Release Notes for NetScaler 10.1 Maintenance Releases

This document describes the enhancements, fixed issues, and known issues in the maintenance releases of Citrix NetScaler, Citrix NetScaler SDX, and Citrix NetScaler Insight Center.

Note:

Build 123.9

Release version: Citrix NetScaler, version 10.1 build 123.9

Replaces build: None

Release date: January 2014

Release notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Support for ICA session timeout value in NetScaler Insight Center

  • ENH ID 0431957: You can now configure the ICA session timeout value for inactive sessions on the configuration tab of the NetScaler Insight Center.

CloudBridge Reports in HDX Insight

  • ENH ID 0432702: HDX Insight reports now include details about CloudBridge in an ICA session path.

NetScaler MPX 22040/22060/22080/22100/22120 Platform

  • ENH ID 0311561: The MPX 22040/22060/22080/22100/22120 platform now supports NetScaler release 10.1 build 123.x.

LCD Enhancement on the NetScaler MPX Appliance

  • ENH ID 0430690: If an LCD hardware failure is detected on a NetScaler MPX appliance, the appliance restarts. With this enhancement, the LCD application gracefully exits without restarting the appliance.

Bug Fixes

AppFlow

  • Issue ID 0430960: The NetScaler fails to respond if appflow logging is disabled on a VPN virtual server when ICA traffic flows through the NetScaler.

Application Firewall

  • Issue ID 0407347: By default, the application firewall's SQL Injection signatures patterns and security checks do not prevent SQL injection attacks that use the percent (%) or underscore (_) characters.
  • Issue ID 0423861: On a NetScaler MPX5500 appliance that has the application firewall enabled, and has logging enabled for at least one signature or security check, when that logging action is triggered the appliance might hang or crash.
  • Issue ID 0427717: If memory utilization is high on a NetScaler appliance that has the application firewall enabled and configured, URL redirect might fail, causing the appliance to crash.
  • Issue ID 0427857: The application firewall currently miscalculates memory limits on 12 GB, 2 vCPU NetScaler appliances. For example, when the appliance has 2 GB of memory available, the application firewall shows only 600 MB of available memory.
  • Issue IDs 0432276 and 0433057: The application firewall blocks XML requests that have empty bodies (zero content length), which causes autodiscover and other features that use such requests to fail.
  • Issue ID 0516714: If the NetScaler appliance sends a large amount of input data to the application firewall in a short time, the appliance can become unresponsive or fail. The appliance now sends input data in batches limited to sizes that do not cause this problem.

Configuration Utility

  • Issue ID 0382199: The comparison between the source IP address of the incoming packets and the configured NetScaler host-name address is unsuccessful because of an endian mismatch.
  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.
  • Issue ID 0419409: If you navigate to Traffic Management > Load Balancing > Virtual Servers and click SSL Settings under the SSL Parameter tab on the Create Virtual Server dialogue box, the Enable Cipher Redirect check box is enabled by default.

Content Switching

  • Issue ID 0411116: In a cluster environment, if you run the bind cs vserver command with the argument type, the NetScaler appliance incorrectly reports a difference between the running configuration and the saved configuration.
  • Issue ID 0432272: Rebinding a content switching policy to a content switching virtual server might result in memory corruption, which might cause the NetScaler appliance to fail.

DataStream

  • Issue ID 0433383: If a MySQL client sends a query larger than 16 MB, the query is split into multiple MySQL packets. Only the first MySQL packet in a query is forwarded to the server, and the remaining packets are accumulated on the appliance. After some time the window size is reduced to zero and the client cannot send any more packets to the appliance.

Domain Name Sytem

  • Issue ID 0426093 (VPX): In DNSRewrite Policy, CLIENT.IP.SRC.MATCHES_LOCATION is an incorrect expression for a response from the DNS. NetScaler does not recognize this expression and hence might crash.

Global Server Load Balancing

  • Issue ID 0413367: On a NetScaler appliance that has GSLB configured, when you remove custom location entries from the GSLB database, the appliance crashes.

ICA AppFlow

  • Issue ID 0397109: On the NetScaler Insight Center dashboard, the source IP address displayed in the application launch records is incorrect
  • Issue ID 0429280: When NetScaler Gateway is deployed in a double hop setup, the NetScaler fails while processing the packets.
  • Issue ID 0430696: The NetScaler Gateway fails if AppFlow is enabled or disabled during ICA connections. The NetScaler Gateway might also fail if the NetScaler appliance receives an ICA parsing error.
  • Issue ID 0432039: During an ICA handshake, the version-length value that Mac receiver sends in UNICODE format is parsed incorrectly.
  • Issue ID 0433180: The NetScaler Insight Center dashboard displays incorrect Init Program and Client Version values for MAC or HTML receivers on different platforms.
  • Issue ID 0433511: The HDX Insight console displays unnecessary ICA user-session information and console messages.

Load Balancing

  • Issue ID 0398274: If you have configured a DNS auto-scaling service group and run the show server <server name> command to display the details of the server bound to this service group, the following incorrect entries appear:
    • an extra entity with an IP address 0.0.0.0
    • mode as POLICY
    • state as DOWN
  • Issue ID 0402996: The NetScaler appliance might fail while processing an NX domain message if you have configured an autoscaling service group on the appliance.
  • Issue ID 0406467: If you bind a content switching (CS) policy to a CS virtual server, specify a load balancing (LB) virtual server as the target virtual server, and then view the LB virtual server details in the configuration utility, the CS virtual server bindings incorrectly appear in the cache redirection virtual server section. However, if you use the command line to view the details of the virtual server (show lb vserver), the details appear in the correct section.
  • Issue ID 0410365: If you use NITRO to display the details of the load balancing monitors configured on a NetScaler appliance, the output for non-HTTP type monitors incorrectly displays a response code, user name, and password. These attributes are not applicable to non-HTTP type monitors.
  • Issue IDs 0418698 and 0431925: If you configure persistence on a virtual server that is configured for link load balancing, the NetScaler appliance might fail.
  • Issue ID 0422821: If you have configured an autoscaling service group on the NetScaler appliance, the states of some of these services are not updated, because command numbers are not updated. For example, a service state might appear as UP although the monitor has marked it as DOWN.
  • Issue ID 0429445: The NetScaler appliance fails under the following sequence of events:
    1. An IPv6 domain based service and an IPv6 address based service are configured on the appliance.
    2. Both the services are bound to a load balancing virtual server.
    3. The domain based service is UP when the address based service enters the UP state.
  • Issue ID 0438169: If you create a service of type SSL_BRIDGE and enable client IP address (CIP) on the service, the NetScaler appliance inserts an HTTP header with the client's IP address as its value. In an SSL_BRIDGE topology, you must not insert a header. With this fix, the appliance throws a warning and removes the CIP option for an SSL_BRIDGE service while saving the configuration.

Load Balancing/AAA-TM

  • Issue ID 0431917: On a NetScaler appliance that has the load balancing and AAA-TM features enabled, and that protects an application that uses 401 Basic authentication, if a client authenticates with a browser that does not support cookies, the appliance might experience repeated crashes or (for HA setups) repeated failovers. The cause is that the appliance does not receive the expected traffic management cookie, fails to reconnect to the existing session, and instead creates a new sesson each time the client connects to a protected resource. If a large number of authentication requests is sent within a short period of time, the abandoned sessions do not expire quickly enough and can therefore consume available memory.
  • Issue ID 0437407: On a NetScaler appliance that has the load balancing and AAA-TM features enabled, a request that contains an extraneous space in the URL might cause the appliance to crash. This issue occurs only with unauthenticated connections; the appliance processes the same request correctly over authenticated connections.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

NetScaler Insight Center

  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0424610: On the dashboard, the table that appears when you navigate to HDX Insight > Gateways might display a blank desktop name.
  • Issue ID 0439992: The HDX Insight dashboard displays the host delay as server side server-side NetScaler delay.

NetScaler SDX Appliance

  • Issue ID 0262505: When viewing the built-in or custom reports on the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: NO DATA TO CHART.
  • Issue ID 0424630: If you create an LACP channel with more than 8 member interfaces, or a static channel with more that 16 member interfaces, the following error message appears: "Channel Interface String Length: 185 is greater than maximum allowed length:128".
  • Issue ID 0430449: Even after you configure a short message service (SMS) server, you do not receive an SMS message when an alert is generated.
  • Issue ID 0431243: If a management channel exists on a NetScaler instance, you cannot trace the route of a packet from the Management Service to a NetScaler instance.
  • Issue ID 0431463: If you apply a license after modifying the SVM host name, the license application might fail.
  • Issue ID 0433054: Deletion of a management channel from the Management Service might not always succeed.

Networking

  • Issue ID 0408693: If you have configured more than ten ICMP extended ACLs, high CPU spikes might occur when you run the "apply ns acls" command either by using the configuration utility or the NetScaler command line.
  • Issue ID 0424243: If you have configured an extended ACL without specifying the optional parameter "source IP address", high CPU spikes might occur when you run the "apply ns acls" command either by using the configuration utility or the NetScaler command line.
  • Issue ID 0428819: If you have configured a TFTP load balancing virtual server with persistency option enabled, the NetScaler appliance might become unresponsive when the virtual server receives some traffic.
  • Issue ID 0431652: The NetScaler appliance might become unresponsive when traffic from a TFTP server matches a RNAT rule configured on the appliance.
  • Issue ID 0435697: When you reset a member interface of a LACP channel, Tx stalls might increment continuously.

Platform

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported.
  • Issue ID 0428562: NetScaler does not display the correct daylight savings time for Israel.
  • Issue ID 0432687: On the MPX 22040/22060/22080/22100/22120 appliance, if the 10G ports are not populated, the appliance takes about 20 minutes to finish the restart process.

