Release Notes for NetScaler 10.1 Enhancement Releases

This document describes the enhancements and known issues in the enhancement releases of the Citrix NetScaler software.

Note: For the release notes of the NetScaler 10.1 main release, see Release Notes.

Build 129.1105.e

Release version: Citrix NetScaler release 10.1.e build 129.1105.e

Replaces build: None

Release date: Oct 2014

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 10.1 build 129.11. The release notes are available in the Build 129.11 section on Citrix eDocs.

  • The enhancements and known issues in this release apply to Citrix NetScaler 10.1.e nCore.

Bug Fixes

Networking

  • Issue ID 490341: With MAC based forwarding (MBF) option enabled, the NetScaler ADC does not update Layer 2 information such as MAC address, interface ID, and VLAN ID, for a dynamic service even when the associated router is inactive. As a result, the router drops the packets destined to the IP address specified by the dynamic service.

Build 127.1007.e

Release version: Citrix NetScaler release 10.1.e build 127.1007.e

Replaces build: None

Release date: Aug 2014

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 10.1 build 127.10. The release notes are available in the Build 127.10 section on Citrix eDocs.

  • The enhancements and known issues in this release apply to Citrix NetScaler 10.1.e nCore.

Bug Fixes

High Availability

  • Issue ID 469857: On a HA setup, even though the source IP is not explicitly set to *, the output of the "show ns rpcNode" commands shows the source IP as *. Therefore, when HA failover happens for the second time, the LB persistency session information is not propagated to the secondary node. This means that the information is not available when a forced failover is performed on the new primary node.

    The fix ensures that the NetScaler IP (NSIP) address of the local box is always set as the source IP address in a HA setup.

NetScaler Gateway

  • Issue ID 484245: If Kerberos uses x.509 certificates (PKINIT) for single sign-on, NetScaler Gateway fails to obtain tickets if the Key Distribution Center (KDC) returns a realm referral. This can cause the NetScaler Gateway appliance to fail.
  • Issue ID 461279: When users upgrade the NetScaler Gateway Plug-in from Version 10.1.122.17 or later to the latest Version 10.1 Maintenance Release on a computer that includes an installation of Citrix Receiver, the automatic upgrade fails.
  • Issue ID 463871: If you bind SAML and LDAP authentication polices to the virtual server for two-factor authentication, after authenticating with SAML which is primary authentication type the LDAP user name populates automatically. If the first logon attempt to LDAP fails, user names are case-sensitive and must be entered again exactly as it appears after SAML authentication. For example, if the user name is populated as JohnDoe@xyzz.com and the user types johndoe@xyzz.com during the subsequent attempt, log on fails.
  • Issue IDs 481889, 486176: In a high availability deployment, if the NetScaler Gateway virtual server is missing on the secondary appliance, NetScaler Gateway fails during session propagation.

NetScaler SDX Appliance

  • Issue ID 423917: DNS configuration is not included in backup files

    Workaround:Configure the DNS configuration through network settings option


Build 126.1203.e

Release version: Citrix NetScaler release 10.1.e build 126.1203.e

Replaces build: None

Release date: June 2014

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 10.1 build 126.12. The release notes are available in the Build 126.12 section on Citrix eDocs.

  • The enhancements and known issues in this release apply to Citrix NetScaler 10.1.e nCore.

Enhancements

Networking

  • Issue ID 437359: A parameter Source IP Persistency has been introduced in RNAT rules and Netprofiles:

    Source IP Persistency for RNAT Sessions

    The source IP persistency of a RNAT rule enables the NetScaler ADC to use the same NAT IP address for all RNAT sessions initiated from a particular server.

    Source IP Persistency for NetProfiles

    The source IP persistency of a netprofile associated with a virtual server or service enables the NetScaler ADC to use the same address, specified in the net profile, for all sessions initiated from a particular client.

Bug Fixes

NetScaler SDx Appliance

  • Issue ID 0475099: Configuring a wrong DNS IP address was slowing internal communication between Management Service and XenServer. With the current release, the DNS look up will be ignored for internal communication.

