This document describes the changes, fixed issues, and known issues in the maintenance releases of the Citrix® NetScaler®, Citrix® NetScaler® SDX, and Citrix® Access Gateway® software.
Release version: Citrix® NetScaler®, version 10 build 73.5
Replaces build: None
Release date: January 2013
Release notes version: 2.0
Language supported: English (US)
To create a new administrator profile, log on to the Management Service and, on the Configuration tab, navigate to NetScaler > Admin Profiles. In the details pane, click Add. In the Create NetScaler Admin Profile dialog box, type the new profile name and password. Then navigate to NetScaler > Instances and select the instance to which you want to bind the new profile. Click Modify to open the Modify NetScaler wizard and, from the Admin Profile list, select the new profile. You do not need to restart the instance for this change to take effect.
You can also lose connectivity to XenServer by changing the password on XenServer instead of from the Management Service. To restore connectivity, you can now change the password for XenServer from the Management Service.
To change the password, log on to the Management Service and, on the Configuration tab, navigate to System > Users. Select the nsroot user, and then click Modify. In the Modify System User dialog box, type the same password that you specified when you were logged directly on to XenServer.
For a load balancing virtual server with L2 Conn enabled, when the l2connMethod parameter of the set l4 parameter command is set to Channel, Vlan, or VlanChannel, a client MAC address change no longer causes the NetScaler appliance to create a new session entry. Instead, the appliance updates the existing session entry with the new MAC address. This update resolves issues (especially with MBF) that were caused by the appliance using the old session entry instead of the new one.
LsaAdJoinDomain (40041) Invalid parameter
To work around this issue, at the NetScaler command line open a Unix shell, and then type the following command to manually join the domain:
/opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>
Workaround: Enable the L2Conn parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.
Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.
Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.
Workaround: You must use the 'show nd6' command to view the neighbors node-wise.
Workaround: Use the <CTRL key> shortcut keys if the <CMD key> shortcut keys are not working, and vice versa. For example, if the <CTRL C> shortcut key is not working, use <CMD C>, and vice versa.
Workaround: Click 'Edit' to display the details.
Workaround: Make sure that at least one JRE is present and enabled under the Java Runtime Environment Settings, in the Java console, on the Java tab.
Workaround: Change to the standard view, in the Compatibility View Settings dialog box, by clearing the Display all websites in Compatibility View check box.
Workaround: If you click outside and return to the browser window, you will be able to select the fields in the configuration views.
Workaround: If you use RTT as the primary GSLB method, do not use static proximity as the backup GSLB method. Similarly, if you use static proximity as the primary GSLB method, do not use RTT as the backup GSLB method.
Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type: #/etc/rc.d/svmd restart
ipmcforwarding to-cpu off ports 41-48 <backplane-interfaces>
Workaround: Copy the certkey under /nsconfig/ssl/ folder on all the cluster nodes or confirm that the certificates are synchronized before executing the add certkey command on the configuration coordinator.
Release version: Citrix® NetScaler®, version 10 build 72.5
Replaces build: None
Release date: November 2012
Release notes version: 4.0
Language supported: English (US)
You can also, for a content switching policy that uses a default syntax rule, specify the target load balancing virtual server when binding the policy to a content switching virtual server, as you would in earlier releases, without the need for a separate action. For domain-based and URL-based policies, an action is not available, and you continue to specify the name of the target load balancing virtual server when binding the policy to a content switching virtual server.
For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-map/ns-cs-basicconfig-actions-tsk.html.
LsaAdJoinDomain (40041) Invalid parameter
To work around this issue, at the NetScaler command line open a Unix shell, and then type the following command to manually join the domain:
/opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>
In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as 'REG_SZ':
Workaround: Disable Chrome PDF and install the Adobe Acrobat Reader plugin for Chrome.
Workaround: Enable the L2Conn parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.
Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.
Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.
Workaround: You must use the 'show nd6' command to view the neighbors node-wise.
Workaround: You can view the queue depth of the policy by using the 'show pq policy' command on the command line interface.
Workaround: Use the <CTRL key> shortcut keys if the <CMD key> shortcut keys are not working, and vice versa. For example, if the <CTRL C> shortcut key is not working, use <CMD C>, and vice versa.
Workaround: Click 'Edit' to display the details.
Workaround: Make sure that at least one JRE is present and enabled under the Java Runtime Environment Settings, in the Java console, on the Java tab.
Workaround: Change to the standard view, in the Compatibility View Settings dialog box, by clearing the Display all websites in Compatibility View check box.
Workaround: If you click outside and return to the browser window, you will be able to select the fields in the configuration views.
Workaround: If you use RTT as the primary GSLB method, do not use static proximity as the backup GSLB method. Similarly, if you use static proximity as the primary GSLB method, do not use RTT as the backup GSLB method.
Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type: #/etc/rc.d/svmd restart
ipmcforwarding to-cpu off ports 41-48 <backplane-interfaces>
Workaround: Copy the certkey under /nsconfig/ssl/ folder on all the cluster nodes or confirm that the certificates are synchronized before executing the add certkey command on the configuration coordinator.
Release version: Citrix® NetScaler® release 10 build 71.6
Replaces build: None
Release date: October 2012
Release notes version: 1.0
Language supported: English (US)
LsaAdJoinDomain (40041) Invalid parameter
To work around this issue, at the NetScaler command line open a Unix shell, and then type the following command to manually join the domain:
/opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>
In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as 'REG_SZ':
Workaround: Enable the 'L2Conn' parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.
Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.
Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.
Workaround: You must use the 'show nd6' command to view the neighbors node-wise.
Workaround: You can view the queue depth of the policy by using the 'show pq policy' command on the command line interface.
Workaround: Use the <CTRL key> shortcut keys if the <CMD key> shortcut keys are not working, and vice versa. For example, if the <CTRL C> shortcut key is not working, use <CMD C>, and vice versa.
Workaround: Click 'Edit' to display the details.
Workaround: Use the command line interface to remove the policy or action.
Workaround: Make sure that at least one JRE is present and enabled under the Java Runtime Environment Settings, in the Java console, on the Java tab.
Workaround: Change to the standard view, in the Compatibility View Settings dialog box, by clearing the Display all websites in Compatibility View check box.
Workaround: Use the command-line interface to enable or disable NTP synchronization.
Workaround: If you use RTT as the primary GSLB method, do not use static proximity as the backup GSLB method. Similarly, if you use static proximity as the primary GSLB method, do not use RTT as the backup GSLB method.
#/etc/rc.d/svmd restart
ipmcforwarding to-cpu off ports 41-48 <backplane-interfaces>
Workaround: Copy the certkey under /nsconfig/ssl/ folder on all the cluster nodes or confirm that the certificates are synchronized before executing the add certkey command on the configuration coordinator.
Release version: Citrix® NetScaler® release 10 build 70.7
Replaces build: None
Release date: September 2012
Release notes version: 4.0
Language supported: English (US)
No Authentication Host specified
The configuration utility then removes the authentication host from the configuration. This behavior occurs regardless of whether you are configuring authentication host settings on the virtual server for the first time, or modifying existing authentication host settings on the virtual server.
> add appflow collector <col_name> -IPAddress <IP_addr> [-netprofile {netprofile_name}]
When you use the configuration utility to change the profile type, the profile type is actually changed correctly, but the display is incorrect. When you use the NetScaler command line, the actual profile type is set as shown above.
add serviceGroup <serviceGroupName>@ <serviceType> -autoScale DNS
To configure a service group to scale automatically, using the NetScaler configuration utility, go to Load Balancing > Service Groups > Add. In the Create Service Group dialog box, on the Advanced tab, from the Auto Scale Mode list, select DNS.
sysctl netscaler.ns_vpx_halt_method=2
Perform a warm reboot for the above change to take effect.
LsaAdJoinDomain (40041) Invalid parameter
To work around this issue, at the NetScaler command line open a Unix shell, and then type the following command to manually join the domain:
/opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>
In addition, if you configure double-source authentication that requires authentication with LDAP plus RSA authentication, you need to also add the following as 'REG_SZ':
Workaround: Enable the L2Conn parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.
Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.
Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.
Workaround: You must use the 'show nd6' command to view the neighbors node-wise.
Workaround: You can view the queue depth of the policy by using the 'show pq policy' command on the command line interface.
Workaround: Select the entity and click 'Open' to display the details.
Workaround: Use the <CTRL key> shortcut keys if the <CMD key> shortcut keys are not working, and vice versa. For example, if the <CTRL C> shortcut key is not working, use <CMD C>, and vice versa.
Workaround: Refresh the page to see the renamed policy.
Workaround: Refresh the page and try again.
Workaround: Use the command line interface to remove the policy or action.
Workaround: Make sure that at least one JRE is present and enabled under the Java Runtime Environment Settings, in the Java console, on the Java tab.
Workaround: Change to the standard view, in the 'Compatibility View Settings' dialog box, by clearing the 'Display all websites in Compatibility View' check box.
Workaround: If you use RTT as the primary GSLB method, do not use static proximity as the backup GSLB method. Similarly, if you use static proximity as the primary GSLB method, do not use RTT as the backup GSLB method.
Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type: #/etc/rc.d/svmd restart
ipmcforwarding to-cpu off ports 41-48 <backplane-interfaces>
Workaround: Copy the certkey under /nsconfig/ssl/ folder on all the cluster nodes or confirm that the certificates are synchronized before executing the add certkey command on the configuration coordinator.
Release version: Citrix® NetScaler®, version 10 build 69.4
Replaces build: None
Release date: August 2012
Release notes version: 3.0
Language supported: English (US)
The NetScaler appliance now supports smart card authentication for web interface on NetScaler through Access Gateway. With this enhancement, you can configure a web interface site that users access by logging on to an Access Gateway virtual server with a smart card. To use this enhancement, you must upgrade the NetScaler to the latest build and install the new web interface tar file 'nswi-1.5.tgz'. For more information, see the 'Using Smart Card Authentication for Web Interface on NetScaler' topic in the 'Web Interface' chapter of the Citrix NetScaler Administration Guide.
While modifying a web interface site configured in Direct mode, the default value for the virtual server is now automatically populated with one of the load balancing virtual servers configured during the creation of the web interface site.
An option 'Make Site Path Case Insensitive' on the web interface wizard has been introduced. When you enable this option, the NetScaler appliance ignores case sensitivity in the site name part of the URL request for a web interface site configured on the NetScaler appliance.
The multiple policy binding feature enables you to bind a policy to multiple virtual servers or policy labels. Earlier, you could bind a policy to only a single virtual server or policy label; to reuse an existing policy, you needed to create a copy of the policy with a different name before attaching it to another virtual server. With the multiple policy binding feature, you can reuse an existing policy for multiple virtual servers.
You can now enable the state update option globally for content switching virtual servers configured on the NetScaler appliance. If a specific virtual server's local state update option is set to DISABLED, that setting is overridden by a global ENABLED setting. However, a local setting of ENABLED overrides a global setting of DISABLED for the state update option. As shown in the following table, state update is not disabled for a virtual server unless both the global and local options are set to DISABLED.
Global state update setting | Virtual server state update setting | Effective state update setting on the virtual server |
ENABLED | ENABLED | Enabled |
ENABLED | DISABLED | Enabled |
DISABLED | ENABLED | Enabled |
DISABLED | DISABLED | Disabled |
set cs parameter [-stateupdate ( ENABLED | DISABLED )]
You can now load balance Diameter traffic. The Diameter protocol is a next generation Authentication, Authorization, and Accounting (AAA) signaling protocol mainly used on mobile devices such as laptops and mobile phones. It is a peer-to-peer protocol as opposed to the traditional client-server model that is used by most other protocols. For more information, see the 'Configuring Diameter Load Balancing' topic in the 'Load Balancing' chapter of the Citrix NetScaler Traffic Management Guide.
You can now bind an IPv6 service to a load balancing virtual server with connection failover set to stateless.
In the 'Load Balancing wizard for Branch Repeater', when specifying a branch whose traffic is to be accelerated, you can specify either the primary IP address or the accelerated pair A (apA) IP address of a Branch Repeater appliance.
A supplemental software pack supports system health monitoring on the NetScaler SDX appliance for hardware and software components, disks, fan, voltage, temperature, and power supply sensors, and interfaces. For more information about this enhancement, see the 'System Health Monitoring' chapter in the Citrix NetScaler SDX Administration Guide. To install the supplemental software pack, see http://support.citrix.com/article/ctx132877.
You can now view the top 25 critical health monitoring events in the Health Monitoring gadget on the Home tab in the Management Service user interface. Select an event to view details or to delete the event.
All HTTP and HTTPS communication between the Management Service and a NetScaler VPX Instance is now through a persistent session. A session ID is associated with each VPX instance and all HTTP and HTTPS communication between the Management Service and the instance uses this session ID.
With XenServer version 6.0 and later, HTTP communication between the Management Service and XenServer is now over a persistent session. All HTTP communication between the Management Service and XenServer uses one session ID. For earlier versions of XenServer, basic authentication (user name and password) is used.
You can now configure a Simple Network Management Protocol (SNMP) agent on the Citrix NetScaler SDX appliance to generate asynchronous events, which are called traps. For more information about this enhancement, see the 'SNMP' chapter in the Citrix NetScaler SDX Administration Guide.
You can now install the NetScaler SDX supplemental packs from the Management Service without manually opening an SSH connection to XenServer. To install a supplemental pack, on the Configuration tab, in the navigation pane, expand Management Service, and then click XenServer Files. In the details pane, click 'Supplemental Packs'. You can upload the supplemental pack to the SDX appliance and also download it to create a backup on your client.
You can now track any changes to the configuration on a NetScaler VPX instance from the Management Service. To view these changes, on the configuration tab, in the navigation pane, expand NetScaler, and then click Change Management. The details pane lists the device name with IP address, date and time when it was last updated, and whether there is a difference between the saved configuration and running configuration. Select a device to view its running configuration, saved configuration, revision history of configuration changes, and difference between the configuration before and after an upgrade. You can download the configuration of a NetScaler VPX instance to your client. By default, the Management Service polls all the instances every 24 hours but you can change this interval by clicking Configure Poll Interval in the details pane.
You can now configure a tagged VLAN, without configuring an NSVLAN, at the time of provisioning a NetScaler instance. For more information about this enhancement, see the 'Provisioning NetScaler Instances' chapter in the Citrix NetScaler SDX Administration Guide.
Simplified the Cloud Bridge CLI commands for configuring IPSec Tunnel.
Added policy expressions for the 'show connectiontable' command to filter out connections of a specific content switching or load balancing virtual server.
For example: show connectiontable CONNECTION.LB_VSERVER.NAME.EQ("v1")
Simplified the configuration utility to ease the process to connect to the cloud service providers.
You can now configure the application firewall learning feature to learn from trusted clients or networks only, instead of learning from all traffic that it processes. By restricting learning to trusted clients, you can prevent attacks against your protected web sites and web services from being learned as normal use and therefore not blocked. Currently trusted learning can be configured only from the NetScaler command line.
To configure the application firewall to learn from trusted clients or networks only, first enable the trusted learning feature. Next, add your trusted clients and networks. To add a trusted client, add the client's IP. IPv4 and IPv6 IPs are both supported. You can use a prefix of /0 after the IP, but that is not necessary. To add a trusted network, add the network in CIDR format.
set appfw profile <profileName> -enabletrustedLearning (on|off)
bind appfw profile <profileName> -trustedLearningClients (<ip_addr>|<ipv6_addr>|<cidr/prefix>) -state (enabled|disabled) [-comment <comment>]
For <profileName>, substitute the name of the application firewall profile that you want to associate with these trusted learning settings. If you want to add a trusted client or network to the configuration but not configure the application firewall to learn from it yet, set state to disabled. You can add an optional comment to document which client or network you added and why.
set appfw profile TestProfile -enabletrustedLearning on
bind appfw profile TestProfile -trustedLearningClients 10.178.16.34 -state enabled -comment "Trusted client"
bind appfw profile TestProfile -trustedLearningClients 10.102.30.0/24 -state enabled -comment "Trusted network"
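To review which sources feed learning under the trusted learning settings described above, the following added example (not Citrix code and not part of the original release notes) parses constructed configuration lines in the syntax shown above and reports whether a given client address would be learned from. The function names, the CIDR-containment matching, and the handling of a missing -state option are assumptions of this example; it models only the trusted-client filter, not the rest of the learning feature.

```python
import ipaddress
import shlex

# Constructed sample configuration lines, modeled on the command syntax shown above.
SAMPLE_CONFIG = """\
set appfw profile TestProfile -enabletrustedLearning on
bind appfw profile TestProfile -trustedLearningClients 10.178.16.34 -state enabled -comment "Trusted client"
bind appfw profile TestProfile -trustedLearningClients 10.102.30.0/24 -state enabled -comment "Trusted network"
bind appfw profile TestProfile -trustedLearningClients 2001:db8:10::/64 -state disabled -comment "Staged, not yet active"
set appfw profile OpenProfile -enabletrustedLearning off
"""


def _options(tokens):
    """Map '-name value' pairs to a dict keyed by lower-cased option name."""
    opts = {}
    i = 0
    while i < len(tokens) - 1:
        if tokens[i].startswith("-"):
            opts[tokens[i][1:].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def parse_trusted_learning(config_text):
    """Return {profile: {"enabled": bool, "entries": [(network, active, comment)]}}."""
    profiles = {}
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # keeps a quoted -comment value as one token
        if len(tokens) < 4 or [t.lower() for t in tokens[1:3]] != ["appfw", "profile"]:
            continue
        verb, name = tokens[0].lower(), tokens[3]
        opts = _options(tokens[4:])
        prof = profiles.setdefault(name, {"enabled": False, "entries": []})
        if verb == "set" and "enabletrustedlearning" in opts:
            prof["enabled"] = opts["enabletrustedlearning"].lower() == "on"
        elif verb == "bind" and "trustedlearningclients" in opts:
            try:
                # Strict parsing: a bare IP becomes a single-host network; a value
                # with host bits set under its prefix is skipped, not guessed at.
                net = ipaddress.ip_network(opts["trustedlearningclients"])
            except ValueError:
                continue
            # Assumption: the syntax lists -state as mandatory, so an entry
            # without it is treated as inactive here.
            active = opts.get("state", "").lower() == "enabled"
            prof["entries"].append((net, active, opts.get("comment", "")))
    return profiles


def learns_from(profiles, profile_name, client_ip):
    """True if traffic from client_ip would be considered for learning."""
    prof = profiles[profile_name]
    if not prof["enabled"]:
        return True  # trusted learning off: all processed traffic is learned from
    addr = ipaddress.ip_address(client_ip)
    return any(
        active and addr.version == net.version and addr in net
        for net, active, _ in prof["entries"]
    )


if __name__ == "__main__":
    parsed = parse_trusted_learning(SAMPLE_CONFIG)
    for ip in ("10.178.16.34", "10.102.30.77", "10.102.31.1", "2001:db8:10::5"):
        print(ip, learns_from(parsed, "TestProfile", ip))
```

Entries bound with -state disabled are kept in the parsed result but never match, which mirrors staging a client or network before the application firewall learns from it.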
If you configure a TACACS+ server for authentication, when users without the appropriate permissions enter a command, the command does not execute, but the command is recorded in an accounting log. A new configuration parameter corrects this behavior.
For the 'bind cs vserver' command, the 'targetVserver' parameter is now deprecated. If you attempt to set the parameter, the following warning appears: “Warning: Argument deprecated [targetVserver].”
This release introduces the 'lbvserver' parameter, for binding the default load balancing virtual server to the content switching virtual server, and the 'targetLBVserver' parameter, for binding other load balancing virtual servers through content switching policies.
In the NetScaler configuration utility, there are no changes in how you bind a default load balancing virtual server or a load balancing virtual server that is not the default.
bind cs vserver <csvservername> -lbvserver <targetVservername>
bind cs vserver <csvservername> -policyName <policyname> [-priority <positive_integer>] -targetLBVserver <targetVservername>
archive appfw profile -comment "<string>"
For <string>, substitute the comment.
add lb vserver sipvip1 SIP_UDP 10.102.27.68 5060 -persistenceType RULE -lbMethod CALLIDHASH -rule sip.req.method -cltTimeout 120
The new Save Configuration option specifies that all participating nodes automatically save their configurations after synchronization. The master saves its configuration immediately before synchronization begins. Slave nodes save their configurations after the synchronization process is complete. A slave node saves its configuration only if it is successfully updated to match the master node's configuration. If synchronization fails on a slave node, you must manually investigate the cause of the failure and take corrective action.
To specify the option when using the NetScaler configuration utility to synchronize GSLB configurations, select the Save Configuration check box in the Save GSLB Configuration dialog box. If using the CLI, specify the saveConfig option for the sync gslb config command. The saveConfig option is mutually exclusive with the command's preview option.
Support for SAML IDP- and SP-initiated logouts has been added to AAA-TM. An SP-initiated logout is performed when a user logs out of a AAA-TM session, but not when a user's AAA-TM session times out or when the 'kill aaa sessions' command is used. An IDP-initiated logout is performed when the IDP sends a 'clear session' request to the NetScaler appliance.
You can use the 'Search' functionality to search for NetScaler entities displayed in the details or the data pane of the NetScaler configuration utility. If you want to perform string matching operations that are more complex than the operations that you perform with the simple CONTAINS search, you can use regular expressions.
Description: TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
Description: TLSv1 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
Description: TLSv1 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
Description: TLSv1 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
Description: TLSv1 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
Description: TLSv1 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
Description: TLSv1 Kx=DH Au=None Enc=AES(128) Mac=SHA1
Description: TLSv1 Kx=DH Au=None Enc=AES(256) Mac=SHA1
To view the details for a given global bind point, you can specify the bind point as the argument to the 'type' parameter. When you specify a global bind point, the command displays all the policies that are bound to the bind point, along with their priorities and Goto expressions. Classic policy bindings are not displayed if you specify a global bind point.
Example:
> sh cmp global -type RES_DEFAULT
Advanced Policies:
show tm sessionaction <profileName>
You can fix the persistency settings for any AAA-TM profile that is affected by this issue by typing the following command at the NetScaler command line:
set tm sessionAction <profileName> -persistentCookie ENABLED -persistentCookieValidity <positive_integer>
For <positive_integer>, substitute the number of minutes that the persistency cookie is to remain valid. Then, use the 'show tm sessionaction' command to verify your changes.
set appfw profile -comment "<string>"
For <string>, substitute the comment.
A consequence of this behavior is failure to accelerate some Repeater Plug-in connections in a WAN optimization configuration. If a persistence session that was created for a request from a Repeater Plug-in expires before the complete response is sent to the client, the next request from the Repeater Plug-in is sent to a different Branch Repeater appliance and is therefore not accelerated. When that happens, the Branch Repeater graphical user interface indicates that the reason for the connection not being accelerated is 'Not enough room left in the TCP packet header to append unit specific options (5).'
ERROR: NetScaler on nCore VPX requires minimum 2 Gigabytes and 2 CPUs to start.
For example, the second command below might not succeed if a request exists for which evaluation of the rule in cs_example is still in progress.
-> add cs policy cs_example -rule 'HTTP.REQ.BODY(1000).CONTAINS("MyLengthIs12")'
-> add cs policy cs_example_break -rule 'HTTP.REQ.BODY(1000).CONTAINS("MyLengthIsBIG15")'
set ns tcpProfile <name> [-KA ENABLED] [-KAconnIdleTime <positive_integer>] [-KAmaxProbes <positive_integer>] [-KAprobeInterval <positive_integer>]
In the configuration utility, you can change the settings in the System > Profiles > TCP Profiles > Add TCP Profile or Configure TCP Profile dialog box.
LsaAdJoinDomain (40041) Invalid parameter
To work around this issue, at the NetScaler command line open a Unix shell, and then type the following command to manually join the domain:
/opt/likewise/bin/domainjoin-cli join <DOMAINNAME> <DomainUserName>
No Authentication Host specified
The configuration utility then removes the authentication host from the configuration. This behavior occurs regardless of whether you are configuring authentication host settings on the virtual server for the first time, or modifying existing authentication host settings on the virtual server.
When you use the configuration utility to change the profile type, the profile type is actually changed correctly, but the display is incorrect. When you use the NetScaler command line, the actual profile type is set as shown above.
Workaround: Enable the L2Conn parameter for the cache redirection virtual server after you finish setting up the cache redirection configuration.
Workaround: Delete the time zone from the configuration (ns.conf), upgrade to the target build or release, and then reconfigure the time zone.
Workaround: Hide the toolbars in Chrome browser when you access the configuration utility.
Workaround: Restart the appliance manually by using the command line or the configuration utility.
Workaround: Use Internet Explorer version 8 and above.
Workaround: You can view the base threshold value by using the 'show ns spParams' command.
Workaround: PTP counters can be viewed by using the 'stat cluster node' command.
Workaround: You can set the maximum value by using the “set service” command.
Workaround: You must explicitly set the HTTP response timeout in the configuration utility.
Workaround: Uninstall JRE 1.6.0_24 and 1.7.0_06 and install JRE 1.6.0_31.
This behavior is expected, and ensures that security-aware and security-oblivious clients receive the same response.
Workaround: If you use RTT or static proximity as the primary GSLB method, do not use the same method as the backup GSLB method.
Workaround: Log on to the Management Service by using an SSH client, such as PuTTY. At the shell prompt, type: #/etc/rc.d/svmd restart
Workaround: Bind the interface and IP address individually, by using separate 'bind vlan' commands.
ipmcforwarding to-cpu off ports 41-48 <backplane-interfaces>
Workaround: Enable the Responder feature before you select the Make Site Path Case Insensitive option for a WI site.