setting is not refreshed, and requests that arrive during what would otherwise have been the extended time-out interval are forwarded to whatever server is selected by the configured load balancing method.

    A consequence of this behavior is failure to accelerate some Repeater Plug-in connections in a WAN optimization configuration. If a persistence session that was created for a request from a Repeater Plug-in expires before the complete response is sent to the client, the next request from the Repeater Plug-in is sent to a different Branch Repeater appliance and is therefore not accelerated. When that happens, the Branch Repeater graphical user interface indicates that the reason for the connection not being accelerated is 'Not enough room left in the TCP packet header to append unit specific options (5).'

  • Issue ID 0278377 (nCore): Cache policy labels cannot be bound to MYSQL or MSSQL virtual servers.
  • Issue ID 0285672: When using load balancing of Branch Repeaters in a cluster setup, there is no response from the server and the request hangs.
  • Issue ID 0289339: Service group members that are configured to scale automatically are not synchronized correctly with the secondary appliance in a high availability pair. The issue can lead to appliance failure during a failover event.
  • Issue ID 0304847: In the load balancing monitor structure in the XML API, the 'flags' field is now deprecated.
  • Issue ID 0305045: The WI-Extended monitor sends probes to port 80 regardless of the port number for which it is configured.
  • Issue ID 0309954: A GSLB virtual server becomes unavailable if you use the same IP address as the public IP address for both a local and a remote GSLB service, bind monitors to the services, and then bind the services to the virtual server.
  • Issue ID 0318838: A NetScaler policy or action fails if it uses a SIP expression that is based on the Contact header. For example, a rewrite action does not work if it is configured to rewrite the Contact header.

NetScaler SDX Appliance

  • Issue ID 88556/0248194: When provisioning a NetScaler instance, if you have entered invalid NetScaler settings for any of the IP address, Netmask, or Gateway parameters, you cannot modify the values for those parameters.
  • Issue ID 90586/0249864: Logon to the Management Service user interface fails after 25 days.
  • Issue ID 0289151: If you provision a NetScaler VPX instance with approximately 12288MB (12GB) of memory and then upgrade the instance, the upgrade operation fails and the following error message appears:

    ERROR: NetScaler on nCore VPX requires minimum 2 Gigabytes and 2 CPUs to start.

  • Issue ID 0310014: If you have provisioned a NetScaler VPX instance running release 9.3 on a NetScaler SDX appliance running release 10, and the instance is restarted, the existing session between the Management Service and the VPX instance expires and an error message appears if you try to modify any settings on that instance after it restarts.
  • Issue ID 0313155: NTP synchronization might fail if you add a new NTP server by using the Management Service user interface because the default contents of the ntp.conf file are not flushed.

NetScaler VPX Appliance

  • Issue ID 0302377: If you install a NetScaler VPX virtual appliance on Microsoft Server 2008 R2 by using Hyper-V Manager, or if you install a NetScaler VPX virtual appliance on VMware ESX 3.5 or 4.0, you are not prompted to specify the IP address, subnet mask, and gateway. The appliance starts with the default IP address of 192.168.100.1.

Networking

  • Issue ID 0243105: When there are ECMP routes for a prefix, for every new route addition or deletion, the NetScaler appliance withdraws all the UP routes and adds them back again to its routing table. This results in a period of time when there are no routes to the prefix.
  • Issue ID 0277297: NetScaler APIs do not display some of the attributes that are displayed in the output of 'show connectiontable -detail full' command.
  • Issue ID 0300820: When the NetScaler appliance receives an unpredicted flow of SYNs, it blocks the connect system calls used by the OSPF daemon. This delays the sending of hello packets, resulting in adjacency failure.
  • Issue ID 0302613: When an OSPF connection times out, the NetScaler appliance removes and then reapplies the router configuration. This causes an adjacency flap, which momentarily drops all the advertised routes.
  • Issue ID 0305420: If the NetScaler appliance receives traffic that hits a virtual server of type ANY, the TTL value is set to 255 only for the first packet of that traffic; for the remaining packets that belong to the same session, the TTL value remains unchanged. This also applies to fragmented packets: the TTL value is set to 255 only for the first fragment of the packet, and it is unchanged for the remaining fragments.
  • Issue ID 0311243: When a virtual server that has a listen policy bound to it receives IPv4 fragments of a request that evaluates the policy to TRUE, the NetScaler appliance becomes unresponsive while performing service lookup on the received IPv4 fragments.
  • Issue ID 0312412: The command 'sh ip ospf <1-65535> database', in the VTYSH command prompt, displays the database for all the OSPF processes instead of just for the process id specified.
  • Issue ID 0318668: A virtual server of type ANY drops the IPv6 ECHO reply if the ECHO request did not pass through the appliance and the related IPv6 to IPv4 mapping is not present on the appliance.