NetScaler SDX Appliance

  • Issue ID 0434738: A NetScaler SDX appliance intermittently stops processing traffic on interfaces that are part of an LACP link aggregation interface that is transmitting a small abount of traffic.
  • Issue ID 0430097: Descriptors in the NetScaler SDX SNMP MIB file include underscore characters, which are invalid. Only alphanumeric characters are supported.

SNMP

  • Issue ID 0435520: Net-SNMP does not handle the endOfMibView condition properly if the value of max-repetition is set to zero, which leads to memory allocation failure, and SNMPD fails to respond.

SSL

  • Issue ID 0431919: If a client sends a certain type of malformed message, which can make uninitialized resources available for subsequent handshakes, an SSL handshake that uses one of those resources causes a memory leak.
  • Issue ID 0432375: If the SSL handshake uses the TLSv1.1 or TLSv1.2 protocol and you have bound an RC4 cipher to the SSL virtual server, downloading a large file might take an unusually long time.
  • Issue ID 0434737: If you create a certificate revocation list (CRL), enable refresh, and specify the method as HTTP or LDAP, CRL refresh does not happen.

System

  • Issue ID 0382647: The stat system -detail command does not display the number of CPUs.
  • Issue IDs 0411627, 0430646, and 0430652: On the System > Diagnostics page, when you select Saved v/s running, the configuration utility displays a difference between the running and saved configurations, even if there is no difference.
  • Issue ID 0418028: The nsnetsvc process size increases when the stat command is executed.
  • Issue ID 0432612: The NetScaler appliance forwards unprocessed packets to the load balancing virtual servers without selecting a service, because of an HTTP out-of-order packet processing issue. Instead of being dropped, these connections queue up at the virtual servers. The appliance fails to respond while processing these connections.

Known Issues and Workarounds

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0411152: When you use the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings makes applications and desktops unavailable when StoreFront is accessed through a VPN.

    Workaround: Do not apply the optimization settings.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

High Availability

  • Issue ID 0416573: On the secondary node of a high availability (HA) configuration, if the HA propagation and HA synchronization options are disabled and Stay secondary is enabled, you cannot disable the Stay secondary option after upgrading the node.

Integrated Caching

  • Issue ID 0440107: When there is a selector-based content group configured, the NetScaler can crash when a policy that has this content group associated to it is satisfied and when the response status is "404 Not Found".

Load Balancing

  • Issue ID 0407493: In a high availability setup, if an autoscaling service group with more than 4000 members is removed, failover occurs.
  • Issue IDs 0420827 and 0434537: If a NetScaler appliance receives a request for which a session does not already exist, the appliance creates a session and designates one of the packet engines (PEs) as the session owner. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE (for example, PE1). If such a request arrives at another PE (for example PE2), that PE (PE2) gets the information from the owner PE (PE1). Now, the cached session is present in PE2 and the owned session is present in PE1. Because of a timing issue, the information in PE1 is cleared before the cached entry in PE2. As a result, different session entries are created for the same client on PE1 and PE2.
  • Issue ID 0421411: If you rename an autoscaling service group, the NetScaler appliance might fail.

NetScaler Insight Center

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.
    Workaround: Restart the appliance by running the following command on the command line interface:
    #/etc/rc.d/analyticsd restart
  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue ID 0333555 and 346171: After you enable appflow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable Appflow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access NetScaler Insight Center appliance from XenDexktop 5.6 or XenApp 6.5 using IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> >Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX server from build 118.7 or 119.7 to 120.13 or later builds is not supported. However, upgrade from build 120.13 to later builds is supported.

    Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same .

  • Issue ID 0421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create, modify or delete an LACP channel, one of the member interfaces might temporarily stop transmitting. The NetScaler instance might intermittently show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: Log on to the Netscaler instance and execute the following command on the interface that is shown as Error-disabled: enable interface <interface_id> (eg.. enable interface 1/1)

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0396252: If you specify secure-only access on a NetScaler instance, single sign-on to that instance from the Management Service user interface is not successful.
  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.
  • Issue ID 0434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.
    Workaround: Add the following extended ACL on each of the nodes of the HA configuration:
    add acl <aclname> - srcIP <NSIP of the peer node> - protocol TCP -destport 22
    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)
    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must reboot the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0396628: With large number of configuration entries in the ns.conf file, the commands in the /nsconfig/rc.netscaler file might not be applied after the appliance is restarted.
  • Issue ID 0430071: ISIS packets are dropped at the Nexus 1000V distributed virtual switch (DVS), which has no option to enable promiscuous mode. However, this issue is not observed when the virtual machines are connected through the ESX virtual switch with promiscuous mode ON.
  • Issue ID 0430154: On the NetScaler 1000V, transmit congestion is experienced on virtual interfaces in high traffic conditions.

System/Application Firewall

  • Issue ID 0437307: On a NetScaler appliance that is not configured to use jumbo frames and that protects a server that is configured to use jumbo frames, if the application firewall is enabled and at least one profile is configured, the appliance might become unresponsive for a period of time and then reset the connection.

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later: bindservicegroup_state2 unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.

Build 122.17

Release version: Citrix NetScaler, version 10.1 build 122.17

Replaces build: None

Release date: November 2013

Release notes version: 4.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Support for NetScaler VPX Virtual Appliance on XenServer 6.2

  • ENH ID 0439509: The NetScaler VPX virtual appliance now supports XenServer version 6.2 only on a non-SDX appliance. On the NetScaler SDX appliance, only the XenServer versions available for download on www.citrix.com under NetScaler downloads are supported. XenServer 6.1.1 is the latest supported version on the NetScaler SDX appliance.

NetScaler SDX 22040/22060/22080/22100/22120 Platform

  • ENH ID 0353415: The SDX 22040/22060/22080/22100/22120 platform now supports NetScaler release 10.1 build 122.x.

RAID Controller Support on NetScaler SDX 22040/22060/22080/22100/22120 Platform

  • ENH ID 0353415: NetScaler SDX platform supports a Redundant Array of Independent Disks (RAID) controller, which can support up to eight physical disks.

QSFP+ Cable Support on NetScaler MPX Appliances

  • ENH ID 0427155: NetScaler MPX appliances now support Cisco QSFP+ cables (part number L45593-D178-C30).

Multi-interface Support for BlueCat DNS/DHCP Server Virtual Machines

  • ENH ID 0413839: Management Service now supports assigning interfaces explicitly for high availability and service along with the management for BlueCat DNS/DHCP Server virtual machines.

Percentile Icon in NetScaler Insight Center

  • ENH ID 0418196: The top-right corner of the page now displays a percentile icon, which you can click to display percentile values and the highest and lowest values for a selected metric.

New Information in HDX Insight Center reports

  • ENH ID 0392016: HDX Insight reports now include details about session reconnects, client-side retransmissions, and server-side retransmissions.

Active Sessions Reports in HDX Insight

  • ENH ID 0398322: HDX Insight now provides a report about active sessions, grouped by server IP and gateway IP address.

Customize the display of columns in NetScaler Insight Center

  • ENH ID 0423207: You can now select which columns to show in the tables in the NetScaler Insight Center graphical user interface (GUI), and you can rearrange the columns. Each user can make his or her changes persistent across his or her sessions.

Changes

NetScaler Insight Center

  • Issue ID 0409634: All the metrics except bandwidth and hits display the average values.

System

  • Issue ID 0365828: Before reusing a server connection in the reuse pool, the NetScaler appliance checks the connection's idletimeout and reusepool values, and closes the connection if either value is exceeded. The appliance also checks the reuse pool for idle connections, and closes them, more frequently than specified by the zombie timer interval.

Bug Fixes

AppFlow

Issue ID 0430591: A Nitro call used by NetScaler Insight Center to fetch the license information from a NetScaler appliance affects the performance of the appliance.

Application Firewall

  • Issue IDs 0391317 and 0423289: On a NetScaler appliance with both the application firewall and integrated caching enabled, a memory leak might occur.

  • Issue ID 0422639: On a NetScaler appliance with the application firewall enabled, web forms submitted with URL-encoded double-byte character (Chinese, Japanese, or Korean) inputs might generate a Form Field consistency check violation. The reason is that the application firewall counts bytes instead of characters when validating web form input, causing some double-byte input to exceed the form field maxlength attribute.

  • Issue IDs 0422919 and 0423289: On a NetScaler appliance with the application firewall enabled and configured, if a protected web site contains a multipart web form, a memory leak causes a small amount of memory to be consumed and not released each time the application firewall processes the web form. Repeated processing of requests and responses can gradually consume available memory.

Command Line Interface

  • Issue ID 0420596: After a user logs on to a NetScaler appliance through the CLI, the set cli mode-disabledFeatureAction NONE command is automatically executed, and the following error message appears:

    ERROR: Not authorized to execute this command.

Configuration Utility

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings creates an erroneous condition.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you created are not cleared and you cannot access the wizard again.

  • Issue ID 0426594: The NetScaler configuration utility is not compatible with JRE version 7.45.

  • Issue ID 0429652: If a SureConnect policy is bound to a virtual server and you upgrade the NetScaler appliance to version 10.1, build 120.13, the policy is not displayed when you navigate to Traffic Management > Virtual Servers > <virtual server name>.

  • Issue ID 0430094: When you navigate to System > Diagnostics and, under Utilities, click TraceRoute and Run, the utility uses the default value for Packet Length(44) and displays the error message:

    Packet length must be greater than 47.

  • Issue ID 0431045: When you use the configuration utility to add a new NetScaler IP address or subnet mask, the qwerty keyboard does not allow you to enter a value greater than 249 for the last octet.

Content Switching

  • Issue ID 0394856: If a content switching virtual server with a large number of existing connections is removed, flushing all the PCBs takes time. If any traffic destined for the virtual server is received during this time, the appliance fails.

Documentation

  • Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes.

