Release Notes for NetScaler 10.1 Maintenance Releases

This document describes the enhancements, fixed issues, and known issues in the maintenance releases of Citrix NetScaler, Citrix NetScaler SDX, and Citrix NetScaler Insight Center.

Build 128.8

Release version: Citrix NetScaler, version 10.1 build 128.8

Replaces build: None

Release date: July 2014

Release Notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Bug Fixes

AAA-TM

  • Issue ID 317157: AAA-TM now supports relative URLs as form Action URLs in forms-based SSO logon forms. You do not have to specify an absolute path to the web form when configuring forms-based SSO.

AppFlow

  • Issue ID 478480: If a browser executes the JavaScript that is inserted into the response of the main page, it sends a special request intended for the NetScaler ADC. AppFlow records for this request must not be generated. While handling this behavior, the logic in one part of the code assumes that the AppFlow records must not be sent, but another part of the code assumes that the records must be sent. As a result, the NetScaler ADC fails to respond.

CloudBridge Connector

  • Issue ID 460193, 444265, 451886, 474654: The Internet Key Exchange Daemon (IKED) might fail after the NetScaler ADC is restarted.

DNS

  • Issue ID 462862: Statistics do not appear correctly for a DNS load balancing virtual server.

  • Issue ID 422509: CNAME Record Caching

    When deployed in proxy mode, the NetScaler ADC does not always send the query for an address record to the back-end server. This happens when a partial CNAME chain for the answer to an address-record query is present in the cache. Under a few conditions, the ADC caches the partial CNAME record and serves the query from the cache.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-tmg-dns-caching-cname-record-con.html

ICA AppFlow

  • Issue ID 458122: When AppFlow is enabled, Multi-Stream ICA connections do not work if an AppFlow policy is bound to a VPN virtual server and AppFlow logging is enabled on the VPN virtual server.

Integrated Caching

  • Issue ID 466452, 469584, 469588, 470925: While revalidating cached objects, the integrated caching feature performs some incorrect accounting of the cache size. This causes the NetScaler appliance to crash.

  • Issue ID 427479, 463589, 482725, 502413: The output of the "stat cache -d" command displays an incorrect value for the utilized memory parameter.

Load Balancing

  • Issue ID 478949: The NetScaler ADC fails if requests requiring IP fragmentation are forwarded to a virtual server that is configured for sessionless load balancing in IP mode.

NetScaler Gateway

  • Issue ID 485042: On a multi-core appliance, if session propagation to one core fails, NetScaler Gateway fails.

  • Issue ID 468145, 473867: Attempts to connect to the NetScaler Gateway from a Windows-based computer fail with error 1008 when Transport Layer Security (TLS) block ciphers are configured and TLS 1.2 is enabled on NetScaler Gateway.

  • Issue ID 470059: If you disable authentication on NetScaler Gateway, endpoint analysis scan can occasionally be bypassed.

  • Issue ID 374296: If you configure load balancing virtual servers and the Secure Ticket Authority (STA) with the same fully qualified domain name (FQDN), attempts to bind the STA to the NetScaler Gateway virtual server fail.

  • Issue ID 464956, 470873, 471478, 474012: If the Domain Name Server (DNS) configuration is not available, users receive an "Internal error 500" message after successfully logging on to NetScaler Gateway.

  • Issue ID 461225: When users log on with clientless access and then open the Access Interface, the order of files that appear in Personal File Shares differs from the order of files on the file share server.

  • Issue ID 461279: When users upgrade the NetScaler Gateway Plug-in from Version 10.1.122.17 or later to the latest Version 10.1 Maintenance Release on a computer that includes an installation of Citrix Receiver, the automatic upgrade fails.

  • Issue ID 463871: If you bind SAML and LDAP authentication policies to the virtual server for two-factor authentication, the LDAP user name is populated automatically after the user authenticates with SAML, which is the primary authentication type. If the first logon attempt to LDAP fails, user names are case-sensitive and must be entered again exactly as they appear after SAML authentication. For example, if the user name is populated as JohnDoe@xyzz.com and the user types johndoe@xyzz.com during the subsequent attempt, logon fails.

NetScaler Insight Center

  • Issue ID 474159, 475853: If you enable and then disable AppFlow on a NetScaler ADC, the ADC fails while sending the ICA AppFlow records.

  • Issue ID 459668: A memory corruption issue causes a NetScaler ADC with AppFlow for ICA enabled to fail.

  • Issue ID 482748: If you enable AppFlow for ICA traffic on a NetScaler ADC, the NetScaler ADC might fail because of an internal memory re-use and dependency issue.

NetScaler SDX Appliance

  • Issue ID 480054: The backup of an SDX appliance was failing with an error "username missing". The root cause for this was that the migration from 9.3.x was failing because of duplicate database entries. Going forward, the Management Service will remove the duplicate database entries resulting in a successful migration.

  • Issue ID 463820, 480347: Management Service gives an error when an SDX administrator tries to bind a management channel while provisioning or modifying a NetScaler instance.

  • Issue ID 436286: If a VPX is using interface A and a channel is created on the Management Service using interface A and interface B, this channel should also be added to the VPX. However, if interface B is already shared to its maximum limit (that is, no free VFs are left on interface B), the channel is not added to the VPX.

  • Issue ID 480581: The NSIP modify action from the Management Service results in an inconsistent state if the "Save Config" command from the Management Service to the VPX takes a long time to respond. This happens because the connection might time out. The issue has been fixed by increasing the time-out values.

  • Issue ID 481835: If a management channel modify request is sent through Nitro and a data interface is added to the member interface list, the request succeeds and makes the management channel inconsistent.

  • Issue ID 482603: Under the following conditions:

    1. A VLAN is present on XenServer on management interfaces (normally ETH0 and ETH1 on most platforms),

    2. A management channel created from Management Service is present on SDX, and

    3. A VPX is using this management channel,

    if the management channel is deleted from Management Service, the VPX may, after the deletion, be seen with the VLAN present on its management interfaces.

  • Issue ID 482122: When an LACP channel is created, the interface MAC address is altered, and the new MAC address persists even after the unbind operation.

  • Issue ID 483430: A set operation on a channel may lead to the channel MAC address becoming zero on a VPX running on an SDX appliance.

Networking

  • Issue ID 414407, 485512: The default speed for an LACP channel is set to NONE instead of AUTO.

  • Issue ID 477507: If you have configured active FTP with the random source port option enabled for an FTP virtual server, the NetScaler ADC might not handle data connections properly for this FTP server and might become unresponsive.

Platform

  • Issue ID 311561: The MPX 22040/22060/22080/22100/22120 platform now supports NetScaler release 9.3 build 65.x.

SSL

  • Issue ID 474417, 474413: The version displayed in syslog is SSLv2.0 even though the session is negotiated using TLSv1.2.

  • Issue ID 414388, 345883, 349858, 428257, 428259: In rare cases, if the random number generated for the DH key exchange has a leading zero, DH negotiation fails because of a hardware limitation.

System

  • Issue ID 481442: When different TCP profiles are bound to a virtual server and to the services that are bound to that virtual server, and one of the profiles has window scaling as ENABLED and the other has it as DISABLED, NetScaler sometimes considers that window scaling is ENABLED. The expectation in such a case is that NetScaler considers window scaling as DISABLED.

  • Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or another admin session, is in progress.

  • Issue ID 452240: The Monupload process monitors the power supply and sends a "show techsupport" bundle as soon as a power failure is observed. This behavior is now modified to upload the bundle only if the power supply does not recover within 1 minute.

Known Issues and Workarounds

AAA-TM

  • Issue ID 332831: The rule (expression) in a AAA-TM policy can be from one to 1434 characters in length. If you enter a longer rule, AAA-TM displays an "invalid rule" error.

AppFlow

  • Issue ID 327439: AppFlow records generated by the NetScaler appliance cannot be seen on SPLUNK.

  • Issue ID 396892: The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.

Application Firewall

  • Issue ID 372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:

    > show appfw JSONContentType

    1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

    Done

    If it is not, the screen shows only the following:

    > show appfw JSONContentType

    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX

    show appfw JSONContentType

  • Issue ID 283780: When you enable the sessionless URL closure feature, you must also enable the URL closure feature. If you do not enable URL closure, the sessionless URL closure feature does not work.

  • Issue ID 399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

    For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:

    > update appfw signatures "*Default Signatures"

    > update appfw signatures "custom_signatures"

    > update appfw signatures "custom_signatures_2"

  • Issue ID 423150: The application firewall PCI-DSS report does not contain information on the "SQLInjectionCheckSQLWildChars" parameter.

  • Issue ID 427798: A NetScaler ADC that has the application firewall feature enabled might reset the connection after a protected web server issues an HTTP 204 response.

  • Issue ID 443673: Signature Bindings Not Shown in PCI-DSS Report

    The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "not set".

  • Issue ID 451014: On a NetScaler ADC that has the application firewall enabled and the HTML SQL injection feature configured to block, when the ADC detects an SQL violation on a page with a web form, a second violation might be generated for the Form Action URL. This is expected behavior. To avoid unexpected blocks, when you configure a relaxation for a web form, be sure to include a relaxation for the Form Action URL as well.

  • Issue ID 464641: If the application firewall receives a multipart POST request with a Content-Type header that contains a charset, it blocks that request as malformed.

  • Issue ID 466329: If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.

  • Issue ID 472476, 418036: When a user attempts to upload a file to a server that is protected by the application firewall, the file upload fails. The underlying cause is that the application firewall included an invalid character in the MIME boundary when encoding the file.

  • Issue ID 364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup.

    Workaround: Display the bindings in the command line interface, by using the "show system global" command.

  • Issue ID 489691: If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.

CloudBridge Connector

  • Issue ID 440781: When the state of a CloudBridge Connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.

Configuration Utility

  • Issue ID 388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 414807: The Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard displays an error if more than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers, or if more than one service is bound to the service group.

  • Issue ID 353015: Load balancing virtual servers that are used by AppExpert applications are displayed in nodes other than the AppExpert node. For example, they are displayed in the Available Virtual Servers list in the "Create Persistency Group" dialog box (Load Balancing > Persistency Groups > Add) and in the "Create Persistency Group" dialog box list that appears when you click the "Name" button in the list "Create Content Switching Action" dialog box (Content Switching > Actions > Add).

  • Issue ID 278002, 273176, 389874: If you use the configuration utility to enable or disable an extended ACL or ACL6, the utility does not warn you that the change does not take effect until you apply ACLs.

  • Issue ID 469755: If you open the NetScaler ADC configuration utility on multiple browser tabs, and if you disable a feature on one of the tabs, the other tabs are not automatically refreshed.

    Workaround: Manually refresh the tabs.

  • Issue ID 374437: If, when using the configuration utility to configure the NetScaler appliance, you press "Alt+Tab" to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press "Alt+Tab" a second time.

  • Issue ID 375277, 322602, 334465, 396405, 412455, 419503, 438382, 438534, 438796, 441853, 446387, 448361: If a NetScaler connection from a client is closed without the client logging out, the session created for that connection remains active until the configured timeout period elapses. If this happens frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.

  • Issue ID 459703: In a high availability setup, if you run the "add ssl certkey" command on the primary node, and if the certificate and key files are not present on the secondary node, the command fails on the secondary node. However, an error message is not displayed in the configuration utility.

  • Issue ID 490130: When you use the configuration utility to create a FIPS key, the FIPS wizard fails to respond.

  • Issue ID 389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 483226: The key filename property of Import FIPS key (Configuration > Traffic Management > SSL > FIPS > FIPS keys > Action > Import > Key Filename) fails if you provide an incomplete file path, such as folder1/folder2/rsa.key, where folder1 and folder2 are folders within the nsconfig/ssl path.

    Workaround: Provide the complete file path nsconfig/ssl/folder1/folder2/rsa.key, or provide only the file name, rsa.key.

  • Issue ID 414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 456428: The IP Bindings tab on the Create VLAN and Configure VLAN pages does not display IP addresses that are in the same subnet as the management IP (NSIP) address.

  • Issue ID 470941: You cannot use the configuration utility to add signatures to an existing application firewall policy.

    Workaround: Use the command line interface.

Content Switching

  • Issue ID 501856: An invalid HTTP request that spans multiple TCP segments that is sent to a content switching virtual server can cause the NetScaler to skip the load balancing decision and initiate a connection from the SNIP to the content switching virtual server. This can cause the NetScaler appliance to crash.

Content Switching/Load Balancing

  • Issue ID 399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

DNS

  • Issue ID 458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.

    - If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.

    - If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.

  • Issue ID 458313: When the NetScaler is configured as a DNS proxy and receives a DNSSEC query with the Checking Disabled (CD) bit set, it does not pass the bit as is to the back-end server. Instead, it turns the bit off. This affects deployments in which the NetScaler load balances DNSSEC-aware resolvers: the resolver checks the DNSSEC signatures even though the client, by setting the CD bit, requested that it not do so.
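
The CD-bit behavior in Issue ID 458313 can be confirmed by comparing the same query as captured on the client side and on the back-end side of the ADC. The Python below is an added example, not Citrix code; the function names are hypothetical and both query packets are constructed inline rather than taken from a real capture.

```python
import struct

# Header flag masks: AA (RFC 1035), AD and CD (RFC 4035).
FLAG_AA, FLAG_AD, FLAG_CD = 0x0400, 0x0020, 0x0010
TYPE_OPT = 41          # EDNS0 OPT pseudo-record
EDNS_DO = 0x8000       # DO bit inside the OPT record's TTL field (RFC 3225)


def build_query(qname, txid, cd=False, do=False):
    """Build a constructed A-record query, optionally with CD set and EDNS DO set."""
    flags = 0x0100 | (FLAG_CD if cd else 0)          # RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.strip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    opt = b""
    if do:
        # Root name, TYPE=OPT, CLASS=UDP payload size, TTL=flags, RDLENGTH=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_message(pkt):
    """Extract the header flags, first question, and EDNS DO bit of a DNS message."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, question = 12, None
    for _ in range(qd):
        end = _skip_name(pkt, off)
        if question is None:
            qtype = struct.unpack("!H", pkt[end:end + 2])[0]
            question = (pkt[off:end].lower(), qtype)
        off = end + 4
    do = False
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == TYPE_OPT:
            do = bool(ttl & EDNS_DO)
        off += 10 + rdlen
    return {"id": txid, "aa": bool(flags & FLAG_AA), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "do": do, "question": question}


def compare_cd(client_pkt, backend_pkt):
    """Compare one query as seen before and after the proxy.

    Transaction IDs may differ across the proxy, so the packets are paired
    by question (name and type) rather than by ID.
    """
    c, b = parse_message(client_pkt), parse_message(backend_pkt)
    if c["question"] != b["question"]:
        raise ValueError("packets do not carry the same question")
    return {"client_cd": c["cd"], "backend_cd": b["cd"],
            "do_preserved": c["do"] == b["do"],
            "cd_cleared": c["cd"] and not b["cd"]}


# Constructed samples: the client sets CD and DO; the forwarded copy has CD off.
CLIENT_QUERY = build_query("www.example.com", 0x1A2B, cd=True, do=True)
BACKEND_QUERY = build_query("www.example.com", 0x77C1, cd=False, do=True)

if __name__ == "__main__":
    print(compare_cd(CLIENT_QUERY, BACKEND_QUERY))
```

A result with "cd_cleared" set to True means the back-end resolver will validate signatures for a client that asked it not to, which is the condition this issue describes.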

Documentation

  • Issue ID 407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.

High Availability

  • Issue ID 471294: When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) to build 126.x, the updates made in the Webinterface.conf file are over-written by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes.

    To avoid this issue, use the following steps when upgrading the HA nodes:

    1. Before upgrading, run the command: "set ns param -internaluserlogin DISABLED"

    2. Upgrade the secondary HA node to NetScaler 10.1 Build 126.x release.

    3. Force failover to make the upgraded node the primary node.

    4. Upgrade the other HA node to NetScaler 10.1 Build 126.x release.

    5. Restore the previously disabled "internaluserlogin" parameter to enabled using the command: "set ns param -internaluserlogin ENABLED".

    6. Save the configurations.

    Note: Before upgrading, synchronize files between the HA nodes by using the CLI command: "sync ha files all".

Integrated Caching

  • Issue ID 440107, 440389: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

Load Balancing

  • Issue ID 455133: If the FQDN is not resolvable, you might notice high CPU utilization on the NetScaler ADC.

  • Issue ID 441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.

  • Issue ID 460040: A StoreFront service on a NetScaler ADC is not marked as DOWN even though all the StoreFront services bound to the StoreFront server are manually brought down.

  • Issue ID 464952: If a DNS autoscale service group is bound to a virtual server, the "show lb vserver" command output displays one extra service bound to the virtual server.

  • Issue ID 277862: With a NetScaler Web 2.0 Push configuration in streaming mode, if the length of the response from the server is in the range of 10^n - 2^4n bytes, where n=1, 2, 3, and so on (for example, 1-15, 100-255, and 1000-4095 bytes), the push virtual server adds a byte to the response that it sends to the client. As a result, after the first response, subsequent updates sent on the same connection are lost.

NetScaler Gateway

  • Issue ID 392389: When users log on with the NetScaler Gateway Plug-in, when WiFi roaming occurs, intermittent ICMP requests time out and users cannot access network resources.

  • Issue ID 393357: If a pre-authentication scan is configured on NetScaler and users launch the NetScaler Gateway Plug-in when the browser is already open, users are intermittently redirected to an "Internal error" page.

  • Issue ID 411152: When you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver, the applications and desktops do not appear. The following message appears: There are no apps or desktops assigned to you at this time. Citrix recommends disabling the optimization settings.

  • Issue ID 411851: If you configure a NetScaler Gateway virtual server, enable ICA proxy and enable the Use Source IP (USIP) mode globally, when users connect and use StoreFront to open an application, NetScaler Gateway uses the client IP address as the source IP address when contacting the STA server and the application fails to open. If you disable USIP mode, the same behavior occurs unless you restart the NetScaler Gateway appliance. To avoid the issue, you need to configure a service on NetScaler for the STA server and disable USIP on that service.

  • Issue ID 400171: If you configure Group Extraction, you cannot bind an LDAP authentication policy to the virtual server. However, if an LDAP authentication policy was bound to the virtual server before configuring Group Extraction, you can enable authentication on the virtual server.

  • Issue ID 400050: The NetScaler Gateway Plug-in for Java does not compress network traffic even when compression is configured on the NetScaler Gateway.

  • Issue ID 397625: To configure two-factor authentication with SAML authentication, you must configure the secondary authentication policy in the primary cascade.

  • Issue ID 399405: Java Plug-in: An intranet application fails to connect if the AG VIP is running on a non-default port.

  • Issue ID 398693: Installing and uninstalling the NetScaler Gateway Plug-in can take a long time. This is due to multiple entries of the Citrix Virtual Adapter in the registry.

  • Issue ID 346729: If you apply the Citrix Receiver theme to the NetScaler Gateway logon page, the layout appears garbled on computers running Windows XP Service Pack 3 with Internet Explorer 7 browsers.

  • Issue ID 368229: The running configuration does not include group extraction policies bound to the NetScaler Gateway virtual server.

  • Issue ID 376303, 394800: If you configure an intranet IP address, when users log on by using clientless access and then open SharePoint 2007, when they try to open a folder with Windows Explorer, a blank page appears.

  • Issue ID 385318: If you have configured a proxy server and you configure NetScaler Gateway to route traffic through the proxy server, when users log off from a clientless access session, a 403 error occurs.

  • Issue ID 384998: If you configure NetScaler Gateway as a high availability pair and there is a failover from the primary to the secondary appliance, the ICA connection to published apps that are already open on the user device is reestablished. If users attempt to open more applications from the Web Interface, the applications fail to open and users receive an error message.

  • Issue ID 373991: On nCore appliances, when users attempt to access the subnet IP address through the VPN tunnel over HTTP, a 401 Access Denied error message appears. Connecting to the subnet IP address works if users make the attempt by using HTTPS.

  • Issue ID 374890: If you configure the appliance with NetScaler Gateway and Application Firewall, logon attempts by unauthorized users appear in the logs. When an authorized user logs on and then attempts to access a network resource to which users are explicitly denied, the access attempt does not appear in the logs and users receive a 403 error.

NetScaler Insight Center

  • Issue ID 385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name "(user-id@domain-name)".

  • Issue ID 409634: All the metrics except bandwidth and hits display the average values.

  • Issue ID 414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.

  • Issue ID 424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported.

    Workaround: To upgrade to build 120.13 or a later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off:

    The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.

  • Issue ID 446120: In some instances, the bar line on a graph appears outside the time points on the x-axis.

  • Issue ID 394526: In the Dashboard > Web Insight > Applications page, the values shown when you select "Response Time" from the drop-down list can be incorrect.

  • Issue ID 397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.

  • Issue ID 368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.

  • Issue ID 399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.

  • Issue ID 386911: When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.

  • Issue ID 379876, 424686, 437964: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.

  • Issue ID 486792: If you enable AppFlow for ICA traffic on a NetScaler ADC, and if there is a large number of sessions, the ADC might fail because of an internal memory re-use and dependency issue.

  • Issue ID 475981: A NetScaler ADC fails when it receives ICA traffic from a metro receiver client.

  • Issue ID 504990: The NetScaler ADC fails if AppFlow is enabled and it receives an ICA command whose length is more than 2048 bytes.

NetScaler SDX Appliance

  • Issue ID 369650, 442942, 468381: Configuring an Enforced VLAN by providing a VLAN number in the VLAN ID field is not supported on an SDX Rome 1G port.

    Workaround: Use the Allowed VLAN feature which has the same functionality as Enforced VLAN.

  • Issue ID 434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.

  • Issue ID 384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

NetScaler VPX Appliance

  • Issue ID 405164: On a NetScaler VPX instance running on a Linux-KVM platform, the dynamic routing protocols OSPF and ISIS fail to run on the platform's MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

  • Issue ID 405383, 360482: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.

Networking

  • Issue ID 383958, 411806: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

  • Issue ID 318684: In an HA configuration in INC mode where both the nodes run the OSPF routing protocol, the secondary node drops all the L3 traffic that has the destination that was advertised by the secondary node.

  • Issue ID 371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the "sync HA files" command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each node of the HA configuration:

    > add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:

    On the primary node:

    > add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    On the secondary node:

    > add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

Platform

  • Issue ID 402111: VLAN tagging is not supported on NetScaler VPX instances operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.

  • Issue ID 402113: L2 mode is not supported on NetScaler VPX instances running on a Linux-KVM host.

  • Issue ID 407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.

  • Issue ID 385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 381000: On some NetScaler appliances, the following four sensor readings are no longer available. The "stat system -detail" command displays a value of 0.

    - Intel CPU Vtt Power (Volts)

    - Voltage Sensor2 (Volts)

    - Temperature 0 (Celsius)

    - Temperature 1 (Celsius)

    This change affects the following platforms:

    - MPX 11500/13500/14500/16500/18500/20500

    - MPX 17550/19550/20550/21550

    - MPX 8200/8400/8600

    - MPX 5550/5650/5750

Policies

  • Issue ID 422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.

    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)

  • Issue ID 390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.

  • Issue ID 425465: After changing the time zone on a NetScaler appliance, you must restart the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
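
For Issue ID 422967 above, the following added example (not Citrix code) models why the listen policy over-matches and why the workaround expression does not. The header layouts are standard: the IPv4 Protocol field sits at byte offset 9, which in an IPv6 header is the second byte of the source address. That the appliance reads the protocol at that offset without checking the IP version is an assumption consistent with the symptom; all function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct

ICMP = 1  # IANA protocol number for ICMP over IPv4
TCP = 6


def ipv4_header(src, dst, protocol):
    """Build a minimal 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0,      # version/IHL, TOS, total length, id, flags/frag
        64, protocol, 0,        # TTL (byte 8), Protocol (byte 9), checksum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src, dst, next_header):
    """Build a 40-byte IPv6 fixed header with an empty payload."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28, 0,             # version/traffic class/flow label, payload length
        next_header, 64,        # Next Header (byte 6), Hop Limit (byte 7)
        ipaddress.IPv6Address(src).packed,   # source address starts at byte 8
        ipaddress.IPv6Address(dst).packed,
    )


def is_ipv6(header):
    """Version is the high nibble of the first header byte."""
    return header[0] >> 4 == 6


def protocol_at_ipv4_offset(header):
    """Read byte 9: the IPv4 Protocol field, or the second byte of an
    IPv6 source address if the header is actually IPv6."""
    return header[9]


def naive_policy(header):
    # Assumed model of CLIENT.IP.PROTOCOL.EQ(ICMP) with no version check.
    return protocol_at_ipv4_offset(header) == ICMP


def guarded_policy(header):
    # Model of the workaround: !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
    return (not is_ipv6(header)) and protocol_at_ipv4_offset(header) == ICMP


def evaluate_samples():
    """Return {sample name: (naive match, guarded match)} for constructed headers."""
    samples = {
        "ipv4-icmp": ipv4_header("198.51.100.27", "198.51.100.9", ICMP),
        "ipv4-tcp": ipv4_header("198.51.100.27", "198.51.100.9", TCP),
        # 2001:db8::/32 starts with bytes 0x20 0x01, so byte 9 is 0x01.
        "ipv6-tcp-2001": ipv6_header("2001:db8::10", "2001:db8::1", TCP),
        # fd00::/8 address: second source byte is 0x00.
        "ipv6-tcp-fd00": ipv6_header("fd00::10", "fd00::1", TCP),
    }
    return {name: (naive_policy(h), guarded_policy(h)) for name, h in samples.items()}


if __name__ == "__main__":
    for name, (naive, guarded) in evaluate_samples().items():
        print(f"{name:15s} naive={naive!s:5s} guarded={guarded}")
```

Under this model, every source address in 2001::/16 has 01 as its second byte, so the unguarded listen policy would capture that IPv6 traffic regardless of its actual next-header value.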

Reporting

  • Issue ID 368982: After you import a custom data source, the charts for the counters under "System entities statistics" are inaccurate, because of issues in the third party charting engine.

SDX

  • Issue ID 432899, 435206: If you create channels on SDX and use these channels in VPXs and then take a backup of the appliance to restore either the complete appliance or selected instances, then channels are not restored and instances may fail.

SSL

  • Issue ID 455821: An SSL chip is disabled at the third reinitialization attempt. That is, the maximum reinitialization limit is 2. Earlier, this limit was 5.

  • Issue ID 402423: In a cluster setup, if you include the "cipherdetails" option in the "show ssl service" or "show ssl vserver" command, an incorrect message appears. This is only a display issue.

    For example,

    > sh ssl service svc1 -cipherDetails

    ERROR: No such resource [serviceName, svc1]

  • Issue ID 343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 494093: If session reuse is enabled on the NetScaler and a network error occurs, the NetScaler attempts to clear the session information so that it is not reused for a subsequent session request from the same client. In rare cases, the NetScaler might fail during this cleanup process.

System

  • Issue ID 377618, 341460, 351127, 364015: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error:

    Invalid response from the aggregator [Device not Configured]

  • Issue ID 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you're executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

Web Interface

  • Issue ID 397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 363145: The following APIs are not available in version 10.1 or later:

    - bindservicegroup_state2

    - unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.


Build 127.10

Release version: Citrix NetScaler, version 10.1 build 127.10

Replaces build: None

Release date: June 2014

Release Notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Bug Fixes

Application Firewall Issues

  • Issue ID 472094: Any application firewall profile that has either the "AlwaysExceptFirstRequest" or the "AlwaysExceptStartURLs" option enabled cannot be viewed in the configuration utility. These options are available from the command line only. When upgrading to either the current 10.1 maintenance release or the 10.5 beta release of the NetScaler operating system from any previous release, any profile which had the "always" option enabled has that option changed to "AlwaysExceptStartURLs." Profiles that have the "if_present" or "OFF" options enabled are not affected.
  • Issue IDs 456650, 313950: A NetScaler ADC that is configured as an HA pair, and that has the application firewall feature enabled, might experience repeated failovers from the primary to the secondary node when processing HTML traffic with large tag attribute values.
  • Issue ID 455284: NetScaler ADCs that are configured as an HA pair with the application firewall enabled might become unresponsive or reboot when the application firewall is processing a large web form.

AAA Application Traffic Issues

  • Issue ID 317157: AAA-TM now supports relative URLs as form Action URLs in forms-based SSO logon forms. You do not have to specify an absolute path to the web form when configuring forms-based SSO.

Content Switching Issues

  • Issue ID 460259: The output of the "stat cs vserver -fullValues" command now displays the number of requests per second. In earlier builds, the output displayed the total number of requests.

Configuration Utility Issues

  • Issue IDs 473832, 474471: The configuration utility might display the following error message when you create a monitor by navigating to Traffic Management > Load balancing > Monitors and click Add: Error creating view. Model must not be null
  • Issue ID 0448851: The System > Cluster > Manage Cluster screen allows a user to create a cluster without providing a Cluster IP address.
  • Issue ID 403766: In the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings creates an error condition.
  • Issue ID 409057: The Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard displays a distorted view of the published resources when you apply the application firewall settings in the Security section.
  • Issue ID 446373: For MPX and VPX NetScaler appliances, you can edit ifalias from the Graphical User Interface properly. If you are using Cluster VPX, you can only edit ifalias using the command line interface and not the Graphical User Interface.

DataStream Issues

  • Issue ID 415485: Support for SQL Server High-Availability (HA) Group Deployment

    The NetScaler ADC now supports AlwaysOn Availability group deployment in database specific load balancing for MSSQL 2012.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-dbproxy-db-specific-lb-for-mssql-2012-tsk.html.

Integrated Caching Issues

  • Issue IDs 466452, 469584, 469588, 470925: While revalidating cached objects, the integrated caching feature performs some incorrect accounting of the cache size. This causes the NetScaler appliance to crash.

GSLB Issues

  • Issue ID 465500: GSLB static proximity stops working, if you remove the custom records after the database ideal times out. If you have not removed the custom records, then it starts to work when a new connection request is made.

Load Balancing Issues

  • Issue ID 475980: The NetScaler ADC does not set the mandatory flag in a Route-Record AVP. As a result, some Diameter implementations might reject the AVP.
  • Issue ID 471938: In a deployment with multiple MAC-mode virtual servers, some changes in the configuration can result in a MAC-mode virtual server failing to serve traffic. Changes that can cause the problem include:
    • Disabling and enabling the interface through which the MAC of a service is learnt.
    • Removing virtual servers or clearing their configurations.
    • Changes caused by high availability failovers.

NetScaler Insight Center Issues

  • Issue ID 450474: On the dashboard, when you navigate to Web Insight > Devices > (device record) and click on HTTP Request Methods, HTTP Response Status, Operating Systems, or User Agents, and then from the bread crumb navigation click Application from the respective drop down list, the graph does not display any details.

NetScaler Gateway Issues

  • Issue ID 474027: If you configure the Green Bubble theme and if users do not meet the domain requirements when changing their passwords, users do not receive an error message. Instead, the logon page appears. With this fix, the error message appears to users.
  • Issue IDs 460997, 477547: If a configuration change occurs while being referred in the processing engine, NetScaler Gateway fails.
  • Issue IDs 456179, 462881, 466862: If proxy settings are configured on the user device and the NetScaler Gateway URL is in the proxy bypass list, users cannot establish a VPN connection with the NetScaler Gateway Plug-in for Windows.
  • Issue ID 440623: When users log on, preauthentication might not synchronize between processes. When this occurs, NetScaler Gateway fails.
  • Issue ID 412237: If users connect to a domain-based server by using clientless access, NetScaler Gateway fails occasionally.

NetScaler SDX Appliance Issues

  • Issue ID 475099: Configuring a wrong DNS IP address was slowing internal communication between Management Service and XenServer. With the current release, the DNS look up will be ignored for internal communication.
  • Issue ID 456703: When an interface other than 0/1 and 0/2 is used for management on a VPX instance and that interface is later made part of a channel created from SVM, the channel is not pushed to the VPX instance, and manual steps are required to achieve the same.

    A user can delete such channels (made out of data interfaces and used for VPX management) from SVM which will leave the VPX in unmanageable state.

Networking Issues

  • Issue ID 477507: If you have configured active FTP with the random source port option enabled for an FTP virtual server, the NetScaler ADC might not handle data connections properly for this FTP server and might become unresponsive.
  • Issue IDs 475466, 475462, 486447: RNAT configuration might be lost in a NetScaler ADC after you restart it.
  • Issue ID 457119: In a high availability (HA) configuration, the secondary node might forward BOOTP and DHCP related traffic using a configured VMAC address instead of the interface's MAC address.
  • Issue ID 438557: The NetScaler appliance might consume excessive CPU cycles when processing ACL rules.
  • Issue IDs 469033, 467726: In a high availability configuration, you might lose your VLAN configuration if you upgrade the secondary node to build 125.x from build 122.17, 123.11, or 124.13.
  • Issue ID 448316: The NetScaler ADC might not remove the session information of an FTP connection from its memory while closing the connection. When the NetScaler ADC allocates the same memory block for a connection related to a UDP DNS service, the NetScaler ADC becomes unresponsive.

SSL Issues

  • Issue IDs 460918, 474003: The Next Protocol Negotiation (NPN) TLS extension cannot be explicitly enabled or disabled. It is automatically enabled when SPDY is enabled on an HTTP profile, and disabled when SPDY is disabled.
  • Issue IDs 459688, 446760: If you use the configuration utility to configure FIPS appliances in a high availability setup, FIPS keys are not exported or imported between the nodes, because the option to enable secure information management (SIM) is not available.

System Issues

  • Issue IDs 451285, 441843, 457850: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
  • Issue ID 450398: The NetScaler nstrace utility does not filter out all IPv6 packets when an IPv4-only filter is entered.
  • Issue IDs 450054, 450787, 453207, 453481, 459354: When the NetScaler has application firewall disabled but SSO enabled, and the NetScaler memory is low, all unused memory (appfw memory) is not recovered. This leads to an erroneous value for the "ActualInUse" memory counter.
  • Issue IDs 455041, 478635, 484981: The NetScaler system backup tar file does not include the following files:
    • /nsconfig/ns.conf
    • /nsconfig/Zebos.conf
    • /nsconfig/rc.netscaler
    • /nsconfig/snmpd.conf
    • /var/log/wicmd.log
    • /nsconfig/nsbefore.sh
    • /nsconfig/nsafter.sh
  • Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or other admin session is in progress. Workaround: Re-execute the "show ns runningConfig" command to fetch the entire running configuration.

Known Issues and Workarounds

Application Firewall Issues

  • Issue ID 399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:

    > update appfw signatures "*Default Signatures"

    > update appfw signatures "custom_signatures"

    > update appfw signatures "custom_signatures_2"

  • Issue ID 451014: On a NetScaler ADC that has the application firewall enabled and the HTML SQL injection feature configured to block, when the ADC detects an SQL violation on a page with a web form, a second violation might be generated for the Form Action URL. This is expected behavior. To avoid unexpected blocks, when you configure a relaxation for a web form, be sure to include a relaxation for the Form Action URL as well.
  • Issue ID 466329: If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.
  • Issue ID 443673: Signature Bindings Not Shown in PCI-DSS Report. The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "not set".
  • Issue ID 372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup. Workaround: Display the bindings in the command line interface, by using the "show system global" command.
  • Issue ID 430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:

    > show appfw JSONContentType

    1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

    Done

    If it is not, the screen shows only the following:

    > show appfw JSONContentType

    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX

    show appfw JSONContentType

AppFlow Issues

  • Issue ID 396892: The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.
  • Issue ID 478480: If a browser executes the JavaScript that is inserted into the response of the main page, it sends a special request intended for the NetScaler ADC. AppFlow records for this request must not be generated. While handling this behavior, the logic in one part of the code assumes that the AppFlow records must not be sent, but another part of the code assumes that the records must be sent. As a result, the NetScaler ADC fails to respond.

CloudBridge Connector

  • Issue ID 440781: When the state of a cloudbridge connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.

Content Switching

  • Issue ID 501856: An invalid HTTP request that spans multiple TCP segments that is sent to a content switching virtual server can cause the NetScaler to skip the load balancing decision and initiate a connection from the SNIP to the content switching virtual server. This can cause the NetScaler appliance to crash.

Configuration Utility

  • Issue ID 374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 459703: In a high availability setup, if you run the "add ssl certkey" command on the primary node, and if the certificate and key files are not present on the secondary node, the command fails on the secondary node. However, an error message is not displayed in the configuration utility.
  • Issue ID 388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 482135: Java Runtime Environment (JRE) does not work on Internet Explorer version 10. Workaround: Press F12 and set the Document Mode and Browser mode to Internet Explorer 9.
  • Issue ID 483226: The key filename property of Import FIPS key (Configuration > Traffic Management > SSL > FIPS > FIPS keys >Action > Import > Key Filename) fails if you provide an incomplete filepath, folder1/folder2/rsa.key, where folder1 and folder2 are the folders within the nsconfig/ssl path.

    Workaround: Provide the complete file path nsconfig/ssl/folder1/folder2/rsa.key, or provide only the file name, rsa.key.

  • Issue IDs 374304 and 377460: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a "No such resource" error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button instead of pressing the ENTER key on the keyboard.

  • Issue ID 414807: The Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard displays an error if more than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers, or if more than one service is bound to the service group.
  • Issue ID 414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
  • Issue ID 469755: If you open the NetScaler ADC configuration utility on multiple browser tabs, and if you disable a feature on one of the tabs, the other tabs are not automatically refreshed.

    Workaround: Manually refresh the tabs.

DNS

  • Issue ID 458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.
    • If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.
    • If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.

Integrated Caching

  • Issue IDs 440107 and 440389: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

High Availability

  • Issue ID 471294: When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) to build 126.x, the updates made in the Webinterface.conf file are over-written by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes. To avoid this issue, use the following steps when upgrading the HA nodes:
    1. Before upgrading, run the command: "set ns param -internaluserlogin DISABLED"
    2. Upgrade the secondary HA node to NetScaler 10.1 Build 126.x release.
    3. Force failover to make the upgraded node as the primary node.
    4. Upgrade the other HA node to NetScaler 10.1 Build 126.x release.
    5. Restore the previously disabled "internaluserlogin" parameter to enabled using the command: "set ns param -internaluserlogin ENABLED".
    6. Save the configurations.
    Note: Before upgrading, sync files between the HA nodes by using the CLI command: "sync ha files all".

Load Balancing

  • Issue ID 399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.
  • Issue ID 441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.

NetScaler Insight Center

  • Issue ID 385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name "(user-id@domain-name)".
  • Issue ID 399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 386911: When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 446120: In some instances, the bar line on a graph appears outside the time points on the x-axis.
  • Issue ID 394526: In the Dashboard > Web Insight > Applications page, the values shown when you select "Response Time" from the drop-down list can be incorrect.
  • Issue ID 424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported. Workaround: To upgrade to build 120.13 or a later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
  • Issue ID 368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 409634: All the metrics except bandwidth and hits display the average values.
  • Issue ID 397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but, the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
  • Issue ID 414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue IDs 379876, 437964, and 424686: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 486792: If you enable AppFlow for ICA traffic on a NetScaler ADC, and if there is a large number of sessions, the ADC might fail because of an internal memory re-use and dependency issue.
  • Issue ID 482748: If you enable AppFlow for ICA traffic on a NetScaler ADC, the NetScaler ADC might fail because of an internal memory re-use and dependency issue.
  • Issue ID 475981: A NetScaler ADC fails when it receives ICA traffic from a metro receiver client.

NetScaler Gateway

  • Issue ID 397625: To configure two-factor authentication with SAML authentication, you must configure the secondary authentication policy in the primary cascade.
  • Issue ID 398693: Installing and uninstalling the NetScaler Gateway Plug-in can take a long time. This is due to multiple entries of the Citrix Virtual Adapter in the registry.
  • Issue ID 373991: On nCore appliances, when users attempt to access the subnet IP address through the VPN tunnel over HTTP, a 401 Access Denied error message appears. Connecting to the subnet IP address works if users make the attempt by using HTTPS.
  • Issue ID 400171: If you configure Group Extraction, you cannot bind an LDAP authentication policy to the virtual server. However, if an LDAP authentication policy was bound to the virtual server before configuring Group Extraction, you can enable authentication on the virtual server.
  • Issue ID 385318: If you have configured a proxy server and you configure NetScaler Gateway to route traffic through the proxy server, when users log off from a clientless access session, a 403 error occurs.
  • Issue ID 411152: When you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver, the applications and desktops do not appear. The following message appears: There are no apps or desktops assigned to you at this time. Citrix recommends disabling the optimization settings.
  • Issue ID 346729: If you apply the Citrix Receiver theme to the NetScaler Gateway logon page, the layout appears garbled on computers running Windows XP Service Pack 3 with Internet Explorer 7 browsers.
  • Issue ID 400050: The NetScaler Gateway Plug-in for Java does not compress network traffic even when compression is configured on the NetScaler Gateway.
  • Issue ID 392389: When users log on with the NetScaler Gateway Plug-in, when WiFi roaming occurs, intermittent ICMP requests time out and users cannot access network resources.
  • Issue ID 368229: The running configuration does not include group extraction policies bound to the NetScaler Gateway virtual server.
  • Issue ID 374890: If you configure the appliance with NetScaler Gateway and Application Firewall, logon attempts by unauthorized users appear in the logs. When an authorized user logs on and then attempts to access a network resource to which users are explicitly denied, the access attempt does not appear in the logs and users receive a 403 error.
  • Issue ID 411851: If you configure a NetScaler Gateway virtual server, enable ICA proxy and enable the Use Source IP (USIP) mode globally, when users connect and use StoreFront to open an application, NetScaler Gateway uses the client IP address as the source IP address when contacting the STA server and the application fails to open. If you disable USIP mode, the same behavior occurs unless you restart the NetScaler Gateway appliance. To avoid the issue, you need to configure a service on NetScaler for the STA server and disable USIP on that service.
  • Issue IDs 376303 and 394800: If you configure an intranet IP address and users log on by using clientless access and then open SharePoint 2007, a blank page appears when they try to open a folder with Windows Explorer.
  • Issue ID 384998: If you configure NetScaler Gateway as a high availability pair and if there is a failover from the primary to the secondary appliance, the ICA connection to published apps that are already open on the user device is reestablished. If users attempt to open more applications from the Web Interface, the applications fail to open and users receive an error message.

Networking

  • Issue ID 399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
  • Issue ID 475462: The NetScaler appliance might not properly process ACL-based RNAT rules.
  • Issue ID 371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the "sync HA files" command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each node of the HA configuration:

    > add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:

    On the primary node:

    > add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    On the secondary node:

    > add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

  • Issue IDs 383958 and 411806: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

NetScaler SDX Appliance

  • Issue ID 384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.
  • Issue IDs 369650, 468381 and 442942: Configuring an Enforced VLAN by providing a VLAN number in the VLAN ID field is not supported on SDX Rome 1G port.

    Workaround: Use the Allowed VLAN feature which has the same functionality as Enforced VLAN.

Platform

  • Issue ID 407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.
  • Issue ID 402113: L2 mode is not supported on NetScaler VPX instances running on a Linux-KVM host.
  • Issue ID 407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.
  • Issue ID 381000: On some NetScaler appliances, the following four sensor readings are no longer available. The "stat system -detail" command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)

    This change affects the following platforms:

    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 402111: VLAN tagging is not supported on NetScaler VPX instances operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
  • Issue ID 385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policy

  • Issue ID 422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP:

    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)

  • Issue ID 425465: After changing the time zone on a NetScaler appliance, you must restart the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
  • Issue ID 390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.
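
Added example (not from the Citrix release notes): a Python model of why a listen policy that tests the IPv4 Protocol field without first checking the IP version would also match the IPv6 packets described in Issue ID 422967, and how the workaround expression avoids it. That the appliance reads byte 9 of the header is an assumption inferred from the standard IPv4 and IPv6 header layouts; the packets, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

ICMP = 1  # IANA protocol number for ICMP over IPv4


def ipv4_header(src, dst, proto):
    """Minimal 20-byte IPv4 header; checksum left at 0 (not inspected here)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src, dst, next_header):
    """Fixed 40-byte IPv6 header with a zero-length payload."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28, 0, next_header, 64,
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )


def naive_is_icmp(pkt):
    """Assumed model of CLIENT.IP.PROTOCOL.EQ(ICMP) with no version check.

    Byte 9 is the Protocol field in an IPv4 header. In an IPv6 header the
    source address starts at offset 8, so byte 9 is its second byte.
    """
    return pkt[9] == ICMP


def guarded_is_icmp(pkt):
    """Model of the workaround expression:
    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
    """
    is_ipv6 = (pkt[0] >> 4) == 6
    return (not is_ipv6) and pkt[9] == ICMP


# Constructed sample headers using documentation and link-local addresses.
SAMPLES = [
    ("IPv4 ICMP", ipv4_header("192.0.2.10", "198.51.100.9", 1)),
    ("IPv4 TCP", ipv4_header("192.0.2.10", "198.51.100.9", 6)),
    # 2001:db8::10 starts with bytes 0x20 0x01, so its second byte is 01.
    ("IPv6 TCP, src 2001:db8::10", ipv6_header("2001:db8::10", "2001:db8::1", 6)),
    # fe80::1 starts with bytes 0xfe 0x80, so it is not affected.
    ("IPv6 TCP, src fe80::1", ipv6_header("fe80::1", "ff02::1", 6)),
]


def evaluate(samples=SAMPLES):
    """Return (label, naive_match, guarded_match) for each sample header."""
    return [(label, naive_is_icmp(p), guarded_is_icmp(p)) for label, p in samples]


if __name__ == "__main__":
    print(f"{'packet':<30}{'unguarded':<12}{'with IS_IPV6 guard'}")
    for label, naive, guarded in evaluate():
        print(f"{label:<30}{str(naive):<12}{guarded}")
```

Every source address in 2001::/16 has 01 as its second byte, so the unguarded policy described in the issue matches a large share of global IPv6 traffic, not only an occasional packet.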

Reporting

  • Issue ID 368982: After you import a custom data source, the charts for the counters under "System entities statistics" are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 494093: If session reuse is enabled on the NetScaler and a network error occurs, the NetScaler attempts to clear the session information so that it is not reused for a subsequent session request from the same client. In rare cases, the NetScaler might fail during this cleanup process.

System

  • Issue ID 476304: On SDX systems, TX stalls are sometimes seen on some of the member interfaces while creating, deleting, or modifying an LACP channel.
  • Issue ID 430154: On a NetScaler 1000V instance, transmit congestion occurs on virtual interfaces in high traffic conditions.
  • Issue IDs 377618, 341460, 364015 and 351127: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error:

    Invalid response from the aggregator [Device not Configured]

  • Issue IDs 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

VPX

  • Issue ID 405164: On a NetScaler VPX instance running on a Linux-KVM platform, dynamic routing protocols OSPF and ISIS fail to run on the platform's MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

  • Issue IDs 405383 and 360482: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.

Web Interface

  • Issue ID 397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.

Build 126.12

Release version: Citrix NetScaler, version 10.1 build 126.12

Replaces build: None

Release date: May 2014

Release Notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Changes

Caching Stored Procedures and SQL Queries Issues

  • Issue ID 0453973: If connection multiplexing is disabled in a database profile, stored procedures and SQL batch queries are not cached, despite caching being enabled for the profile. With this enhancement, you can enable caching, if connection multiplexing is disabled, by setting the new "enableCachingConMuxOFF" parameter in the profile.

    At the command prompt, type:

    add dbProfile <name> -conMultiplex DISABLED -enableCachingConMuxOFF ENABLED

    or

    set dbProfile <name> -enableCachingConMuxOFF ENABLED

    In the configuration utility, select "Enable caching when connection multiplexing OFF".

SNMP Issues

  • Issue ID 0418044: A new SNMP OID, vsvrEstablishedConn (1.3.6.1.4.1.5951.4.1.3.1.1.71) is available for current client connections in the ESTABLISHED state at the vserver level.

Bug Fixes

Application Firewall Issues

  • Issue ID 0407347: By default, the application firewall's SQL Injection signatures patterns and security checks do not prevent SQL injection attacks that use the percent (%) or underscore (_) characters. To work around this issue, add the percent and underscore characters to each signatures object as SQL special characters.
  • Issue ID 0424879: A user with a web proxy that allows the user to modify the HTTP header can on rare occasions bypass certain security checks when sending content that would normally be blocked. For example, a user might bypass the HTML and XML SQL injection checks when sending an SQL special symbol to a protected web application, as long as the special symbol is not combined with an SQL command. A user might also be able to send a modified cookie by intercepting and including all cookies that the application firewall sent to the user, including the NetScaler cookie. Finally, the user might be able to use a web form to upload a script and save that script as a different file type. It does not appear that this technique can be used to cause an actual security breach.
  • Issue IDs 0443207, 0355620: If an attacker includes an SQL special character that is not followed by an SQL keyword in web form data filtered by the application firewall, the application firewall does not block the request because it classifies a special character that does not include a keyword as a false positive.
  • Issue ID 0457454: After automatic update of the application firewall signature rules, custom signature rules with versions lower than the current signatures are automatically disabled.

AppFlow Issues

  • Issue IDs 0441332, 0401672, 0357422: If HTML Injection is enabled, the NetScaler ADC injects JavaScript into the response to obtain client-side page-load time and client-side page-render time details. The JavaScript triggers a special request that is intended only for the NetScaler ADC, but the NetScaler ADC creates an additional request by forwarding the request to the server.

Cluster Issues

  • Issue ID 0455148: In some cases, the MSR routes remain in the DOWN state because probing ownership is incorrectly distributed across the cluster. MSR in a cluster needs spotted SNIPs, and probing ownership must be with the local node alone.

Configuration Utility Issues

  • Issue IDs 0447077, 0460857: If you create a monitor by using the graphical user interface and choose the default browse option to select the built-in monitor scripts from the /nsconfig/monitors folder, the folder does not display any scripts to choose.
  • Issue ID 0448851: The System > Cluster > Manage Cluster screen allows a user to create a cluster without providing a Cluster IP address.
  • Issue ID 0460413: On a NetScaler SDX graphical user interface, an nsroot user cannot change the passwords of other configured user accounts.

Compression Issues

  • Issue ID 0456734: The output of the "show cmp parameter" command incorrectly displays the label as "Disable External Cache" instead of "Enable External Cache".

Command Line Interface Issues

  • Issue ID 0436772: When you run the command show techsupport to generate a tar of system configuration data, in certain scenarios, the NetScaler ADC might not collect certain large files.

DataStream Issues

  • Issue ID 0451036: NTLM authentication is now supported on all Windows clients.

Load Balancing Issues

  • Issue IDs 0369369, 0252157, 0438593: In NetScaler deployments where a load balancing virtual server is deployed behind another virtual server, the count of the number of request bytes is inadvertently doubled.
  • Issue ID 0434925: If you add a server with a name that contains an IP address and a string, and then use that server to add a service, the error message “service already exists” appears.
  • Issue IDs 0441973 and 0442098: If you bind policies in one of the following orders of priority, and then run the “show running config” or the “save config” command, the command runs repeatedly:
    • Syslog, nslog, syslog
    • Nslog, syslog, nslog
  • Issue ID 0456632: If a user tries to use a long URL (more than 1024 bytes) to access a protected resource for the first time (that is, without a valid cookie), the NetScaler ADC returns a 500 error.
  • Issue ID 0454497: When the primary virtual IP address is down and no backup is configured, spillover persistence fails to decrement the session allocation counter. This leads the NetScaler appliance to believe that sessions are alive and therefore reject new client requests.

NetScaler Insight Center Issues

  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0451609: If a NetScaler ADC is deployed in transparent mode for HDX Insight, Citrix Receiver fails to launch the applications or desktops if use source IP (USIP) is enabled and use subnet IP (USNIP) is disabled.
  • Issue ID 0452989: If a NetScaler ADC is deployed in transparent mode for HDX Insight, Citrix Receiver fails to launch the applications or desktops if the appflow policy is not bound to a global bind point.
  • Issue ID 0456449: On the Dashboard > Web Insight > Applications page, the report for a specific application does not display the client type and client version details.
  • Issue ID 0453764: On the dashboard, HDX Insight reports do not display the active sessions and also display an incorrect value for session launch count.

NetScaler SDX Appliance Issues

  • Issue ID 0449247: If an appliance inventory is in progress while a channel is being created, the channel might be created on the VPX but not be visible from the SVM.
  • Issue ID 0456884: When you click on a NetScaler IP address in the SVM GUI, the NetScaler configuration utility opens without prompting for logon credentials. Log on is done through single sign on (SSO).
  • Issue ID 0460329: If you are using the NetScaler SDX 8015/8400/8600 10G platform, no interfaces are shown in the interface list when an LACP channel is being created.
  • Issue ID 0455601: There was an issue with the disk configuration file for NSSDX-22000 and NSSDX-22000T systems. The Local Storage partition was configured as sda3 instead of sda4 for these systems.
  • Issue ID 0460376: The Management Service displayed an incorrect alert for power supply status, with the message "One of the two power supplies is not working".

Networking Issues

  • Issue ID 0452434: In a high availability configuration in INC mode, net profile and IPset commands propagate to the secondary node.
  • Issue IDs 0469033, 0467726: In a high availability configuration, you might lose your VLAN configuration if you upgrade the secondary node to build 125.x from builds 122.17, 123.11, or 124.13.

Platform Issues

  • The LCD display on the front of every NetScaler SDX appliance, except SDX 11500/13500/14500/16500/18500/20500 and SDX 11515/11520/11530/11540/11542 displays a booting message when the appliance is started or restarted.

    The LCD has a neon backlight. Normally, the backlight glows steadily. When there is an active alert, it blinks rapidly. When the appliance shuts down, the backlight remains on for one minute and then automatically turns off.

    Note: The LCD screen on a NetScaler SDX appliance displays the base model number for that platform. To view the licensed model number of the appliance, log on to the Management Service and check the licensed model number on the top left corner of the screen. For example, if you have purchased an SDX 11515 license, the LCD screen displays SDX 11500, and the Management Service screen displays NetScaler SDX (11515).

    On some SDX platforms, the LCD backlight might not work. Therefore, the display might not be clear.

SSL Issues

  • Issue ID 0437018: On a Nitrox-2 chip based platform, if you bind cipher groups, such as HIGH and AES, to your virtual server, the unsupported ECDHE cipher might also be bound. This cipher does not cause any problems. To remove it, you must unbind the cipher group.
  • Issue IDs 0451698, 0446674, 0452080: In a high availability setup, the force ha sync command appends the DEFAULT cipher group to the user-defined ciphers on the virtual server of the secondary node.

System Issues

  • Issue IDs 0335202, 0341155, 0404099, 0248103: When web server logging and audit logging are enabled on the NetScaler, the TCP current clients counter goes to negative values and shows a very large value in the stat or the SNMP OID.
  • Issue IDs 0396628, 0402205: With a large number of configuration entries in the ns.conf file, the commands in the /nsconfig/rc.netscaler file might not be applied after the appliance is restarted.
  • Issue IDs 0401111, 0414273, 0413721, 0408648, 0399769, 0375425, 0460731, 0424726, 0408267: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
  • Issue ID 0432612: The NetScaler ADC forwards unprocessed packets to the load balancing virtual servers without selecting a service, because of an HTTP out-of-order packet processing issue. Instead of being dropped, these connections queue up at the virtual servers. The ADC fails to respond while processing these connections.
  • Issue ID 0446300: The NetScaler ADC might fail during an nstrace operation.
  • Issue IDs 441843, 457850, 451285: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
  • Issue ID 0453108: The NetScaler appliance drops a connection if it receives 255 back-to-back old packets (re-transmissions). The limit is configurable and the default value has been increased.
  • Issue ID 0453811: The state of services for which NATPCB is allocated starts flapping because of NATPCB allocation failure.
  • Issue ID 0450580: High CPU usage is observed when evaluating listen policy named expressions on a virtual server that picks up every packet.

VPX Issues

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might occur in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:

    sysctl netscaler.ns_vpx_halt_method=2

    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:

    sysctl netscaler.ns_vpx_halt_method=2

Web Interface Issues

  • Issue ID 0450811: In a high availability setup, if the failover operation is performed twice, a user trying to launch an application is unable to proceed after the AGESSO.jsp page appears. If the domain controller is configured for x number of logon retries, and the user refreshes the page x number of times, the account is locked. With this fix, the user is able to launch the application. However, if an application is launched immediately after failover, and the launch takes longer than usual (about 75 seconds), a session error page might appear, in which case the user has to log on again.
  • Issue ID 0456120: Upgrading a NetScaler ADC from release 10 to release 10.1 deletes a set of customized options of the add wi site command.
  • Issue ID 0458113: Neither the CLI nor the configuration utility allows a user to configure a pre-login message of more than 255 characters.

Known Issues and Workarounds

Application Firewall Issues

  • Issue ID 0364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup. Display the bindings in the command line interface, by using the show system global command.
  • Issue ID 0466329: If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.
  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:

    > show appfw JSONContentType
    1)
    JSONContenttypevalue: "^application/json$" IsRegex: REGEX
    Done

    If it is not, the screen shows only the following:

    > show appfw JSONContentType
    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX
    show appfw JSONContentType

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:

    update appfw signatures "*Default Signatures"
    update appfw signatures "custom_signatures"
    update appfw signatures "custom_signatures_2"

  • Issue ID 0451014: On a NetScaler ADC that has the application firewall enabled and the HTML SQL injection feature configured to block, when the ADC detects an SQL violation on a page with a web form, a second violation might be generated for the Form Action URL. This is expected behavior. To avoid unexpected blocks, when you configure a relaxation for a web form, be sure to include a relaxation for the Form Action URL as well.

AppFlow Issues

  • Issue ID 0396892: The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.

CloudBridge Connector Issues

  • Issue ID 0440781: When the state of a cloudbridge connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.

Content Switching/Load Balancing Issues

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Configuration Utility Issues

  • Issue ID 0361793 (nCore and nCore VPX): The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue IDs 0374304, 0377460: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
  • Issue ID 0414807: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:
    • More than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers.
    • More than one service is bound to the service group.
  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings creates an erroneous condition.
  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.
  • Issue ID 0411152: When you use the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings makes applications and desktops unavailable when StoreFront is accessed through a VPN.

    Workaround: Do not apply the optimization settings.

DNS Issues

  • Issue ID 0458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.
    • If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.
    • If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.

High Availability Issues

  • Issue ID 0443588: In a High Availability configuration, after you remove an HA configuration from one of the two nodes, if you confirm the following prompt message, "Do you want to remove ha node from remote system also ?", an error message might be displayed and the HA configuration is not removed from the remote node.
  • Issue ID 0471294: When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) to build 126.x, the updates made in the Webinterface.conf file are overwritten by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes.
    To avoid this issue, use the following steps when upgrading the HA nodes:
    1. Before upgrading, run the command: "set ns param -internaluserlogin DISABLED".
    2. Upgrade the secondary HA node to NetScaler 10.1 Build 126.x release.
    3. Force failover to make the upgraded node the primary node.
    4. Upgrade the other HA node to NetScaler 10.1 Build 126.x release.
    5. Restore the previously disabled "internaluserlogin" parameter to enabled by using the command: "set ns param -internaluserlogin ENABLED".
    6. Save the configurations.
    Note: Before upgrading, synchronize files between the HA nodes by using the CLI command: "sync ha files all".

ICA AppFlow Issues

  • Issue ID 0458122: When AppFlow is enabled, Multi-Stream ICA connections do not work if an AppFlow policy is bound to a VPN virtual server and AppFlow logging is enabled on the VPN virtual server.
  • Issue ID 0456440: On the Dashboard > HDX Insight > Desktops page, the report for a specific user displays the desktop record for that user, but it does not include the desktop records for all users.

Integrated Caching Issues

  • Issue IDs 0440107, 0440389: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

Load Balancing Issues

  • Issue ID 0441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.

NetScaler Insight Center Issues

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0446120: In some instances, the bar line on a graph appears outside the time points on the x-axis.
  • Issue IDs 0379876, 0424686, 0437964: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0409634: All the metrics except bandwidth and hits display the average values.
  • Issue ID 414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
  • Issue ID 414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported.

    Workaround: To upgrade to build 120.13 or a later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.

    Workaround: Restart the appliance by running the following command on the command line interface:

    #/etc/rc.d/analyticsd restart

  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue IDs 0333555 and 346171: After you enable AppFlow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If AppFlow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable AppFlow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a Notepad.

  • Issue IDs 0388096 and 0423109: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue IDs 0388563 and 0438710: The following behavior is seen during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning, but are visible on the browser.
    • The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.
    • When you click OK on the dialog box, the applications are not displayed anymore.
    • If you launch any fresh applications without re-login, all the previously launched applications will resume with the previous status.

  • Issue ID 0388875: When you navigate to Configuration > Inventory and click on a NetScaler IP address, only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0402105: The following error can occur when you use an IE8 browser to access NetScaler Insight Center from XenDesktop 5.6 or XenApp 6.5:

    "Object does not support this property or method."

  • Issue IDs 0404100 and 0404822: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server that has the lowest priority.
  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.

NetScaler SDX Appliance Issues

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
  • Issue ID 0434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.
  • Issue ID 0456703: When an interface other than 0/1 and 0/2 is used for management on a VPX instance, and that interface is later made part of a channel created from SVM, the channel is not pushed to the VPX instance and manual steps are required to achieve the same. A user can delete such channels (made out of data interfaces and used for VPX management) from SVM, which leaves the VPX instance in an unmanageable state.
  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.
  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.

Networking Issues

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each node of the HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:

    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    and the following command on the secondary node:

    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

  • Issue IDs 0383958, 0411806: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform Issues

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)
    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
  • Issue ID 0402111: VLAN tagging is not supported on NetScaler VPX instances operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
  • Issue ID 0402113: L2 mode is not supported on NetScaler VPX running on a Linux-KVM host.
  • Issue ID 0407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.
  • Issue ID 0407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.

Policy Issues

  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must restart the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.

Policies Issues

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP:

    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
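
The overlap behind Issue ID 0422967 can be reproduced offline. The following is an added example (not Citrix code and not part of the original release notes). It assumes the protocol test reads the IPv4 Protocol field at byte offset 9 regardless of IP version; in an IPv6 header that offset is the second byte of the source address. The header builders, function names and sample addresses are constructed for illustration.

```python
"""Added illustration, not NetScaler code: a version-blind protocol test
versus one that excludes IPv6 first, as the workaround expression does."""
import ipaddress
import struct

ICMP = 1                  # IANA protocol number for ICMP over IPv4
TCP = 6                   # IANA protocol number for TCP
IPV4_PROTOCOL_OFFSET = 9  # byte offset of the Protocol field in an IPv4 header
IPV6_SRC_OFFSET = 8       # byte offset of the source address in an IPv6 header


def build_ipv4_header(src, dst, protocol):
    """Minimal 20-byte IPv4 header (constructed sample, checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, protocol, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def build_ipv6_header(src, dst, next_header):
    """Minimal 40-byte IPv6 header (constructed sample, zero payload length)."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28, 0, next_header, 64,
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )


def ip_version(header):
    """The IP version is the high nibble of the first header byte."""
    return header[0] >> 4


def naive_is_icmp(header):
    """Assumed model of the version-blind test: offset 9 is read as if
    every packet carried an IPv4 header."""
    return (len(header) > IPV4_PROTOCOL_OFFSET
            and header[IPV4_PROTOCOL_OFFSET] == ICMP)


def guarded_is_icmp(header):
    """Model of the workaround: exclude IPv6 first, then test the
    Protocol field of the remaining IPv4 packets."""
    return (len(header) > IPV4_PROTOCOL_OFFSET
            and ip_version(header) == 4
            and header[IPV4_PROTOCOL_OFFSET] == ICMP)


# Constructed sample headers using documentation and link-local ranges.
# Every source address in 2001::/16 has 0x01 as its second byte.
SAMPLES = {
    "ipv4-icmp": build_ipv4_header("192.0.2.10", "198.51.100.1", ICMP),
    "ipv4-tcp": build_ipv4_header("192.0.2.10", "198.51.100.1", TCP),
    "ipv6-tcp-2001": build_ipv6_header("2001:db8::10", "2001:db8::1", TCP),
    "ipv6-tcp-fe80": build_ipv6_header("fe80::10", "fe80::1", TCP),
}


def evaluate(samples=SAMPLES):
    """Return {sample name: (naive result, guarded result)}."""
    return {name: (naive_is_icmp(h), guarded_is_icmp(h))
            for name, h in samples.items()}


if __name__ == "__main__":
    for name, (naive, guarded) in evaluate().items():
        h = SAMPLES[name]
        print(f"{name:14} v{ip_version(h)} byte9=0x{h[9]:02x} "
              f"naive={naive} guarded={guarded}")
```

Because the common global unicast prefix 2001::/16 has 0x01 as its second byte, a version-blind test matches far more IPv6 traffic than the wording of the issue might suggest.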

Reporting Issues

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

Signature Bindings Not Shown in PCI-DSS Report Issues

  • Issue ID 0443673: The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as “not set”.

SSL Issues

  • Issue ID 0343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue IDs 0459688, 0446760: If you use the configuration utility to configure FIPS appliances in a high availability setup, FIPS keys are not exported or imported between the nodes, because the option to enable secure information management (SIM) is not available.

    Workaround: Use the command line to enable SIM. For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-tmg-fips-configure-fips-ha-tsk.html.

  • Issue ID 0469556: In rare cases, in which an unusually large number of new SSL requests are received, freeing an SSL session takes longer than expected. As a result, after some time available memory is exhausted.

System Issues

  • Issue IDs 0377618, 0351127, 0364015: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error: Invalid response from the aggregator [Device not Configured].
  • Issue ID 0430154: On a NetScaler 1000V instance, transmit congestion occurs on virtual interfaces in high traffic conditions.
  • Issue ID 0455041: The NetScaler system backup tar file does not include the following files:

    /nsconfig/ns.conf

    /nsconfig/Zebos.conf

    /nsconfig/rc.netscaler

    /nsconfig/snmpd.conf

    /var/log/wicmd.log

    /nsconfig/nsbefore.sh

    /nsconfig/nsafter.sh

  • Issue IDs 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

  • Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or another admin session, is in progress.

    Workaround: Re-execute the "show ns runningConfig" command to fetch the entire running configuration.

System/Application Firewall Issues

  • Issue ID 0437307: On a NetScaler ADC that is not configured to use jumbo frames and that protects a server that is configured to use jumbo frames, if the application firewall is enabled and at least one profile is configured, the ADC might become unresponsive for a period of time and then reset the connection.

VPX Issues

  • Issue ID 0405164: On a NetScaler VPX instance running on a Linux-KVM platform, dynamic routing protocols OSPF and ISIS fail to run on the platform’s MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

  • Issue IDs 0405383, 0360482: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.
  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might occur in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:

    sysctl netscaler.ns_vpx_halt_method=2

    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:

    sysctl netscaler.ns_vpx_halt_method=2

Web Interface Issues

  • Issue ID 0397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API Issues

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later: bindservicegroup_state2, unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.

Build 125.9

Release version: Citrix NetScaler, version 10.1 build 125.9

Replaces build: 125.8

Release date: April 2014

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Changes

Platform

  • Issue ID 0419237: The 10G ixgbe (ix) driver on the NetScaler appliance now supports the following Active Optical Cables (AOCs):
    • Finisar FCBG110SD1C03
    • Avago AFBR-7CAR03Z

SSL

  • Issue ID 0376153: You can now set a limit to the number of disabled SSL chips after which the appliance restarts. At the command prompt, type:
    set ssl parameter -cryptodevDisableLimit

    A chip is marked disabled after the third failed reinitialization attempt.

  • Issue ID 0455821: An SSL chip is disabled at the third reinitialization attempt. That is, the maximum reinitialization limit is 2. Earlier, this limit was 5.

Bug Fixes

Application Firewall

  • Issue ID 0428852: On a NetScaler ADC with limited CPU and memory, if the application firewall is enabled, out-of-memory errors might accumulate in the NetScaler log, causing rapid rotation of log files.
  • Issue IDs 0436100 & 0447536: On a NetScaler ADC that has the application firewall enabled and the Form Field Consistency check or Field Formats check enabled, a memory leak might cause the ADC to become unresponsive, requiring a manual restart. The underlying issue is a failure to process certain types of web form content properly. Appliances or VPX instances that have limited CPU and memory are especially likely to experience this issue.
  • Issue ID 0445552: On a NetScaler ADC HA pair configured to use the Citrix VPN, single sign-on, and the Application Firewall, a memory page issue might cause the primary ADC to reboot, failing over to the secondary ADC.
  • Issue ID 0448610: On a NetScaler ADC that has the application firewall enabled and an XML or Web 2.0 profile configured, if a response-side check (such as the Credit Card or Safe Object check) is enabled along with at least one XML-based check, Lotus Notes webmail does not load correctly. Specifically, the frame that should contain the user's inbox is blank.
  • Issue IDs 0448961, 0449223, 0449851, & 0450070: When using CVPN or the application firewall credit card or safe object security checks, memory issues might cause the NetScaler ADC to become unresponsive or restart.
  • Issue IDs 0446304, 0447206, 0444746, 0444810, 0448814, 0449393, 0449396, 0451162, 0451860, 0452078, and 0452427: If you use the single sign on (SSO) feature on your NetScaler ADC or NetScaler Gateway, it might become unresponsive or restart.
  • Issue ID 0450939: On a NetScaler ADC that has the application firewall enabled and an XML or Web 2.0 profile configured, if any XML security checks are enabled, certain web content does not load correctly.
  • Issue IDs 0452846, 0453768, 0456263, 0459327, and 046450: On a NetScaler ADC that has the application firewall enabled, when a Google Chrome user opens a large PDF file on a protected web server, the ADC might become unresponsive. The same file, if downloaded with Internet Explorer or Mozilla Firefox, causes no problems. The cause is a loop in a backup queue.
  • Issue ID 0453111: On a NetScaler ADC that has the application firewall enabled, and that has either limited available memory or a small memory cache configured, a memory page issue might cause the ADC to become unresponsive or reboot.

AAA Application Traffic

  • Issue ID 0382693: Currently AAA supports Kerberos authentication only with Datastream Windows Authentication. AAA does not support fallback to NTLM if Kerberos authentication fails.
  • Issue ID 0435529: When the NetScaler ADC is configured to use AAA with SAML authentication, and it receives a response from the IDP, it reformats the response in standard SAML format. (This process is sometimes called "canonicalizing" the response.) The ADC might not reformat SAML <samlp: response> namespace prefix tags correctly, because it expects <saml: assertion> format. In that case, digest verification fails.
  • Issue ID 0441290: When performing Kerberos authentication or authorization, instead of accepting the hostname that the user provided in the request, AAA-TM now performs a DNS lookup on the hostname IP, and uses the canonical FQDN for that IP when constructing a server SPN.
  • Issue ID 0453125: AAA-TM now supports the use of RFC822 name-based (SAN) client certificates to authenticate users. SAN client certificates work in exactly the same way as other client certificates. To configure the NetScaler ADC to use SAN client certificate authentication, follow the client certificate authentication instructions in the AAA-TM documentation.

Command Line Interface

  • Issue ID 0441505: A response policy bound to a VPN virtual server is no longer bound to the virtual server after you restart the NetScaler ADC.

Configuration Utility

  • Issue ID 0443850: If you use the configuration utility to create a NetScaler-owned IP address, and provide the OSPF LSA Type1 area value, the Type1 area value is not displayed when you click on the created IP address to view or edit the details.
  • Issue ID 0446549: After you set the SSO Domain (Single Sign-on Domain) value, the value is not displayed on the configuration utility when you navigate to Security > AAA Application Traffic > Settings > Change Global Settings.
  • Issue ID 0447077: If you create a monitor by using the graphical user interface and choose the default browse option to select the in-built monitor scripts from the /nsconfig/monitors folder, the folder does not display any scripts to choose.
  • Issue ID 0449229: The configuration utility includes an option to enable Net Profile when you create a StoreFront monitor, but that option should not be enabled for a StoreFront monitor.

Content Switching

  • Issue ID 0428991: The NetScaler appliance fails in the following scenario:
    1. Create a content switching virtual server (CS1) and bind a policy (P1) to it.
    2. Rename the virtual server (CS1) to CS2.
    3. Create another content switching virtual server named CS1 and bind P1 to the new CS1.
    4. Send traffic to virtual server CS1.
  • Issue ID 0445561: If an HTTP content switching virtual server is bound to an SSL virtual server that has a backup SSL virtual server, the following error message appears:

    ERROR: The backup vserver of the target vserver is not compatible with the CS vserver.

  • Issue ID 0449261: You must bind only a load balancing (LB) virtual server as the default or target LB virtual server to a content switching (CS) virtual server. Global server load balancing (GSLB), cache redirection (CR), virtual private network (VPN), and CS virtual servers must not be bound to a CS virtual server as the default or target virtual server.

ICA AppFlow

  • Issue ID 0430696: The NetScaler Gateway fails if AppFlow is enabled or disabled during ICA connections. The NetScaler Gateway might also fail if the NetScaler appliance receives an ICA parsing error.
  • Issue ID 0445959: The NetScaler ADC might fail if the EUEM channel data that is part of the ICA traffic flow is split across multiple frames in such a way that the first frame contains only 1 byte.
  • Issue ID 0445550: With some WYSE clients, the NetScaler ADC fails while processing the ICA connections if the ICA frame is fragmented across several CGP frames (more than three frames).

Integrated Caching

  • Issue ID 0427598: The NetScaler appliance fails to respond when it receives multiple byte-range requests for the same objects at almost the same time and the start of the byte range is greater than 1 MB.
  • Issue IDs 0436298 and 0434877: When refreshing a cache object for a conditional GET to an expired object, the memory is deducted two times but is returned only once when the cache cell goes away. This causes the memory that is used for a content group to slowly increase and finally reach the maximum memory that a content group can use. The NetScaler appliance is therefore unable to cache objects for that content group.

Load Balancing

  • Issue ID 0451670: The configuration for the NetScaler Web 2.0 Push feature is not saved in the configuration (ns.conf) file. As a result, if you run the show running config command, the push configuration is not shown.
  • Issue ID 0452648: In direct server return mode, the NetScaler ADC does not send a RST flag to the client after the idle timeout has expired.

NetScaler SDX Appliance

  • Issue ID 0445598: On a NetScaler SDX appliance running Management Service version 10.1, build 119.7, manually initiated backup operations fail, and a User name missing error message appears.
  • Issue ID 0446985: On a NetScaler SDX appliance, the NetScaler instances do not start when the total number of interfaces and SSL cores is more than 26.
  • Issue ID 0447773: If the administrative password for the Management Service contains an ampersand character (&), communication between Management Service and XenServer is affected, and errors occur during provisioning or modification of the instances.
  • Issue ID 0456884: When you click a NetScaler IP address in the SVM GUI, it opens the NetScaler configuration utility without prompting for login credentials. Login is carried out using Single Sign On (SSO).

Networking

  • Issue ID 0448738: On a NetScaler ADC configured for link load balancing with RNAT, access to external sites fails intermittently.
  • Issue ID 0449175: In a High Availability configuration, if you set the maxFlips, maxFlipTime or syncvlan parameter of the set HA node command, the NetScaler ADC adds a duplicate entry of the add HA node command to the running configuration.

NITRO API

  • Issue ID 0444986: When importing an AppExpert template that has back end services configured, the NetScaler ADC reports a protocol mismatch error even if other service parameters (service name, IP address and port) are not the same.

Policies

  • Issue ID 0430148: Error messages displayed during policy binding are shown as hexadecimal code instead of the corresponding warning message.

SNMP

  • Issue ID 0407594: The aggregateBWUseHigh and aggregateBWUseNormal SNMP traps are frequently generated even though the bandwidth is less than the set value for the alarm.

SSL

  • Issue ID 0436205: If you add a certificate revocation list (CRL) with refresh enabled, the appliance might perform a core dump and restart.

System

  • Issue ID 0447623: When a client’s MPTCP token is invalid in the C2C steered MP_CAPABLE final ACK, the packet is dropped silently without flushing out the RSS filter. This filter is never deleted. If the client reuses the same 4-tuple as the filter, the incoming packet may go into the steering loop between the PEs. This will lead to very high CPU utilization.
  • Issue ID 447618: The NetScaler VPX appliance is now supported on VMware vSphere Hypervisor (ESXi) versions 5.1 and 5.5. This means that a NetScaler virtual instance can be instantiated on the 5.1 or 5.5 versions of the ESXi hypervisor.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.
  • Issue ID 0396892: Sometimes, the AppFlow exporter might not export the correct information, and as a result the client IP address is displayed incorrectly on the NetScaler Insight Center dashboard.

Application Firewall

  • Issue ID 0364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup.

    Workaround: Display the bindings in the command line interface, by using the show system global command.

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.
    For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:
    update appfw signatures "*Default Signatures"
    update appfw signatures "custom_signatures"
    update appfw signatures "custom_signatures_2"
  • Issue ID 0430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:
    > show appfw JSONContentType 
    1) JSONContenttypevalue: "^application/json$"
    IsRegex: REGEX
    Done
    If it is not, the screen shows only the following:
    > show appfw JSONContentType
    Done
    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:
    add appfw JSONContentType ^application/json$ -isRegex REGEX
    show appfw JSONContentType
  • Issue ID 0443673: The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "not set".

Configuration Utility

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When you use the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When you use the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When you use the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings makes applications and desktops unavailable when StoreFront is accessed through a VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0448851: The System > Cluster > Manage Cluster screen allows a user to create a cluster without providing a Cluster IP address.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Domain Name System

  • Issue ID 0458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.
    • If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.
    • If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.

High Availability

  • Issue ID 0443588: In a High Availability configuration, after you remove an HA configuration from one of the two nodes, if you confirm the prompt message "Do you want to remove ha node from remote system also ?", an error message might be displayed and the HA configuration is not removed from the remote node.

Integrated Caching

  • Issue ID 0440107: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

Load Balancing

  • Issue ID 0441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.

NetScaler Insight Center

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.
    Workaround: Restart the appliance by running the following command on the command line interface:
    #/etc/rc.d/analyticsd restart
  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue ID 0333555 and 346171: After you enable AppFlow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If AppFlow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable AppFlow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a Notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The graphs display overlapping time values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error can occur when you use an IE8 browser to access NetScaler Insight Center from XenDesktop 5.6 or XenApp 6.5:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, the clear AppFlow configurations (Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server that has the lowest priority.
  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported.

    Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 0421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.
  • Issue ID 0446120: On the HDX Insight reports, the bar in the chart is sometimes shown at a location higher than the X axis.
  • Issue ID 0456449: On the Dashboard > Web Insight > Applications page, the report for a specific application does not display the client type and client version details.
  • Issue ID 0456440: On the Dashboard > HDX Insight > Desktops page, the report for a specific user displays the desktop record for that user, but it does not include the desktop records for all users.

NetScaler SDX Appliance

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.
  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.
  • Issue ID 0434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2
  • Issue ID 0405164: On a NetScaler VPX instance running on a Linux-KVM platform, dynamic routing protocols OSPF and ISIS fail to run on the platform's MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

  • Issue ID 0405383: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each node of the HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:

    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    and the following command on the secondary node:

    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
  • Issue ID 0469033: In a high availability configuration, you might lose your VLAN configuration if you upgrade the secondary node to build 125.9 from builds 122.17, 123.11, or 124.13.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)
    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
  • Issue ID 0402111: VLAN tagging is not supported on NetScaler VPX instances operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
  • Issue ID 0402113: L2 mode is not supported on NetScaler VPX running on a Linux-KVM host.
  • Issue ID 0407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.
  • Issue ID 0407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP:

    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)

  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must restart the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
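
The behaviour reported in Issue ID 0422967 is consistent with header layout: byte 9 of an IPv4 header is the protocol field, while byte 9 of an IPv6 header is the second byte of the source address. The following added example (not Citrix code) models the listen policy with and without the IPv6 guard from the workaround. The function names, the sample packets, and the assumption that the protocol check reads a fixed byte offset are illustrative.

```python
import ipaddress
import struct

ICMP = 1  # IANA protocol number carried in the IPv4 "protocol" field
TCP = 6


def ipv4_header(src, dst, proto):
    """Minimal 20-byte IPv4 header; checksum left at 0 (constructed sample)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,   # version 4, header length 5 words
        0, 20, 0, 0,    # TOS, total length, ID, flags/fragment offset
        64, proto, 0,   # TTL, protocol (byte offset 9), checksum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src, dst, next_header):
    """40-byte IPv6 header with no payload (constructed sample)."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28,              # version 6, traffic class 0, flow label 0
        0, next_header, 64,   # payload length, next header, hop limit
        ipaddress.IPv6Address(src).packed,  # source address starts at byte offset 8
        ipaddress.IPv6Address(dst).packed,
    )


def naive_is_icmp(packet):
    """Assumed model of CLIENT.IP.PROTOCOL.EQ(ICMP): read byte 9, ignore the IP version."""
    return len(packet) >= 20 and packet[9] == ICMP


def guarded_is_icmp(packet):
    """Model of the workaround: !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)."""
    if len(packet) < 20:
        return False
    is_ipv6 = (packet[0] >> 4) == 6
    return (not is_ipv6) and naive_is_icmp(packet)


# Constructed sample packets (documentation and link-local addresses only).
SAMPLES = {
    "ipv4 ICMP": ipv4_header("198.51.100.9", "198.51.100.27", ICMP),
    "ipv4 TCP": ipv4_header("198.51.100.9", "198.51.100.27", TCP),
    # 2001:db8::1 packs to 20 01 0d b8 ..., so the second source byte is 0x01.
    "ipv6 TCP from 2001:db8::1": ipv6_header("2001:db8::1", "2001:db8::2", TCP),
    # fe80::1 packs to fe 80 00 00 ..., so the second source byte is 0x80.
    "ipv6 TCP from fe80::1": ipv6_header("fe80::1", "fe80::2", TCP),
}


def misclassified(samples):
    """Labels of packets the unguarded check captures but the guarded check does not."""
    return sorted(
        label for label, pkt in samples.items()
        if naive_is_icmp(pkt) and not guarded_is_icmp(pkt)
    )


if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:28} naive={naive_is_icmp(pkt)!s:5} guarded={guarded_is_icmp(pkt)}")
    print("captured only by the unguarded policy:", misclassified(SAMPLES))
```

Any source address in 2001::/16 has 0x01 as its second byte, so the unguarded expression is not limited to unusual addresses.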

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue IDs 0414388 and 0345883: In rare cases, if the random number generated for the DH key exchange has a leading zero, DH negotiation fails because of a hardware limitation.

System

  • Issue ID 0377618: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error:

    Invalid response from the aggregator [Device not Configured]

  • Issue ID 0396628: With a large number of configuration entries in the ns.conf file, the commands in the /nsconfig/rc.netscaler file might not be applied after the appliance is restarted.
  • Issue ID 0432612: The NetScaler ADC forwards unprocessed packets to the load balancing virtual servers without selecting a service, because of an HTTP out-of-order packet processing issue. Instead of being dropped, these connections queue up at the virtual servers. The ADC fails to respond while processing these connections.
  • Issue ID 0446300: NetScaler might fail to respond when performing the nstrace operation.
  • Issue IDs 0441843, 0375425, 0399769, 0401111, 0408648, 0413721, and 0414273: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
  • Issue IDs 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

  • Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or another admin session, is in progress.

    Workaround: Re-execute the "show ns runningConfig" command to fetch the entire running configuration.

System/Application Firewall

  • Issue ID 0437307: On a NetScaler ADC that is not configured to use jumbo frames and that protects a server that is configured to use jumbo frames, if the application firewall is enabled and at least one profile is configured, the ADC might become unresponsive for a period of time and then reset the connection.

Web Interface

  • Issue ID 0397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname

    Use unsetnslimitidentifier_selector instead.


Build 124.13

Release version: Citrix NetScaler, version 10.1 build 124.13

Replaces build: None

Release date: February 2014

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Support for ECDHE Ciphers

  • ENH ID 0453765: The Citrix NetScaler MPX 11515/11520/11530/11540/11542 appliances support the ECDHE cipher group. On the SDX 11515/11520/11530/11540/11542 appliances, the cipher group is supported only if an SSL chip is assigned to a VPX instance. This group contains the following ciphers:
    • TLS1-ECDHE-RSA-RC4-SHA
    • TLS1-ECDHE-RSA-DES-CBC3-SHA
    • TLS1-ECDHE-RSA-AES128-SHA
    • TLS1-ECDHE-RSA-AES256-SHA
    The following ECC curves are supported:
    • P_256
    • P_384
    • P_224
    • P_521
    Note: ECC curves 224 and 521 are not supported with TLS1.2 protocol.

NetScaler MPX 11515/11520/11530/11540/11542 Appliance

NetScaler SDX 11515/11520/11530/11540/11542 Appliance

Bug Fixes

AAA Application Traffic

  • Issue ID 0441755: When AAA-TM is configured to use SAML authentication, the redirect URL that the SAML virtual server returns appends the string "%00", a text-based form of the null value, to the original redirect URL. Most browsers handle the appended string properly, but newer Apple iOS and some Apple MacOS browsers fail to load the web page because of this string.

    Workaround: Create a Rewrite action and policy to strip off the "%00" string, and bind it to global. If you configure the gotoPriorityExpr for the policy to NEXT, and bind the policy with a priority of 1, it will run first, strip the null string from the end of all redirect URLs, and then continue policy evaluation with the next policy. This configuration should work without creating any problems with your existing policy evaluation flow.

    To create the necessary action and policy, and bind them to global, from the NetScaler command line you can type the following commands:

    add rewrite action act_stripFinalNull DELETE "HTTP.RES.HEADER(\"Location\").VALUE(\"%00\")"
    add rewrite policy pol_stripFinalNull "HTTP.RES.IS_VALID" act_stripFinalNull norewrite
    bind rewrite global pol_stripFinalNull 1 NEXT

Application Firewall

  • Issue ID 0405434: Apple iPhone and iPad users are unable to watch MP4 videos on web sites that are protected by the application firewall when either the form field consistency check or the credit card check is enabled, even if blocking is not enabled. The problem is specific to Apple iOS. Google Android smartphone or tablet users are able to watch MP4 content.

    Workaround: Add the following expression to the policy that invokes the application firewall:

    "HTTP.REQ.URL.REGEX_MATCH(re#.mp4$#).NOT"

    For example, to exempt URLs that contain the string ".mp4" from the policy pol_media.example.com, which calls the profile prfl_media.example.com, you would type the following command:

    add appfw policy pol_media.example.com "HTTP.REQ.URL.REGEX_MATCH(re#.mp4$#).NOT" prfl_media.example.com
  • Issue ID 0444471: On a NetScaler appliance or VPX that has the application firewall enabled and at least one profile that has the Safe Object security check enabled, the application firewall might generate an extremely large buffer file while checking responses for objects. The oversized buffer might cause performance problems or, in extreme cases, hang the system. To work around this issue, disable the Safe Object check.
  • Issue ID 0445552: On a NetScaler ADC HA pair configured to use the Citrix VPN, single sign-on, and the Application Firewall, a memory page issue might cause the primary ADC to reboot, failing over to the secondary ADC.
  • Issue IDs 0446304, 0447206, 0444746, 0444810, 0448814, 0449393, 0449396, 0451162, 0451860, 0452078, and 0452427: If you use the single sign on (SSO) feature on your NetScaler ADC or NetScaler Gateway, it might become unresponsive or reboot.

Configuration Utility

  • Issue ID 0405303: A large ns.conf file can make the configuration utility slow to respond. The large file also slows processing of the following commands:

    • show ns runningConfig
    • save config
  • Issue ID 0439603: If the Surge Protection feature is not licensed, you cannot use the configuration utility to modify the global system settings (System > Settings).

DataStream

  • Issue IDs 0441162 and 0439300: A pluggable authentication request causes the handshake to fail. A NetScaler ADC does not support pluggable authentication requests.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

High Availability

  • Issue ID 0416573: On the secondary node of a high availability (HA) configuration, if the HA propagation and HA synchronization options are disabled and Stay secondary is enabled, you cannot disable the Stay secondary option after upgrading the node.

Global Server Load Balancing

  • Issue ID 0434660: Adding a GSLB site IP address with a Traffic Domain setting was not supported. If a GSLB site IP address had been added with a Traffic Domain setting, the NetScaler appliance failed. Now, you cannot add a GSLB site IP address with a Traffic Domain setting.

Load Balancing

  • Issue ID 0407493: In a high availability setup, if an autoscaling service group with more than 4000 members is removed, failover occurs.
  • Issue ID 0417872: If Edge mode is disabled, the state of the name-based service group member appears as UNKNOWN although the server represented by the service group member is reachable.
  • Issue IDs 0420827 and 0434537: If a NetScaler appliance receives a request for which a session does not already exist, the appliance creates a session and designates one of the packet engines (PEs) as the session owner. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE (for example, PE1). If such a request arrives at another PE (for example PE2), that PE (PE2) gets the information from the owner PE (PE1). Now, the cached session is present in PE2 and the owned session is present in PE1. Because of a timing issue, the information in PE1 is cleared before the cached entry in PE2. As a result, different session entries are created for the same client on PE1 and PE2 and source IP persistence might not work correctly.
  • Issue ID 0421411: If you rename an autoscaling service group, the NetScaler appliance might fail.
  • Issue ID 0429538: If you add a new service group, the SOAP API query for show servicegroup might fail.
  • Issue ID 0440406: If you have added a backup virtual server on release 9.x, the configuration is lost after you upgrade to release 10.1.
  • Issue ID 0433324: If you configure an HTTP_ECV monitor with a response string, and the response arrives in multiple packets, the NetScaler appliance might not parse the response correctly. As a result, a monitoring probe to the appliance fails and services are marked DOWN.

Load Balancing/Responder

  • Issue ID 0432790 (nCore, MPX15000): On a NetScaler MPX15000 appliance that has the load balancing and responder features enabled, and has a load balancing policy that includes both the SYS.CHECK_LIMIT and HTTP.REQ.BODY statements, a complex cascade of events might cause the appliance to restart repeatedly. To work around this issue, you can either rewrite the configuration to separate the SYS.CHECK_LIMIT and HTTP.REQ.BODY statements into two separate policies, or operate the NetScaler appliance on a single core.

Monitoring

  • Issue ID 0301570: Transparent monitors are now combined with the functionality of an ARP monitor. This avoids the need to bind a separate monitor to incorporate reachability as part of the health status. Without an ARP monitor, UP services could not transition to DOWN when the next hop failed.

NetScaler Insight Center

  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0424610: On the dashboard, the table that appears when you navigate to HDX Insight > Gateways might display a blank desktop name.
  • Issue ID 0439992: The HDX Insight dashboard displays the host delay as server-side NetScaler delay.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create, modify or delete an LACP channel, one of the member interfaces might temporarily stop transmitting. The NetScaler instance might intermittently show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: Log on to the NetScaler instance and execute the following command on the interface that is shown as Error-Disabled: enable interface <interface_id> (for example, enable interface 1/1)

  • Issue ID 0396252: If you specify secure-only access on a NetScaler instance, single sign-on to that instance from the Management Service user interface is not successful.
  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

Networking

  • Issue ID 0423856: For a load balancing configuration in which an IPv6 virtual server is used to load balance IPv6 servers, if the NetScaler appliance processes the client’s final ACK of the TCP handshake and the first data packets in the same IO cycle, the appliance may not forward the data packets to the server, causing the connection to fail.

Platform

  • Issue ID 0395280: The MPX 11515/11520/11530/11540/11542 platform now supports NetScaler release 10.1 build 124.x.
  • Issue ID 0435200: If you try to form a cluster of MPX 22040, MPX 22060, MPX 22080, MPX 22100, and MPX 22120 appliances, the appliance on which you issue the join cluster command performs a core dump and restarts. As a result, that appliance is not added to the cluster.

Policies

  • Issue ID 0414552: The NetScaler appliance may fail to respond if it does not have sufficient memory during the execution of an XML_DECRYPT function in a policy expression.
  • Issue ID 0442807: A memory leak in the XML_DECRYPT() policy function causes all of the NetScaler memory to be used up. This results in the unavailability of memory to perform other operations.

SSL

  • Issue ID 0235990: If you upgrade to this build, the number of SSL chips for which the status is shown as UP on an MPX 21550 platform with 36 chips is less than the actual number of chips that are UP. This is only a reporting issue.

System

  • Issue ID 0397587: The MPTCP data_ack signal is not sent in the subflow in which the MP_FAIL signal is sent.
  • Issue ID 0432728: A signed short integer overflow can occur during packet processing. Subsequent packets are corrupted.
  • Issue ID 0439579: If a large number of small packets are sent through the packet processing pipeline, the packet engine enters a loop and restarts, causing a pitboss failure.
  • Issue ID 0435796: When Call Home is enabled, duplicate SNMP traps are generated for power supply unit (PSU) failures.
  • Issue ID 0436798: The NetScaler appliance might fail to respond if an ICMP error causes the packet engine to enter a loop, resulting in a pitboss process failure.

Known Issues and Workarounds

AAA Application Traffic

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.
  • Issue ID 0396892: Sometimes, the AppFlow exporter may not export the correct information. As a result, the client IP address is displayed incorrectly on the NetScaler Insight Center dashboard.

Application Firewall

  • Issue ID 0364134: Globally bound auditing syslog policies under Application Firewall are not displayed when you perform the Show Bindings operation on the configuration utility. This issue is observed only in a cluster setup.

    Workaround: The bindings are visible in the command line interface by using the show system global command.

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"
  • Issue ID 0430014: When upgrading a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (121.1) is installed on new hardware or in a new VPX. To check whether your NetScaler appliance or VPX has the correct default setting, log on to the NetScaler command line and type the following command:
    show appfw JSONContentType

    If your NetScaler appliance has the default content type set, you should see the following response or something similar to it:

    > show appfw JSONContentType
    1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
    Done

    If it does not, you will see the following response:

    > show appfw JSONContentType
    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line and issue the following commands to configure the default content type, and then verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX
    show appfw JSONContentType

Configuration Utility

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java-based configuration views are not displayed. Workaround: Switch to the Desktop screen to display Java-based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen. Workaround: Use the arrow keys on the keyboard to scroll the screen.
  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When you use the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings makes applications and desktops unavailable when StoreFront is accessed through a VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0446549: After you set the SSO Domain (Single Sign-on Domain) value, the value is not displayed on the configuration utility when you navigate to Security > AAA Application Traffic > Settings > Change Global Settings.
  • Issue ID 0447077: When you create a monitor using the graphical user interface and choose the default browse option to select the in-built monitor scripts from the /nsconfig/monitors folder, the folder does not display any scripts to choose.
  • Issue ID 0449229: The configuration utility includes an option to enable Net Profile when you create a StoreFront monitor, but that option should not be enabled for a StoreFront monitor.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

High Availability

  • Issue ID 0443588: In a High Availability configuration, after you remove an HA configuration from one of the two nodes, if you confirm the prompt message "Do you want to remove ha node from remote system also ?", an error message might be displayed and the HA configuration is not removed from the remote node.

Integrated Caching

  • Issue ID 0440107: When there is a selector-based content group configured, the NetScaler can crash when a policy that has this content group associated to it is satisfied and when the response status is "404 Not Found".

Load Balancing

  • Issue ID 0441776: The NetScaler appliance might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.

NetScaler Insight Center

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.
    Workaround: Restart the appliance by running the following command on the command line interface:
    #/etc/rc.d/analyticsd restart
  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue ID 0333555 and 346171: After you enable appflow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable Appflow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> >Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX server from build 118.7 or 119.7 to 120.13 or later builds is not supported. However, upgrade from build 120.13 to later builds is supported.

    Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 0421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.
  • Issue ID 0446120: On the HDX Insight reports, the bar in the chart is sometimes shown at a location higher than the X axis.

NetScaler SDX Appliance

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface. Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.
  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.
  • Issue ID 0434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of the HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:

    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    and the following command on the secondary node:

    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)

    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must reboot the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
  • Issue ID 0422967: For a ** virtual (with any IP address and port) that accepts both IPv4 and IPv6 packets, a listen policy of "CLIENT.IP.PROTOCOL.EQ(ICMP)" that is intended to capture ICMP traffic also captures certain IPv6 packets (more precisely, packets in which the second byte of the source IPv6 address is "01").

    Workaround: First use an expression that filters the IPv4 traffic and then use an expression that reads the protocol value from the filtered IPv4 packets and checks if the protocol value matches ICMP.

    '!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)'
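The match described in Issue ID 0422967 is consistent with header layout: the IPv4 Protocol field is at byte offset 9, and in an IPv6 header offset 9 is the second byte of the source address. The following Python sketch is an added example, not Citrix code; that the appliance evaluates the expression this way is an assumption, and the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

ICMP = 1  # IANA protocol number for ICMP over IPv4
TCP = 6   # IANA protocol number for TCP


def ipv4_header(src, dst, proto):
    """Build a minimal 20-byte IPv4 header (checksum left as 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,          # version 4, header length 5 words
        0, 20, 0, 0,   # TOS, total length, identification, flags/fragment
        64,            # TTL (offset 8)
        proto,         # Protocol (offset 9)
        0,             # header checksum, not needed here
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src, dst, next_header):
    """Build a minimal 40-byte IPv6 header with no payload."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28,       # version 6, traffic class 0, flow label 0
        0,             # payload length
        next_header,   # Next Header (offset 6)
        64,            # hop limit (offset 7)
        ipaddress.IPv6Address(src).packed,  # source starts at offset 8
        ipaddress.IPv6Address(dst).packed,
    )


def naive_is_icmp(header):
    """Assumed faulty behaviour: read the IPv4 Protocol offset on any packet."""
    return header[9] == ICMP


def guarded_is_icmp(header):
    """Mirror of the workaround: exclude IPv6 first, then test the protocol."""
    is_ipv4 = (header[0] >> 4) == 4
    return is_ipv4 and header[9] == ICMP


def classify(samples):
    """Return {name: (naive_result, guarded_result)} for each sample header."""
    return {name: (naive_is_icmp(h), guarded_is_icmp(h))
            for name, h in samples.items()}


# Constructed sample headers using documentation address ranges.
SAMPLES = {
    "ipv4_icmp": ipv4_header("192.0.2.10", "192.0.2.20", ICMP),
    "ipv4_tcp": ipv4_header("192.0.2.10", "192.0.2.20", TCP),
    # 2001:db8::1 begins with bytes 0x20 0x01, so offset 9 holds 0x01.
    "ipv6_tcp_2001": ipv6_header("2001:db8::1", "2001:db8::2", TCP),
    # fe80::1 begins with bytes 0xfe 0x80, so offset 9 holds 0x80.
    "ipv6_tcp_fe80": ipv6_header("fe80::1", "fe80::2", TCP),
}

if __name__ == "__main__":
    for name, (naive, guarded) in classify(SAMPLES).items():
        print(f"{name:15} naive={naive!s:5} guarded={guarded}")
```

Any source address in 2001::/16 has 0x01 as its second byte, so under this assumption the unguarded expression would match a large share of ordinary IPv6 traffic, not only unusual addresses.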

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue IDs 0414388 and 0345883: In rare cases, if the random number generated for the DH key exchange has a leading zero, DH negotiation fails because of a hardware limitation.
  • Issue ID 0436205: If you add a certificate revocation list (CRL) with refresh enabled, the appliance might perform a core dump and restart.

System

  • Issue ID 0396628: With a large number of configuration entries in the ns.conf file, the commands in the /nsconfig/rc.netscaler file might not be applied after the appliance is restarted.
  • Issue ID 0432612: The NetScaler appliance forwards unprocessed packets to the load balancing virtual servers without selecting a service, because of an HTTP out-of-order packet processing issue. Instead of being dropped, these connections queue up at the virtual servers. The appliance fails to respond while processing these connections.
  • Issue ID 0446300: The NetScaler appliance might fail to respond when performing the nstrace operation.
  • Issue IDs 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

  • Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or another admin session, is in progress. Workaround: Re-execute the "show ns runningConfig" command to fetch the entire running configuration.

System/Application Firewall

  • Issue ID 0437307: On a NetScaler appliance that is not configured to use jumbo frames and that protects a server that is configured to use jumbo frames, if the application firewall is enabled and at least one profile is configured, the appliance might become unresponsive for a period of time and then reset the connection.

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname

    Use unsetnslimitidentifier_selector instead.


Build 123.11

Release version: Citrix NetScaler, version 10.1 build 123.11

Replaces build: 123.9

Release date: March 2014

Release notes version: 7.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Backend Client Hello Message Version Support

  • ENH ID 0378806: As part of the SSL handshake with the server, the NetScaler appliance now sends a Client Hello message on the basis of the version (for example SSLv3 or TLS1.0) that is configured on the appliance. Earlier, it sent an SSLv2 compliant Client Hello message to the server.

Support for ICA session timeout value in NetScaler Insight Center

  • ENH ID 0431957: You can now configure the ICA session timeout value for inactive sessions on the configuration tab of the NetScaler Insight Center.

CloudBridge Reports in HDX Insight

  • ENH ID 0432702: HDX Insight reports now include details about CloudBridge in an ICA session path.

New NetScaler MPX and SDX Appliances

Increased Throughput on the NetScaler MPX 5650 Appliance

LCD Enhancement on the NetScaler MPX Appliance

  • ENH ID 0430690: If an LCD hardware failure is detected on a NetScaler MPX appliance, the appliance restarts. With this enhancement, the LCD application gracefully exits without restarting the appliance.

    For more information, see LCD Display.

NetScaler VPX Setup for the Linux KVM Platform

  • ENH ID 0344349: The Citrix NetScaler VPX can now be hosted on Kernel-based Virtual Machine (KVM). NetScaler VPX runs as a virtual appliance on a Linux-KVM server. You can set up the NetScaler VPX on this platform either through the graphical Virtual Machine Manager (Virt-Manager) application or the virsh program.

    The host Linux operating system must be installed on suitable hardware by using virtualization tools such as KVM Module and QEMU. The number of virtual machines (VMs) that can be deployed on the hypervisor depends on the application requirement and the chosen hardware. After you provision a NetScaler virtual appliance, you can add additional interfaces.

    For more information, see Installing NetScaler Virtual Appliances on Linux-KVM Platform

Bug Fixes

AAA Application Traffic

  • Issue ID 0436493: On a NetScaler ADC that has AAA-TM enabled and Kerberos authentication configured, when you direct traffic through the ADC to a Microsoft SQL server, an error causes the ADC to restart.

AppFlow

  • Issue ID 0430960: The NetScaler fails to respond if appflow logging is disabled on a VPN virtual server when ICA traffic flows through the NetScaler.

Application Firewall

  • Issue ID 0407347: By default, the application firewall's SQL Injection signatures patterns and security checks do not prevent SQL injection attacks that use the percent (%) or underscore (_) characters.
  • Issue ID 0423861: On a NetScaler MPX5500 appliance that has the application firewall enabled, and has logging enabled for at least one signature or security check, when that logging action is triggered the appliance might hang or crash.
  • Issue ID 0427717: If memory utilization is high on a NetScaler appliance that has the application firewall enabled and configured, URL redirect might fail, causing the appliance to crash.
  • Issue ID 0427857: The application firewall currently miscalculates memory limits on 12 GB, 2 vCPU NetScaler appliances. For example, when the appliance has 2 GB of memory available, the application firewall shows only 600 MB of available memory.
  • Issue IDs 0432276 and 0433057: The application firewall blocks XML requests that have empty bodies (zero content length), which causes autodiscover and other features that use such requests to fail.
  • Issue IDs 0446304, 0447206, 0444746, 0444810, 0448814, 0449393, 0449396, 0451162, 0451860, 0452078, and 0452427: If you use the single sign on (SSO) feature on your NetScaler ADC or NetScaler Gateway, it might become unresponsive or reboot.
  • Issue IDs 0448961, 0449223, 0449851, and 0450070: When using CVPN or the application firewall credit card or safe object security checks, memory issues might cause the NetScaler ADC to become unresponsive or reboot.
  • Issue ID 0516714: If the NetScaler appliance sends a large amount of input data to the application firewall in a short time, the appliance can become unresponsive or fail. The appliance now sends input data in batches limited to sizes that do not cause this problem.

Configuration Utility

  • Issue ID 0382199: The comparison between the source IP address of the incoming packets and the configured NetScaler host-name address is unsuccessful because of an endian mismatch.
  • Issue ID 0405303: A large ns.conf file can make the configuration utility slow to respond. The large file also slows processing of the following commands:
    • show ns runningConfig
    • save config
  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.
  • Issue ID 0419409: If you navigate to Traffic Management > Load Balancing > Virtual Servers and click SSL Settings under the SSL Parameter tab on the Create Virtual Server dialogue box, the Enable Cipher Redirect check box is enabled by default.

Content Switching

  • Issue ID 0411116: In a cluster environment, if you run the bind cs vserver command with the argument type, the NetScaler appliance incorrectly reports a difference between the running configuration and the saved configuration.
  • Issue ID 0432272: Rebinding a content switching policy to a content switching virtual server might result in memory corruption, which might cause the NetScaler appliance to fail.

DataStream

  • Issue ID 0433383: If a MySQL client sends a query larger than 16 MB, the query is split into multiple MySQL packets. Only the first MySQL packet in a query is forwarded to the server, and the remaining packets are accumulated on the appliance. After some time the window size is reduced to zero and the client cannot send any more packets to the appliance.

Domain Name System

  • Issue ID 0385524: NetScaler caches a partial response in the following two conditions:
    1. When the response contains more resource records for the same domain than the limit mentioned in the documentation. In this condition, NetScaler caches the response up to the maximum limit.
    2. When the response contains invalid RDATA, for example, 0.0.0.0 in an address record (A record). In this condition, NetScaler caches resource records up to the invalid resource record.

    In such conditions, when NetScaler received a query for the same domain, it replied with a partial response. Going forward, NetScaler will not cache partial responses, and in such conditions the queries are directed to the back-end server.

  • Issue ID 0426093 (VPX): In DNSRewrite Policy, CLIENT.IP.SRC.MATCHES_LOCATION is an incorrect expression for a response from the DNS. NetScaler does not recognize this expression and hence might crash.

Global Server Load Balancing

  • Issue ID 0413367: On a NetScaler appliance that has GSLB configured, when you remove custom location entries from the GSLB database, the appliance crashes.

ICA AppFlow

  • Issue ID 0397109: On the NetScaler Insight Center dashboard, the source IP address displayed in the application launch records is incorrect.
  • Issue ID 0429280: When NetScaler Gateway is deployed in a double hop setup, the NetScaler fails while processing the packets.
  • Issue ID 0430696: The NetScaler Gateway fails if AppFlow is enabled or disabled during ICA connections. The NetScaler Gateway might also fail if the NetScaler appliance receives an ICA parsing error.
  • Issue ID 0432039: During an ICA handshake, the version-length value that Mac receiver sends in UNICODE format is parsed incorrectly.
  • Issue ID 0433180: The NetScaler Insight Center dashboard displays incorrect Init Program and Client Version values for MAC or HTML receivers on different platforms.
  • Issue ID 0433511: The HDX Insight console displays unnecessary ICA user-session information and console messages.

Integrated Caching

  • Issue ID 0434877: Once the memory limit for a content group is reached, the memory of the resulting object flush is not handled properly. As a result, no objects are stored after the content group's memory limit is reached.

Load Balancing

  • Issue ID 0398274: If you have configured a DNS auto-scaling service group and run the show server <server name> command to display the details of the server bound to this service group, the following incorrect entries appear:
    • an extra entity with an IP address 0.0.0.0
    • mode as POLICY
    • state as DOWN
  • Issue ID 0402996: The NetScaler appliance might fail while processing an NX domain message if you have configured an autoscaling service group on the appliance.
  • Issue ID 0406467: If you bind a content switching (CS) policy to a CS virtual server, specify a load balancing (LB) virtual server as the target virtual server, and then view the LB virtual server details in the configuration utility, the CS virtual server bindings incorrectly appear in the cache redirection virtual server section. However, if you use the command line to view the details of the virtual server (show lb vserver), the details appear in the correct section.
  • Issue ID 0410365: If you use NITRO to display the details of the load balancing monitors configured on a NetScaler appliance, the output for non-HTTP type monitors incorrectly displays a response code, user name, and password. These attributes are not applicable to non-HTTP type monitors.
  • Issue IDs 0418698 and 0431925: If you configure persistence on a virtual server that is configured for link load balancing, the NetScaler appliance might fail.
  • Issue ID 0422821: If you have configured an autoscaling service group on the NetScaler appliance, the states of some of these services are not updated, because command numbers are not updated. For example, a service state might appear as UP although the monitor has marked it as DOWN.
  • Issue ID 0429445: The NetScaler appliance fails under the following sequence of events:
    1. An IPv6 domain based service and an IPv6 address based service are configured on the appliance.
    2. Both the services are bound to a load balancing virtual server.
    3. The domain based service is UP when the address based service enters the UP state.
  • Issue ID 0438169: If you create a service of type SSL_BRIDGE and enable client IP address (CIP) on the service, the NetScaler appliance inserts an HTTP header with the client's IP address as its value. In an SSL_BRIDGE topology, you must not insert a header. With this fix, the appliance throws a warning and removes the CIP option for an SSL_BRIDGE service while saving the configuration.

Load Balancing/AAA-TM

  • Issue ID 0431917: On a NetScaler appliance that has the load balancing and AAA-TM features enabled, and that protects an application that uses 401 Basic authentication, if a client authenticates with a browser that does not support cookies, the appliance might experience repeated crashes or (for HA setups) repeated failovers. The cause is that the appliance does not receive the expected traffic management cookie, fails to reconnect to the existing session, and instead creates a new session each time the client connects to a protected resource. If a large number of authentication requests is sent within a short period of time, the abandoned sessions do not expire quickly enough and can therefore consume available memory.
  • Issue ID 0437407: On a NetScaler appliance that has the load balancing and AAA-TM features enabled, a request that contains an extraneous space in the URL might cause the appliance to crash. This issue occurs only with unauthenticated connections; the appliance processes the same request correctly over authenticated connections.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

NetScaler Insight Center

  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0424610: On the dashboard, the table that appears when you navigate to HDX Insight > Gateways might display a blank desktop name.
  • Issue IDs 0437475 and 0439088: In certain scenarios, if data sent from the XenApp server to the client receiver is delayed because of network congestion or increased network latency, the client re-transmits the ICA magic string, which causes the NetScaler Gateway to fail. This failure happens because the NetScaler Gateway was not expecting two packets containing the magic string.
  • Issue ID 0439992: The HDX Insight dashboard displays the host delay as server-side NetScaler delay.

NetScaler SDX Appliance

  • Issue ID 0262505: When viewing the built-in or custom reports on the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: NO DATA TO CHART.
  • Issue ID 0424630: If you create an LACP channel with more than 8 member interfaces, or a static channel with more than 16 member interfaces, the following error message appears: "Channel Interface String Length: 185 is greater than maximum allowed length:128".
  • Issue ID 0430449: Even after you configure a short message service (SMS) server, you do not receive an SMS message when an alert is generated.
  • Issue ID 0431243: If a management channel exists on a NetScaler instance, you cannot trace the route of a packet from the Management Service to a NetScaler instance.
  • Issue ID 0431463: If you apply a license after modifying the SVM host name, the license application might fail.
  • Issue ID 0433054: Deletion of a management channel from the Management Service might not always succeed.

Networking

  • Issue ID 0408693: If you have configured more than ten ICMP extended ACLs, high CPU spikes might occur when you run the "apply ns acls" command either by using the configuration utility or the NetScaler command line.
  • Issue ID 0424243: If you have configured an extended ACL without specifying the optional parameter "source IP address", high CPU spikes might occur when you run the "apply ns acls" command either by using the configuration utility or the NetScaler command line.
  • Issue ID 0428819: If you have configured a TFTP load balancing virtual server with persistency option enabled, the NetScaler appliance might become unresponsive when the virtual server receives some traffic.
  • Issue ID 0431652: The NetScaler appliance might become unresponsive when traffic from a TFTP server matches a RNAT rule configured on the appliance.
  • Issue ID 0435697: When you reset a member interface of a LACP channel, Tx stalls might increment continuously.

NITRO API

  • Issue ID 0424553: For a service that is bound to a service group, NITRO cannot obtain the state of the service monitor.

Platform

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported.
  • Issue ID 0428562: NetScaler does not display the correct daylight savings time for Israel.
  • Issue ID 0432687: On the MPX 22040/22060/22080/22100/22120 appliance, if the 10G ports are not populated, the appliance takes about 20 minutes to finish the restart process.

Policies

  • Issue ID 0417071: The NetScaler appliance might fail to respond in the event that a policy of the form HTTP.REQ.BODY(n).AFTER_STR(target-string) has a large value for "n" (for example, 40000) and when the appliance receives large requests in combination with requests with no content length.

NetScaler SDX Appliance

  • Issue ID 0434738: A NetScaler SDX appliance intermittently stops processing traffic on interfaces that are part of an LACP link aggregation interface that is transmitting a small amount of traffic.
  • Issue ID 0430097: Descriptors in the NetScaler SDX SNMP MIB file include underscore characters, which are invalid. Only alphanumeric characters are supported.

SNMP

  • Issue ID 0435520: Net-SNMP does not handle the endOfMibView condition properly if the value of max-repetition is set to zero, which leads to memory allocation failure, and SNMPD fails to respond.

SSL

  • Issue ID 0235990: If you upgrade to this build, the number of SSL chips for which the status is shown as UP on an MPX 21550 platform with 36 chips is less than the actual number of chips that are UP. This is only a reporting issue.
  • Issue ID 0431919: If a client sends a certain type of malformed message, which can make uninitialized resources available for subsequent handshakes, an SSL handshake that uses one of those resources causes a memory leak.
  • Issue ID 0432375: If the SSL handshake uses the TLSv1.1 or TLSv1.2 protocol and you have bound an RC4 cipher to the SSL virtual server, downloading a large file might take an unusually long time.
  • Issue ID 0434737: If you create a certificate revocation list (CRL), enable refresh, and specify the method as HTTP or LDAP, CRL refresh does not happen.

System

  • Issue ID 0382647: The stat system -detail command does not display the number of CPUs.
  • Issue IDs 0411627, 0430646, and 0430652: On the System > Diagnostics page, when you select Saved v/s running, the configuration utility displays a difference between the running and saved configurations, even if there is no difference.
  • Issue ID 0418028: The nsnetsvc process size increases when the stat command is executed.

Known Issues and Workarounds

AAA Application Traffic

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.
  • Issue ID 0396892: Sometimes the AppFlow exporter does not export the correct information, and as a result the client IP address is displayed incorrectly on the NetScaler Insight Center dashboard.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When you use the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings makes applications and desktops unavailable when StoreFront is accessed through a VPN.

    Workaround: Do not apply the optimization settings.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

High Availability

  • Issue ID 0416573: On the secondary node of a high availability (HA) configuration, if the HA propagation and HA synchronization options are disabled and Stay secondary is enabled, you cannot disable the Stay secondary option after upgrading the node.

Integrated Caching

  • Issue ID 0440107: When there is a selector-based content group configured, the NetScaler can crash when a policy that has this content group associated to it is satisfied and when the response status is "404 Not Found".

Load Balancing

  • Issue ID 0407493: In a high availability setup, if an autoscaling service group with more than 4000 members is removed, failover occurs.
  • Issue IDs 0420827 and 0434537: If a NetScaler appliance receives a request for which a session does not already exist, the appliance creates a session and designates one of the packet engines (PEs) as the session owner. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE (for example, PE1). If such a request arrives at another PE (for example PE2), that PE (PE2) gets the information from the owner PE (PE1). Now, the cached session is present in PE2 and the owned session is present in PE1. Because of a timing issue, the information in PE1 is cleared before the cached entry in PE2. As a result, different session entries are created for the same client on PE1 and PE2 and source IP persistence might not work correctly.
  • Issue ID 0421411: If you rename an autoscaling service group, the NetScaler appliance might fail.
  • Issue ID 0440406: If you have added a backup virtual server on release 9.x, the configuration is lost after you upgrade to release 10.1.

NetScaler Insight Center

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.
    Workaround: Restart the appliance by running the following command on the command line interface:
    #/etc/rc.d/analyticsd restart
  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue IDs 0333555 and 346171: After you enable appflow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable Appflow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX server from build 118.7 or 119.7 to 120.13 or later builds is not supported. However, upgrade from build 120.13 to later builds is supported.

    Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 0421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create, modify or delete an LACP channel, one of the member interfaces might temporarily stop transmitting. The NetScaler instance might intermittently show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: Log on to the NetScaler instance and execute the following command on the interface that is shown as Error-disabled: enable interface <interface_id> (for example, enable interface 1/1)

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0396252: If you specify secure-only access on a NetScaler instance, single sign-on to that instance from the Management Service user interface is not successful.
  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.
  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.
  • Issue ID 0434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.
    Workaround: Add the following extended ACL on each of the nodes of the HA configuration:
    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22
    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)
    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must reboot the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0396628: With a large number of configuration entries in the ns.conf file, the commands in the /nsconfig/rc.netscaler file might not be applied after the appliance is restarted.
  • Issue ID 0430071: ISIS packets are dropped at the Nexus 1000V distributed virtual switch (DVS), which has no option to enable promiscuous mode. However, this issue is not observed when the virtual machines are connected through the ESX virtual switch with promiscuous mode ON.
  • Issue ID 0436798: The NetScaler appliance might fail to respond if an ICMP error causes the packet engine to enter a loop, resulting in a pitboss process failure.
  • Issue IDs 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you're executing the command manually, then there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, then modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

System/Application Firewall

  • Issue ID 0437307: On a NetScaler appliance that is not configured to use jumbo frames and that protects a server that is configured to use jumbo frames, if the application firewall is enabled and at least one profile is configured, the appliance might become unresponsive for a period of time and then reset the connection.

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.

Build 122.17

Release version: Citrix NetScaler, version 10.1 build 122.17

Replaces build: 122.11

Release date: November 2013

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Support for Cisco QSFP+ Cables on NetScaler MPX Appliances

  • ENH ID 0427155: NetScaler MPX appliances now support Cisco QSFP+ cables (part number L45593-D178-C30).

    For more information, see Ports.

Support for NetScaler VPX Virtual Appliance on XenServer 6.2

  • ENH ID 0439509: The NetScaler VPX virtual appliance now supports XenServer version 6.2 only on a non-SDX appliance. On the NetScaler SDX appliance, only the XenServer versions available for download on www.citrix.com under NetScaler downloads are supported. XenServer 6.1.1 is the latest supported version on the NetScaler SDX appliance.

NetScaler SDX 22040/22060/22080/22100/22120 Platform

RAID Controller Support on NetScaler SDX 22040/22060/22080/22100/22120 Platform

  • ENH ID 0353415: NetScaler SDX platform supports a Redundant Array of Independent Disks (RAID) controller, which can support up to eight physical disks.

    For more information, see RAID.

Multi-interface Support for BlueCat DNS/DHCP Server Virtual Machines

  • ENH ID 0413839: Management Service now supports assigning interfaces explicitly for high availability and service along with the management for BlueCat DNS/DHCP Server virtual machines.

Percentile Icon in NetScaler Insight Center

  • ENH ID 0418196: The top-right corner of the page now displays a percentile icon, which you can click to display percentile values and the highest and lowest values for a selected metric.

New Information in HDX Insight Center reports

  • ENH ID 0392016: HDX Insight reports now include details about session reconnects, client-side retransmissions, and server-side retransmissions.

Active Sessions Reports in HDX Insight

  • ENH ID 0398322: HDX Insight now provides a report about active sessions, grouped by server IP and gateway IP address.

Customize the display of columns in NetScaler Insight Center

  • ENH ID 0423207: You can now select which columns to show in the tables in the NetScaler Insight Center graphical user interface (GUI), and you can rearrange the columns. Each user can make his or her changes persistent across his or her sessions.

Changes

NetScaler Insight Center

  • Issue ID 0409634: All the metrics except bandwidth and hits display the average values.

Monitor: Directory locations of script files for user monitors

  • Issue ID 0447105: Starting with release 10.1 build 122.17, the location of the script files for user monitors is changed.
    If you upgrade an MPX or VPX virtual appliance to release 10.1 build 122.17 or later, the changes are as follows:
    • A new directory named conflicts is created in /nsconfig/monitors/ and all the built-in scripts of the previous builds are moved to this directory.
    • All new built-in scripts are available in the /netscaler/monitors/ directory. All custom scripts are available in the /nsconfig/monitors/ directory.
    • You must save a new custom script in the /nsconfig/monitors/ directory.
    • After the upgrade is completed, if a custom script is created and saved in the /nsconfig/monitors/ directory with the same name as that of a built-in script, the script in the /netscaler/monitors/ directory takes priority. That is, the custom script is not run.
    If you provision a virtual appliance running release 10.1 build 122.17 or later, the changes are as follows:
    • All built-in scripts are available in the /netscaler/monitors/ directory.
    • The directory /nsconfig/monitors/ is empty.
    • You must save a new custom script in the /nsconfig/monitors/ directory.
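
The following shell function is an added example, not part of the Citrix release notes or of any Citrix tool. It lists custom scripts in /nsconfig/monitors/ that share a name with a built-in script in /netscaler/monitors/ and are therefore not run; the function name, output format, exit codes, and the --check argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report custom user-monitor scripts that are shadowed by a
# built-in script of the same name. The default directories are the two paths
# named in the release note; everything else here is an assumption.

# find_shadowed_monitors [BUILTIN_DIR] [CUSTOM_DIR]
# Prints "<name><TAB><identical|differs>" for every regular file in CUSTOM_DIR
# whose name also exists as a regular file in BUILTIN_DIR.
#   differs   = the custom version has different content and is silently ignored
#   identical = a redundant copy of the built-in script
# Subdirectories (for example the "conflicts" directory created by the
# upgrade) are skipped.
# Exit status: 0 = no collisions, 1 = at least one collision, 2 = bad directory.
find_shadowed_monitors() {
    builtin_dir=${1:-/netscaler/monitors}
    custom_dir=${2:-/nsconfig/monitors}
    found=0

    for dir in "$builtin_dir" "$custom_dir"; do
        if [ ! -d "$dir" ]; then
            echo "find_shadowed_monitors: not a directory: $dir" >&2
            return 2
        fi
    done

    for path in "$custom_dir"/*; do
        # Skip directories and the unexpanded glob of an empty directory.
        [ -f "$path" ] || continue
        name=${path##*/}
        # Only names that also exist as built-in scripts are of interest.
        [ -f "$builtin_dir/$name" ] || continue
        if cmp -s "$path" "$builtin_dir/$name"; then
            state=identical
        else
            state=differs
        fi
        printf '%s\t%s\n' "$name" "$state"
        found=1
    done
    return "$found"
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    shift
    find_shadowed_monitors "$@"
fi
```

A script reported as "differs" should be saved under a name that no built-in script uses, and the monitor reconfigured to reference the new name.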

System

  • Issue ID 0365828: Before reusing a server connection in the reuse pool, the NetScaler appliance checks the connection's idletimeout and reusepool values, and closes the connection if either value is exceeded. The appliance also checks the reuse pool for idle connections, and closes them, more frequently than specified by the zombie timer interval.

Bug Fixes

AppFlow

  • Issue ID 0430591: A Nitro call used by NetScaler Insight Center to fetch the license information from a NetScaler appliance affects the performance of the appliance.

Application Firewall

  • Issue IDs 0391317 and 0423289: On a NetScaler appliance with both the application firewall and integrated caching enabled, a memory leak might occur.

  • Issue ID 0422639: On a NetScaler appliance with the application firewall enabled, web forms submitted with URL-encoded double-byte character (Chinese, Japanese, or Korean) inputs might generate a Form Field consistency check violation. The reason is that the application firewall counts bytes instead of characters when validating web form input, causing some double-byte input to exceed the form field maxlength attribute.

  • Issue IDs 0422919 and 0423289: On a NetScaler appliance with the application firewall enabled and configured, if a protected web site contains a multipart web form, a memory leak causes a small amount of memory to be consumed and not released each time the application firewall processes the web form. Repeated processing of requests and responses can gradually consume available memory.

Command Line Interface

  • Issue ID 0420596: After a user logs on to a NetScaler appliance through the CLI, the set cli mode-disabledFeatureAction NONE command is automatically executed, and the following error message appears:

    ERROR: Not authorized to execute this command.

Configuration Utility

  • Issue ID 0426594: The NetScaler configuration utility is not compatible with JRE version 7.45.

  • Issue ID 0429652: If a SureConnect policy is bound to a virtual server and you upgrade the NetScaler appliance to version 10.1, build 120.13, the policy is not displayed when you navigate to Traffic Management > Virtual Servers > <virtual server name>.

  • Issue ID 0430094: When you navigate to System > Diagnostics and, under Utilities, click TraceRoute and Run, the utility uses the default value for Packet Length (44) and displays the error message:

    Packet length must be greater than 47.

  • Issue ID 0431045: When you use the configuration utility to add a new NetScaler IP address or subnet mask, the qwerty keyboard does not allow you to enter a value greater than 249 for the last octet.

Content Switching

  • Issue ID 0394856: If a content switching virtual server with a large number of existing connections is removed, flushing all the PCBs takes time. If any traffic destined for the virtual server is received during this time, the appliance fails.

Documentation

  • Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes.

Domain Name System

  • Issue ID 0412530: If a NetScaler appliance responds to a DNSSEC-enabled request from its cache, and this response is immediately followed by a response from the server to an earlier query that could not be addressed from the NetScaler cache, the appliance drops the response from the server instead of forwarding it. However, the memory associated with the response packet is not freed. As more such requests are received, the memory on the appliance is gradually exhausted.

High Availability

  • Issue IDs 0420089 and 0425486: The synchronization of files in an HA setup stops working after the nsinternal user is disabled.

ICA AppFlow

  • Issue ID 0417274: The NetScaler appliance fails while processing ICA traffic if you have disabled AppFlow logging on the VPN virtual server (set vpn vserver -appflowlog disable).

Load Balancing

  • Issue IDs 0393613 and 0427971: If the first octet of the IP address of a service has a value of 6 (6.x.x.x), and the service is bound to a virtual server that is configured for persistence, the NetScaler appliance fails when it tries to direct a request to that service.

  • Issue IDs 0399446 and 0416718: In some cases, if you configure a domain-based IPv6 service on the NetScaler appliance, the appliance might become unresponsive.

  • Issue ID 0417630: In a high availability setup, after you upgrade the secondary node and make it the new primary, the process of file synchronization from the new secondary (old primary) node with the new primary node overwrites some of the updated data on the new primary. Specifically, the new monitoring scripts delivered as part of the upgrade on the new primary node are overwritten. As a result, the monitoring scripts might fail.

  • Issue ID 0424780: The stat servicegroup command incorrectly displays the svrttfb (server-time-to-first-byte) value as zero.

Load Balancing/AAA-TM

  • Issue ID 0426421: On a NetScaler SDX with AAA and SAML enabled and configured, occasionally the NetScaler appliance crashes and generates a core dump during SAML authentication.

  • Issue ID 0431206: On a NetScaler appliance with AAA enabled and configured, a user whose account is bound to over 100 groups might be unable to execute NetScaler commands at the command line despite having the appropriate permissions to do so. To work around this issue, do not bind a single user account to more than 99 groups.

NetScaler Insight Center

  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for the Total Application Launch count.
  • Issue ID 0399329: Even when AppFlow is disabled for a virtual server, you can still clear the configurations on the NetScaler Insight Center by selecting Clear AppFlow Configurations from the Action list.
  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.

NetScaler SDX Appliance

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

  • Issue ID 0414851: The APPFW CSRF TAG syslog message is not in the expected format. As a result, Command Center displays incorrect values, under AppFirewall Recent Logs, in some fields for this type of AppFirewall syslog message.

  • Issue ID 0424588: If a NetScaler instance is created with a Management VLAN using the 0/1 or 0/2 interface, the guest VMs fail to start after provisioning, because the guest VMs use the VLAN networks instead of the physical network when assigning the interface.

  • Issue ID 0420630: SNMP responses are not as specified by RFC 4001.

Networking

  • Issue ID 0416941: After unbinding a netprofile from a NetScaler Gateway virtual server, the netprofile cannot be removed from the NetScaler appliance.

Policies

  • Issue ID 0410624: When a filter policy is globally bound to a NetScaler appliance, application firewall, compression, or authorization policies that are bound to a content switching virtual server are not saved in the running configuration. However, these bindings are displayed when you run the show cs vserver command.

  • Issue ID 0429232: After upgrading to NetScaler 10.1, policies that were globally bound to the NetScaler are also being bound at a virtual server level.

Rewrite

  • Issue ID 0418252: On a NetScaler appliance with Rewrite enabled and configured, a newly-created Rewrite policy that is bound to a content-switching virtual server might not be saved either in the running configuration or in the saved configuration.

SNMP

  • Issue IDs 0413733, 0413871, and 0421055: SNMPD fails to respond if it receives a packet with a NULL community string.

SPDY

  • Issue IDs 0406948 and 0429211: The NetScaler appliance sometimes fails when a TCP connection is closed from a SPDY client while some streams are still active.

System

  • Issue IDs 0417793, 0421214, 0421329, and 0423099: The NetScaler appliance stops sending TCP DUP ACKs when it receives out of order packets. This might result in latency between the client and the appliance, or the appliance and the server, with reduced throughput for some traffic patterns.

  • Issue ID 0419553: When the NetScaler appliance receives invalid Selective Acknowledgment (SACK) blocks from the client, it attempts to send old data that has already been cleared. As a result, the appliance stops responding.

  • Issue ID 0420781: The NetScaler appliance does not forward the complete request to the server if the request requires more than one packet. As a result, the transaction fails.

  • Issue ID 0430176: The NetScaler appliance intermittently resets TCP connections that originate from the NetScaler FreeBSD shell and are destined for NetScaler-owned IP addresses (for example, a SNIP or VIP address). The resets affect applications such as LDAP.

SSL

  • Issue ID 0423905: If a malformed packet is received from a client, the NetScaler appliance closes the connection and releases the resources used for that connection to the common pool. In some cases, some of these resources are not cleaned before returning to the pool and a bad resource might be reused for a future request. In such cases, the SSL handshake for that future request fails.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.
  • Issue ID 0396892: Sometimes, the AppFlow exporter might not export the correct information. As a result, the client IP address is displayed incorrectly on the NetScaler Insight Center dashboard.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing & Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

    Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

High Availability

  • Issue ID 0416573: On the secondary node of a high availability (HA) configuration, if the HA propagation and HA synchronization options are disabled and Stay secondary is enabled, you cannot disable the Stay secondary option after upgrading the node.

ICA AppFlow

  • Issue ID 0433511: The console displays ICA user session information, and displaying the information can be undesirable.

    Workaround: Open the /etc/syslog.conf file and change the line *.err;kern.debug;auth.notice;mail.crit /dev/console to kern.err;kern.debug;auth.notice;mail.crit /dev/console

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

NetScaler Insight Center

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.
    Workaround: Restart the appliance by running the following command on the command line interface:
    #/etc/rc.d/analyticsd restart
  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue IDs 0333555 and 346171: After you enable AppFlow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If AppFlow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable AppFlow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, the Clear AppFlow Configuration action (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.

    Workaround: Restart the NetScaler Insight Center appliance.

  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors.
  • Issue ID 0417415: If you add a NetScaler appliance to a NetScaler Insight Center setup while ICA sessions are enabled, NetScaler Insight Center does not report the existing ICA sessions. It reports only the ICA sessions initiated after the appliance is added.
  • Issue ID 0424610: On the dashboard, the table that appears when you navigate to HDX Insight > Gateways might display a blank desktop name.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX server from build 118.7 or 119.7 to 120.13 or later builds is not supported. However, upgrade from build 120.13 to later builds is supported.

    Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 0421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.
  • Issue IDs 0437475 and 0439088: In certain scenarios, if data sent from the XenApp server to the client receiver is delayed because of network congestion or increased network latency, the client retransmits the ICA magic string, which causes the NetScaler Gateway to fail. This failure happens because the NetScaler Gateway was not expecting two packets containing the magic string.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After using the Management Service to create a channel, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0396252: If you specify secure-only access on a NetScaler instance, single sign-on to that instance from the Management Service user interface is not successful.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.

  • Issue ID 0424630: If you create an LACP channel with more than 8 member interfaces, or a static channel with more than 16 member interfaces, the following error message appears: "Channel Interface String Length: 185 is greater than maximum allowed length:128".

  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.

  • Issue ID 0430449: Even after you configure a short message service (SMS) server, you do not receive an SMS message when an alert is generated.

  • Issue ID 0431243: If a management channel exists on a NetScaler instance, you cannot trace the route of a packet from the Management Service to a NetScaler instance.

  • Issue ID 0431463: If you apply a license after modifying the SVM host name, the license application might fail.

    Workaround: Reboot the Management Service after changing the host name, and then try applying the license again.

  • Issue ID 0433054: Deletion of a management channel from the Management Service might not always succeed.

    Workaround: Try deleting the management channel again from Management Service.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of the HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.

    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)
    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

    • Release 10.1 build 112.15 or later

    • Release 10 build 74 or later

    • Release 9.3 build 62.4 or later

    • Release 9.3.e build 59.5003.e or later

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must reboot the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0382647: The stat system -detail command does not display the number of CPUs.

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.
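A pre-upgrade pass over ns.conf that applies this workaround, as an added example (not Citrix code). The function name, the "-time <value>" spelling of the parameter, and the sample lines are assumptions constructed for illustration.

```python
import re

# The three alarms named in the release note whose time parameter is deprecated.
DEPRECATED_TIME_ALARMS = {"IP-CONFLICT", "HA-LICENSE-MISMATCH", "HA-PROP-FAILURE"}

# Keywords and alarm names are matched case-insensitively.
SET_ALARM = re.compile(r"^(\s*set\s+snmp\s+alarm\s+)(\S+)(.*)$", re.IGNORECASE)
# Assumption: the parameter appears as "-time <value>". The trailing \s+ keeps
# longer names that merely start with "-time" from matching.
TIME_PARAM = re.compile(r'\s+-time\s+("[^"]*"|\S+)', re.IGNORECASE)

# Constructed sample, not taken from a real appliance.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 198.51.100.9 -netmask 255.255.255.0
set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -time 30
set snmp alarm IP-CONFLICT -time 0
set snmp alarm HA-LICENSE-MISMATCH -time 86400 -severity Major
set SNMP alarm ha-prop-failure -severity Minor -time 86400
set snmp alarm HA-STATE-CHANGE -severity Major
"""


def strip_deprecated_time(ns_conf_text):
    """Return (new_text, changes); changes lists (line_no, alarm, action)."""
    out, changes = [], []
    for line_no, line in enumerate(ns_conf_text.splitlines(), start=1):
        m = SET_ALARM.match(line)
        if not m or m.group(2).upper() not in DEPRECATED_TIME_ALARMS:
            out.append(line)  # other commands and other alarms are left alone
            continue
        prefix, alarm, rest = m.groups()
        new_rest, hits = TIME_PARAM.subn("", rest)
        if hits == 0:
            out.append(line)
        elif new_rest.strip():
            out.append(prefix + alarm + new_rest.rstrip())
            changes.append((line_no, alarm.upper(), "time removed"))
        else:
            # Choice made for this example: a set command with no parameters
            # left sets nothing, so the whole line is dropped.
            changes.append((line_no, alarm.upper(), "line dropped"))
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    fixed, log = strip_deprecated_time(SAMPLE_NS_CONF)
    for entry in log:
        print(entry)
    print(fixed, end="")
```

Run it against a copy of ns.conf and review the change list before replacing the file on the appliance.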

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.

Build 121.10

Release version: Citrix NetScaler, version 10.1 build 121.10

Replaces build: None

Release date: October 2013

Release notes version: 4.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

NetScaler MPX 22040/22060/22080/22100/22120 Platform

Support for ECDHE Ciphers

  • ENH ID 0329257: The Citrix NetScaler MPX 22040/22060/22080/22100/22120 appliances now support the ECDHE cipher group. This group contains the following ciphers:
    • TLS1-ECDHE-RSA-RC4-SHA
    • TLS1-ECDHE-RSA-DES-CBC3-SHA
    • TLS1-ECDHE-RSA-AES128-SHA
    • TLS1-ECDHE-RSA-AES256-SHA

    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.

    The following ECC curves are supported:

    • P_256
    • P_384
    • P_224
    • P_521

    By default all four curves are bound to an SSL virtual server.

Kerberos SSO

  • ENH ID 0361257: The AAA-TM Kerberos functionality now supports single sign-on (SSO) with all supported authentication mechanisms. The CAC (Smart Card) and SAML SSO mechanisms are supported in all cases, regardless of the authentication method that the client uses to log onto the NetScaler appliance. The HTTP-Basic, HTTP-Digest, Forms-based, and NTLM (versions 1 and 2) SSO mechanisms are also supported if the client uses either HTTP-Basic or Forms-Based authentication to log onto the NetScaler appliance.

    You can configure Kerberos SSO to work in one of two ways: by impersonation or by delegation. To configure Kerberos SSO by impersonation, you must have the user's password or client certificate. To configure impersonation using a client certificate, the user must also have a properly-configured version of the Citrix Receiver installed on his or her personal computer. To configure Kerberos SSO by delegation, you must have the delegated user's credentials in one of the following formats: the user's password, the keytab configuration that includes an encrypted password, or the client cert and the matching CA certificate.

    To configure Kerberos SSO, first configure your NetScaler appliance to manage traffic to the web application servers that users will access through SSO. Next, configure AAA-TM for your preferred authentication method. Verify that the NetScaler appliance can communicate with your LDAP Active Directory (AD) server and your Kerberos server.

    What you do next depends on whether you want to configure Kerberos SSO by Impersonation or by Delegation. Follow the instructions in the appropriate section below.

    Configuring Kerberos SSO by Impersonation

    To configure Kerberos SSO by Impersonation, enable integrated authentication on each web application server. After you have done this, create and configure the NetScaler KCD account that will impersonate users.

    To create the KCD account for SSO by impersonation with a password

    At the NetScaler command prompt, type the following command:
    add aaa kcdaccount <accountname> -realmStr <realm>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • realm - The domain assigned to Kerberos SSO.
    Example:
    add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM

    To create the KCD account for SSO by impersonation with a client certificate

    At the NetScaler command prompt, type the following command:
    add aaa kcdAccount <accountname> -cacert <cacert>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • cacert - The full path and name of the CA certificate file on the NetScaler appliance.
    Example:
    add aaa kcdAccount kcdaccount1 -cacert <path to certificate>

    Configuring Kerberos SSO by Delegation

    To configure Kerberos SSO by Delegation, first create an account (the Kerberos Service Account, or KSA) on the AD server for the NetScaler appliance to use as the delegated user. Next, on the Delegation tab of the KSA account Properties dialog box, enable the following options: "Trust this user for delegation to specified services only" and "Use any Authentication protocol." Finally, add the HTTP service and any other services that Kerberos SSO will manage to the services list, which is located on the Properties tab beneath the two settings.

    After you configure the NetScaler account on AD, enable integrated authentication on each web application server. Finally, create and configure the NetScaler KCD account that will serve as the delegated user.

    To create the KCD account for SSO by delegation with a password

    At the NetScaler command prompt, type the following commands:
    add aaa kcdaccount <accountname> -delegatedUser root -kcdPassword <password> -realmStr <realm>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • password - The password for the KCD account.
    • realm - The domain assigned to Kerberos SSO.

    Example (UPN format):
    add aaa kcdaccount kcdaccount1 -delegatedUser root -kcdPassword password1 -realmStr EXAMPLE.COM
    Example (SPN format):
    add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -kcdPassword password1

    To create the KCD account for SSO by delegation with a keytab file

    First, on the AD server, use the ktpass utility to create the appropriate keytab file. Next, use the file transfer utility of your choice to copy the keytab file from the AD server to the NetScaler appliance, and put it in /nsconfig/krb under the filename kcdvserver.keytab.

    Next, at the NetScaler command prompt, type the following command:
    add aaa kcdaccount <accountname> -keytab <keytab>
    Example:
    add aaa kcdaccount kcdaccount1 -keytab kcdvserver.keytab

    Finally, verify that the new KCD account has the proper keytab file and virtual server principal associated with it:

    To verify the KCD account on the NetScaler appliance
    sh kcdAccount <accountname>

    To create the KCD account for SSO by delegation with a client cert

    At the NetScaler command prompt, type the following commands:
    add aaa kcdaccount <accountname> -realmStr <realm> -delegatedUser <spnuser> -usercert <cert> -cacert <cacert>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • realm - The domain assigned to Kerberos SSO.
    • spnuser - The username in SPN format.
    • usercert - The full path and name of the user client certificate file on the NetScaler appliance.
    • cacert - The full path and name of the CA certificate file on the NetScaler appliance.
    Example:
    add aaa kcdaccount kcdaccount1 -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -usercert /certs/usercert -cacert /cacerts/cacert
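
A check that reads "add aaa kcdAccount" commands from a saved configuration and reports which of the five forms described above each account uses, which accounts carry a password in the command, and which are missing a parameter their form requires. This is an added example, not Citrix code; the function names and the sample configuration (account names, one command with a detached dash, one with no CA certificate) are constructed for illustration.

```python
import shlex

# Constructed sample configuration; the commands follow the forms shown above.
SAMPLE_NS_CONF = """\
add aaa kcdAccount kcd_imp -realmStr EXAMPLE.COM
add aaa kcdAccount kcd_impcert -cacert /cacerts/cacert
add aaa kcdaccount kcd_del_pw -delegatedUser root -kcdPassword password1 - realmStr EXAMPLE.COM
add aaa kcdAccount kcd_del_spn -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -kcdPassword password1
add aaa kcdaccount kcd_keytab -keytab kcdvserver.keytab
add aaa kcdaccount kcd_del_cert -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -usercert /certs/usercert
add lb vserver web1 HTTP 198.51.100.20 80
"""


def parse_params(tokens):
    """Split '-name value' pairs; return (params keyed by lower-case name, problems)."""
    params, problems = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-":
            # This check treats a dash separated from its name as a typing error.
            detached = tokens[i + 1] if i + 1 < len(tokens) else ""
            problems.append(f"'-' is separated from '{detached}'")
            i += 3  # skip the dash, the detached name and its value
        elif tok.startswith("-") and i + 1 < len(tokens):
            params[tok[1:].lower()] = tokens[i + 1]
            i += 2
        else:
            problems.append(f"unexpected token '{tok}'")
            i += 1
    return params, problems


def classify(params):
    """Map the parameters present to one of the five forms, plus what is missing."""
    def missing(*names):
        return [n for n in names if n.lower() not in params]

    if "delegateduser" in params:
        if "kcdpassword" in params:
            return "delegation with password", missing("realmStr")
        if "usercert" in params:
            return "delegation with client certificate", missing("realmStr", "cacert")
        if "keytab" not in params:
            return "delegation without a credential", ["kcdPassword, keytab or usercert"]
    if "keytab" in params:
        return "delegation with keytab", []
    if "cacert" in params:
        return "impersonation with client certificate", []
    if "realmstr" in params:
        return "impersonation with password", []
    return "unrecognised", []


def audit_kcd_accounts(config_text):
    """Return one report entry per 'add aaa kcdAccount' command in the text."""
    report = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        try:
            tokens = shlex.split(line)  # keeps a quoted SPN as one token
        except ValueError:
            tokens = line.split()  # unbalanced quote: still inspect the line
        if len(tokens) < 4 or [t.lower() for t in tokens[:3]] != ["add", "aaa", "kcdaccount"]:
            continue
        params, problems = parse_params(tokens[4:])
        mode, missing = classify(params)
        problems += [f"missing -{name}" for name in missing]
        report.append({
            "line": line_no,
            "account": tokens[3],
            "mode": mode,
            "delegated_user": params.get("delegateduser"),
            "inline_password": "kcdpassword" in params,
            "problems": problems,
        })
    return report


if __name__ == "__main__":
    for entry in audit_kcd_accounts(SAMPLE_NS_CONF):
        print(entry)
```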

NetScaler Insight Center Table Data Changes

  • ENH ID 0404805: NetScaler Insight Center now saves the following:

    Granular Data - Time to purge
    • 7 seconds data - 6 min
    • 5 minutes data - 65 minutes
    • Hourly data - 25 hours
    • Daily data - 8 days
    • Weekly data - 5 weeks

Increased Limits on the Number of Service Groups

  • ENH ID 0406355: You can now configure up to 8K (8192) service groups on a NetScaler appliance. The earlier limit was 4K (4096) service groups.

Bug Fixes

AAA Application Traffic

  • Issue ID 0418200: On a NetScaler appliance that has AAA configured with SSL certificate set to "optional" and at least one authentication policy, when Android users attempt to authenticate, the Android Receiver client generates the following error: "invalid server certificate". This error is caused by improper cookie handling by the Android Receiver client.

Application Firewall

  • Issue ID 0416714: When the NetScaler appliance sends large amounts of input data to the application firewall at once, the appliance can hang or crash. The appliance has now been programmed to send input data in batches limited to sizes that do not cause hangs or crashes to occur.

AppFlow

  • Issue ID 0418296: A newly added HTTP header prevents parsing of the HTTP request.

Command Line Interface

  • Issue ID 0379234: The show ns runningConfig command displays the current time instead of the time at which the configuration was last modified.

Configuration Utility

  • Issue IDs 0361970, 0387024, 0397473, and 0400307: When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.

  • Issue ID 0409605: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, the compression feature is not enabled on the appliance and for the service groups.

  • Issue ID 0413087: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, if you configure XenDesktop and later edit the Xen Farm settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices is not modified. Therefore, published resources of both XenApp and XenDesktop are displayed when accessing the Web Interface site through Receivers.

  • Issue ID 0414361: When you click the Edit link to update the configurations specified in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed when you try to apply the optimization settings.

  • Issue ID 0414760: When editing the Xen Farm settings in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.

  • Issue ID 0414807: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:

    • More than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers.
    • More than one service is bound to the service group.
  • Issue ID 0420349: Unable to access ICA connections through the graphical user interface.

Global Server Load Balancing

  • Issue ID 0408374: If a configuration has a large number of GSLB services and the add location file command is used to add the location database, not all of the services might be assigned a location from the database.

  • Issue ID 0421837: When a GSLB vserver is configured with RTT or Static Proximity as the load balancing method or SOURCEIPHASH as the persistence type, the NetScaler appliance might restart because of invalid memory access.

High Availability

  • Issue IDs 0357841 and 0408502: In a high availability configuration, for a connection to an FTP virtual server with the stateful connection failover option enabled, if the FTP control connection is closed before the passive mode FTP data connection is opened, the secondary node may become unresponsive.

ICA AppFlow

  • Issue ID 0414137: The NetScaler appliance might fail if AppFlow is enabled and the user tries to access a XenApp/XenDesktop farm under certain network conditions that result in split data packets.
  • Issue IDs 0423840 and 0426203: When you enable HDX Insight on a VPN server and try to launch an application from the XenApp server, the NetScaler appliance might fail as it copies the data to an invalid memory location.

Load Balancing

  • Issue ID 0409055: If you run a custom health monitoring script that does not require an argument, the NetScaler appliance sends an incorrect timeout to the script. As a result, the script continues to run for longer than expected. After some time, the maximum limit for the number of scripts allowed on the appliance is reached and new scripts cannot be run.

  • Issue ID 0417101 (MPX 9500): Oracle database monitor fills the console window with DONE and DEEP_FLD_LEN messages.

  • Issue ID 0410711: When Diameter traffic hits a Diameter load balancing virtual server that has persistence enabled, and a single packet contains multiple full requests and a partial request, the NetScaler appliance fails to recognize the partial request and therefore sends it to the server. As a result, an invalid packet is sent to the server and the NetScaler appliance sends a 5XXX code to the client.

Monitoring

  • Issue ID 0383812: A monitor of type CITRIX-WI-EXTENDED fails if the script name and site path arguments are not explicitly set.

Multipath TCP Support

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

  • Issue ID 0409426: The NetScaler appliance does not acknowledge the subflow FIN when it comes with the MPTCP DATA_FIN.

  • Issue ID 0412833: While using MPTCP, the NetScaler cannot adequately handle overlapping data sequence maps.

  • Issue ID 0414182: The NetScaler appliance must not send MPTCP control signals such as DATA_FIN or FAST_CLOSE when the NetScaler has already sent a subflow FIN.

  • Issue ID 0419184: While using MPTCP, the NetScaler appliance crashes when trying to free an already freed TCP session.

NetScaler Insight Center

  • Issue ID 0416889: In some cases, NetScaler Insight Center reports incorrect values for XenApp launch count.

NetScaler SDX Appliance

  • Issue ID 0413123: When you display the running configuration of a NetScaler instance in the Service Management interface, the double quotation marks (") are replaced with HTML code (&quot;).

Networking

  • Issue ID 0404849: The NetScaler appliance might restart if it receives a duplicate IPv6 fragment within a very short time after receiving the original fragment.

SNMP

  • Issue ID 0413733, 0413871, and 0421055: SNMPD fails to respond if it receives a packet with a NULL community string.

SSL

  • Issue ID 0408393: If you add an entity as part of an interactive SSL certificate process on the command line and abort the operation partway through by pressing CTRL+C, carrying out the same operation again causes the NetScaler command line to crash.

System

  • Issue IDs 0216272 and 0358540: In a high availability setup, after a forced failover, the sync operation fails to sync the -establishClientConnection parameter setting.

  • Issue IDs 0375425, 0399769, 0401111, 0408648, 0413721, and 0414273: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.

  • Issue ID 0401526: On a NetScaler appliance, an invalid HTTP range request results in a large amount of memory usage and the following error appears: "ERROR: Communication error with the packet engine."

  • Issue ID 0405532: TCP buffering is bypassed because the calculated 'usable system memory' is less than the configured threshold value.

  • Issue ID 0411613: The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.

  • Issue ID 0412681: If changes are made in the nsconfig/resolv.conf file, the appliance fails to override the default DNS configurations.

  • Issue ID 0415623: If you specify an invalid IPv4 address in a command that can accept either IPv4 or IPv6 address, the NetScaler shell exits automatically due to memory corruption.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

    Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers to which a listen policy is bound accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

NetScaler Insight Center

  • Issue ID 0331944: When no devices have been added to the inventory, the welcome screen is displayed for the Configuration tab as well as the Dashboard tab, which makes it impossible to perform any basic configuration.
  • Issue ID 0333555 and 346171: After you enable AppFlow on some virtual servers, even though no error message appears, the check box does not appear in the Insight column.

    Workaround: Refresh the screen. If AppFlow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable AppFlow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations operation (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.

    Workaround: Restart the NetScaler Insight Center appliance.

  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
  • Issue ID 0417415: If you add a NetScaler appliance to a NetScaler Insight Center setup while ICA sessions are enabled, NetScaler Insight Center does not report the existing ICA sessions. It reports only the ICA sessions initiated after the appliance is added.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After using the Management Service to create a channel, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

  • Issue ID 0424588: If a NetScaler instance is created with a Management VLAN using the 0/1 or 0/2 interface, the guest VMs fail to start post provisioning, because the guest VMs use the VLAN networks instead of physical network while assigning the interface.

    Workaround:
    1. Remove the NetScaler instances whose management ports are in tagged VLAN.

    2. Log on to the XenServer shell prompt and remove all the VLAN networks.

    3. Create the guest VM instances first, and then create the NetScaler instances.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.

    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)

    This change affects the following platforms:

    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

    • Release 10.1 starting build 112.15 or later

    • Release 10 build 74 or later

    • Release 9.3 build 62.4 or later

    • Release 9.3.e build 59.5003.e or later

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0382647: The stat system -detail command does not display the number of CPUs.

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue IDs 0417793, 0421214, 0421329, and 0423099: The NetScaler appliance stops sending TCP DUP ACKs when it receives out of order packets. This might result in latency between the client and the appliance, or the appliance and the server, with reduced throughput for some traffic patterns.

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later: bindservicegroup_state2 and unsetnslimitidentifier_selectorname. Instead, use unsetnslimitidentifier_selector.


Build 120.13

Release version: Citrix NetScaler, version 10.1 build 120.13

Replaces build: None

Release date: September 2013

Release notes version: 8.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Configuring Link Redundancy by using LACP channels

  • ENH ID 0346763: Link redundancy by using LACP channels enables the NetScaler appliance to logically create sub channels from a LACP channel, where one of the sub channels is active and the remaining sub channels stay in standby mode. If the active sub channel fails or does not meet a minimum throughput threshold, one of the standby sub channels takes over and becomes active.

    The NetScaler appliance forms a sub channel from the links that are part of the LACP channel and are connected to a particular device. For example, for a LACP channel with four interfaces on a NetScaler appliance, where two of the interfaces are connected to device A and the other two interfaces are connected to device B, the NetScaler appliance logically creates two sub channels: one sub channel with two links to device A, and the other sub channel with the remaining two links to device B.

    The lrMinThroughput parameter is introduced for configuring link redundancy for a LACP channel. This parameter specifies the minimum throughput threshold to be met by the active sub channel of a LACP channel. When the throughput of the active sub channel falls below the lrMinThroughput value, link failover occurs and one of the standby sub channels becomes active.

    For example, set channel la/1 -lrMinThroughput 2000

    Link redundancy for a LACP channel is disabled, which is also the default setting, when you set the lrMinThroughput parameter of the LACP channel to zero or when you unset this parameter.

    Note: In an HA configuration, if you want to configure both throughput-based HA failover (throughput parameter) and link redundancy (lrMinThroughput parameter) on a LACP channel, you must set the throughput parameter to a value less than or equal to that of the lrMinThroughput parameter.

    For example, set channel la/1 -throughput 2000 -lrMinThroughput 2000

    HA failover does not occur if any of the sub channels meets the lrMinThroughput parameter value even when the total throughput of the LACP channel does not meet the throughput parameter value.

    HA failover occurs only when none of the sub channels of the LACP channel meets the lrMinThroughput parameter value and the total throughput of the LACP channel does not meet the throughput parameter value.
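The failover rules described above can be walked through with a small model. This is an added example, not NetScaler code: the interface names, device names, link speeds, the rule that a sub channel's throughput is the summed speed of its links that are up, and the choice of the first qualifying standby are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Link:
    name: str       # member interface of the LACP channel (constructed names)
    peer: str       # device at the far end of the link
    mbps: int       # assumed contribution to throughput while the link is up
    up: bool = True


def sub_channels(links):
    """Group the channel's member links by peer device: one sub channel each."""
    groups = defaultdict(list)
    for link in links:
        groups[link.peer].append(link)
    return dict(groups)


def throughput(links):
    """Assumption: throughput is the summed speed of the links that are up."""
    return sum(link.mbps for link in links if link.up)


def evaluate(links, lr_min_throughput, ha_throughput=0, active=None):
    """Return (active sub channel or None, whether HA failover is triggered)."""
    if lr_min_throughput == 0:
        # Zero (or unset) disables link redundancy; HA is not modelled here.
        return None, False
    if ha_throughput > lr_min_throughput:
        raise ValueError("throughput must be less than or equal to lrMinThroughput")
    total = throughput(links)
    healthy = [peer for peer, members in sub_channels(links).items()
               if throughput(members) >= lr_min_throughput]
    if active not in healthy:
        # Link failover. Assumption: the first qualifying standby takes over.
        active = healthy[0] if healthy else None
    # HA failover needs both conditions: no sub channel meets lrMinThroughput
    # and the whole channel is below the throughput parameter.
    ha_failover = ha_throughput > 0 and not healthy and total < ha_throughput
    return active, ha_failover


def with_down(links, *names):
    """Copy of the channel with the named interfaces marked down."""
    return [replace(link, up=link.up and link.name not in names) for link in links]


# Constructed channel: four 1000 Mbps links, two to each peer device.
CHANNEL = [
    Link("1/1", "device-A", 1000), Link("1/2", "device-A", 1000),
    Link("1/3", "device-B", 1000), Link("1/4", "device-B", 1000),
]


def walk_through(lr_min_throughput=2000, ha_throughput=2000):
    """Fail links one after another and record the state after each step."""
    steps, active = [], None
    for down in [(), ("1/1",), ("1/1", "1/3"), ("1/1", "1/3", "1/4")]:
        active, ha = evaluate(with_down(CHANNEL, *down),
                              lr_min_throughput, ha_throughput, active)
        steps.append((down, active, ha))
    return steps


if __name__ == "__main__":
    for down, active, ha in walk_through():
        print(f"down={down or 'none'} active={active} ha_failover={ha}")
```

In the third step neither sub channel meets lrMinThroughput, yet the channel as a whole still meets the throughput value, so the model reports no active sub channel and no HA failover.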

DNS64

  • ENH ID 0318404: The NetScaler DNS64 feature responds with a synthesized DNS AAAA record to an IPv6 client sending an AAAA request for an IPv4-only domain. The DNS64 feature is used with the NAT64 feature to enable seamless communication between IPv6-only clients and IPv4-only servers. DNS64 enables discovery of the IPv4 domain by the IPv6-only clients, and NAT64 enables communication between the clients and servers.

    For synthesizing an AAAA record, the NetScaler appliance fetches a DNS A record from a DNS server. The DNS64 prefix is a 96-bit IPv6 prefix configured on the NetScaler appliance. The NetScaler appliance synthesizes the AAAA record by concatenation of the DNS64 Prefix (96 bits) and the IPv4 address (32 bits).
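The synthesis described above, and the reverse mapping that is useful when synthesized addresses appear in logs, shown as an added example that is not NetScaler code. The function names are hypothetical, and the prefixes and addresses are sample values (the well-known prefix 64:ff9b::/96 and documentation ranges).

```python
import ipaddress


def _dns64_prefix(prefix):
    """Parse a DNS64 prefix and insist on the 96-bit length the text describes."""
    net = ipaddress.IPv6Network(prefix)   # raises ValueError if host bits are set
    if net.prefixlen != 96:
        raise ValueError(f"DNS64 prefix must be 96 bits long, got /{net.prefixlen}")
    return net


def synthesize_aaaa(prefix, a_records):
    """Build one AAAA address per A record: 96-bit prefix followed by 32-bit IPv4."""
    net = _dns64_prefix(prefix)
    base = int(net.network_address)
    synthesized = []
    for record in a_records:
        ipv4 = ipaddress.IPv4Address(record)      # rejects anything that is not IPv4
        synthesized.append(ipaddress.IPv6Address(base | int(ipv4)))
    return synthesized


def embedded_ipv4(prefix, aaaa):
    """Recover the IPv4 server behind a synthesized address, or None if the
    address does not fall inside the DNS64 prefix (a native IPv6 address)."""
    net = _dns64_prefix(prefix)
    address = ipaddress.IPv6Address(aaaa)
    if address not in net:
        return None
    return ipaddress.IPv4Address(int(address) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed sample data: two A records returned for an IPv4-only domain.
    for addr in synthesize_aaaa("64:ff9b::/96", ["192.0.2.33", "198.51.100.10"]):
        print(addr, "->", embedded_ipv4("64:ff9b::/96", addr))
```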

Setting Up NetScaler for XenApp/XenDesktop

  • ENH ID 0345912: The NetScaler now provides a wizard that simplifies the task of setting up a NetScaler appliance for a XenApp/XenDesktop deployment. For more information, see Setting Up NetScaler for XenApp/XenDesktop.

New Subnet Mask Field for the SNIP Address in the First-time Setup Wizard

  • ENH ID 0413542: The first-time setup wizard now has separate subnet mask fields for the NetScaler IP (NSIP) and subnet IP (SNIP) addresses.

Upgrade Progress

  • ENH ID 0346988: When you upgrade a NetScaler VPX instance on an SDX appliance, a new window, Upgrade Progress, shows the status of the upgrade operation, including any error messages. This feature is also available for SecureMatrixGSB and Websense Protector virtual machines.

Support for 8 Channels

  • ENH ID 0401113: The SDX SVM now allows you to configure 8 channels on a VPX instance.

Bug Fixes

AAA Application Traffic

  • Issue ID 0401000: When AAA is configured by authentication profile on a NetScaler appliance that has content switching enabled, users can use the Microsoft Internet Explorer or Mozilla Firefox browsers to log on, but might not be permitted to access all resources that they should be able to access. Users who log on using the Google Chrome browser do not experience this problem. The underlying cause was that authentication level is checked only once per connection rather than at each request.

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

Configuration Utility

  • Issue ID 0361970: When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.

Domain Name System

  • Issue ID 0401451: The NetScaler appliance, configured to function as a DNS forwarder or DNS resolver, might become unresponsive whenever it receives a truncated UDP DNS response from a name server.

Load Balancing

  • Issue ID 0390545 (nCore): A NetScaler nCore appliance uses multiple CPU cores (Packet Engines) for packet handling. Every session on the appliance is owned by a packet engine (PE). If the appliance receives a request for which a session does not already exist, a session is created, and one of the PEs is designated as the owner of that session. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE. During the time that the PE gets details about the session from the owner PE, the packet is corrupted.

  • Issue ID 0398327: You can now bind a StoreFront monitor to a service group. Each member of a service group is now monitored by using the member's IP address.

    The -hostname parameter is no longer required and is deprecated.

    To determine whether to use HTTP (the default) or HTTPS to send monitor probes, you must now use the -secure parameter. If your current StoreFront monitor configuration uses HTTP, you only have to remove the hostname parameter.

    To use HTTPS, set the -secure option to Yes.

    Example:
    add lb monitor storefront_ssl STOREFRONT -storename myStore -storefrontacctservice YES -secure yes
  • Issue ID 0409028: If you unbind a load balancing (LB) monitor from its service, all the connections to the configured destination IP address (destip) and port (destport) of the LB monitor are closed. In a typical L3 Direct Server Return (DSR) deployment mode, the destip and destport of the LB monitor are actually the IP address and port of the virtual server. Therefore, in a typical L3 DSR deployment, if you unbind an LB monitor from its service, all the existing connections to the virtual server are closed. The same behavior is observed if you delete a service.

Monitoring

  • Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, if you run the show ns runningConfig command before restarting the appliance, the monitor binding information does not appear.

Multipath TCP Support

  • Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.

  • Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP are enabled.

  • Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.

  • Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.

NetScaler Insight Center

  • Issue ID 0369664: For an Active session, data is sent to the AppFlow collector even if the policy rule is changed to FALSE when the session is active.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.
  • Issue ID 0402458: If the memory usage on the NetScaler Insight Center reaches the maximum limit, the appliance fails to respond to further memory-allocation requests by other modules and becomes unresponsive.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0402959: In certain situations, the NetScaler appliance incorrectly interprets the compression buffer size negotiation between the client and the server, and enabling AppFlow on the ICA connection causes the appliance to fail when the connection is used to launch an application or desktop. This problem most commonly occurs when a CloudBridge appliance or any WAN optimization device is placed between the client and the NetScaler appliance.
  • Issue ID 0405818/0405273: On the Dashboard > Users page, ICA RTT values displayed on the graph in the left panel do not match the values displayed below the graph, or there is a delay in updating the values.
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.
  • Issue ID 0411107: In a mixed XenApp/XenDesktop server farm, if the XenApp and XenDesktop versions are older than 6.5 and 5.0 respectively, the applications fail to launch because the NetScaler appliance incorrectly parses the ICA packets.
  • Issue ID 0413016/0414140: The NetScaler appliance might fail to respond when AppFlow is enabled on the NetScaler Insight Center and the user tries to access the XenApp/XenDesktop farm.
  • Issue ID 0414844: HDX Insight does not support XenApp versions earlier than 6.5.
  • Issue ID 0415812: If a CloudBridge appliance is placed between the client and a NetScaler appliance, and AppFlow is enabled for ICA traffic, the XenApp/XenDesktop applications fail to launch and the NetScaler appliance fails.
  • Issue ID 0413657: In some situations, the NetScaler appliance fails after parsing ICA traffic incorrectly.

NetScaler SDX Appliance

  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of NetScaler instance Modify NetScaler Wizard.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.

  • Issue ID 0405115: SSL certificate installation on a NetScaler instance from the SDX Management Service fails during validation if the SSL certificate does not have an associated key file.

  • Issue ID 0405921: The SVM restore operation of NetScaler instances fails because the SVM shuts down the NetScaler instances that are still being provisioned.

  • Issue ID 0410416: After the SDX appliance restarts, NetScaler VPX instances on the appliance cannot send packets tagged with VLAN IDs through an LACP channel.

Networking

  • Issue ID 0401303: When the conditions specified in an ACL rule include the operator !=, the NetScaler appliance might not properly filter packets based on the ACL rule.

  • Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.

  • Issue ID 0404861: If the NetScaler appliance has redundant L2 connectivity with a switch, the NetScaler appliance may mark its link-local IPv6 addresses as duplicate during the DAD (Duplicate address detection) process.

  • Issue ID 0405190: When IP fragments are received on a load balancing virtual server with client timeout parameter set to zero, the NetScaler appliance might dump core and then restart.

Platform

  • Issue ID 0409202: The NetScaler license is not processed if the configuration file (ns.conf) contains multiple instances of the host name, or if the host name in the ns.conf file is different from the host name in the rc.conf file. With this fix, if the ns.conf file contains multiple host names, only the name set by the set ns hostname command is used. Also, the host name in ns.conf no longer takes precedence over the host name in rc.conf.

Rewrite

  • Issue ID 0401455: Modifying the content with more than one callout results in incorrect computation of the content length. This issue is not observed if all the callouts use GET requests.

System

  • Issue ID 0353546: When you try to add a second name-based SNMP manager, you get an error message that says an SNMP manager with that name already exists.

  • Issue ID 0391632: The output of the stat commands specified with -fullValues option is aligned incorrectly.

  • Issue ID 0391754: On a NetScaler MPX system, the SNMP count for the system's hardware memory and the show system memory display are incorrect. The amount of memory shown is larger than the actual amount.

  • Issue ID 0401111: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.

  • Issue ID 0402677: The NetScaler appliance might fail to respond if an ICMP error occurs when TCP buffering and integrated caching are enabled on the appliance.

  • Issue ID 0407868: Remote monitoring of a high capacity appliance, such as a NetScaler MPX 22000, might indicate a drop in performance even though performance remains robust. The apparent problem is the result of a pause in the stream of monitoring data, not an actual drop in throughput.

  • Issue ID 0407974: A session is not freed when port allocation fails. The session is getting matched and the NetScaler fails when it tries to access other linked sessions which are NULL.

  • Issue ID 0423610: If, from a management computer, you run a command that forms a request size of more than 8000 bytes, the NetScaler ADC might not properly buffer this large request. As a result, the ADC terminates the connection to the management computer.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793 (nCore and nCore VPX): The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0409605: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, the compression feature is not enabled on the appliance and for the service groups.

    Workaround: Enable compression on the appliance by using the enable ns feature CMP command. Also, enable compression for the service groups by using the set servicegroup <name> -CMP on command.

  • Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0413087: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, if you configure XenDesktop and later edit the Xen Farm settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices is not modified. Therefore, published resources of both XenApp and XenDesktop are displayed when accessing the Web Interface site through Receivers.

  • Issue ID 0414361: When you click the Edit link to update the configurations specified in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed when you try to apply the optimization settings.

    Workaround: Edit the XenFarm section (no actual changes required), click Continue and then apply the optimization settings.

  • Issue ID 0414422: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

    Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

  • Issue ID 0414760: When editing the Xen Farm settings in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.

  • Issue ID 0414807: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:

    • More than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers.
    • More than one service is bound to the service group.
  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp"
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp"

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers to which a listen policy is bound accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

NetScaler Insight Center

  • Issue ID 0331944: When no devices have been added to the inventory, the welcome screen is displayed for the configuration tab along with the dashboard tab, which makes it impossible to perform any basic configuration.
  • Issue ID 0350977: When you enable AppFlow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 by using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.
  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, the Clear AppFlow Configuration action (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.

    Workaround: Restart the NetScaler Insight Center appliance.

  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX from build 118.7 or 119.7 to 120.13 is not supported.

    Workaround: To upgrade to build 120.13, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After using the Management Service to create a channel, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP address is 198.51.100.9 and the secondary node’s NSIP address is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

    • Release 10.1 starting build 112.15 or later

    • Release 10 build 74 or later

    • Release 9.3 build 62.4 or later

    • Release 9.3.e build 59.5003.e or later

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue ID 0411613: The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.
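
For the Issue ID 0388481 workaround above, one way to find and remove the deprecated time parameter in a copy of ns.conf before upgrading. This is an added example, not Citrix code: the sample configuration lines are constructed, and the function name strip_deprecated_alarm_time is hypothetical.

```python
import re

# Alarms for which the release note says the time parameter is deprecated.
DEPRECATED_TIME_ALARMS = {"IP-CONFLICT", "HA-LICENSE-MISMATCH", "HA-PROP-FAILURE"}

# "set snmp alarm <trapName> ..." with the trap name captured.
_ALARM_LINE = re.compile(r"^\s*set\s+snmp\s+alarm\s+(\S+)", re.IGNORECASE)
# "-time <value>" as a whole token pair; "-timeout" and similar are not matched.
_TIME_ARG = re.compile(r"\s+-time\s+\S+", re.IGNORECASE)

# Constructed sample lines standing in for a real ns.conf (not from the page).
SAMPLE_NS_CONF = "\n".join([
    "set snmp alarm IP-CONFLICT -time 86400",
    "set snmp alarm HA-LICENSE-MISMATCH -time 86400 -severity Major",
    "set snmp alarm ha-prop-failure -state ENABLED -TIME 3600",
    "set snmp alarm HA-SYNC-FAILURE -time 86400",
    "add snmp trap generic 198.51.100.50",
]) + "\n"


def strip_deprecated_alarm_time(conf_text):
    """Remove "-time <n>" from set snmp alarm lines for the three alarms.

    Returns (cleaned_text, changes). Each change is a tuple
    (line_no, old_line, new_line, needs_review); needs_review is True when
    the command is left with no parameters at all, so an operator can decide
    whether to delete that line by hand.
    """
    out, changes = [], []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = _ALARM_LINE.match(line)
        if m and m.group(1).upper() in DEPRECATED_TIME_ALARMS:
            new_line = _TIME_ARG.sub("", line)
            if new_line != line:
                # The prefix up to the trap name is unchanged, so m.end()
                # still marks where the remaining parameters begin.
                needs_review = new_line[m.end():].strip() == ""
                changes.append((line_no, line, new_line, needs_review))
                line = new_line
        out.append(line)
    trailing = "\n" if conf_text.endswith("\n") else ""
    return "\n".join(out) + trailing, changes


if __name__ == "__main__":
    cleaned, changes = strip_deprecated_alarm_time(SAMPLE_NS_CONF)
    for line_no, old, new, needs_review in changes:
        flag = "  (no parameters left, review)" if needs_review else ""
        print(f"line {line_no}: {old!r} -> {new!r}{flag}")
    print(cleaned, end="")
```

Run it against a copy of ns.conf and review the reported changes before replacing the file on the appliance.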

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2

    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.


Build 119.7

Release version: Citrix NetScaler, version 10.1 build 119.7

Replaces build: None

Release date: July 2013

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Multipath TCP Support

  • ENH ID 0320221: NetScaler appliances now support Multipath TCP (MPTCP). MPTCP is a TCP/IP protocol extension that identifies and uses multiple paths available between hosts to maintain the TCP session. You have to enable MPTCP on a TCP profile and bind it to a virtual server. When MPTCP is enabled, the virtual server functions as an MPTCP gateway and converts MPTCP connections with the clients to TCP connections that it maintains with the servers.

    For more information, see TCP Configurations.

Call Home Proxy Mode Support

  • ENH ID 0311623: Call Home can now upload your NetScaler appliance's data to the Citrix TaaS server through a proxy server.

    For more information, see Configuring Call Home.

Custom HTTP Headers Support using Web Server Logging

  • ENH ID 0329710: The NetScaler can now export values of custom HTTP headers to the NSWL client. You can configure up to a maximum of two HTTP request header names and two HTTP response header names.

    For more information, see Exporting Custom HTTP Headers.

Backing Up and Restoring a NetScaler Appliance

Checking Content Type of Responses

  • ENH ID 0236218: When configuring the Safe Commerce (credit card) check, you can now configure the application firewall to check the MIME/type of HTTP responses and skip responses that are not of the appropriate content type for Safe Commerce filtering. You can use this configuration option to prevent false positives.

    To enable MIME/type checking, at the NetScaler command line type the following command:

     bind appfw profile <name> -inspectResContentType <type>

    For <name>, substitute the name of the profile. For <type>, substitute a string that matches the MIME/type. For example, to check for and skip PDF content sent to the library profile, you would type the following:

     bind appfw profile library -inspectResContentType "text/PDF"

    To disable a MIME/type rule that you have previously enabled, use the unbind command:

     unbind appfw profile <name> -inspectResContentType <type>

Enterprise License Support for AppFlow

  • ENH ID 0395659: AppFlow can now export ICA records from NetScaler appliances that have enterprise licenses. This ensures that HDX insight reports for NetScaler appliances with enterprise licenses are now available on the NetScaler Insight Center.

New Metrics Support for NetScaler Insight Center

  • ENH ID 0400867: HDX Insight reports now include details about Client Side NS Latency, Server Side NS Latency and Host Delay.

Enabling or Disabling the Recursion Available Flag

  • ENH ID 0403114: A Recursion Available option has been added for load balancing virtual servers of type DNS and DNS TCP. It controls the RA (Recursion Available) flag in all the DNS responses from these virtual servers.

Bug Fixes

AAA Application Traffic

  • Issue ID 0387049: When importing a keytab while setting up a KCD account, AAA might fail to extract the SPN from the keytab, causing the import to fail.

Application Firewall

  • Issue ID 0403027: The application firewall includes an extraneous line break in the hidden field that it adds to forms as part of the form field consistency check. This line break is not JavaScript-compliant and can cause issues with JavaScript-enhanced forms.

Cache Redirection

  • Issue ID 0401148: The NetScaler cache fails to respond to a request in which an absolute URL does not include a slash (/) after the host name.

Configuration Utility

  • Issue ID 0372535: The pagination count on the page listing SSL policies that can be bound does not display the correct values.

Global Server Load Balancing

  • Issue ID 0385305: In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the add locationFile command, the command is not synchronized to the remote location.

Load Balancing

  • Issue ID 0351870: If you change the load balancing group of a virtual server that has a large number of SSL sessions, the appliance might fail.

  • Issue ID 0383402: If a virtual server is UP because the service(s) are in Transition Out-Of-Service (TROFS) state, the clients do not respond due to requests being queued at the virtual server rather than at the services. Instead, the client must issue 503 or RST.

  • Issue ID 0401118: On a NetScaler appliance or VPX that is configured for load balancing in an environment that includes a Microsoft SQL server database, when a client sends a large number of long queries to the MSSQL database, the appliance or VPX might hang or crash.

Load Balancing/AAA-TM

  • Issue ID 0402472: If you attempt to create a KCD service account on a NetScaler appliance or virtual appliance that has AAA-TM enabled and integrated caching disabled, a buffer overflow might load the appliance or cause it to fail.

NetScaler Insight Center

  • Issue ID 0332854: An IP address that contains the number 255 in any quadrant cannot be added to the inventory.
  • Issue ID 0400545: The help page on the Graphical User Interface (GUI) displays incorrect information for enabling data collection.
  • Issue ID 0400665: The HDX Insight node is not displayed for Enterprise licenses of NetScaler appliances.
  • Issue ID 0400900: The load time and render time metrics are not displayed for standard or enterprise licenses of NetScaler appliances.
  • Issue ID 0405177: During an ICA session, the NetScaler appliance fails to respond when you access its invalid memory space.
  • Issue ID 0403134/0403195: During an ICA session, the NetScaler appliance fails to respond due to a NULL pointer access.

NetScaler SDX Appliance

  • Issue ID 0400409: If you modify a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.

  • Issue ID 0400607: If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.

Networking

  • Issue ID 0366321: The Network Visualizer does not display the bound IP addresses of a configured VLAN.

  • Issue ID 0402068: With Random source port selection for Active FTP enabled on the NetScaler appliance, when an FTP server initiates a connection from the standard TCP port number 20, the NetScaler appliance uses a random port instead of port 20 for the client side data connection.

  • Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.

Policies

  • Issue ID 0391238: When an HTTP callout is configured with a virtual server that has a wildcard port, the NetScaler appliance fails to respond the first time the callout is triggered.

SSL

  • Issue ID 0400084: An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.

  • Issue ID 0400649: In the NetScaler configuration utility, the FipsKey parameter does not appear in the Install certificate dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.

System

  • Issue ID 0390257: SNMP returns incorrect values for the ifOutOctets and ifInOctets counters.

  • Issue ID 0394724: The SNMP module allocates memory for all OIDs in an SNMP request and queues them for further processing. With a large number of SNMP requests (each request with possibly hundreds of OIDs), the result can be a memory shortage that in turn leads to memory allocation failures.

  • Issue ID 0395735: The NetScaler appliance dumps a core when you create a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.

  • Issue ID 0404094: If the SNMP service has the NSI_NS_SERVICE flag set, and you clear the configuration, the NetScaler appliance crashes.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:

    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793: (nCore and nCore VPX) The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching

  • Issue ID 0399575: When configuring load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

  • Issue ID 0401451: The NetScaler appliance, configured to function as a DNS forwarder or DNS resolver, might become unresponsive whenever it receives a truncated UDP DNS response from a name server.

Load Balancing

  • Issue ID 0398327: Monitoring of StoreFront servers fails if they are part of a cluster and the StoreFront monitor is bound to the entire service group. The StoreFront monitor probe fails because individual members have different host names.

    Workaround: If the StoreFront servers are part of a cluster, Citrix recommends that you add them as individual services instead of as members of a service group.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp"
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp"
  • Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, the monitor binding information does not appear if you run the show ns runningConfig command before restarting the appliance.

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.

  • Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP are enabled.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers with listenPolicy specified accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

  • Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.

  • Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

NetScaler Insight Center

  • Issue ID 0331944: When no devices have been added to the inventory, the welcome screen is displayed for the configuration tab along with the dashboard tab, which makes it impossible to perform any basic configuration.
  • Issue ID 0369664: In HDX Insight mode, data is sent to the AppFlow collector even if the policy rule is set to FALSE.

    Workaround: Start the session again.

  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: In transparent mode, when you launch XenApp through Citrix Receiver (standard edition), the app launch duration is shown as zero.
  • Issue ID 0388875: If the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, and the page size is set to 25, only the first 25 virtual servers are shown. The list does not continue on another page.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.

    Workaround: The correct value is displayed in the Dashboard > HDX Insight > Applications page.

  • Issue ID 0397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports display session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 by using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0402458: If the analytics decoding process requires more than 100% of RAM memory, the system fails to respond to further memory-allocation requests by other modules.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0405818/0405273: On the Dashboard > Users page, ICA RTT values displayed on the graph in the left panel do not match the values displayed below the graph, or there is a delay in updating the values.
  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0405849: Sometimes, the commands used in the NetScaler Insight Center command line interface are case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, the Clear AppFlow Configuration action (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: If the NetScaler Insight Center virtual appliance remains inactive for a longer duration, the data will not be logged.

    Workaround: Restart the appliance by running the following command on the command line interface:

    /etc/rc.d/analyticsd restart
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After creating a channel by using the Management Service, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable on the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of the NetScaler instance's Modify wizard.

    Workaround: Modify the NetScaler instance and remove the nonexistent channel from the VLAN settings page.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the sync HA files command from the NetScaler command line or use the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:

    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node’s NSIP is 198.51.100.9 and the secondary node’s NSIP is 198.51.100.27, you would run the following command on the primary node:
    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22 
    and the following command on the secondary node:
    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while configuring an extended ACL by using the configuration utility, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies over classic policies.

Reporting

  • Issue ID 0368982: After you have imported a custom data source, the charts for the counters under System entities statistics are inaccurate because of issues in the third-party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.
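
The following script is an added example, not part of the original release notes or Citrix tooling. It checks a copy of ns.conf for the three alarms named in Issue ID 0388481 and produces a cleaned configuration. The -time flag spelling, the function names, and the sample configuration lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Citrix code): pre-upgrade check for Issue ID 0388481.
# Alarm names are taken from the release note. The "-time <secs>" spelling of
# the time parameter and the sample lines below are assumptions, constructed
# for illustration. Always run this against a copy of ns.conf.

# $1 = mode: "report" lists offending lines, "strip" prints a cleaned config.
# $2 = path to a copy of ns.conf.
process_conf() {
    awk -v mode="$1" '
    BEGIN {
        # The three alarms named in the issue, lower-cased for comparison.
        affected["ip-conflict"] = 1
        affected["ha-license-mismatch"] = 1
        affected["ha-prop-failure"] = 1
    }
    {
        hit = 0
        if (tolower($1) == "set" && tolower($2) == "snmp" &&
            tolower($3) == "alarm" && (tolower($4) in affected)) {
            out = $1 " " $2 " " $3 " " $4
            for (i = 5; i <= NF; i++) {
                if (tolower($i) == "-time") {
                    hit = 1
                    i++          # also skip the value that follows the flag
                    continue
                }
                out = out " " $i
            }
        }
        if (mode == "report") {
            if (hit) print FNR ": " $0
        } else {
            print (hit ? out : $0)
        }
    }' "$2"
}

# List "line number: text" for each affected alarm that still carries -time.
find_time_args()  { process_conf report "$1"; }

# Print the configuration with -time removed from the three affected alarms
# only; every other line, including other alarms, is passed through unchanged.
strip_time_args() { process_conf strip "$1"; }

# Constructed ns.conf fragment used by the demonstration below.
write_sample_conf() {
    cat > "$1" <<'EOF'
set snmp alarm SYNFLOOD -thresholdValue 100 -normalValue 50 -time 10
set snmp alarm IP-CONFLICT -time 86400
set snmp alarm HA-LICENSE-MISMATCH -time 86400 -severity Major
set snmp alarm HA-PROP-FAILURE -time 86400
set snmp alarm HA-STATE-CHANGE -severity Major
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    write_sample_conf "$tmp"
    echo "Lines that would raise the time argument error on 10.1:"
    find_time_args "$tmp"
    echo "Cleaned configuration:"
    strip_time_args "$tmp"
    rm -f "$tmp"
}
demo
```

Review the cleaned output before it replaces the live ns.conf, and keep the original file as a backup.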

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2

    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.


Build 118.7

Release version: Citrix NetScaler, version 10.1 build 118.7

Replaces build: None

Release date: June 2013

Release notes version: 3.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

NetScaler VPX Support on Microsoft Hyper-V and VMware ESX virtualization platforms

The NetScaler VPX virtual appliance is supported on Microsoft Hyper-V Server 2012 and VMware ESX 5.1 virtualization platforms.

Oracle Monitor Support

ENH ID 0364085: You can now create a load balancing monitor for an Oracle DBMS server by using the new Oracle-ECV monitor type. The supported data types are BINARY_DOUBLE, BINARY_FLOAT, CHAR, DATE, INTERVALDS, INTERVALYM, NUMBER, NVARCHAR, TIMESTAMP, TIMESTAMP_WITH_LOCAL_TIME_ZONE, and TIMESTAMP_WITH_TIME_ZONE.

You can configure the monitor by using the NetScaler command line or the configuration utility.

To create and configure an Oracle-ECV monitor at the command line, type:
add lb monitor <monitorName> oracle-ecv [ parameters... ]
Example:
add lb monitor oracle-monitor5 ORACLE-ECV -userName hr -database xe -sqlQuery "select Name from testlb" -evalRule "ORACLE.RES.ATLEAST_ROWS_COUNT(1)"
Where:
  • userName is the name of the database user.
  • database is the database to query.
  • sqlQuery is the query to be sent to the server.
  • evalRule is the rule to be evaluated against the response.
Note: The database user has to be configured by using the add db user command, for example: add db user hr -password passwd

To create or configure an Oracle-ECV monitor by using the configuration utility, navigate to Traffic Management > Load Balancing > Monitors, and then click Add to create the monitor or select an existing monitor and then click Open to configure the monitor.

The new expressions that support the Oracle-ECV monitor are as follows:
  • ORACLE.RES.ATLEAST_ROWS_COUNT(n) Determines whether the query response contains at least the specified number of rows.
  • ORACLE.RES.ROW(i).NUM_ELEM(j).eq(n) Determines whether the value located at the specified row and column is equal to the specified number. You can substitute other valid numeric operations for "eq".
  • ORACLE.RES.ROW(i).IS_NULL_ELEM(j) Determines whether the value located at the specified row and column is NULL.
  • ORACLE.RES.ROW(i).TEXT_ELEM(j).eq("pattern") Determines whether the value located at the specified row and column matches the specified pattern. You can substitute other valid text operations for "eq".

NetScaler and XenMobile Solution for Enterprise Mobility

ENH ID 0365382: Citrix NetScaler deployed with XenMobile Mobile Device Management (MDM) provides the ability to scale, ensure high availability for apps, and maintain security.

Use the XenMobile MDM Setup wizard on the NetScaler configuration utility to configure the following two deployment scenarios:
  • Load balance XenMobile Device Managers (MDM servers): In this scenario, the NetScaler appliance sits between the client and the XenMobile MDM servers to load balance encrypted data from mobile devices to the XDM servers.
  • Load balance MS Exchange servers with email filtering: In this scenario, the NetScaler appliance sits between the client and the XNC and CAS servers. All requests from the client devices go to the NetScaler appliance, which then communicates with the XNC to retrieve information about the device. Based on the response from the XNC, the NetScaler either forwards the request from a whitelisted device to the backend server, or drops the connection from a blacklisted device.

For more information, see the "NetScaler and XenMobile Solution for Enterprise Mobility" deployment guide.

Low Encryption Licenses for Russia

ENH ID 0349674: A NetScaler MPX appliance for customers in Russia initially ships with a low encryption license. After proper authorization from the Russian agency, customers can upgrade to a Standard, Enterprise, or Platinum software edition, which enables high-encryption SSL performance on the appliance.

First Time User Wizard Changes

The look and feel of the first time user wizard has changed.

Provisioning Third-Party Instances on a NetScaler SDX Appliance

You can now provision the following third-party virtual machines (instances):
  • ENH ID 0329072: SECUREMATRIX® GSB—Provides a highly secure password system that eliminates the need to carry any token devices.
  • ENH ID 0329072: Websense® Protector—Allows enterprises to deploy a data loss prevention (DLP) solution to protect sensitive enterprise information.
  • ENH ID 0349549: BlueCat DNS/DHCP Server—Provides a DNS, DHCP, and IP Address Management software solution for enterprises.
Important: You must upgrade to XenServer version 6.1.0 before provisioning a third-party instance on the SDX appliance.

Upgrading the XenServer Software

ENH ID 0322368: You must upgrade the NetScaler SDX appliance to XenServer version 6.1.0 to enable functionality of some features, such as LACP and third-party virtual machines. The process of upgrading the XenServer software involves uploading the build file of the target build to the Management Service, and then upgrading the XenServer software.

Configure Link Aggregation from the Management Service

ENH ID 0257892: You can now configure link aggregation from the Management Service at the time of provisioning a NetScaler instance, or later by modifying an instance. An aggregated link is also known as a channel. The interfaces that form part of a channel are not listed in the Network Settings view shown when you add or modify a NetScaler instance. Instead of the interfaces, the channels are listed.

NetScaler Insight Center

  • ENH ID 0341904: NetScaler Insight Center supports clearing AppFlow configurations from a virtual server.
  • ENH ID 0381072: NetScaler Insight Center supports sending syslog messages to an external syslog server.
  • ENH ID 0388409: On the Dashboard > HDX Insight > Users > <user name> page, the application and gateway reports display the active applications by default.
  • ENH ID 0392732: The HTML Injection feature is now available for Web Insight data collection on platinum licenses of NetScaler 10.0 appliances and on all licenses of NetScaler 10.1 appliances.

Changes and Fixes

AAA Application Traffic

  • Issue ID 0372362: When KCD is configured with a content switching virtual server, the NetScaler appliance might hang or crash. The cause is a GET request with multiple authorization headers. (Only one authorization header is expected.)
  • Issue ID 0387076: On a NetScaler appliance with AAA enabled and KCD single sign-on configured, after several single sign-on requests are successfully authenticated, the virtual server principal can unexpectedly become blank. When this happens, subsequent authentication requests fail.
  • Issue ID 0390037: After authentication, if AAA generates the URL redirect, it rewrites the query portions of certain URLs into base 8 ASCII string equivalents instead of passing on the original strings.
  • Issue ID 0391105: A NetScaler appliance that has AAA-TM configured for authentication with a RADIUS Server might generate intermittent logon failures with the error message HTTP/1.1 Internal Server Error 6.

Application Firewall

  • Issue ID 0351544: The application firewall now supports sessionless cookie proxying on NetScaler cluster configurations that do not use the spotted VIP feature.

Application Firewall Signatures

  • Issue ID 0376437: To improve performance, when processing buffer overflow signatures the application firewall now evaluates PCRE regular expressions only when the minLength parameter is set.
  • Issue ID 0384103: You can now configure the JSON content types for your application firewall in the Manage JSON Content Types dialog box in the global settings. The dialog box is nearly identical to the Manage XML Content Types dialog box.
  • Issue ID 0390804: If you configure an application firewall profile but do not bind any signatures to it, the NetScaler appliance becomes unresponsive or fails if a user sends a request with a JSON body to a web site protected by that profile.

Cluster

  • Issue ID 0370814: A newly added node cannot synchronize the cluster configuration, because it cannot establish a connection to the cluster configuration coordinator. This issue might arise if the configuration coordinator rpcNode password on the new node is not the same as that on the configuration coordinator.

Configuration Utility

  • Issue ID 0360163: You cannot configure a GSLB service for which a server is not configured on the NetScaler appliance. The configuration utility displays the message Server must be specified.
  • Issue ID 0369583: If you use the configuration utility to view a Responder action, the Responder Actions page is reloaded.
  • Issue ID 0369900: When search results do not fit onto one page, duplicate records might appear on the second and subsequent pages.
  • Issue ID 0387554: On NetScaler appliances that run the cluster OS, user-defined control policies are not listed in the control flow and therefore do not appear in the Policy Manager. After these policies are bound to Global or an appropriate bind point, they are listed in the data flow.

Content Switching

  • Issue ID 0397673: When you configure a content switching rule that is evaluated before the user authenticates with AAA-TM, and the rule is supposed to redirect users to a specific virtual server on the basis of the user name, the rule fails.

Documentation

  • Issue IDs 0395277 and 0395282: The PDF format of NetScaler product documentation is no longer packaged with the NetScaler MPX, VPX, and SDX software. NetScaler product documentation is available in HTML format on the eDocs product library web site. You can generate a PDF for any topic from eDocs.

    To access NetScaler documentation on eDocs, see http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html.

Global Server Load Balancing

  • Issue ID 0394328: On a NetScaler appliance that has both a monitor and a GSLB view bound to a GSLB service, occasionally the view binding is not visible from the CLI and is not saved in ns.conf although the GSLB service is properly configured and UP.

Load Balancing

  • Issue ID 0376173: If two NetScaler appliances in a high-availability configuration have TCPB mode enabled globally, and you create a DNS TCP service, the service might be successfully created on the primary NetScaler appliance but fail on the secondary appliance.
  • Issue ID 0387253: When you create a new load balancing server on the configuration utility, occasionally a series of error messages appears indicating that the Load Balancing feature is not licensed, and you are unable to create the virtual server.
  • Issue ID 0391273: When you add a new server to an existing service group, the services in the group might be designated as DOWN even though monitoring probes succeed. To enable the services, unset the virtual server spillover method. They are then correctly designated as UP.

NetScaler Insight Center

  • Issue IDs 0377737 and 0365977: NetScaler Insight Center appliance fails to respond.
  • Issue ID 0378044: On the Configuration > Inventory > Application List page, the values for number of applications displayed and total number of applications can be incorrect.
  • Issue ID 0378652: The Page analysis button is in the wrong place and not functional on the Dashboard > Web Insight > URL page.
  • Issue ID 0381522: On the Dashboard > HDX Insight > Applications page, the Total Session Launch count displays an incorrect number of sessions launched.
  • Issue ID 0385895: The graph of user applications, which appears when you navigate to Dashboard > HDX Insight > Users <username> > <sessionID> > Applications > More <application name>, is incorrectly plotted.
  • Issue ID 0386543: No graph is plotted for users on the page that appears when you click the Dashboard > HDX Insight > Users <username> > <SessionID> > Applications > More button.
  • Issue ID 0387257: The introduction that appears when you log on to a new NetScaler Insight Center appliance provides only Web Insight information. It does not provide information about HDX Insight.
  • Issue ID 0388093: When the Dashboard tab displays reports, the text that appears when you click the orange icon beside a metric does not accurately describe the licensing issue.
  • Issue ID 0388453: On the Configuration > Inventory > Application List page, after you right-click a VPN application and select Enable AppFlow, then clear the ICA check-box and click Enable AppFlow, AppFlow is shown enabled, but no data is collected and therefore no reports are displayed on the Dashboard > HDX Insight page.
  • Issue ID 0388650: The NetScaler appliance crashes when AppFlow is enabled on the virtual servers from the NetScaler Insight Center appliance.
  • Issue ID 0390581: On the Dashboard tab, in some cases, the breadcrumb navigation does not display any text for labels.
  • Issue ID 0391336: The HDX Insight node appears even if all NetScaler appliances have only standard licenses. The node is supposed to appear only when at least one appliance has an Enterprise or Platinum license.
  • Issue ID 0391477: You cannot enable AppFlow on a VPN application for which you have specified an expression from the drop-down list.
  • Issue ID 0392515: Data collection cannot be enabled on virtual servers (load balancing, content switching, or VPN) that have space characters in their names.

NetScaler SDX Appliance

  • Issue ID 0385037: If the /var/mps/policy/mps_policy_backup.xml file is empty or corrupted, the appliance performs a core dump and the Management Service user interface is blank.

Networking

  • Issue ID 0359348: For an IPv6 load balancing virtual server that belongs to a traffic domain, and for which the persistence is set as cookieinsert, the NetScaler appliance does not insert the correct cookie in its response.

Platform

  • Issue ID 0360223: In certain cases, error messages on the console of an MPX 5550/5650 or MPX 8200/8400/8600 appliance continuously scroll if the physical registers are not correctly read.
  • Issue ID 0373125: The NetScaler hardware might sometimes report incorrect values for system health counters. The health counters are read over the SMBus, which is prone to reporting wrong or zero values.

SNMP

  • Issue ID 0246215: A new SNMP alarm, vridStateChange, indicates the change of the state of a VRID from backup to master in an active-active configuration. The NetScaler appliance in which the state of a VRID changes to master sends a trap message for each VIP address bound to that VRID to the configured SNMP managers, indicating that the NetScaler appliance is currently serving traffic for a particular VIP address bound to that VRID. If no VIP addresses are bound to that VRID, the appliance does not send any trap messages.

SSL

  • Issue ID 0392683: In some cases, parsing an incorrectly formatted client certificate might take more than a few seconds. The delay can trigger the monitoring logic to terminate the process and restart the appliance.

System

  • Issue ID 0384153: When selective acknowledgement (SACK) and partial buffering are enabled on the appliance, acknowledgements with an incorrect TCP checksum are forwarded to the server.
  • Issue ID 0392293: The NetScaler wrongly advertises TCP buffer size to the client side when dynamic windows management is enabled and the service-side buffer size is greater than 40k. This issue is observed when two different TCP profiles are bound to the virtual server (buffer size is 8k) and the service (buffer size > 40k) and causes failure when the NetScaler is uploading files.

Known Issues and Workarounds

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.
  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

    For example, if you have two sets of custom signatures named custom_signatures and custom_signatures_2 that are based on copies of the default signatures file, you would update the signatures on your NetScaler appliance by issuing the following commands:

    update appfw signatures "*Default Signatures"
    update appfw signatures "custom_signatures"
    update appfw signatures "custom_signatures_2"

Cluster

  • Issue ID 0395735: The NetScaler appliance dumps a core when creating a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.

    Workaround: Make sure you delete existing TFTP load balancing virtual servers before creating the cluster or high availability setup.

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0372535: The pagination count on the page listing SSL policies that can be bound does not display the correct values.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0387135: If you access the NetScaler configuration utility through Internet Explorer 8, an attempt to view more than 25 load balancing virtual servers per page results in an alert message about an unresponsive script.

    Workaround: Do not change the default pagination value (25). If you change the default pagination value and the appliance prompts you to stop running the script, choose to continue.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java-based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java-based configuration views. Microsoft Windows 8 does not support plug-ins in the Start screen, and therefore Java cannot run in the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching

  • Issue ID 0399575: When configuring load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you have a load balancing virtual server with a service type of HTTP, and assign a backup virtual server with a service type of TCP to it, any content switching action bound to it fails.

Documentation

  • Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes.

    See Configuration Utility Changes for information on the new node structure.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:
    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Global Server Load Balancing

  • Issue ID 0385305: In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the add locationFile command, the command is not synchronized to the remote location.

Load Balancing

  • Issue ID 0383402: If a virtual server is UP by virtue of its service(s) being in the Transition Out-Of-Service (TROFS) state, clients receive no response (instead of a 503 or an RST), because requests are queued at the virtual server rather than at the services.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.
  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path argument are not explicitly set.
    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp"
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp"

NetScaler Insight Center

  • Issue ID 0369664: In HDX Insight mode, data is sent to the AppFlow collector even when the policy rule is set to FALSE.

    Workaround: Start the session again.

  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: In transparent mode, when you launch XenApp through Citrix Receiver (standard edition), the app launch duration is shown as zero.
  • Issue ID 0388875: If the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, and the page size is set to 25, only the first 25 virtual servers are shown. The list does not continue on another page.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.

    Workaround: The correct value is displayed in the Dashboard > HDX Insight > Applications page.

  • Issue ID 0397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports display session termination records.
  • Issue ID 0400545: The help page on the Graphical User Interface (GUI) displays incorrect information for enabling data collection.

    Workaround: To view the details, click the help icon in the graphical user interface. When the help page opens, click the TOC tab and navigate to NetScaler Insight Center 10.1 > Enabling Data Collection.

  • Issue ID 0400665: The HDX Insight node is not displayed for Enterprise licenses of NetScaler appliances.
  • Issue ID 0400900: The load time and render time metrics are not displayed for Standard Licenses of NetScaler appliances.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the status of the member interfaces might appear as Error-Disabled (in the command line) or DOWN (in the configuration utility) of the NetScaler instance.

    Workaround: After creating a channel by using the Management Service, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable on the network.
  • Issue ID 0399630: If a new interface is bound to an LACP channel by using the Management Service, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of the NetScaler instance modify wizard.

    Workaround: Modify the NetScaler instance and remove the non-existent channel from the VLAN settings page.

  • Issue ID 0400409: While modifying a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.

    Workaround: Provision the NetScaler instance again.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.
  • Issue ID 0400607: If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.
  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on this channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0371613: If you synchronize a high availability configuration with the network firewall mode set to BASIC on the current secondary node, the synchronization of configuration files from the primary to secondary node fails. The failure occurs with both the sync HA file command on the NetScaler command line and the Start HA files synchronization dialog box in the configuration utility.
    Workaround: Add the following extended ACL on each of the nodes of an HA configuration:
    add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following command on the primary node:

    add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    and the following command on the secondary node:

    add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while configuring an extended ACL by using the configuration utility, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 error messages that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. You must use the CLI. However, you can use the configuration utility to bind and unbind classic SSL policies.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
  • Issue ID 0400084: An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.

    Workaround: Disable SPDY in the Chrome browser.

  • Issue ID 0400649: In the NetScaler configuration utility, the FipsKey parameter does not appear in the Install Certificate dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.

    Workaround: Use the command line interface.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.
    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue ID 0390257: SNMP returns incorrect values for the ifOutOctets and ifInOctets counters.
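
The following is an added example, not Citrix code, of one way to apply the Issue ID 0388481 workaround to a copy of ns.conf before upgrading: it removes the -time argument only from the three alarms named in that issue and reports each changed line. The function name and the sample configuration are constructed for illustration.

```python
import re

# Alarms whose -time parameter the release note says is deprecated in 10.x.
DEPRECATED_TIME_ALARMS = {"IP-CONFLICT", "HA-LICENSE-MISMATCH", "HA-PROP-FAILURE"}

SET_ALARM = re.compile(r"^\s*set\s+snmp\s+alarm\s+(\S+)", re.IGNORECASE)
# Whitespace after "-time" is required, so a longer option name never matches.
TIME_ARG = re.compile(r"\s+-time\s+\S+", re.IGNORECASE)


def strip_deprecated_time(conf_text):
    """Return (new_text, changes); changes holds (line_no, old_line, new_line)."""
    out, changes = [], []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = SET_ALARM.match(line)
        if m and m.group(1).strip('"').upper() in DEPRECATED_TIME_ALARMS:
            new_line = TIME_ARG.sub("", line)
            if new_line != line:
                changes.append((line_no, line, new_line))
                line = new_line
        out.append(line)
    return "\n".join(out) + "\n", changes


# Constructed ns.conf excerpt (not taken from a real appliance).
SAMPLE_NS_CONF = """\
set snmp alarm IP-CONFLICT -time 86400
set snmp alarm HA-LICENSE-MISMATCH -time 86400 -severity Major
set snmp alarm HA-PROP-FAILURE -severity Minor
set snmp alarm SYNFLOOD -time 60
add snmp manager 198.51.100.50
"""

if __name__ == "__main__":
    cleaned, changes = strip_deprecated_time(SAMPLE_NS_CONF)
    for line_no, old, new in changes:
        print(f"line {line_no}: {old!r} -> {new!r}")
    print(cleaned, end="")
```

Run it against a backup copy of ns.conf and review the reported changes before replacing the file on the appliance.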

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.