Platform

  • Issue ID 0275149 (nCore): On a NetScaler appliance that has LACP configured and interface speed set to AUTO, if the link speed on one of the interfaces in a channel is reduced after autonegotiation with the device at the other end, the interface is treated as DOWN by the LACP channel on the peer device. However, the NetScaler appliance does not identify the new reduced link speed and continues to treat the interface as UP.

Policy

  • Issue ID 0291487: NetScaler appliances that are running version 9.2 build 52.1 or later and that have a large number (in the hundreds) of policy bindings can experience performance issues on 'save ns config' and 'show config' operations. This can lead to interruption in services.
  • Issue ID 0291975: The SYS.VSERVER('<vserver_name>').THROUGHPUT expression returns an incorrect throughput value.
  • Issue ID 0311268: You cannot add a rule of the form 'HTTP.REQ/RES.BODY(<num>).CONTAINS(<string2>)' if <string2> is longer than <string1>, where <string1> is the string in an already configured policy expression 'HTTP.REQ/RES.BODY(<num>).CONTAINS(<string1>)'.

    For example, the second command below might not succeed if the rule in cs_example is being evaluated for some request.

    -> add cs policy cs_example -rule 'HTTP.REQ.BODY(1000).CONTAINS("MyLengthIs12")'
    -> add cs policy cs_example_break -rule 'HTTP.REQ.BODY(1000).CONTAINS("MyLengthIsBIG15")'

Reporting

  • Issue ID 0313793: You can now include period (.), colon (,), and hyphen (-) special characters in report titles.

SNMP

  • Issue ID 0309930: The SNMP OID for vsvrCurSslVpnUsers is getting counter values only from core 0.

SSL

  • Issue ID 0316577: The SSL crypto card instrumentation is enhanced to provide more information on error status during initialization and at runtime.

Stream Analytics

  • Issue ID 0307283: NetScaler supports a maximum of 500 stream session records. Stream records beyond the maximum supported value are not tracked. The statistics command, 'stat stream identifier', displays a maximum of 500 stream records.

System

  • Issue ID 93169/0257092 (nCore): NetScaler nCore appliances now support keep-alive for TCP connections. When this feature is enabled, with the default settings, the appliance probes any TCP connection that has been idle for 15 minutes. If the appliance does not receive a response from the peer within 75 seconds, it sends a second probe. If no response to that probe is received within 75 seconds, the appliance sends a third, final probe. If no response to the final probe is received within 75 seconds, the appliance resets the connection.
    By default, this feature is disabled. In addition to enabling the feature, you can change the default values for connection idle time, number of probes to send to the peer, and the interval at which to send probes. In the CLI, use the following command to change the default settings:
    set ns tcpProfile <name> [-KA ENABLED ] [-KAconnIdleTime <positive_integer>] [-KAmaxProbes <positive_integer>] [-KAprobeInterval <positive_integer>]

    In the configuration utility, you can change the settings in the System > Profiles > TCP Profiles > Add TCP Profile or Configure TCP Profile dialog box.

  • Issue ID 0270163: When the NetScaler appliance runs processes such as gzip, the usage of the management CPU increases. Hence, high CPU usage alerts may get generated even though the packet engines are not actively processing packets.
  • Issue ID 0275501: A user can view all of the virtual servers configured on the NetScaler appliance, even though the user is bound to a command policy that has a condition for restricting the user to view only a set of virtual servers.
  • Issue ID 0285015: Request buffers larger than 24KB lead to buffer overflow and result in the web log module not working.
  • Issue ID 0302004: For load balancing virtual servers that have SOURCEIP persistence configured, client IP header insertion might fail for HTTP CONNECT requests sent to that virtual server.
  • Issue ID 0319417: A server response in which the HTTP header spans more than 16 nsbs is reset even if the 'drop invalid requests' flag is disabled.