Domain Name System

  • Issue ID 0412530: If a NetScaler appliance responds to a DNSSEC-enabled request from its cache, and this response is immediately followed by a response from the server to an earlier query that could not be addressed from the NetScaler cache, the appliance drops the response from the server instead of forwarding it. However, the memory associated with the response packet is not freed. As more such requests are received, the memory on the appliance is gradually exhausted.

High Availability

  • Issue IDs 0420089 and 0425486: The synchronization of files in an HA setup stops working after the nsinternal user is disabled.

ICA AppFlow

  • Issue ID 0417274: The NetScaler appliance fails while processing ICA traffic if you have disabled AppFlow logging on the VPN virtual server (set vpn vserver -appflowlog disable).

Load Balancing

  • Issue IDs 0393613 and 0427971: If the first octet of the IP address of a service has a value of 6 (6.x.x.x), and the service is bound to a virtual server that is configured for persistence, the NetScaler appliance fails when it tries to direct a request to that service.

  • Issue IDs 0399446 and 0416718: In some cases, if you configure a domain-based IPv6 service on the NetScaler appliance, the appliance might become unresponsive.

  • Issue ID 0417630: In a high availability setup, after you upgrade the secondary node and make it the new primary, the process of file synchronization from the new secondary (old primary) node with the new primary node overwrites some of the updated data on the new primary. Specifically, the new monitoring scripts delivered as part of the upgrade on the new primary node are overwritten. As a result, the monitoring scripts might fail.

  • Issue ID 0424780: The stat servicegroup command incorrectly displays the svrttfb (server-time-to-first-byte) value as zero.

Load Balancing/AAA-TM

  • Issue ID 0426421: On a NetScaler SDX with AAA and SAML enabled and configured, occasionally the NetScaler appliance crashes and generates a core dump during SAML authentication.

  • Issue ID 0431206: On a NetScaler appliance with AAA enabled and configured, a user whose account is bound to over 100 groups might be unable to execute NetScaler commands at the command line despite having the appropriate permissions to do so. To work around this issue, do not bind a single user account to more than 99 groups.

NetScaler Insight Center

  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for the Total Application Launch count.
  • Issue ID 0399329: Even when Appflow is disabled for a virtual server, you can still clear the configurations on the NetScaler Insight Center by selecting the Clear AppFlow Configurations from the Action list.
  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.

NetScaler SDX Appliance

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

  • Issue ID 0414851: The format of the APPFW CSRF TAG syslog message is not in the expected format. As a result, Command Center displays incorrect values, under AppFirewall Recent Logs, in some fields for this type of AppFirewall syslog message.

  • Issue ID 0424588: If a NetScaler instance is created with a Management VLAN using the 0/1 or 0/2 interface, the guest VMs fail to start after provisioning, because the guest VMs use the VLAN networks instead of physical network while assigning the interface.

  • Issue ID 0420630: The SNMP responses are not as specified by the RFC 4001.

Networking

  • Issue ID 0416941: After unbinding a netprofile from a NetScaler Gateway virtual server, the netprofile cannot be removed from the NetScaler appliance.

Policies

  • Issue ID 0410624: When a filter policy is globally bound to a NetScaler, application firewall or compression or authorization policies that are bound to a content switching virtual server are not saved in the running configuration. However, these bindings are displayed when you run the show cs vserver command.

  • Issue ID 0429232: After upgrading to NetScaler 10.1, policies that were globally bound to the NetScaler are also being bound at a virtual server level.

Rewrite

  • Issue ID 0418252: On a NetScaler appliance with Rewrite enabled and configured, a newly-created Rewrite policy that is bound to a content-switching virtual server might not be saved either in the running configuration or in the saved configuration.

SNMP

  • Issue IDs 0413733, 0413871, and 0421055: SNMPD fails to respond if it receives a packet with a NULL community string.

SPDY

  • Issue IDs 0406948 and 0429211: The NetScaler appliance sometimes fails when a TCP connection is closed from a SPDY client while some streams are still active.

System

  • Issue IDs 0417793, 0421214, 0421329, and 0423099: The NetScaler appliance stops sending TCP DUP ACKs when it receives out of order packets. This might result in latency between the client and the appliance, or the appliance and the server, with reduced throughput for some traffic patterns.

  • Issue ID 0419553: When the NetScaler appliance receives invalid Selective Acknowledgment (SACK) blocks from the client, it attempts to send old data that has already been cleared. As a result, the appliance stops responding.

  • Issue ID 0420781: The NetScaler appliance does not forward the complete request to the server if the request requires more than one packet. As a result, the transaction fails.

  • Issue ID 0430176: The NetScaler appliance intermittently resets TCP connections that originate from the NetScaler FreeBSD shell and are destined for NetScaler-owned IP addresses (for example, a SNIP or VIP address). The resets affect applications such as LDAP.

SSL

  • Issue ID 0423905: If a malformed packet is received from a client, the NetScaler appliance closes the connection and releases the resources used for that connection to the common pool. In some cases, some of these resources are not cleaned before returning to the pool and a bad resource might be reused for a future request. In such cases, the SSL handshake for that future request fails.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability force failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.
  • Issue ID 0396892: Sometimes, the AppFlow exporter may not export the correct information due to which the client IP address is displayed incorrectly on the NetScaler Insight Center dashboard.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing & Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings will result in erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

    Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

High Availability

  • Issue ID 0416573: On the secondary node of a high availability (HA) configuration, if the HA propagation and HA synchronization options are disabled and Stay secondary is enabled, you cannot disable the Stay secondary option after upgrading the node.

ICA AppFlow

  • Issue ID 0433511: The console displays ICA user session information, and displaying the information can be undesirable.

    Workaround: Open the /etc/syslog.conf file and change the line *.err;kern.debug;auth.notice;mail.crit/dev/console to kern.err;kern.debug;auth.notice;mail.crit/dev/console

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

NetScaler Insight Center

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.
    Workaround: Restart the appliance by running the following command on the command line interface:
    #/etc/rc.d/analyticsd restart
  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue ID 0333555 and 346171: After you enable appflow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable Appflow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access NetScaler Insight Center appliance from XenDexktop 5.6 or XenApp 6.5 using IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> >Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.

    Workaround: Restart the NetScaler Insight Center appliance.

  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors.
  • Issue ID 0417415: If you add a NetScaler appliance to a NetScaler Insight Center setup while ICA sessions are enabled, NetScaler Insight Center does not report the existing ICA sessions. It reports only the ICA sessions initiated after the appliance is added.
  • Issue ID 0424610: On the dashboard, the table that appears when you navigate to HDX Insight > Gateways might display a blank desktop name.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX server from build 118.7 or 119.7 to 120.13 or later builds is not supported. However, upgrade from build 120.13 to later builds is supported.

    Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same .

  • Issue ID 0421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After using the Management Service to create a channel, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0396252: If you specify secure-only access on a NetScaler instance, single sign-on to that instance from the Management Service user interface is not successful.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.

  • Issue ID 0424630: If you create an LACP channel with more than 8 member interfaces, or a static channel with more that 16 member interfaces, the following error message appears: "Channel Interface String Length: 185 is greater than maximum allowed length:128".

  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.

  • Issue ID 0430449: Even after you configure a short message service (SMS) server, you do not receive an SMS message when an alert is generated.

  • Issue ID 0431243: If a management channel exists on a NetScaler instance, you cannot trace the route of a packet from the Management Service to a NetScaler instance.

  • Issue ID 0431463: If you apply a license after modifying the SVM host name, the license application might fail.

    Workaround: Reboot the Management Service after changing the host name, and then try applying the license again.

  • Issue ID 0433054: Deletion of a management channel from the Management Service might not always succeed.

    Workaround: Try deleting the management channel again from Management Service.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of the HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.

    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)
    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

    • Release 10.1 starting build 112.15 or later

    • Release 10 build 74 or later

    • Release 9.3 build 62.4 or later

    • Release 9.3.e build 59.5003.e or later

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must reboot the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0382647: The stat system -detail command does not display the number of CPUs.

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user tying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.

Build 121.10

Release version: Citrix NetScaler, version 10.1 build 121.10

Replaces build: None

Release date: October 2013

Release notes version: 4.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

NetScaler MPX 22040/22060/22080/22100/22120 Platform

  • ENH ID 0311561: NetScaler release 10.1 build 121.x is supported on the MPX 22040/22060/22080/22100/22120 platform.

Support for ECDHE Ciphers

  • ENH ID 0329257: The Citrix NetScaler MPX 22040/22060/22080/22100/22120 appliances now support the ECDHE cipher group. This group contains the following ciphers:
    • TLS1-ECDHE-RSA-RC4-SHA
    • TLS1-ECDHE-RSA-DES-CBC3-SHA
    • TLS1-ECDHE-RSA-AES128-SHA
    • TLS1-ECDHE-RSA-AES256-SHA

    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.

Kerberos SSO

  • ENH ID 0361257: The AAA-TM Kerberos functionality now supports single sign-on (SSO) with all supported authentication mechanisms. The CAC (Smart Card) and SAML SSO mechanisms are supported in all cases, regardless of the authentication method that the client uses to log onto the NetScaler appliance. The HTTP-Basic, HTTP-Digest, Forms-based, and NTLM (versions 1 and 2) SSO mechanisms are also supported if the client uses either HTTP-Basic or Forms-Based authentication to log onto the NetScaler appliance.

    You can configure Kerberos SSO to work in one of two ways: by impersonation or by delegation. To configure Kerberos SSO by impersonation, you must have the user's password or client certificate. To configure impersonation using a client certificate, the user must also have a properly-configured version of the Citrix Receiver installed on his or her personal computer. To configure Kerberos SSO by delegation, you must have the delegated user's credentials in one of the following formats: the user's password, the keytab configuration that includes an encrypted password, or the client cert and the matching CA certificate.