Known Issues

Configuration Utility

  • Issue IDs 0447077 and 0460857: If you create a monitor by using the graphical user interface and choose the default browse option to select the in-built monitor scripts from the /nsconfig/monitors folder, the folder does not display any scripts to choose.

Networking

  • Issue ID 0438557: The NetScaler appliance might consume excessive CPU cycles when processing ACL rules.

NetScaler SDX Appliance

  • Issue ID 0456884: When you click on a NetScaler IP address in the SVM GUI, the NetScaler configuration utility opens without prompting for logon credentials. Log on is done through single sign on (SSO).
  • Issue ID 0460376: Management service was showing wrong alert for power supply status with the message that "One of the two power supplies is not working.

Platform

  • Issue ID 0436380: The LCD display on the front of every NetScaler SDX appliance, except SDX 11500/13500/14500/16500/18500/20500 and SDX 11515/11520/11530/11540/11542 displays a booting message when the appliance is started or restarted.

    The LCD has a neon backlight. Normally, the backlight glows steadily. When there is an active alert, it blinks rapidly. When the appliance shuts down, the backlight remains on for one minute and then automatically turns off.

    Note: The LCD screen on a NetScaler SDX appliance displays the base model number for that platform. To view the licensed model number of the appliance, log on to the Management Service and check the licensed model number on the top left corner of the screen. For example, if you have purchased an SDX 11515 license, the LCD screen displays SDX 11500, and the Management Service screen displays NetScaler SDX (11515).

    On some SDX platforms, the LCD backlight might not work. Therefore, the display might not be clear.

System

  • Issue ID 0360334: SNMP Trap for Port Allocation Failures

    NetScaler ADC sends SNMP trap when port allocation fails on the NetScaler. The following SNMP OID is added: dstip (1.3.6.1.4.1.5951.1.1.0.143)

  • Issue ID 0403733: The NetScaler appliance does not make a log entry in the ns.log file when the port limit is exceeded.
  • Issue IDs 441843, 457850 and 451285: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.

Build 124.1311.e

Release version: Citrix NetScaler release 10.1.e build 124.1311.e

Replaces build: None

Release date: May 2014

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 10.1 build 124.13. The release notes are available in the Build 124.13 section on Citrix eDocs.

  • The enhancement and known issues in this release apply to Citrix NetScaler 10.1.e nCore.

Enhancements

Source IP Persistency for RNAT Sessions

  • ENH ID 0437359: The source IP persistency of a RNAT rule enables the NetScaler appliance to use the same NAT IP address throughout a particular RNAT session.

Source IP Persistency for NetProfiles

  • ENH ID 0437359: The source IP persistency of a netprofile associated with a virtual server enables the Netscaler appliance to use the same source IP address, specified in the netprofile, throughout a particular session to a server bound to the virtual server.

Known Issues

Networking

  • Issue ID 0455936: The source IP persistency functionality might not work for an RNAT rule that does not have the NAT IP parameter set to an IP address.
  • Issue ID 0459679: If you have enabled Source IP Persistency on multiple IPv4 RNAT rules that have the same condition but with different NAT IP addresses, the NetScaler command line and the configuration utility displays Source IP Persistency as ENABLED only for one of these rules.

Build 124.1308.e

Release version: Citrix NetScaler release 10.1.e build 124.1308.e

Replaces build: None

Release date: April 2014

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 10.1 build 124.13. The release notes are available in the Build 124.13 section on Citrix eDocs.

  • The enhancement in this release apply to Citrix NetScaler 10.1.e nCore.

Enhancements

Configuring RISE with NetScaler ADC and Cisco Nexus 7000 Switches

  • ENH ID 0413833: You can now use Remote Integrated Service Engine (RISE) technology to integrate a NetScaler ADC and a Cisco Nexus 7000 Series switch. This combination offers layered network services, including robust application delivery capabilities that accelerate application performance for all users.

    With a RISE based implementation, the NetScaler functionality is available as a centralized resource that can be leveraged across the application infrastructure supported by the Cisco Nexus 7000 series switch. The key functionalities of the RISE architecture include:

    • Plug and play auto-provisioning

      RISE provides a plug and play auto-provisioning feature. When you directly connect the NetScaler ADC to the Cisco Nexus 7000 series switch, auto-discovery commences.