Web Interface

  • Issue ID 86538/0246528: The following dialog boxes under 'Upload Plugins' available in the 'Web Interface' pane of the configuration utility do not work as expected:
    • Windows Client
    • Linux Client
    • Macintosh Client
  • Issue ID 0322207: In a high availability setup, delays in Apache Tomcat start-up might prevent the propagation of web interface configurations to the secondary appliance. As a result, the web interface configurations are not available when the secondary appliance becomes primary.

XML

  • Issue ID 0304314: SOAP requests that do not conform to a WSDL are not handled properly by the XML validation module.

Known Issues and Workarounds

AAA Application Traffic

  • Issue ID 0303507: NetScaler automatic domain join fails with Likewise 6.1. If you attempt to create a Kerberos authentication action, the attempt fails with the following error message:

    LsaAdJoinDomain (40041) Invalid parameter

    To work around this issue, at the NetScaler command line open a Unix shell, and then type the following command to manually join the domain:

    /opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>

    Note: You must issue this command after each reboot.
  • Issue ID 0310205: If you attempt to kill a user session by using the username parameter with either the NetScaler command line 'kill session' command or the configuration utility, the session is not terminated on either the NetScaler appliance or the client.
  • Issue ID 0327114: On a NetScaler appliance with NetScaler 10 build 69.4 nc installed, if you use the configuration utility to configure authentication on a load-balancing virtual server, the following error message appears:

    No Authentication Host specified

    The configuration utility then removes the authentication host from the configuration. This behavior occurs regardless of whether you are configuring authentication host settings on the virtual server for the first time, or modifying existing authentication host settings on the virtual server.

Access Gateway

  • Issue ID 90722/0249975: When users log on with the Access Gateway Plug-in, the 'File Transfer' tab on the Access Interface is available, but the 'File Transfer option' is not available if users right-click the Access Gateway icon in the notification area.
  • Issue ID 92543/0251596: After you configure Access Gateway to provide user connections through Citrix Receiver, when users right-click the Receiver icon in the notification area, the Log on option does not appear. Users must connect by using the Web browser or they must right-click the Receiver icon, click Preferences, and then click Plug-in status. You can also enable the log on option to appear when users right-click the Receiver icon by adding the following settings in the registry:
    • Add the Receiver key (if the key does not already exist) under the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\
      • HKEY_LOCAL_MACHINE\Software\Citrix\
    • Add the Inventory key in the following registry locations:
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
      • HKEY_CURRENT_USER\Software\Citrix\Receiver
    • In the 'Inventory key', configure the following 'REG_SZ' values:
      • VPNAddress. Provide the value as the Web address for the Access Gateway appliance; for example, https://<AccessGatewayFQDN>.
      • VPNPrompt1. Provide the value as 'UserName'.
      • VPNPrompt3. Provide the value as '*Password'.
  • Issue ID 0261547: When you enable Access Gateway as a reverse proxy and you enable basic preauthentication and post-authentication scans, as well as encryption and client choices, when users log on with the Access Gateway Plug-in, the preauthentication scan passes, but the post-authentication scan fails.
  • Issue ID 0275079: When users access applications published on XenApp, each user consumes multiple Access Gateway licenses per application. Instead, one session ID should be shared across the applications the user accesses. As a result, users exceed their allocated license count and an SSL error occurs.
  • Issue ID 0285995: If you configure Access Gateway to assign an intranet IP address to user devices that connect to Access Gateway, when users log on with the Access Gateway Plug-in, the secure DNS dynamic update does not occur and the intranet IP address is not registered with the DNS Server.
  • Issue ID 0288469: After you configure a virtual server to use the Access Gateway Plug-in for Java, when users log on with the Access Gateway Plug-in by using a browser that has a 64-bit Java Runtime Environment (JRE) installed, the plug-in fails to establish a connection.
  • Issue ID 0291264: If you create a Web Interface 5.4 site and enable authentication through Access Gateway, and you enable single sign-on with a smart card to the Web Interface that enables smart card pass-through, when users log on with the Access Gateway Plug-in, the users' desktops are not listed on the Web Interface.
  • Issue ID 0291821: If you create a Web Interface 5.4 site and enable authentication with a smart card through Access Gateway, and you configure the 'Single Sign-on Domain' on the 'Published Applications' tab using the format domainname.com instead of domainname, when users start a published application or desktop, authentication fails.
  • Issue ID 0292005: When users connect with clientless access and try to download a file larger than 1 gigabyte (GB) from the file share on the home page, as the file is downloading, if an upload is attempted, the download process fails but the upload continues.
  • Issue ID 0298971: When users log on with the Access Gateway Plug-in for Java and the Web Interface opens in Internet Explorer 9, if users do not turn on Compatibility View in Internet Explorer, when they click a published application, the following error appears: Resource shortcuts are not available.
  • Issue ID 0299515: If you configure an intranet IP address on Access Gateway, when users connect with the Access Gateway Plug-in on a computer running Windows XP Service Pack 3 and try to access a CIFS share hosted on a computer in the secure network, users receive an error that the share is inaccessible.
  • Issue ID 0300511: When users log on using clientless access and click a bookmark from the home page to open a Distributed File Share (DFS), if the target folder resides on a different computer than the computer where the domain DFS server resides, the share does not open.
  • Issue ID 0308733: If you configure Access Gateway with additional appliances in which global server load balancing (GSLB) is enabled, when users log on with the Access Gateway Plug-in, occasionally the connection times out, a time-out error appears, such as 'Your Citrix Access Gateway session timed-out and you are not connected,' and the session disconnects.
  • Issue ID 0309017: When you configure a preauthentication and post-authentication policy with an expression to scan a user device for a file, Access Gateway does not check for expression syntax. As a result, Access Gateway accepts inappropriate syntax configuration and the scan fails.
  • Issue ID 0319607: If an authentication server and Access Gateway reside in the same domain, the appliance may fail.
  • Issue ID 0319901: If you enable Integrated Caching and Web Interface on NetScaler on an Access Gateway appliance, and then change the URL for the Web Interface, Access Gateway might fail.