    To configure Kerberos SSO, first configure your NetScaler appliance to manage traffic to the web application servers that users will access through SSO. Next, configure AAA-TM for your preferred authentication method. Verify that the NetScaler appliance can communicate with your LDAP Active Directory (AD) server and your Kerberos server.

    What you do next depends on whether you want to configure Kerberos SSO by Impersonation or by Delegation. Follow the instructions in the appropriate section below.

    Configuring Kerberos SSO by Impersonation

    To configure Kerberos SSO by Impersonation, enable integrated authentication on each web application server. After you have done this, create and configure the NetScaler KCD account that will impersonate users.

    To create the KCD account for SSO by impersonation with a password

    At the NetScaler command prompt, type the following command:
    add aaa kcdaccount <accountname> -realmStr <realm>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • realm - The domain assigned to Kerberos SSO.
    Example:
    add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM

    To create the KCD account for SSO by impersonation with a client certificate

    At the NetScaler command prompt, type the following command:
    add aaa kcdAccount <accountname> -cacert <cacert>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • cacert - The full path and name of the CA certificate file on the NetScaler appliance.
    Example:
    add aaa kcdAccount kcdaccount1 -cacert <path to certificate>
    Configuring Kerberos SSO by Delegation
    To configure Kerberos SSO by Delegation, next create an account (the Kerberos Service Account, or KSA) on the AD server for the NetScaler appliance to use as the delegated user. Next, in the KSA account Properties dialog box, Delegation tab, enable the following options: "Trust this user for delegation to specified services only" and "Use any Authentication protocol." Finally, add the HTTP service and any other services that Kerberos SSO will manage to the services list, which is located on the Properties tab beneath the two settings.

    After you configure the NetScaler account on AD, enable integrated authentication on each web application server. Finally, create and configure the NetScaler KCD account that will serve as the delegated user.

    To create the KCD account for SSO by delegation with a password

    At the NetScaler command prompt, type the following commands:
    add aaa kcdaccount <accountname> -delegatedUser root -kcdPassword <password> - realmStr <realm>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • password - The password for the KCD account.
    • realm - The domain assigned to Kerberos SSO.

    Example (UPN format):

    Example (UPN format):
    add aaa kcdaccount kcdaccount1 -delegatedUser root -kcdPassword passsword1 -realmStr EXAMPLE.COM
    Example (SPN format):
    add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -kcdPassword password1

    To create the KCD account for SSO by delegation with a keytab file

    First, on the AD server, use the ktpass utility to create the appropriate keytab file. Next, use the file transfer utility of your choice to copy the keytab file from the AD server to the NetScaler appliance, and put it in /nsconfig/krb under the filename kcdvserver.keytab.

    Next, at the NetScaler command prompt, type the following command:
    add aaa kcdaccount <accountname> -keytab <keytab>
    Example:
    add aaa kcdaccount kcdaccount1 -keytab kcdvserver.keytab

    Finally, verify that the new KCD account has the proper keytab file and virtual server principle associated with it:

    To verify the KCD account on the NetScaler appliance
    sh kcdAccount <accountname>

    To create the KCD account for SSO by delegation with a client cert

    At the NetScaler command prompt, type the following commands:
    add aaa kcdaccount <accountname> -realmStr <realm> -delegatedUser <spnuser> -usercert <cert> -cacert <cacert>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • realm - The domain assigned to Kerberos SSO.
    • spnuser - The username in SPN format.
    • usercert - The full path and name of the user client certificate file on the NetScaler appliance.
    • cacert - The full path and name of the CA certificate file on the NetScaler appliance.
    Example:
    add aaa kcdaccount kcdaccount1 -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -usercert /certs/usercert -cacert /cacerts/cacert

NetScaler Insight Center Table Data Changes

  • ENH ID 0404805: NetScaler Insight Center now saves the following:

    Granular Data

    Time to purge

    7 seconds data

    6 min

    5 minutes data

    65 minutes

    Hourly data

    25 hours

    Daily data

    8 days

    Weekly data

    5 weeks

Increased Limits on the Number of Service Groups

  • ENH ID 0406355: You can now configure up to 8K (8192) service groups on a NetScaler appliance. The earlier limit was 4K (4096) service groups.

Bug Fixes

AAA Application Traffic

  • Issue ID 0418200: On a NetScaler appliance that has AAA configured with SSL certificate set to "optional" and at least one authentication policy, when Android users attempt to authenticate, the Android Receiver client generates the following error: "invalid server certificate". This error is caused by improper cookie handling by the Android Receiver client.

Application Firewall

  • Issue ID 0416714: When the NetScaler appliance sends large amounts of input data to the application firewall at once, the appliance can hang or crash. The appliance has now been programmed to send input data in batches limited to sizes that do not cause hangs or crashes to occur.

AppFlow

  • Issue ID 0418296: A newly added HTTP header prevents parsing of the HTTP request.

Command Line Interface

  • Issue ID 0379234: The show ns runningConfig command displays the current time instead of the time at which the configuration was last modified.

Configuration Utility

  • Issue IDs 0361970, 0387024, 0397473, and 0400307: When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.

  • Issue ID 0409605: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, the compression feature is not enabled on the appliance and for the service groups.

  • Issue ID 0413087: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, if you configure XenDesktop and later edit the Xen Farm settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices in not modified. Therefore, published resources of both, XenApp and XenDesktop, are displayed when accessing the Web Interface site through Receivers.

  • Issue ID 0414361: When you click the Edit link to update the configurations specified in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed when you try to apply the optimization settings.

  • Issue ID 0414760: When editing the Xen Farm settings in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.

  • Issue ID 0414807: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:

    • More than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers.
    • More than one service is bound to the service group.
  • Issue ID 0420349: Unable to access ICA connections through the graphical user interface

Global Server Load Balancing

  • Issue ID 0408374: If a configuration has a large number of GSLB services and add location file command is used to add the location database, then not all the services may be assigned a location from the database.

  • Issue ID 0421837: When GSLB vserver is configured with RTT or Static Proximity as load balancing method or SOURCEIPHASH as the persistence type, the NetScaler appliance might restart because of invalid memory access.

High Availability

  • Issue IDs 0357841 and 0408502: In an high availability configuration, for a connection to an FTP virtual server with stateful connection failover option enabled, if the FTP control connection is closed before the passive mode FTP data connection is opened, the secondary node may become unresponsive.

ICA AppFlow

  • Issue ID 0414137: NetScaler appliance might fail if AppFlow is enabled and the user tries to access a XenApp/Xendesktop farm under certain network conditions that result in split data packets.
  • Issue IDs 0423840 and 0426203: When you enable HDX Insight on a VPN server and try to launch an application from the XenApp server, the NetScaler appliance might fail as it copies the data to an invalid memory location.

Load Balancing

  • Issue ID 0409055: If you run a custom health monitoring script that does not require an argument, the NetScaler appliance sends an incorrect timeout to the script. As a result, the script continues to run for longer than expected. After some time, the maximum limit for the number of scripts allowed on the appliance is reached and new scripts cannot be run.

  • Issue ID 0417101 (MPX 9500): Oracle database monitor fills the console window with DONE and DEEP_FLD_LEN messages.

  • Issue ID 0410711: When diameter traffic hits a diameter load balancing virtual server which has persistency enabled, and that single packet contains multiple full requests and a partial request, the NetScaler fails to recognize the partial request and therefore sends the partial request to the server. This results in an invalid packet being sent to the server and the NetScaler sends 5XXX code to the client.

Monitoring

  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

Multipath TCP Support

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

  • Issue ID 0409426: The NetScaler appliances does not acknowledge the subflow FIN when it comes with the MPTCP DATA_FIN.

  • Issue ID 0412833: While using MPTCP, the NetScaler cannot adequately handle overlapping data sequence maps.

  • Issue ID 0414182: The NetScaler appliance must not send MPTCP control signals such as DATA_FIN or FAST_CLOSE when the NetScaler has already sent a subflow FIN.

  • Issue ID 0419184: While using MPTCP, the NetScaler appliance crashes when trying to free an already freed TCP session.

NetScaler Insight Center

  • Issue ID 0416889: In some cases, NetScaler Insight Center reports incorrect values for XenApp launch count.

NetScaler SDX Appliance

  • Issue ID 0413123: When you display the running configuration of a NetScaler instance in the Service Management interface, the double quotation marks (") are replaced with HTML code (;quot &).

Networking

  • Issue ID 0404849: The NetScaler appliance might restart if it receives a duplicate IPv6 fragment within a very short time after receiving the original fragment.

SNMP

  • Issue ID 0413733, 0413871, and 0421055: SNMPD fails to respond if it receives a packet with a NULL community string.

SSL

  • Issue ID 0408393: If any entity is added as part of user interactive process on command line for SSL Certificates and the operation is aborted in between using CTRL+C, then again carrying out the same operation causes the NetScaler command line to crash.

System

  • Issue IDs 0216272 and 0358540: In an high availability setup, after a forced failover, the sync operation fails to sync the -establishClientConnection parameter setting.

  • Issue IDs 0375425, 0399769, 0401111, 0408648, 0413721, and 0414273: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.

  • Issue ID 0401526: On a NetScaler appliance, an invalid HTTP range request results in a large amount of memory usage and the following error appears: "ERROR: Communication error with the packet engine."

  • Issue ID 0405532 :TCP buffering bypasses as the calculated 'usable system memory' is less than the configured threshold value.

  • Issue ID 0411613: The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.

  • Issue ID 0412681: If changes are made in the nsconfig/resolv.conf file, the appliance fails to override the default DNS configurations.