    • Discovery and bootstrapping

      The discovery and bootstrap mechanism enables the Cisco Nexus 7000 Series switch to communicate with the NetScaler ADC by exchanging information to set up a RISE channel, which transmits control and data packets.

    • Health Monitoring

      The NetScaler ADC uses its health monitoring feature to track and support server health by sending health probes to verify server responses.

    • Automatic Policy Based Routing (APBR)

      Automatic Policy Based Routing (APBR) automatically routes the return traffic from the servers to the NetScaler ADC, preserving the client IP addresses. The automatic policy based routes are defined on the Cisco Nexus 7000 series switch. When the return traffic from the server reaches the Cisco Nexus 7000 series switch, the APBR policies defined on the switch route the traffic to the NetScaler ADC, which in turn routes the traffic to the client.

Stateful Connection Failover support for Load Balancing Virtual Server in TOS mode

  • ENH ID 0436500: In a High Availability (HA) setup, stateful connection failover is now supported for load balancing virtual servers configured in TOS mode.

    With stateful connection failover enabled, the secondary appliance has information about the connections established before the failover and starts serving those already established connections after the failover.

    After HA failover, the client remains connected to the same physical server. The new primary appliance synchronizes the information with the new secondary appliance by using the SSF framework. During the transition period, the client and server may experience a brief disruption and retransmissions.


Build 123.1100.e

Release version: Citrix NetScaler release 10.1.e build 123.1100.e

Replaces build: None

Release date: March 2013

Release notes version: 2.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 10.1 build 123.11. The release notes are available in the Build 123.11 section on Citrix eDocs.

  • The enhancements and known issue in this release apply to Citrix NetScaler 10.1.e nCore™.

Enhancements

Variable Support for Policies

  • ENH ID 0368447: This enhancement allows state information, in the form of variables, to be stored and used on NetScaler appliances . Variables can be of ulong, text, or map types. A map can have ulong and text type elements. And the map key is always text.

    Note:
    • Variables are not supported in a high availability setup.
    • Once configured, a variable's settings cannot be modified or reset. If the variable needs to be changed, the variable and all references to the variable (expressions and assignments) need to be deleted. Then the variable can be re-added with new settings, and the references (expressions and assignments) can be re-added.
    To use variables by using the command line interface
    1. Create a variable. Variables can be of singleton (ulong and text) and map type.
      //Declares a single valued 64-bit integer variable named my_counter. It is initialized to 0.
      add ns variable my_counter –type ulong
      //Declares a map named user_privilege_map that will contain keys of maximum length 15 characters and text values of maximum length 10 characters, with a maximum of 10000 entries. If the map contains 10000 unexpired entries, assignments for new keys reuse one of the least recently used entries . By default, an expression trying to get a value for a non-existent key will initialize an empty text value.
      add ns variable user_privilege_map -type map(text(15),text(10),10000)
    2. Specify the assignment for the variable. The assignment specifies the value or operation to be performed on that variable.
      //Defines an assignment named inc_my_counter that automatically adds one to the my_counter variable.
      add ns assignment inc_my_counter -var $my_counter -add 1
      //Defines an assignment named set_user_privilege that adds to the user_privilege_map variable an entry for the client's IP address with the value returned by the get_user_privilege HTTP callout. If an entry for that key already exists, the value will be replaced. Otherwise a new entry for the key and value will be added. Based on the previous declaration for user_privilege_map, if the map already has 10000 entries, one of the least recently used entries will be reused for the new key and value.
      add ns assignment set_user_privilege -var $user_privilege_map[client.ip.src.typecast_text_t] -set sys.http.callout(get_user_privilege)
      //Defines an assignment named clear_user_privilege that clears the entry for the client's IP address in the user_privilege_map variable.
      add ns assignment clear_user_privilege -var $user_privilege_map[client.ip.src.typecast_text_t] -clear
    3. Configure the assignment as an action for a policy.
      //Configures the assignment set_user_privilege with a compression policy
      add cmp policy set_user_privilege_pol -rule $user_privilege_map.valueExists(client.ip.src.typecast_text_t).not -resAction set_user_privilege
    To use variables by using the configuration utility
    1. Navigate to AppExpert > NS Variables, to create the variables.
    2. Navigate to AppExpert > NS Assignments, to assign values to the variables.
    3. Navigate to the appropriate feature area where you want to configure the assignment as an action.