AppExpert

  • Issue ID 0323436: The NetScaler configuration utility can display a maximum of 4500 bound patterns of a pattern set.

Application Firewall

  • Issue ID 0284009: If sessionless URL closure is enabled, and Validate Referer Header is set to If Present, a spurious Referer header check error is generated and logged when a web form with an action URL is submitted. If blocking is enabled for the Start URL check, then requests that contain web forms with action URLs are blocked. To work around this issue, if you configure Sessionless URL Closure, set Validate Referer Header to Off.
  • Issue ID 0299940: The change profile type command does not work correctly.
    • If you try to change a profile type to Web 2.0, the profile type remains HTML.
    • If you try to change a profile type to XML, the Profile Type field disappears completely.

    When you use the configuration utility to change the profile type, the profile type is actually changed correctly, but the display is incorrect. When you use the NetScaler command line, the actual profile type is set as shown above.

  • Issue ID 0301813: When deploying a learned Cross-Site Request Forgery relaxation from the Syslog Viewer, the configuration utility does not deploy the relaxation, but displays the following error message: 'CSRF Tag validation failed'.
  • Issue ID 0302294: Learned relaxations are sometimes not removed from the review list after they have been deployed. To manually remove a learned relaxation that has already been deployed, in the Manage Learned Rules dialog box select the relaxation and then click 'Skip'.
  • Issue ID 0303044: Only QualysGuard WAS 1.0 scan reports are supported when importing signature rules. WAS 2.0 scan reports are not supported.

Cache Redirection

  • Issue ID 0287688: If you set the L2Conn parameter for a cache redirection virtual server before you finish setting up the cache redirection configuration (including the other participating entities, such as the load balancing virtual server and the services that should be bound to the load balancing virtual server), the NetScaler appliance sends clients the SYN-ACK segments that it receives from the cache or origin servers during connection establishment with those servers. Clients respond to the SYN-ACK segments with a TCP RESET. Consequently, the requests are dropped.

    Workaround: Enable the L2Conn parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.

  • Issue ID 0328353: When you use the configuration utility to bind a cache redirection policy to a cache redirection virtual server, the policy is added to the content switching (CSW) policy tab instead of cache redirection (CRD) policy tab. If you try to resolve this issue by using the CR virtual server wizard, the following error message appears: 'Please specify Target.'
  • Issue ID 0330033: Tabs for filter/compression policy bindings are not displayed for a cache redirection virtual server, and it is not possible to bind those policies to a cache redirection virtual server.
  • Issue ID 0330139: If you use the configuration utility to unset a cache virtual server for a cache redirection virtual server, the process fails and the following error message appears: invalid argument.

Configuration Utility

  • Issue ID 0251344: The time zone settings may be lost on the following upgrades:
    • From an earlier build to a later build within release 9.2 or release 9.3
    • From release 9.2 to release 9.3
    • From an earlier release to release 10

    Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.