  • Issue ID 0415623: If you specify an invalid IPv4 address in a command that can accept either IPv4 or IPv6 address, the NetScaler shell exits automatically due to memory corruption.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability force failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings will result in erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

    Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers to which a listen policy is bound accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

NetScaler Insight Center

  • Issue ID 0331944: When there are no devices added in the inventory, the welcome screen is displayed for the configuration tab along with the dashboard tab which makes it unable to perform any basic configurations.
  • Issue ID 0333555 and 346171: After you enable appflow on some virtual servers, even though no error message appears, the check box does not appear in the Insight column .

    Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable Appflow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access NetScaler Insight Center appliance from XenDexktop 5.6 or XenApp 6.5 using IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> >Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.

    Workaround: Restart the NetScaler Insight Center appliance.

  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
  • Issue ID 0417415: If you add a NetScaler appliance to a NetScaler Insight Center setup while ICA sessions are enabled, NetScaler Insight Center does not report the existing ICA sessions. It reports only the ICA sessions initiated after the appliance is added.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After using the Management Service to create a channel, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

  • Issue ID 0424588: If a NetScaler instance is created with a Management VLAN using the 0/1 or 0/2 interface, the guest VMs fail to start post provisioning, because the guest VMs use the VLAN networks instead of physical network while assigning the interface.

    Workaround:
    1. Remove the NetScaler instances whose management ports are in tagged VLAN.

    2. Logon to the XenServer shell prompt and remove all the VLAN networks.

    3. Create the guest VM instances first, and then create the NetScaler instances.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.

    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)

    This change affects the following platforms:

    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

    • Release 10.1 starting build 112.15 or later

    • Release 10 build 74 or later

    • Release 9.3 build 62.4 or later

    • Release 9.3.e build 59.5003.e or later

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0382647: The stat system -detail command does not display the number of CPUs.

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue IDs 0417793, 0421214, 0421329, and 0423099: The NetScaler appliance stops sending TCP DUP ACKs when it receives out of order packets. This might result in latency between the client and the appliance, or the appliance and the server, with reduced throughput for some traffic patterns.

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user tying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later: bindservicegroup_state2 unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.


Build 120.13

Release version: Citrix NetScaler, version 10.1 build 120.13

Replaces build: None

Release date: September 2013

Release notes version: 6.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

DNS64

  • ENH ID 0318404: The NetScaler DNS64 feature responds with a synthesized DNS AAAA record to an IPv6 client sending an AAAA request for an IPv4-only domain. The DNS64 feature is used with the NAT64 feature to enable seamless communication between IPv6-only clients and IPv4-only servers. DNS64 enables discovery of the IPv4 domain by the IPV6 only clients, and NAT64 enables communication between the clients and servers.

    For synthesizing an AAAA record, the NetScaler appliance fetches a DNS A record from a DNS server. The DNS64 prefix is a 96-bit IPv6 prefix configured on the NetScaler appliance. The NetScaler appliance synthesizes the AAAA record by concatenation of the DNS64 Prefix (96 bits) and the IPv4 address (32 bits).

Setting Up NetScaler for XenApp/XenDesktop

  • ENH ID 0345912: The NetScaler now provides a wizard that simplifies the task of setting up a NetScaler appliance for a XenApp/XenDesktop deployment. For more information, see Setting Up NetScaler for XenApp/XenDesktop.

New Subnet Mask Field for the SNIP Address in the First-time Setup Wizard

  • ENH ID 0413542: The first-time setup wizard now has separate subnet mask fields for the NetScaler IP (NSIP) and subnet IP (SNIP) addresses.

Upgrade Progress

  • ENH ID 0346988: When you upgrade a NetScaler VPX instance on an SDX appliance, a new window, Upgrade Progress, shows the status of the upgrade operation, including any error messages. This feature is also available for SecureMatrixGSB and Websense Protector virtual machines.

Support for 8 Channels

  • ENH ID 0401113: The SDX SVM now allows you to configure 8 channels on a VPX instance.

Bug Fixes

AAA Application Traffic

  • Issue ID 0401000: When AAA is configured by authentication profile on a NetScaler appliance that has content switching enabled, users can use the Microsoft Internet Explorer or Mozilla Firefox browsers to log on, but might not be permitted to access all resources that they should be able to access. Users who log on using the Google Chrome browser do not experience this problem. The underlying cause was that authentication level is checked only once per connection rather than at each request.

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

Configuration Utility

  • Issue ID 0361970: When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.

Domain Name System

  • Issue ID 0401451: The NetScaler appliance, configured to function as DNS forwarder or DNS resolver, may becomes unresponsive whenever it receives UDP DNS truncated response from a name server.

Load Balancing

  • Issue ID 0390545 (nCore): A NetScaler nCore appliance uses multiple CPU cores (Packet Engines) for packet handling. Every session on the appliance is owned by a packet engine (PE). If the appliance receives a request for which a session does not already exist, a session is created, and one of the PEs is designated as the owner of that session. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE. During the time that the PE gets details about the session from the owner PE, the packet is corrupted.

  • Issue ID 0398327: You can now bind a StoreFront monitor to a service group. Each member of a service group is now monitored by using the member's IP address.

    The -hostname parameter is no longer required and is deprecated.

    To determine whether to use HTTP (the default) or HTTPS to send monitor probes, you must now use the -secure parameter. If your current StoreFront monitor configuration uses HTTP, you only have to remove the hostname parameter.

    To use HTTPS, set the -secure option to Yes.

    Example:
    add lb monitor storefront_ssl STOREFRONT -storename myStore -storefrontacctservice YES -secure yes
  • Issue ID 0409028: If you unbind a load balancing (LB) monitor from its service, all the connections to the configured destination IP address (destip) and port (destport) of the LB monitor are closed. In a typical L3 Direct Server Return (DSR) deployment mode, the destip and destport of the LB monitor are actually the IP address and port of the virtual server. Therefore, in a typical L3 DSR deployment, if you unbind an LB monitor from its service, all the existing connections to the virtual server are closed. The same behavior is observed if you delete a service.

Monitoring

  • Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, if you run the show ns runningConfig command before restarting the appliance, the monitor binding information does not appear.

Multipath TCP Support

  • Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.

  • Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP is enabled.

  • Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.

  • Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.

NetScaler Insight Center

  • Issue ID 0369664: For an Active session, data is sent to the AppFlow collector even if the policy rule is changed to FALSE when the session is active.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.
  • Issue ID 0402458: If the memory usage on the NetScaler Insight Center reaches the maximum limit, the appliance fails to respond to further memory-allocation requests by other modules and becomes unresponsive.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0402959: In certain situations, the NetScaler appliance incorrectly interprets the compression buffer size negotiation between the client and the server, and enabling AppFLow on the ICA connection causes the appliance to fail when the connection is used to launch an application or desktop. This problem most commonly occurs when a CloudBridge appliance or any WAN optimization device is placed between the client and the NetScaler appliance.
  • Issue ID 0405818/ 0405273: On the Dashboard > Users page, ICA RTT values displayed on the graph in the left panel do not match the values displayed below the graph, or there is a delay in the updating the values.
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.
  • Issue ID 0411107: In a mixed XenApp/XenDesktop server farm, if the XenApp and XenDesktop versions are older than 6.5 and 5.0 respectively, the applications fail to launch because the NetScaler appliance incorrectly parses the ICA packets.
  • Issue ID 0413016/0414140 : NetScaler appliance may fail to respond when AppFlow is enabled on the NetScaler Insight Center and the user tries to access the XenApp/XenDesktop farm.
  • Issue ID 0414844: HDX Insight does not support XenApp versions earlier than 6.5.
  • Issue ID 0415812: If a CloudBridge appliance is placed between the client and a NetScaler appliance, and AppFlow is enabled for ICA traffic, the XenApp/XenDesktop applications fail to launch and the NetScaler appliance fails.
  • Issue ID 0413657: In some situations, the NetScaler appliance fails after parsing ICA traffic incorrectly.

NetScaler SDX Appliance

  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of NetScaler instance Modify NetScaler Wizard.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.

  • Issue ID 0405115: SSL certificate installation on a NetScaler instance from the SDX Management Service fails during validation if the SSL certificate does not have an associated key file.

  • Issue ID 0405921: The SVM restore operation of NetScaler instances fail as the SVM shuts down the NetScaler instances that are still being provisioned.

  • Issue ID 0410416: After the SDX appliance restarts, NetScaler VPX instances on the appliance cannot send packets tagged with VLAN IDs through an LACP channel.

Networking

  • Issue ID 0401303: When the conditions specified in an ACL rule includes the operator !=, the NetScaler appliance may not properly filter packets based on the ACL rule.

  • Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.

  • Issue ID 0404861: If the NetScaler appliance has redundant L2 connectivity with a switch, the NetScaler appliance may mark its link-local IPv6 addresses as duplicate during the DAD (Duplicate address detection) process.

  • Issue ID 0405190: When IP fragments are received on a load balancing virtual server with client timeout parameter set to zero, the NetScaler appliance might dump core and then restart.

Platform

  • Issue ID 0409202: The NetScaler license is not processed if the configuration file (ns.conf) contains multiple instances of the host name, or if the host name in the ns.conf file is different from the host name in the rc.conf file. With this fix, if the ns.conf file contains multiple host names, only the name set by the set ns hostname command is used. Also, the host name in ns.conf no longer takes precedence over the host name in rc.conf.

Rewrite

  • Issue ID 0401455: Modifying the content with more than one callout results in incorrect computation of the content length. This issue is not observed if all the callouts use GET requests.

System

  • Issue ID 0353546: When you try to add a second name-based SNMP manager, you get an error message that says an SNMP manger with that name already exists.

  • Issue ID 0391632: The output of the stat commands specified with -fullValues option is aligned incorrectly.

  • Issue ID 0391754: On a NetScaler MPX system, the SNMP count for the system's hardware memory and the show system memory display are incorrect. The amount of memory shown is larger than the actual amount.