For more information, see Variables.

Known Issue

Configuration Utility

  • Issue ID 0419226: In the configuration utility, the online help for the content accelerator feature mentions a video that is not available.


Build 122.1708.e

Release version: Citrix NetScaler release 10.1.e build 122.1708.e

Replaces build: None

Release date: February 2014

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 10.1 build 122.17. The release notes are available in the Build 122.17 section on Citrix eDocs.

  • The enhancements and known issues in this release apply to Citrix NetScaler 10.1.e nCore.

Enhancements

Adaptive Threshold in NetScaler Insight Center

  • ENH ID 0378995: The adaptive threshold functionality in NetScaler Insight Center dynamically sets the threshold value for the maximum number of hits on each URL. If the maximum number of hits on a URL is greater than the threshold value set for the URL, a syslog message is sent to an external syslog server. The threshold value can be set for daily or weekly interval.

    For more information, see Managing Threshold.

Provisioning Palo Alto VM-Series Instances on a NetScaler SDX Appliance

  • ENH ID 0357214: Palo Alto Networks VM-Series on Citrix NetScaler SDX enables consolidation of best-in-class security and ADC capabilities on a single platform, for secure, reliable access to applications by businesses, business units, and service-provider customers. The combination of VM-Series on Citrix NetScaler SDX also provides a complete, validated, security and ADC solution for Citrix XenApp and XenDesktop deployments.

    You can provision, monitor, manage, and troubleshoot an instance from the Management Service.

    Note: The total number of instances that you can provision on an SDX appliance depends on the license installed on the appliance.
    Important: You must upgrade your XenServer version to version 6.1.0 and install the xs-netscaler-6.1.0-2.6.32.43-0.4.1.xs1.6.10.777.170770-100012 supplemental pack.

    For more information, see Palo Alto Networks VM-Series.

Known Issue

Configuration Utility

  • Issue ID 0419226: In the configuration utility, the online help for the content accelerator feature mentions a video that is not available.


Build 121.1013.e

Release version: Citrix NetScaler release 10.1.e build 121.1013.e

Replaces build: None

Release date: December 2013

Release notes version: 1.0

Language supported: English (US)

Note:
  • This release is based on Citrix NetScaler release 10.1 build 121.10. The release notes are available in the Build 121.10 section on Citrix eDocs.

  • The enhancements and known issue in this release apply to Citrix NetScaler 10.1.e nCore™.

Enhancements

Authentication and Authorization Enhancements

  • ENH ID 0399086: With this release, the following authentication and authorization capabilities are supported on NetScaler SDX appliance:

    • External authentication for RADIUS, TACACS, and LDAP servers.
    • Group extraction capability for LDAP and RADIUS authentication types.
    • Authentication and authorization for requests through SSH. However, the authorization of SSH users is limited to super-user privileges only.
    • Audit logs for RADIUS and TACACS servers. You need to enable the Accounting option for the servers in the Management Service.

    For more information, see Configuring Authentication and Authorization Settings.

User Name and Password Length Extended to 127 Characters

  • ENH ID 0325421: User names and passwords on the NetScaler appliance can now be up to 127 characters in length. Usernames and passwords can consist of upper-case and lower-case letters, digits, and the hyphen and underscore characters.

Content Accelerator

  • ENH ID 0400961: The NetScaler provides a feature called Content Accelerator, that can be used in a Citrix ByteMobile T1100 deployment, to store content on a Citrix ByteMobile T2100 appliance. For more information, see Content Accelerator.

Known Issue

Configuration Utility

  • Issue ID 0419226: In the configuration utility, the online help for the content accelerator feature mentions a video that is not available.