  • Issue ID 0251463: When you click the Applications node in AppExpert, the configuration utility throws a null pointer exception. The issue occurs sporadically.
  • Issue ID 0269337: If you use the Google Chrome browser, with the toolbars installed, to access the configuration utility, the toolbars distort the views.

    Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.

  • Issue ID 0278097: In the configuration utility, if you click Application Firewall in the navigation pane, the scroll bar moves up and the subnodes of the Application Firewall node disappear. You have to scroll down to view the subnodes.
  • Issue ID 0298686: If the details pane contains too many records to display on one screen, the header row moves off the screen if you scroll down.
  • Issue ID 0300506: On the MPX 17000 platform, if you use the configuration utility to upgrade from release 9.2 build 55.5 to release 10, the appliance does not restart automatically after the upgrade.

    Workaround: Restart the appliance manually by using the command line or the configuration utility.

  • Issue ID 0303279: In the configuration utility, in the Rewrite Policies pane, clicking Add does not display the Create Rewrite Policy dialog box but disables the main configuration utility window.
  • Issue ID 0311358: The NetScaler configuration utility fails to load when accessed from Internet Explorer version 7 browser running on Windows 2003 or Windows XP.

    Workaround: Use Internet Explorer version 8 and above.

  • Issue ID 0319061: The configuration utility does not throw the 'Feature not supported' prompt when configuring the following unsupported features on a NetScaler cluster: Bridge groups, Network Bridge, VMAC6, and FIS. This issue is observed only in a cluster setup.
  • Issue ID 0322821: When the SRADV (Static Route Advertisement) mode is ON, the static routes which are not explicitly disabled for advertisement will be advertised using all the routing protocols. However, the advertised protocols column for route in the configuration utility does not show any protocol list. This issue is observed only in a cluster setup.
  • Issue ID 0322894: The configuration utility displays an inappropriate error message when adding a forwarding session that has an invalid subnet mask. This issue is observed only in a cluster setup.
  • Issue ID 0322914: When the IP is not resolved for a hostname based SNMP manager, the 'Resolved IP' column of the SNMP Manager table is shown as blank instead of 'Unresolved IP'. This issue is observed only in a cluster setup.
  • Issue ID 0323175: The configuration utility displays a negative value for the index of the data set or pattern set, when the index is set to its maximum value. The command line interface displays the correct value.
  • Issue ID 0325400: After you add a local authentication policy by using the configuration utility, the request profile field is blank. By default, the request profile must be Local. This issue is observed only in a cluster setup.
  • Issue ID 0326354: In System > Settings > Change global system settings, regardless of the base threshold value configured for surge protection, the value is displayed as 0. This issue is observed only in a cluster setup.

    Workaround: You can view the base threshold value by using the 'show ns spParams' command.

  • Issue ID 0326018: The dashboard does not display the Precision Time Protocol (PTP) counters for the cluster node. This issue is observed only in a cluster setup.

    Workaround: PTP counters can be viewed by using the 'stat cluster node' command.

  • Issue ID 0327136: The configuration utility does not allow you to set the 'Max Clients' parameter of a service to its maximum value of 4294967294. This issue is observed only in a cluster setup.

    Workaround: You can set the maximum value by using the 'set service' command.

  • Issue ID 0327551: In the configuration utility, all features appear to be enabled even when the features are disabled.
  • Issue ID 0328660: In the configuration utility, when you view the virtual server persistence sessions, a persistence type setting of DIAMETER is displayed as SOURCE IP.
  • Issue ID 0328715: In the configuration utility, the details of the monitor bound to a service do not include response codes for a monitor of type DIAMETER.
  • Issue ID 0328844: While configuring the OCSP responder through the configuration utility, the default value of the HTTP response timeout is erroneously taken as 0ms. The default value of the HTTP response timeout must be 2000ms. This issue is observed only in a cluster setup.

    Workaround: You must explicitly set the HTTP response timeout in the configuration utility.

  • Issue ID 0329154: In System > Auditing > Recent audit messages, when you set number of audit messages to be displayed to 256 (maximum allowed value), a 'Value entered is out of range' error message is displayed on clicking Refresh. This issue is observed only in a cluster setup.
  • Issue ID 0329826: If you use the configuration utility to view the license for features, warning messages are seen for the features that are licensed but not supported. This issue is observed only in a cluster setup.
  • Issue ID 0332768: On Internet Explorer 8, the configuration utility does not show the pop-up for installing the JRE plugin.
  • Issue ID 0332795: On systems that have JRE 1.6.0_24 and 1.7.0_06, the configuration utility cannot load the Java applet. Therefore, you cannot perform any operations on the configuration utility.