  • Issue ID 0401111: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.

  • Issue ID 0402677: The NetScaler appliance might fail to respond if an ICMP error occurs when TCP buffering and integrated caching are enabled on the appliance.

  • Issue ID 0407868: Remote monitoring of a high capacity appliance, such as a NetScaler MPX 22000, might indicate a drop in performance even though performance remains robust. The apparent problem is the result of a pause in the stream of monitoring data, not an actual drop in throughput.

  • Issue ID 0407974: A session is not freed when port allocation fails. The session is getting matched and the NetScaler fails when it tries to access other linked sessions which are NULL.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability force failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793 (nCore and nCore VPX): The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings will result in erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0409605: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, the compression feature is not enabled on the appliance and for the service groups.

    Workaround: Enable compression on the appliance by using the enable ns feature CMP command. Also, enable compression for the service groups by using the set servicegroup <name> -CMP on command.

  • Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0413087: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, if you configure XenDesktop and later edit the Xen Farm settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices in not modified. Therefore, published resources of both, XenApp and XenDesktop, are displayed when accessing the Web Interface site through Receivers.

  • Issue ID 0414361: When you click the Edit link to update the configurations specified in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed when you try to apply the optimization settings.

    Workaround: Edit the XenFarm section (no actual changes required), click Continue and then apply the optimization settings.

  • Issue ID 0414422: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

    Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

  • Issue ID 0414760: When editing the Xen Farm settings in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.

  • Issue ID 0414807: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:

    • More than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers.
    • More than one service is bound to the service group.
  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers to which a listen policy is bound accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

NetScaler Insight Center

  • Issue ID 0331944: When there are no devices added in the inventory, the welcome screen is displayed for the configuration tab along with the dashboard tab which makes it unable to perform any basic configurations.
  • Issue ID 0350977: When you enable Appflow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access NetScaler Insight Center appliance from XenDexktop 5.6 or XenApp 6.5 using IE8 browser:

    Object does not support this property or method.

  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.
  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> >Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.

    Workaround: Restart the NetScaler Insight Center appliance.

  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX from build 118.7 or 119.7 to 120.13 is not supported.

    Workaround: To upgrade to build 120.13, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After using the Management Service to create a channel, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

    • Release 10.1 starting build 112.15 or later

    • Release 10 build 74 or later

    • Release 9.3 build 62.4 or later

    • Release 9.3.e build 59.5003.e or later

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue ID 0411613: The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2

    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.


Build 119.7

Release version: Citrix NetScaler, version 10.1 build 119.7

Replaces build: None

Release date: July 2013

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Multipath TCP Support

  • ENH ID 0320221: NetScaler appliances now support Multipath TCP (MPTCP). MPTCP is a TCP/IP protocol extension that identifies and uses multiple paths available between hosts to maintain the TCP session. You have to enable MPTCP on a TCP profile and bind it to a virtual server. When MPTCP is enabled, the virtual server functions as an MPTCP gateway and converts MPTCP connections with the clients to TCP connections that it maintains with the servers.

    For more information, see MPTCP (Multi-Path TCP).

Call Home Proxy Mode Support

  • ENH ID 0311623: Call Home can now upload your NetScaler appliance's data to the Citrix TaaS server through a proxy server.

    For more information, see Configuring Call Home.

Custom HTTP Headers Support using Web Server Logging

  • ENH ID 0329710: The NetScaler can now export values of custom HTTP headers to the NSWL client. You can configure up to a maximum of two HTTP request header names and two HTTP response header names.

    For more information, see Exporting Custom HTTP Headers.

Backing Up and Restoring a NetScaler Appliance

Checking Content Type of Responses

  • ENH ID 0236218: When configuring the Safe Commerce (credit card) check, you can now configure the application firewall to check the MIME/type of HTTP responses and skip responses that are not of the appropriate content type for Safe Commerce filtering. You can use this configuration option to prevent false positives.

    To enable MIME/type checking, at the NetScaler command line type the following command:

     bind appfw profile <name> -inspectResContentType <type>

    For <name>, substitute the name of the profile. For <type>, substitute a string that matches the MIME/type. For example, to check for and skip PDF content sent to the library profile, you would type the following:

     bind appfw profile library -inspectResContentType "text/PDF"

    To disable a MIME/type rule that you have previously enabled, use the unbind command:

     unbind appfw profile <name> -inspectResContentType <type>

Enterprise License Support for AppFlow

  • ENH ID 0395659: AppFlow can now export ICA records from NetScaler appliances that have enterprise licenses. This ensures that HDX insight reports for NetScaler appliances with enterprise licenses are now available on the NetScaler Insight Center.

New Metrics Support for NetScaler Insight Center

  • ENH ID 0400867: HDX Insight reports now include details about Client Side NS Latency, Server Side NS Latency and Host Delay.

Enabling or Disabling the Recursion Available Flag

  • ENH ID 0403114: An option Recursion Available is added for the load balancing virtual servers of type DNS and DNS TCP to control the RA (Recursion Available) flag in all the DNS responses from these virtual servers.

Bug Fixes

AAA Application Traffic

  • Issue ID 0387049: When importing a keytab while setting up a KCD account, AAA might fail to extract the SPN from the keytab, causing the import to fail.

Application Firewall

  • Issue ID 0403027: The application firewall includes an extraneous line break in the hidden field that it adds to forms as part of the form field consistency check. This line break is not javascript-compliant and can cause issues with javascript-enhanced forms.

Cache Redirection

  • Issue ID 0401148: The NetScaler cache fails to respond to a request in which an absolute URL does not include a slash (/) after the host name.

Configuration Utility

  • Issue ID 0372535: The pagination count on the page listing SSL policies that can be bound does not display the correct values.

Global Server Load Balancing

  • Issue ID 0385305: In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the add locationFile command, the command is not synchronized to the remote location.

Load Balancing

  • Issue ID 0351870: If you change the load balancing group of a virtual server that has a large number of SSL sessions, the appliance might fail.

  • Issue ID 0383402: If a virtual server is UP because the service(s) are in Transition Out-Of-Service (TROFS) state, the clients do not respond due to requests being queued at the virtual server rather than at the services. Instead, the client must issue 503 or RST.

  • Issue ID 0401118: On a NetScaler appliance or VPX that is configured for load balancing in an environment that includes a Microsoft SQL server database, when a client sends a large number of long queries to the MSSQL database, the appliance or VPX might hang or crash.

Load Balancing/AAA-TM

  • Issue ID 0402472: If you attempt to create a KCD service account on a NetScaler appliance or virtual appliance that has AAA-TM enabled and integrated caching disabled, a buffer overflow might load the appliance or cause it to fail.

NetScaler Insight Center

  • Issue ID 0332854: Unable to add the IP address in the inventory which contains the number 255 in any quadrant.
  • Issue ID 0400545: The help page on the Graphical User Interface (GUI) displays incorrect information for enabling data collection.
  • Issue ID 0400665: The HDX Insight node is not displayed for Enterprise licenses of NetScaler appliances.
  • Issue ID 0400900: The load time and render time metrics are not displayed for standard or enterprise licenses of NetScaler appliances.
  • Issue ID 0405177: During an ICA session, the NetScaler appliance fails to respond when you access it's invalid memory space.
  • Issue ID 0403134/0403195: During an ICA session, the NetScaler appliance fails to respond due to a NULL pointer access.

NetScaler SDX Appliance

  • Issue ID 0400409: If you modify a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.

  • Issue ID 0400607: If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.

Networking

  • Issue ID 0366321: The Network Visualizer does not display the bound IP addresses of a configured VLAN.

  • Issue ID 0402068: With Random source port selection for Active FTP enabled on the NetScaler appliance, when an FTP server initiates a connection from the standard TCP port number 20, the NetScaler appliance uses a random port instead of port 20 for the client side data connection.

  • Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.

Policies

  • Issue ID 0391238: When an HTTP callout is configured with a virtual server that has a widcard port, the NetScaler appliance fails to respond the first time the callout is triggered.

SSL

  • Issue ID 0400084: An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.

  • Issue ID 0400649: In the NetScaler configuration utility, the FipsKey parameter does not appear in the Install certificate dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.

System

  • Issue ID 0390257: SNMP returns incorrect values for the ifOutOctets and ifInOctets counters.

  • Issue ID 0394724: The SNMP module allocates memory for all OIDs in an SNMP request and queues them for further processing. With a large number of SNMP requests (each request with possibly hundreds of OIDs), the result can be a memory shortage that in turn leads to memory allocation failures.

  • Issue ID 0395735: The NetScaler appliance dumps a core when you create a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.

  • Issue ID 0404094: If the SNMP service has the NSI_NS_SERVICE flag set, and you clear the configuration, the NetScaler appliance crashes.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability force failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:

    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793: (nCore and nCore VPX) The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing; Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed. Workaround : Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching

  • Issue ID 0399575: When configuring load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

    • Issue ID 0401451: The NetScaler appliance, configured to function as DNS forwarder or DNS resolver, may becomes unresponsive whenever it receives UDP DNS truncated response from a name server.

Load Balancing

  • Issue ID 0398327: Monitoring of StoreFront servers fails if they are part of a cluster and the StoreFront monitor is bound to the entire service group. The StoreFront monitor probe fails because individual members have different host names.

    Workaround: If the StoreFront servers are part of a cluster, Citrix recommends that you add them as individual services instead of as members of a service group.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp
  • Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, the monitor binding information does not appear if you run the show ns runningConfig command before restarting the appliance.

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.

  • Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP is enabled.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers with listenPolicy specified, accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

  • Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.

  • Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

NetScaler Insight Center

  • Issue ID 0331944: When there are no devices added in the inventory, the welcome screen is displayed for the configuration tab along with the dashboard tab which makes it unable to perform any basic configurations.
  • Issue ID 0369664: In HDX Insight mode, data is sent to the AppFlow collector even if the policy rule is set to FALSE.