    Workaround: Uninstall JRE 1.6.0_24 and 1.7.0_06 and install JRE 1.6.0_31.

  • Issue ID 0332876: When you use the configuration utility to change the password of a user, the Change Password dialog box displays the encrypted password in the Password and Confirm Password fields.
  • Issue ID 0333026: On a system running the Windows 7, 64-bit operating system, the configuration utility cannot load the Java applet. Therefore, you cannot perform any operations on the configuration utility.

Cloud Gateway

  • Issue ID 0327119: When you create policy rules from the configuration utility, an error occurs and the policies are not configured.

Content Switching

  • Issue ID 0330290: You cannot use the configuration utility to bind a content switching policy to a content switching virtual server if the policy is configured with only a domain value. The bind fails, and the following error message appears: 'Priority cannot be specified for URL-based content switching policy.'
  • Issue ID 0331029: If you use the configuration utility to open a content switching virtual server that has a default policy bound to it, the process fails and the following error message appears: No Such Resource.

Documentation

  • Issue ID 0277923: The documentation for the Content Switching feature states that if a policy that is bound to a content switching virtual server evaluates to TRUE, and the policy's Goto expression specifies END, policy evaluation terminates at that policy. However, the documentation does not mention that, if the content switching virtual server has a default virtual server, the request is forwarded to the default load balancing virtual server when policy evaluation is terminated.

Domain Name System

  • Issue ID 0291053: Under the following sequence of events, the NetScaler appliance sends the client a cached NXDOMAIN response instead of the IP addresses that are configured in the DNS action for response rewrite:
    1. A security-aware name server sends the appliance a DNSSEC-enabled NXDOMAIN response for a non-existent domain. The appliance, which is designed to not rewrite DNSSEC-enabled responses, relays the negative response to the client without modifying it. The appliance also caches the response.
    2. A client sends the appliance a request for the same domain, but it does not set the DNSSEC OK EDNS header bit.

    This behavior is expected, and ensures that security-aware and security-oblivious clients receive the same response.

  • Issue ID 0301348: Even though the NetScaler user interface allows you to create DNS policy labels, the DNS policy label functionality is not supported in this release.

Global Server Load Balancing

  • Issue IDs 0287825 and 0287827: If the master node and slave node in a Global Server Load Balancing (GSLB) configuration are running different NetScaler releases, the site synchronization process fails when the master node is collecting GSLB configuration information from the slave node. The issue is specific to NetScaler releases 9.2, 9.3, and 10. The issue occurs if one node (either the master or the slave) is running NetScaler release 10 and the other node is running NetScaler release 9.2 or 9.3.
  • Issue ID 0324486: When creating a local GSLB site in the NetScaler configuration utility, if you set the Trigger Monitors option to MEPDOWN, the GSLB site does not appear in the details pane until after you click Refresh.
  • Issue ID 0326001: If a GSLB virtual server's primary and backup GSLB methods are both set to round trip time (RTT) or static proximity and source IP persistence is enabled, when the primary GSLB method fails, the backup GSLB method also fails.

    Workaround: If you use RTT or static proximity as the primary GSLB method, do not use the same method as the backup GSLB method.

  • Issue ID 0328911: When configuring monitoring for a GSLB service by using the NetScaler configuration utility, if you include monitors that cannot be used with GSLB services (for example, ARP monitors) along with monitors that can be used with GSLB services (for example, TCP monitors), the configuration utility displays an error message for the invalid monitor bindings, but the valid bindings succeed. When you unbind an invalid monitor from the service, the message 'Error' is displayed. No further information is provided in the message.

Load Balancing

  • Issue ID 0248750: NetScaler now supports dynamic selection of a load balancing virtual server. The load balancing virtual server is identified at run time by using an expression in the content switching action.
  • Issue ID 90395/0249705: If the rule that is used for creating rule based persistence sessions is a compound expression, the 'show lb persistentSessions' CLI command displays an internal representation of the persistence parameter instead of the actual persistence parameter.
  • Issue ID 90875/0250110: On a TCP load balancing virtual server, if persistence is defined with the rule 'client.tcp.payload(n)', and a request is received in multiple parts such that there is a delay between the parts and a FIN is sent from client before the expected number of bytes (n), the NetScaler appliance creates an undesired session with the received number of bytes (which is less than n).
  • Issue ID 91711/0250846: If the string (or 'token') that is used for creating rule based persistence sessions for load balancing virtual servers is larger than 64 KB, the NetScaler appliance fails to create persistence sessions. For example, the appliance fails to create persistence sessions with the rule CLIENT.TCP.PAYLOAD(70000) because the token that is used is larger than 64 KB. However, the appliance creates persistence sessions successfully with a rule such as CLIENT.TCP.PAYLOAD(70000).BEFORE_STR('string2').AFTER_STR('string1') if the string that is enclosed by 'string1' and 'string2' is not larger than 64 KB.
  • Issue ID 94405/0258207: If you specify a persistence rule for a load balancing virtual server without specifying a persistence type or setting the load balancing method to TOKEN, the NetScaler appliance discards the rule without checking its validity. This behavior is by design.
  • Issue ID 0324061: When you configure a SIP-UDP load balancing virtual server by using the NetScaler command-line interface, the default setting for persistence type is CALLID. However, when you use the configuration utility to configure a SIP-UDP virtual server, the default setting for persistence type is NONE.
  • Issue ID 0330276: The virtual router IDs (VRIDs) that are configured on the NetScaler appliance are not available in the Virtual Router ID list in the Create IP and Configure IP dialog boxes (Network > IPs > Add/Open). Consequently, you cannot use the configuration utility to bind a VRID to a virtual server.

NetScaler SDX Appliance

  • Issue ID 0261232: If you set the date on the Management Service to an earlier date, the inventory and stats are not updated in the Management Service user interface.

    Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type: #/etc/rc.d/svmd restart

Networking

  • Issue ID 0276933: When you change the next hop parameter of a PBR for IPv4 traffic, the new hop is taken into account even if you have not applied the PBRs.
  • Issue ID 0299716: In a cluster setup, the 'bind vlan' command throws an error when interface and IP address are specified together.

    Workaround: Bind the interface and IP address individually, by using separate 'bind vlan' commands.

  • Issue ID 0316144: In a cluster setup, the Precision Time Protocol (PTP) time across cluster nodes is not synchronized when PTP packets are dropped because of the backplane switch or if the physical resources are over-committed in a virtual environment.
    Workaround:
    • Disable PTP using the command 'set ptp -state disable' and configure NTP to synchronize the time across the cluster nodes.
    • If the backplane switch is similar to the Extreme switch, prevent the multicast PTP packets from reaching the CPU by using the following command (this might prevent some relevant features, such as routing, from working):

      ipmcforwarding to-cpu off ports 41-48 <backplane-interfaces>

Rewrite

  • Issue ID 0305831: The man pages for add and set rewrite action do not include xpath_html (xp<delimiter>xpath expression<delimiter>) as a search expression.

SSL

  • Issue ID 74279/0236509: The cipher TLS1-EXP1024-DES-CBC-SHA is not supported by the NetScaler appliance.
  • Issue ID 0327173: The ciphers bound to an SSL virtual server are not displayed in the configuration utility.

System

  • Issue ID 0325665: An unrelated error code is displayed on executing the 'set filter prebodyinjection/postbodyinjection' commands.
  • Issue ID 0327118: In the configuration utility, the minimum and maximum values allowed for the number of audit messages are incorrect. The maximum and minimum values displayed are 255 and 0, but the correct values are 256 and 1.

Web Interface

  • Issue ID 0306731: If the Rewrite feature is not enabled, the Enable access through receiver client option for a Web Interface (WI) site does not work. This is because the functionality of the option depends on some rewrite policies on the appliance.
  • Issue ID 0315502: The Configuration Utility displays an error message when you try to disable the Web Interface feature.
  • Issue ID 0315951: If the Responder feature is not enabled, the Make Site Path Case Insensitive option for a Web Interface (WI) site does not work. This is because the functionality of the option depends on some Responder policies on the appliance.

    Workaround: Enable the Responder feature before you select the Make Site Path Case Insensitive option for a WI site.

  • Issue ID 0324373: In the Web Interface (WI) configuration wizard, for a WI site in gateway direct mode, the state of the Enable Access through Receiver Client option is shown selected even when there are no rewrite policies bound to the selected Access Gateway virtual server.
  • Issue ID 0331904: In the Web Interface (WI) configuration wizard, the Enable Access through Receiver Client option remains selected even when you try to clear the option.