    Workaround: Start the session again.

  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: In transparent mode, when you launch XenApp through Citrix Receiver (standard edition), the app launch duration is shown as zero.
  • Issue ID 0388875: If the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, and the page size is set to 25, only the first 25 virtual servers are shown. The list does not continue on another page.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.

    Workaround: The correct value is displayed in the Dashboard > HDX Insight > Applications page.

  • Issue ID 0397236 :On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but, the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports display session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 402105: The following error may occur when you access NetScaler Insight Center appliance from XenDexktop 5.6 or XenApp 6.5 using IE8 browser:

    Object does not support this property or method.

  • Issue ID 0402458: If the analytics decoding process requires more than 100% of RAM memory, the system fails to respond to further memory-allocation requests by other modules.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0405818/ 0405273: On the Dashboard > Users page, ICA RTT values displayed on the graph in the left panel do not match the values displayed below the graph, or there is a delay in the updating the values.
  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0405849: Sometimes, the commands used in the NetScaler Insight Center command line interface are case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> >Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936 : If the NetScaler Insight Center virtual appliance remains inactive for a longer duration, the data will not be logged.

    Workaround: Restart the appliance by running the following command on the command line interface:

    #/etc/rc.d/analyticsd restart
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After creating a channel by using the Management Service, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable on the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of the NetScaler instance's Modify wizard.

    Workaround: Modify the NetScaler instance and remove the nonexistent channel from the VLAN settings page.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613 : In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP is 198.51.100.9 and the secondary node’s NSIP is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while configuring an extended ACL by using the configuration utility, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies over classic policies.

Reporting

  • Issue ID 0368982: After you have imported a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2

    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.


Build 118.7

Release version: Citrix NetScaler, version 10.1 build 118.7

Replaces build: None

Release date: June 2013

Release notes version: 3.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

NetScaler VPX Support on Microsoft Hyper-V and VMware ESX virtualization platforms

The NetScaler VPX virtual appliance is supported on Microsoft Hyper-V Server 2012 and VMware ESX 5.1 virtualization platforms.

Oracle Monitor Support

ENH ID 0364085: You can now create a load balancing monitor for an Oracle DBMS server by using the new Oracle-ECV monitor type. The supported data types are BINARY_DOUBLE, BINARY_FLOAT, CHAR, DATE, INTERVALDS, INTERVALYM, NUMBER, NVARCHAR, TIMESTAMP, TIMESTAMP_WITH_LOCAL_TIME_ZONE, and TIMESTAMP_WITH_TIME_ZONE.

You can configure the monitor by using the NetScaler command line or the configuration utility.

To create and configure an Oracle-ECV monitor at the command line, type:
 add lb monitor <monitorName> oracle-ecv [ parameters... ]
Example:
add lb monitor oracle-monitor5 ORACLE-ECV -userName hr -database xe -sqlQuery 
"select Name from testlb" -evalRule "ORACLE.RES.ATLEAST_ROWS_COUNT(1)"
Where:
  • username is the name of the database user.
  • database is the database for query
  • sqlQuery is the query to be sent to server
  • evalrule is the rule to be evaluated against the response
Note: Database user has to be configured using add db user hr -password passwd

To create or configure an Oracle-ECV monitor by using the configuration utility, navigate to Traffic Management => Load Balancing => Monitors, and then click Add to create the monitor or select an existing monitor and then click Open to configure the monitor.

The new expressions that support the Oracle-ECV monitor are as follows:
  • ORACLE.RES.ATLEAST_ROWS_COUNT(n) Determines whether the query response contains at least the specified number of rows.
  • ORACLE.RES.ROW(i).NUM_ELEM(j).eq(n) Determines whether the value located at the specified row and column is equal to the specified number. You can substitute other valid numeric operations for "eq". ORACLE.RES.ROW(i).IS_NULL_ELEM(j) Determines whether the value located at the specified row and column is NULL.
  • ORACLE.RES.ROW(i).TEXT_ELEM(j).eq("pattern") Determines whether the value located at the specified row and column matches the specified pattern. You can substitute other valid text operations for "eq".

NetScaler and XenMobile Solution for Enterprise Mobility

ENH ID 0365382: Citrix NetScaler deployed with XenMobile Mobile Device Management (MDM) provides the ability to scale, ensure high availability for apps, and maintain security.

Use the XenMobile MDM Setup wizard on the NetScaler configuration utility to configure the following two deployment scenarios:
  • Load balance XenMobile Device Managers (MDM servers): In this scenario, the NetScaler appliance sits between the client and the XenMobile MDM servers to load balance encrypted data from mobile devices to the XDM servers.
  • Load balance MS Exchange servers with email filtering: In this scenario, the NetScaler appliance sits between the client and the XNC and CAS servers. All requests from the client devices go to the NetScaler appliance, which then communicates with the XNC to retrieve information about the device. Based on the response from the XNC, the NetScaler either forwards the request from a whitelisted device to the backend server, or drops the connection from a blacklisted device.

For more information, see the "NetScaler and XenMobile Solution for Enterprise Mobility" deployment guide.

Low Encryption Licenses for Russia

ENH ID 0349674: A NetScaler MPX appliance for customers in Russia initially ships with a low encryption license. After proper authorization from the Russian agency, customers can upgrade to a Standard, Enterprise, or Platinum software edition, which enables high-encryption SSL performance on the appliance.

First Time User Wizard Changes

The look and feel of the first time user wizard has changed.

Provisioning Third-Party Instances on a NetScaler SDX Appliance

You can now provision the following third-party virtual machines (instances):
  • ENH ID 0329072: SECUREMATRIX® GSB—Provides a highly secure password system that eliminates the need to carry any token devices.
  • ENH ID 0329072: Websense® Protector—Allows enterprises to deploy a data loss prevention (DLP) solution to protect sensitive enterprise information.
  • ENH ID 0349549: BlueCat DNS/DHCP Server—Provides a DNS, DHCP, and IP Address Management software solution for enterprises.
Important: You must upgrade to XenServer version 6.1.0 before provisioning a third-party instance on the SDX appliance.

Upgrading the XenServer Software

ENH ID 0322368: You must upgrade the NetScaler SDX appliance to XenServer version 6.1.0 to enable functionality of some features, such as LACP and third-party virtual machines. The process of upgrading the XenServer software involves uploading the build file of the target build to the Management Service, and then upgrading the XenServer software.

Configure Link Aggregation from the Management Service

ENH ID 0257892: You can now configure link aggregation from the Management Service at the time of provisioning a NetScaler instance, or later by modifying an instance. An aggregated link is also known as a channel. The interfaces that form part of a channel are not listed in the Network Settings view shown when you add or modify a NetScaler instance. Instead of the interfaces, the channels are listed.

NetScaler Insight Center

  • ENH ID 0341904: NetScaler Insight Center supports clearing AppFlow configurations from a virtual server.
  • ENH ID 0381072: NetScaler Insight Center supports sending syslog messages to an external syslog server.
  • ENH ID 0388409: On the Dashboard > HDX Insight > Users > <user name> page, the application and gateway reports display the active applications by default.
  • ENH ID 0392732: The HTML Injection feature is now available for Web Insight data collection on platinum licenses of NetScaler 10.0 appliances and on all licenses of NetScaler 10.1 appliances.

Changes and Fixes

AAA Application Traffic

  • Issue ID 0372362: When KCD is configured with a content switching virtual server, the NetScaler appliance might hang or crash. The cause is a GET request with multiple authorization headers. (Only one authorization header is expected.)
  • Issue ID 0387076: On a NetScaler appliance with AAA enabled and KCD single sign-on configured, after several single sign-on requests are successfully authenticated, the virtual server principle can unexpectedly become blank. When this happens, subsequent authentication requests fail.
  • Issue ID 0390037: After authentication, if AAA generates the URL redirect, it rewrites the query portions of certain URLs into base 8 ASCII string equivalents instead of passing on the original strings.
  • Issue ID 0391105: A NetScaler appliance that has AAA-TM configured for authentication with a RADIUS Server might generate intermittent logon failures with the error message HTTP/1.1 Internal Server Error 6.

Application Firewall

  • Issue ID 0351544: The application firewall now supports sessionless cookie proxying on NetScaler cluster configurations that do not use the spotted VIP feature.

Application Firewall Signatures

  • Issue ID 0376437: To improve performance, when processing buffer overflow signatures the application firewall now evaluates PCRE regular expressions only when the minLength parameter is set.
  • Issue ID 0384103: You can now configure the JSON content types for your application firewall in the Manage JSON Content Types dialog box in the global settings. The dialog box is nearly identical to the Manage XML Content Types dialog box.
  • Issue ID 0390804: If you configure an application firewall profile but do not bind any signatures to it, the NetScaler appliance becomes unresponsive or fails if a user sends a request with a JSON body to a web site protected by that profile.

Cluster

  • Issue ID 0370814: A newly added node cannot synchronize the cluster configuration, because it cannot establish a connection to the cluster configuration coordinator. This issue might arise if the configuration coordinator rpcNode password on the new node is not the same as that on the configuration coordinator.

Configuration Utility

  • Issue ID 0360163: You cannot configure a GSLB service for which a server is not configured on the NetScaler appliance. The configuration utility displays the message Server must be specified.
  • Issue ID 0369583: If you use the configuration utility to view a Responder action, the Responder Actions page is reloaded.
  • Issue ID 0369900: When search results do not fit onto one page, duplicate records might appear on the second and subsequent pages.
  • Issue ID 0387554: On NetScaler appliances that run the cluster OS, user-defined control policies are not listed in the control flow and therefore do not appear in the Policy Manager. After these policies are bound to Global or an appropriate bind point, they are listed in the data flow.

Content Switching

  • Issue ID 0397673: When you configure a content switching rule that is evaluated before the user authenticates with AAA-TM, and the rule is supposed to redirect users to a specific virtual server on the basis of the user name, the rule fails.

Documentation

  • Issue IDs 0395277 and 0395282: The PDF format of NetScaler product documentation is no longer packaged with the NetScaler MPX, VPX, and SDX software. NetScaler product documentation is available in HTML format on the eDocs product library web site. You can generate a PDF for any topic from eDocs.

    To access NetScaler documentation on eDocs, see http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html.

Global Server Load Balancing

  • Issue ID 0394328: On a NetScaler appliance that has both a monitor and a GSLB view bound to a GSLB service, occasionally the view binding is not visible from the CLI and is not saved in ns.conf although the GSLB service is properly configured and UP.

Load Balancing

  • Issue ID 0376173: If two NetScaler appliances in a high-availability configuration have TCPB mode enabled globally, and you create a DNS TCP service, the service might be successfully created on the primary NetScaler appliance but fail on the secondary appliance.
  • Issue ID 0387253: When you create a new load balancing server on the configuration utility, occasionally a series of error messages appear indicating that the Load Balancing feature is not licensed, and you are unable to create the virtual server.
  • Issue ID 0391273: When you add a new server to an existing service group, the services in the group might be designated as DOWN even though monitoring probes succeed. To enable the services, unset the virtual server spillover method. They are then correctly designated as UP.

NetScaler Insight Center

  • Issue IDs 0377737 and 0365977: NetScaler Insight Center appliance fails to respond.
  • Issue ID 0378044: On the Configuration > Inventory > Application List page, the values for number of applications displayed and total number of applications can be incorrect.
  • Issue ID 0378652: The Page analysis button is in the wrong place and not functional on the Dashboard > Web Insight > URL page.
  • Issue ID 0381522: On the Dashboard > HDX Insight > Applications page, the Total Session Launch count displays an incorrect number of sessions launched.
  • Issue ID 0385895: The graph of user applications, which appears when you navigate to Dashboard > HDX Insight > Users <username> > <sessionID> >Applications > More <application name>, is incorrectly plotted.
  • Issue ID 0386543: No graph is plotted for users on the page that appears when you click the Dashboard > HDX Insight > Users <username> > <SessionID> > Applications > More button.
  • Issue ID 0387257: The introduction that appears when you log on to a new NetScaler Insight Center appliance provides only Web Insight information. It does not provide information about HDX Insight.
  • Issue ID 0388093: When the Dashboard tab displays reports, the text that appears when you on click the orange icon beside a metric does not accurately describe the licensing issue.
  • Issue ID 0388453: On the Configuration > Inventory > Application List page, after you right-click a VPN application and select Enable AppFlow, then clear the ICA check-box and click Enable AppFlow, AppFlow is shown enabled, but no data is collected and therefore no reports are displayed on the Dashboard > HDX Insight page.
  • Issue ID 0388650: NetScaler appliance crashes when AppFlow is enabled on the virtual servers from Netscaler Insight Center appliance.
  • Issue ID 0390581: On the Dashboard tab, in some cases, the breadcrumb navigation does not display any text for labels.
  • Issue ID 0391336: The HDX Insight node appears even if all NetScaler appliances have only standard licenses. The node is supposed to appear only when at least one appliance has an Enterprise or Platinum license.
  • Issue ID 0391477: You cannot enable Appflow on a VPN application for which you have specified an expression from the drop-down list.
  • Issue ID 0392515: Data collection cannot be enabled on virtual servers (load balancing, content switching, or VPN) that have space characters in their names.

NetScaler SDX Appliance

  • Issue ID 0385037: If the /var/mps/policy/mps_policy_backup.xml file is empty or corrupted, the appliance performs a core dump and the Management Service user interface is blank.

Networking

  • Issue ID 0359348: For an IPv6 load balancing virtual server that belongs to a traffic domain, and for which the persistence is set as cookieinsert, the NetScaler appliance does not insert the correct cookie in its response.

Platform

  • Issue ID 0360223: In certain cases, error messages on the console of an MPX 5550/5650 or MPX 8200/8400/8600 appliance continuously scroll if the physical registers are not correctly read.
  • Issue ID 0373125: The NetScaler hardware might sometimes report incorrect values for system health counters. The health counters are read over the SMBus, which is prone to reporting wrong or zero values.

SNMP

  • Issue ID 0246215: A new SNMP alarm, vridStateChange, indicates the change of the state of a VRID from backup to master in an active-active configuration. The NetScaler appliance in which the state of a VRID changes to master sends a trap message for each VIP address bound to that VRID to the configured SNMP managers, indicating that the NetScaler appliance is currently serving traffic for a particular VIP address bound to that VRID. If no VIP addresses are bound to that VRID, the appliance does not send any trap messages.

SSL

  • Issue ID 0392683: In some cases, parsing an incorrectly formatted client certificate might take more than a few seconds. The delay can trigger the monitoring logic to terminate the process and restart the appliance.

System

  • Issue ID 0384153: When selective acknowledgement (SACK) and partial buffering are enabled on the appliance, acknowledgements with incorrect TCP checksum are forwarded to the server.
  • Issue ID 0392293: The NetScaler wrongly advertises TCP buffer size to the client side when dynamic windows management is enabled and the service-side buffer size is greater than 40k. This issue is observed when two different TCP profiles are bound to the virtual server (buffer size is 8k) and the service (buffer size > 40k) and causes failure when the NetScaler is uploading files.

Known Issues and Workarounds

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.
  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

    For example, if you have two sets of custom signatures named custom_signatures and custom_signatures_2 that are based on copies of the default signatures file, you would update the signatures on your NetScaler appliance by issuing the following commands:

    update appfw signatures "*Default Signatures"
    update appfw signatures "custom_signatures"
    update appfw signatures "custom_signatures_2"

Cluster

  • Issue ID 0395735: The NetScaler appliance dumps a core when creating a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.

    Workaround: Make sure you delete existing TFTP load balancing virtual servers before creating the cluster or high availability setup.

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0372535: The pagination count on the page listing SSL policies that can be bound does not display the correct values.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0387135: If you access the NetScaler configuration utility through Internet Explorer 8, an attempt to view more than 25 load balancing virtual servers per page results in an alert message about an unresponsive script.

    Workaround: Do not change the default pagination value (25). If you change the default pagination value and the appliance prompts you to stop running the script, choose to continue.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins in the Start screen, and therefore Java cannot run in the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching

  • Issue ID 0399575: When configuring load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you have a load balancing virtual server with a service type of HTTP, and assign a backup virtual server with a service type of TCP to it, any content switching action bound to it fails.

Documentation

  • Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes.

    See Configuration Utility Changes, for information on the new node structure.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:
    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Global Server Load Balancing

  • Issue ID 0385305: In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the add locationFile command, the command is not synchronized to the remote location.

Load Balancing

  • Issue ID 0383402: If a virtual server is UP by virtue of the service(s) being in Transition Out-Of-Service State (TROFS), the clients do not respond (instead of issuing 503 or RST) due to requests being queued at the virtual server rather than at the services.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.
  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path argument are not explicitly set.
    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp

NetScaler Insight Center

  • Issue ID 0369664: In HDX Insight mode, data is sent to the AppFlow collector even when the policy rule is set to FALSE.

    Workaround: Start the session again.

  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: In transparent mode, when you launch XenApp through Citrix Receiver (standard edition), the app launch duration is shown as zero.
  • Issue ID 0388875: If the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, and the page size is set to 25, only the first 25 virtual servers are shown. The list does not continue on another page.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.

    Workaround: The correct value is displayed in the Dashboard > HDX Insight > Applications page.

  • Issue ID 0397236 :On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but, the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports display session termination records.
  • Issue ID 0400545: The help page on the Graphical User Interface (GUI) displays incorrect information for enabling data collection.

    Workaround: To view the details, click the help icon in the graphical user interface when the help page opens, click on the TOC tab and navigate to NetScaler Insight Center 10.1 > Enabling Data Collection.

  • Issue ID 0400665: The HDX Insight node is not displayed for Enterprise licenses of NetScaler appliances.
  • Issue ID 0400900: The load time and render time metrics are not displayed for Standard Licenses of NetScaler appliances.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the status of the member interfaces might appear as Error-Disabled (in the command line) or DOWN (in the configuration utility) of the NetScaler instance.

    Workaround: After creating a channel by using the Management Service, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable on the network.
  • Issue ID 0399630: If a new interface is bound to an LACP channel by using the Management Service, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of the NetScaler instance modify wizard.

    Workaround: Modify the NetScaler instance and remove the non-existent channel from the VLAN settings page.

  • Issue ID 0400409: While modifying a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.

    Workaround: Provision the NetScaler instance again.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.
  • Issue ID 0400607: If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.
  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on this channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: If you synchronize a high availability configuration with the network firewall mode set to BASIC on the current secondary node, the synchronization of configuration files from the primary to secondary node fails. The failure occurs with both the sync HA file command on the NetScaler command line and the Start HA files synchronization dialog box in the configuration utility.
    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:
    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following command on the primary node:

    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    and the following command on the secondary node:

    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while configuring an extended ACL by using the configuration utility, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 error message that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. You must use the CLI. However, you can use the configuration utility to bind and unbind classic SSL policies.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
  • Issue ID 0400084: An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.

    Workaround: Disable SPDY in the Chrome browser.

  • Issue ID 0400649: In the NetScaler configuration utility, the FipsKey parameter does not appear in the Install Certificate dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.

    Workaround: Use the command line interface.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.
    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue ID 0390257: SNMP returns incorrect values for the ifOutOctets and ifInOctets counters.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.
Back to top