Release Notes for NetScaler 10.1 Maintenance Releases

This document describes the enhancements, fixed issues, and known issues in the maintenance releases of Citrix NetScaler, Citrix NetScaler SDX, and Citrix NetScaler Insight Center.


Build 131.7

Release version: Citrix NetScaler, version 10.1 build 131.7

Replaces build: None

Release date: March 2015

Release Notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

SSL

  • Issue ID 490273, 378182, 404081: On all the NetScaler MPX platforms, DH cryptographic operation is now offloaded to the hardware, reducing the load on the CPU. If your deployment uses DH crypto operations heavily, you will notice a performance improvement.

Bug Fixes

AAA-TM

  • Issue ID 530792: In a AAA-TM setup that has 401 authentication enabled on the load balancing virtual server, the NetScaler appliance can, in some cases, go down if it receives a malformed authorization header.
  • Issue ID 527651: The NetScaler appliance can fail if the logout of the AAA-TM session is initiated through a traffic policy. The configuration that can lead to this is of the form:

    > add tm trafficAction testAction1 -InitiateLogout ON

    > add tm trafficPolicy testPolicy1 <rule> testAction1

AppFlow

  • Issue ID 472971: The HTML Injection JavaScript is incorrectly inserted into one of the JavaScript responses sent by the server, causing the page to fail to load.
  • Issue ID 523088: If you have enabled AppFlow for ICA on a NetScaler ADC, the ADC fails while processing Common Gateway Protocol (CGP) packets.

Application Firewall

  • Issue ID 528170: The external syslog servers are not able to properly display the audit-log messages from the NetScaler application firewall, because the messages are longer than expected. With this fix, the messages are the correct length.
  • Issue ID 511480: After an upgrade from a 9.3 build, the user interfaces display inaccurate information about classic policy bindings and inheritance. With this fix, both the configuration utility and the command line interface display the information accurately.

Cache Redirection

  • Issue ID 509690: The NetScaler ADC fails if the cache redirection virtual server and the httpport parameter point to the same service. For example, the following configuration causes the ADC to fail:

    > set ns param -httpport 80

    > add cr vserver cr1 http * 80

    > set cr vserver cr1 -listenpolicy "client.ip.src.eq(1.1.1.1)"

    Workarounds:

    Add a listen policy when you add the cache redirection virtual server. For example:

    > set ns param -httpport 80

    > add cr vserver cr1 -td 0 HTTP * 80 -range 1 -cacheType TRANSPARENT -Listenpolicy "CLIENT.IP.DST.EQ(4.4.4.10)"

    OR:

    Unset the httpport parameter. For example:

    > unset ns param httpport

    > add cr vserver cr1 http * 80

Command Line Interface

  • Issue ID 508618, 508815: The NetScaler ADC fails to run commands that have arguments that accept string values when the value starts with a hyphen (-).

    For example, the NetScaler ADC fails to run the following command, because the value expected for the uat argument is a string that begins with a hyphen:

    bind policy patset ps_adi_any_robots_deny -uat -index 1

Configuration Utility

  • Issue ID 353015: Load balancing virtual servers that are used by AppExpert applications are displayed in nodes other than the AppExpert node. For example, they are displayed in the Available Virtual Servers list in the "Create Persistency Group" dialog box (Load Balancing > Persistency Groups > Add) and in the Target Load Balancing Virtual Server list in the "Create Content Switching Action" dialog box (Content Switching > Actions > Add).
  • Issue ID 521579, 508630, 519918, 521983: The statistics of service group members do not appear correctly in the configuration utility.
  • Issue ID 522511, 517993: The NetScaler configuration utility displays the following error message if a user with no shell access logs on to the NetScaler appliance: "Not authorized to execute this command".
  • Issue ID 522654: If you configure a command policy for a system user (System > User Administration > Users > <username> > Edit > Insert) by using the NetScaler configuration utility, the check boxes do not function as expected on the Command Policies screen.
  • Issue ID 375277, 322602, 334465, 396405, 412455, 419503, 438382, 438534, 438796, 441853, 446387, 448361: If a NetScaler connection from a client is closed without the client logging out, the session created for that connection remains active until the configured timeout period elapses. If this happens frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.
  • Issue ID 420736, 536924: When you use the configuration utility to create a certificate, an error message appears even if the validity period specified is within the acceptable range.
  • Issue ID 524143: The NetScaler configuration utility displays the following error message if a user with no shell access logs on to the NetScaler appliance: "Not authorized to execute this command".
  • Issue ID 529177: Although the default value of the sslv2redirect parameter is “Disabled,” the configuration utility incorrectly shows this value as “Enabled” for a new SSL virtual server.

Content Switching

  • Issue ID 523636, 532832, 533690: If you perform the following sequence of actions, the second command fails when the restart process runs the commands, because that process adds the gotopriorityexpression to the second binding:

    1. Bind a policy to a content switching virtual server and specify a gotopriorityexpression.

    2. Bind a filter or compression policy to another content switching virtual server without specifying a gotopriorityexpression.

    3. Save the configuration and restart the appliance.

GSLB

  • Issue ID 497412: If you force synchronization of the GSLB configuration, the non-default settings on the RPC node are lost. As a result, the GSLB auto-sync functionality is lost.
  • Issue ID 433094, 469937, 517974: The NetScaler ADC fails if a VPN session action, a WI home page, or DBS services are configured with a domain name that at the same time is managed by a GSLB virtual server configured with static proximity or RTT load balancing methods.
  • Issue ID 505932: A NetScaler appliance in a GSLB configuration might fail if the public IP address of a GSLB service is different on two GSLB sites and, on one of the sites, the public IP address for that service is the address of a load balancing virtual server.
  • Issue ID 517961: If the disablePrimaryOnDown parameter is configured on the primary GSLB virtual server, the primary GSLB virtual server remains in the DISABLED state even after its health state is UP. The backup GSLB virtual server continues to serve the traffic until HA failover, or until you manually enable the primary GSLB virtual server.
  • Issue ID 498854: The show gslb service command now displays the following values related to the GSLB service:

    - Last State Change

    - Time since last state change

    - Client and Server idle timeout

  • Issue ID 511878: If the length of the domain name bound to a GSLB virtual server exceeds 31 characters, the domain name is displayed as HASHED STRING during an SNMP MIB Walk operation.
  • Issue ID 519589: All GSLB features except DNS views, auto sync, and static proximity are supported for IPv6.

High Availability

  • Issue ID 524146, 526699: In a high availability configuration, if the diff ns config command includes the -ignoreDeviceSpecific parameter, the command fails and does not display the difference in configurations between the two nodes.
  • Issue ID 519085, 525203, 533671, 534616, 537991, 539518, 541525: If the link between the primary and secondary appliance is very slow and there are a large number (millions) of sessions to be synchronized (because of, for example, load balancing persistence), the primary appliance quickly consumes all the NetScaler memory available for buffering. The lack of buffer space for other subsystems can result in various disruptions, such as failover.

Load Balancing

  • Issue ID 516615: If your spillover policy contains the ACTIVETRANSACTIONS or the SURGECOUNT expression (for example, <expression>.ACTIVETRANSACTIONS.GT(<N>)), traffic might spill over to the virtual server bound to this policy even though the current value of the counter has not reached N. This is because these two expressions use an arbitrary number for comparison.

    For example, spillover to a virtual server bound to the following policy might occur before the active transactions counter reaches a value of 10:

    SYS.VSERVER("A").ACTIVETRANSACTIONS.GT(10) -action spillover

  • Issue ID 505543: The NetScaler ADC might fail if a high idle timeout value is set on a TFTP load balancing virtual server and the ADC runs out of memory.
  • Issue ID 519644: The SIP monitor probe has an invalid character in the VIA header. As a result, the probe fails and an incorrect service state might appear.
  • Issue ID 443027: The NetScaler ADC might fail after you rename a server that is bound to a service group. This problem does not occur if you assign a name to a server that was previously identified by its IP address.

NetScaler Gateway

  • Issue ID 527757: If a user installs Microsoft Security Bulletin MS14-080 (KB3025390) for Internet Explorer 11, then uses the IE 11 browser to log on to a NetScaler Gateway virtual IP with endpoint analysis, either as pre-authentication or post-authentication check, the endpoint analysis fails and a Download or Skip Check button appears in the browser.
  • Issue ID 529205: If AAA sessions with no associated VPN virtual servers exist on the secondary NetScaler after a failover, the secondary NetScaler can fail during session synchronization from the primary.
  • Issue ID 523321, 534178: On nCore systems, when pre-authentication policies are configured or when an admin session times out, a core dump might occur when the NetScaler Gateway appliance cleans up the session.
  • Issue ID 459311: When a user logs on with the NetScaler Gateway Plug-in, if a Domain Name System (DNS) suffix is configured on the user device, resolution fails. This occurs if a DNS server is not configured and all of the following are configured on the NetScaler Gateway appliance:

    - Authoritative DNS

    - DNS address record configured with the host name only

    - DNS Suffix

  • Issue ID 528011, 527990: If preauthorization is configured on a NetScaler Gateway nCore appliance, the system might fail while cleaning up after an interrupted session. Even if preauthorization is not configured, the system can fail while cleaning up after a session timeout.
  • Issue ID 491076, 535339: Java Runtime Environment (JRE) version 7, update 51 or later, displays a security warning when NetScaler Gateway for Java is launched. In some cases, JRE blocks the launch.
  • Issue ID 503811: On MPX devices, there can be a delay in delivering UDP packets from the server to the client in full tunnel mode.
  • Issue ID 511805, 532549: The NetScaler Gateway appliance fails during the device certificate check if AppController is configured on the virtual server.
  • Issue ID 535530: The NetScaler GUI blocks the creation of a Session Action with a "forced time out" value greater than 255 (256 - 65535). The acceptable range for the "forced time-out" property was increased to 65535 at the back end, but the GUI does not reflect the change.
  • Issue ID 531956, 538937: In a high-availability (HA) configuration, the secondary appliance may fail occasionally due to a duplicate attempt to free a AAA context.
  • Issue ID 522700, 531535: If the NetScaler Gateway virtual server is behind a proxy server and its fully qualified domain name (FQDN) is not resolvable by the local DNS server, endpoint analysis fails and a "failed sending epaq" error message appears.
  • Issue ID 531520: Remote users who use the Windows full client/plugin to access NetScaler Gateway can encounter an issue if the Internet Explorer browser has "Automatic Configuration Script" settings configured for Proxy, and the automatic configuration script file is unreachable from the user device at the time of Gateway session establishment. In this scenario, the Windows plugin incorrectly connects to the Proxy server configured in the Manual Settings and fails to establish the session. The expected correct behavior in this situation would be to bypass the proxy and connect to NetScaler Gateway directly.

    Users are affected only if:

    1. They use the Windows full client for establishing the gateway session

    AND

    2. They have both an Automatic Configuration script and a Manual configuration for Proxy in their Internet Explorer settings

    AND

    3. The configured Automatic Proxy script file happens to be unreachable from the user's device (for example, the Automatic Proxy script file address is an internal address and not reachable remotely).

NetScaler Insight Center

  • Issue ID 541712: You cannot install an SSL certificate on a NetScaler Insight Center virtual appliance.

NetScaler SDX Appliance

  • Issue ID 440208: If a new SSL certificate that requires a key is installed without the key, access to management service GUI is lost.
  • Issue ID 512624: When a NetScaler VLAN with the tagged option for channels is selected, the native VLAN also gets tagged inside the NetScaler VPX for the channel.
  • Issue ID 525871: The NetScaler SDX appliance fails if it receives SNMP requests before system initialization.
  • Issue ID 536844: Some of the NICs may become unusable and may not be visible in the Management Service on SDX220XX and SDX241XX platforms running XenServer 6.1 Supplemental Pack 100016A.

Networking

  • Issue ID 522538: Upon receiving Generic Routing Encapsulation (GRE) packets as IP fragments on a virtual server with protocol ANY, the NetScaler ADC fails and restarts. This occurs only when you do not explicitly configure a GRE tunnel on the NetScaler ADC.
  • Issue ID 438901: In a high availability (HA) configuration, ACL rules that are configured to block SSH related packets also block HA file synchronization that internally uses the SSH protocol.
  • Issue ID 355965, 485260: In an active-active configuration, services bound to the backup VIP addresses do not send monitor probes to the associated servers.
  • Issue ID 528554: An ACL6 rule might not get evaluated for a series of TCP packets.
  • Issue ID 507345: If you bind an interface with a unit number greater than 31 to a VLAN that is used as a Sync VLAN in an HA configuration, the Sync VLAN becomes non-operational.

Platform

  • Issue ID 251216, 302381: The user interfaces (command line and configuration utility) of a NetScaler instance running on an SDX appliance do not display the actual state of the management ports.
  • Issue ID 510673, 517241, 538267: NetScaler VPX instances running on VMware ESXi lose network connectivity when you apply either of the following patches:

    - ESXi550-201410401-BG

    - ESXi510-201410401-BG

    Workaround: For more information, see http://support.citrix.com/article/CTX200278.

  • Issue ID 525360: On NetScaler MPX 22040/22060/22080/22100/22120 and ByteMobile T1200 appliances, SNMP-based alarms are supported for only the first two power supplies.

System

  • Issue ID 524949: If you enable SPDY and the SPDY layer accumulates more than 8912 bytes of set-cookie values while processing a server response, a buffer overrun causes the NetScaler appliance to fail.
  • Issue ID 527320, 527211: If the NetScaler appliance uses the HTTP pipeline to parse an HTTP request, and the parsing process fragments the request packet, the appliance might not unset the NS_FINAL_DATA flag after receiving a fragment of the packet. In that case, the appliance fails.
  • Issue ID 504910: If a non-HTTP request is received on an HTTP virtual server, the transaction might fail.
  • Issue ID 532042, 447664, 532587, 533164: The ns_monuploadd_err.pl script monitors the health of the NetScaler appliance by looking for errors recorded in the log files. The script decompresses the log files and does not remove the decompressed log files, which therefore consume disk space.
  • Issue ID 532316, 532045, 533018, 534634, 534671, 537616: When the NetScaler ADC encounters congestion with HA or LACP packets, it cannot recover and packet transmission stops. This is applicable to the management ports on NetScaler SDX appliances and to all ports on NetScaler VPX instances running on XenServer.
  • Issue ID 451841, 332826, 346327, 361979, 465489, 485864: When upgrading the NetScaler software from release 9.3, without a cache license, to release 10.0 or later, with a cache license, you have to apply the cache configuration manually to enable the integrated caching feature.
  • Issue ID 519004, 528861: A NetScaler ADC processing SPDY traffic on SPDY-enabled virtual servers fails intermittently if an HTTP response body is received with chunked transfer-encoding and the response header is modified by other NetScaler features.
  • Issue ID 286861, 301935, 513312, 522183, 541332: If password based authentication is used to open an SSH session to a NetScaler appliance, the wrong remote IP address is sent to the NetScaler syslog records.
  • Issue ID 486257: The NetScaler randomly crashes when SPDY is enabled on a NetScaler deployment that has integrated caching or front end optimization enabled. This occurs due to some interaction issues.

    Workaround: Disable SPDY when integrated caching or front end optimization is enabled.

  • Issue ID 528309: A NetScaler VPX virtual appliance with multiple packet engines fails if you enable the nstrace feature in TX mode with an advanced filter expression.
  • Issue ID 488110, 496136: The save ns config command and the nsnetsvc process fail under low memory conditions.
  • Issue ID 494911, 481032, 511763, 528309, 532708, 538507: If you enable the nstrace feature in TX mode with an advanced filter expression, the NetScaler appliance fails.
  • Issue ID 506378: The NetScaler backup and restore functionality now creates a backup of each of the following configuration files: inetd.conf, ntp.conf, syslog.conf, newsyslog.conf, crontab, host.conf, hosts, ttys, sshd_config, httpd.conf, monitrc, rc.conf, ssh_config, localtime, issue, and issue.net.

User Interface

  • Issue ID 528818, 529425: The memory allocation API, malloc, returns a NULL value if it does not obtain memory for the nscollect utility. If the nscollect utility tries to dereference this NULL pointer, the result is a memory segmentation error.
  • Issue ID 368832: The NetScaler ADC generates SNMP clear alarm traps for successful cases of haVersionMismatch, haNoHeartbeats, haBadSecState, haSyncFailure, and haPropFailure error events in an HA configuration.
  • Issue ID 524080, 448724: The SNMP counter of type cntr32 has been changed to a gauge counter.

WIonNS

  • Issue ID 508743: You can now optionally configure agCallbackURL from agURL. The agURL represents the front-end Access Gateway (AG) for the client. The agCallbackURL is for communication between Web Interface (WI) and AG, and it is an optional parameter. Use the following command to configure agCallbackURL:

    add wi site /Citrix/new http://agee.citrix.com http://sta.citrix.com -agCallbackUrl http://callback.citrix.com

Known Issues and Workarounds

AAA-TM

  • Issue ID 437454: The NetScaler ADC AAA-TM user interface has a timeout of 20 seconds. If authentication through an external authentication server takes more than 20 seconds, the following message appears in the logs: "libaaa recv failed." This message does not indicate authentication failure or any other problem that affects users. It can safely be ignored.
  • Issue ID 530287, 536545: In a high availability setup, AAA-TM sessions are not removed from the secondary appliance even after the AAA-TM sessions are logged out.

    Workaround: Remove the sessions manually by executing the "kill aaa sess" command. You might have to execute the command multiple times.

  • Issue ID 332831: The rule (expression) in a AAA-TM policy can be from one to 1434 characters in length. If you enter a longer rule, AAA-TM displays an "invalid rule" error.
  • Issue ID 457817: In NetScaler 9.3 and previous versions, the NetScaler ADC used a SNIP address as the source IP address for authentication requests unless the administrator configured a static route to a different interface. In NetScaler 10.1 and subsequent versions, the ADC uses the NSIP address as the source for authentication requests even when a static route points to a different interface.

    To force the ADC to use a SNIP (not the NSIP) as the source IP address in version 10.1 or later, you can set up a load balancing virtual server with an authentication service, and then configure that load balancing virtual server to perform the authentication.

  • Issue ID 481876: When AAA-TM logs users off after their sessions time out, the traffic management session associated with the user is not terminated. If the number of abandoned traffic management sessions exceeds internal limits, the NetScaler ADC might become unresponsive.
  • Issue ID 519898: The "set appfw" command cannot be executed on the NetScaler ADC if a TACACS server is used for authorization. The following error message might appear: "Not authorized to execute this command".

Acceleration

  • Issue ID 535130: The classic-policy expression used by the default acceleration policy fails to identify an Internet Explorer browser whose signature does not comply with the IE user-agent string standards.

AppFlow

  • Issue ID 396892: The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.
  • Issue ID 327439: AppFlow records generated by the NetScaler appliance cannot be seen on SPLUNK.
  • Issue ID 388563, 438710, 488206: The following behavior is seen during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    - The applications stop functioning, but are visible on the browser.

    - The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.

    - When you click OK on the dialog box, the applications are no longer displayed.

    - If you launch any fresh applications without logging on again, all the previously launched applications resume with the previous status.

  • Issue ID 525568: The timestamps in AppFlow records are not in NTP format.

Application Firewall

  • Issue ID 427798: A NetScaler ADC that has the application firewall feature enabled might reset the connection after a protected web server issues an HTTP 204 response.
  • Issue ID 430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log on to the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:

    > show appfw JSONContentType

    1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

    Done

    If it is not, the screen shows only the following:

    > show appfw JSONContentType

    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log on to the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX

    show appfw JSONContentType

  • Issue ID 283780: When you enable the sessionless URL closure feature, you must also enable the URL closure feature. If you do not enable URL closure, the sessionless URL closure feature does not work.
  • Issue ID 510006: For some malformed requests, the NetScaler application firewall log messages might not include the client IP address.
  • Issue ID 506653: If the server sends less data than the amount specified in the Content-length header, the NetScaler application firewall might send a 9845 response and reset the connection.
  • Issue ID 511654: For some requests, the application firewall log message for a Field Consistency violation might not include the name of the field that triggered the violation.
  • Issue ID 519792: The NetScaler appliance might fail if improperly written regular expressions used in the application firewall configuration result in excessive processing time.

    Workaround: Use efficient regular expressions.

  • Issue ID 498912: On a NetScaler ADC that has the application firewall enabled and the buffer overflow check configured to block, the following error message might appear in the logs: "Internal error: additional data generated after partial response <blocked>." This error message indicates that a partial response was sent before the remainder of the response was blocked.
  • Issue ID 489691: If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.
  • Issue ID 466329: If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.
  • Issue ID 451014: On a NetScaler ADC that has the application firewall enabled and the HTML SQL injection feature configured to block, when the ADC detects an SQL violation on a page with a web form, a second violation might be generated for the Form Action URL. This is expected behavior. To avoid unexpected blocks, when you configure a relaxation for a web form, be sure to include a relaxation for the Form Action URL as well.
  • Issue ID 532248: The Perl script that parses and merges the application firewall signatures during schema version upgrade can cause Perl to crash on the NetScaler ADC. These crash files can fill up the space on the hard drive, preventing access to the Graphical User Interface.
  • Issue ID 530277: A POST request with an attached Word document is silently blocked by the application firewall for a customized application.
  • Issue ID 372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

    For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:

    > update appfw signatures "*Default Signatures"

    > update appfw signatures "custom_signatures"

    > update appfw signatures "custom_signatures_2"

  • Issue ID 455652: The auto-update operation restores the default SQL/XSS patterns in the signatures. If the user edits a signature to remove any of the SQL/XSS patterns, the removed patterns might reappear in the signature when it is auto-updated.
  • Issue ID 457926, 506333: If the user sends a request that contains the string "Javascript" without a non-alphanumeric delimiter, the Cross-Site Scripting check does not block the request. This is expected behavior. Without a delimiter, the keyword "Javascript" cannot trigger code execution and therefore poses no threat to the protected web application.
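
The post-upgrade check described under Issue ID 430014, as an added example that is not part of the original release notes and is not Citrix tooling: it parses a saved capture of the "show appfw JSONContentType" output in the format shown above and reports whether the default entry is present. The function names and the sample captures are constructed for illustration; the commands it suggests are the ones given in the note.

```python
import re

# Entry line format as shown in the release note, for example:
#   1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
ENTRY_RE = re.compile(
    r'^\s*(\d+)\)\s+JSONContenttypevalue:\s+"([^"]*)"\s+IsRegex:\s+(\S+)\s*$'
)

DEFAULT_VALUE = "^application/json$"  # default value quoted in the release note
DEFAULT_ISREGEX = "REGEX"

# Remediation commands exactly as given in the release note.
REMEDIATION = [
    "add appfw JSONContentType ^application/json$ -isRegex REGEX",
    "show appfw JSONContentType",
]

# Constructed sample captures (hypothetical session logs, not real device output).
CONFIGURED = """> show appfw JSONContentType

1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

Done
"""

NOT_CONFIGURED = """> show appfw JSONContentType

Done
"""

# Only a custom entry is present; the default is still missing.
CUSTOM_ONLY = """> show appfw JSONContentType

1) JSONContenttypevalue: "^text/x-json$" IsRegex: REGEX

Done
"""

# Capture cut off before the CLI printed "Done"; must not be trusted.
TRUNCATED = """> show appfw JSONContentType

1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
"""


def parse_json_content_types(output):
    """Return a list of (index, value, is_regex) tuples from captured CLI output."""
    entries = []
    for line in output.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2), match.group(3)))
    return entries


def command_completed(output):
    """True if the last non-blank line of the capture is the CLI's 'Done' line."""
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    return bool(lines) and lines[-1] == "Done"


def audit(output):
    """Classify a capture and return (status, commands_to_run).

    status is 'ok', 'missing-default' or 'incomplete-capture'.
    """
    if not command_completed(output):
        # Without the closing 'Done' the listing may be partial, so a missing
        # entry cannot be distinguished from a cut-off capture.
        return "incomplete-capture", []
    for _, value, is_regex in parse_json_content_types(output):
        if value == DEFAULT_VALUE and is_regex == DEFAULT_ISREGEX:
            return "ok", []
    return "missing-default", list(REMEDIATION)


if __name__ == "__main__":
    samples = [
        ("configured", CONFIGURED),
        ("not configured", NOT_CONFIGURED),
        ("custom entry only", CUSTOM_ONLY),
        ("truncated capture", TRUNCATED),
    ]
    for name, capture in samples:
        status, commands = audit(capture)
        print(f"{name}: {status}")
        for command in commands:
            print(f"    run: {command}")
```
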

Application firewall

  • Issue ID 511254: The customer's application does not work when the application firewall is deployed to inspect the request for security check violations. When the application firewall forwards the request to the backend server, the server responds with a 403 HTTP error code, indicating that it cannot properly validate the CORBA session, and sends the page without the expected data in the form fields. The root cause is under investigation.

    Workaround: Turn off form field tagging and credit card checks.

  • Issue ID 510509: In release 9.3, if a NetScaler ADC has only a standalone application firewall license, the user is able to bind a classic application firewall policy to the load balancing virtual server. In release 10.1, the design is changed. If the load balancing feature is not licensed, binding a classic application firewall policy to the load balancing virtual server now results in an error message in both the CLI and the GUI.

CloudBridge Connector

  • Issue ID 508535: With TCP services reachable over a GRE tunnel (without IPSEC), one or both tunnel end points (NetScaler appliances) might become unresponsive while monitoring the services over the tunnel.

Cluster

  • Issue ID 519327, 542633: NetScaler cluster nodes may send a large number of ARP requests if a large number of ARP entries are learned over a cluster LA interface.

Command Line Interface

  • Issue ID 512526, 527066, 545578: The NetScaler command line interface exits abruptly upon executing the "show dns addRec -format old" command.

Configuration Utility

  • Issue ID 490130: When you use the configuration utility to create a FIPS key, the FIPS wizard fails to respond.
  • Issue ID 459703: In a high availability setup, if you run the "add ssl certkey" command on the primary node, and the certificate and key files are not present on the secondary node, the command fails on the secondary node. However, the configuration utility does not display an error message.
  • Issue ID 400073, 401262: If you use a Chrome browser to access the NetScaler graphical user interface (GUI), the browser might display the Page Unresponsive error message.

    Workaround:

    If you are using a Windows computer, do the following:

    1. Right-click the shortcut icon that you use to open the Chrome browser, and select Properties from the pop-up menu.

    2. In the Google Chrome Properties dialog box, click the Shortcut tab and, in the Target field, append the following value: --disable-hang-monitor

    For example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-hang-monitor http://www.google.com

    3. Close all instances of the Chrome browser, and restart the Chrome browser.

    If you are using a Mac computer, do the following:

    1. Open the terminal.

    2. Launch the Chrome browser from the terminal and append the --disable-hang-monitor value, as follows:

    open -a /Applications/Google\ Chrome.app --args --disable-hang-monitor

  • Issue ID 469755: If you open the NetScaler ADC configuration utility on multiple browser tabs, and if you disable a feature on one of the tabs, the other tabs are not automatically refreshed.

    Workaround: Manually refresh the tabs.

  • Issue ID 388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 374437: If, when using the configuration utility to configure a NetScaler ADC, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 499223: The maximum length for creating a NetScaler ADC system user password (System > User Administration > Users) is 127. The GUI tooltip displays this value as 255, which is incorrect.
  • Issue ID 414807: The Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard displays an error if more than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers, or if more than one service is bound to the service group.
  • Issue ID 389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 470941: You cannot use the configuration utility to add signatures to an existing application firewall profile using the wizard, if the application firewall policy is not globally bound.

    Workaround: Use the command line interface.

  • Issue ID 414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
  • Issue ID 482135: Java Runtime Environment (JRE) does not work on Internet Explorer version 10.

    Workaround: Press F12 and set the Document Mode and Browser mode to Internet Explorer 9.

  • Issue ID 485314: On the Reporting tab of the NetScaler GUI, if you have chosen to use the time zone settings of the NetScaler ADC, the System Overview graph does not reflect the time zone set on the NetScaler ADC. The values in the graph are for the GMT time zone.
  • Issue ID 483226: The key filename property of Import FIPS key (Configuration > Traffic Management > SSL > FIPS > FIPS keys > Action > Import > Key Filename) fails if you enter an incomplete file path consisting of folder1/folder2/rsa.key, where folder1 and folder2 are the folders within the nsconfig/ssl path.

    Workaround: In release 10.1, provide only the FIPS key. For example, rsa.key.

    In release 10.5, you must specify the complete file path to the FIPS key. For example, nsconfig/ssl/folder1/folder2/rsa.key.

Content Switching

  • Issue ID 541667: If your content switching virtual server is associated with a load balancing virtual server that has a backup virtual server, and if the primary load balancing virtual server is disabled, an HTTP 503 error message appears for some time before the traffic is directed to the backup virtual server.
  • Issue ID 522510, 528782, 538223: In certain cases, if the state of a load balancing virtual server changes, the NetScaler appliance might fail while changing the state of the associated content switching virtual server.

Content Switching/Load Balancing

  • Issue ID 399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

DNS

  • Issue ID 458313: When the NetScaler is configured as a DNS proxy and receives a DNSSEC query with the Checking Disabled (CD) bit set, it does not pass the bit unchanged to the back-end server. Instead, it turns the bit off. This affects deployments in which the NetScaler load balances DNSSEC-aware resolvers: the resolver checks the DNSSEC signatures even though the client, by setting the CD bit, asked it not to.
  • Issue ID 382478: If, while adding a DNS record (such as addrec and nsrec) from the GUI or by using the NITRO API, you specify the TTL value as 3600, the value of the minimum TTL of the SOA record is used instead.
  • Issue ID 458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.

    - If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache, with the AA bit unset and TTL decremented.

    - If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache, with the AA bit set and the original TTL.
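
To check for the behavior described in Issue ID 458313, compare the header flags of the query the client sent with those of the query that reaches the back-end resolver. The following Python sketch is an added example, not Citrix code: the function names are hypothetical, the messages are constructed in the script rather than captured, and `clear_cd` only models the behavior the issue describes.

```python
import struct

# DNS header flag masks (RFC 1035; AD and CD are defined for DNSSEC in RFC 4035).
FLAG_MASKS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100,
              "RA": 0x0080, "AD": 0x0020, "CD": 0x0010}


def build_query(txid, qname, qtype=1, cd=False):
    """Build a DNS query with RD set, an EDNS0 OPT record (DO=1), and CD as requested."""
    flags = FLAG_MASKS["RD"] | (FLAG_MASKS["CD"] if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    # OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size,
    # TTL field carries the DO bit (0x8000 in its low 16 bits), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict of flags and counters."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    parsed = {name: bool(flags & mask) for name, mask in FLAG_MASKS.items()}
    parsed.update(id=txid, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF,
                  qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return parsed


def question_bytes(msg):
    """Return the raw first question (QNAME, QTYPE, QCLASS) of a query."""
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query QNAME")
        pos += 1 + length
        if length == 0:
            break
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return msg[12:pos + 4]


def compare_cd(client_query, forwarded_query):
    """Report whether the CD bit survived between the client side and the back end."""
    client, forwarded = parse_header(client_query), parse_header(forwarded_query)
    if client["QR"] or forwarded["QR"]:
        raise ValueError("expected two queries, got a response")
    # The transaction ID may differ across a proxy, so match on the question.
    if question_bytes(client_query) != question_bytes(forwarded_query):
        raise ValueError("messages do not ask the same question")
    return {"client_cd": client["CD"],
            "forwarded_cd": forwarded["CD"],
            "cd_preserved": client["CD"] == forwarded["CD"]}


def clear_cd(msg, new_txid):
    """Constructed model of the issue: forward the query with the CD bit turned off."""
    _, flags = struct.unpack("!HH", msg[:4])
    return struct.pack("!HH", new_txid, flags & ~FLAG_MASKS["CD"]) + msg[4:]


# Constructed sample messages (not captured traffic).
CLIENT_QUERY = build_query(0x1A2B, "www.example.com", cd=True)
FORWARDED_AFFECTED = clear_cd(CLIENT_QUERY, 0x3C4D)
FORWARDED_PASSTHROUGH = struct.pack("!H", 0x3C4D) + CLIENT_QUERY[2:]

if __name__ == "__main__":
    for label, forwarded in (("affected", FORWARDED_AFFECTED),
                             ("pass-through", FORWARDED_PASSTHROUGH)):
        print(label, compare_cd(CLIENT_QUERY, forwarded))
```

With real traffic, feed `compare_cd` the UDP payloads of the same question taken from a client-side and a server-side packet capture.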

GSLB

  • Issue ID 499523: In all releases of 10.0 and 10.1, the "show server" output does not include IP address and state information for GSLB services.

    This feature works in all builds of the 9.3 and 10.5 releases.

Graphical User Interface

  • Issue ID 511638: If you do not specify the deployment details when you import the SharePoint AppExpert template, you cannot configure backend servers.

High Availability

  • Issue ID 534795: In a high availability configuration, with failSafe mode enabled on the secondary node, the node might briefly become primary when restarted.
  • Issue ID 471294: When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) build 126.x, the updates made in the Webinterface.conf file are overwritten by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes.

    To avoid this issue, use the following steps when upgrading the HA nodes:

    1. Before upgrading, run the "set ns param -internaluserlogin DISABLED" command.

    2. Upgrade the secondary HA node to NetScaler release 10.1 build 126.x.

    3. Force failover to make the upgraded node the primary node.

    4. Upgrade the other HA node to NetScaler release 10.1 build 126.x.

    5. Reenable the "internaluserlogin" parameter with the "set ns param -internaluserlogin ENABLED" command.

    6. Save the configurations.

    Note: Before upgrading, synchronize files between the HA nodes by using the "sync ha files all" command.

  • Issue ID 479666, 507519, 541503: In a high availability configuration, if a NetScaler packet processing engine (NSPPE) fails on the primary node, both the nodes might go into a warm reboot loop.
  • Issue ID 537496: After an HA configuration is stabilized from a "split brain" condition (both nodes primary), connections are not immediately synchronized between the current primary and the current secondary node. This latency might result in an HA failover.

    Workaround: After the HA pair is stabilized, perform a forced synchronization, on either the primary or the secondary node.

    To perform a forced synchronization use the following command:

    force ha sync

Integrated Caching

  • Issue ID 440107, 440389: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".
  • Issue ID 486535: In a NetScaler deployment that has integrated caching and SSL enabled, the NetScaler can crash in the following scenario:

    1. Client1 requests an object that is not in cache.

    2. While the NetScaler fetches the object from the backend server, client2 (a slow client) sends a request for the same object.

    3. Client1 now decides to reset the connection.

    4. When the object is available, the NetScaler serves it to client2.

    However, because client2 is slow, a large amount of data that must be forwarded to client2 piles up on the NetScaler. When the NetScaler tries to send this data to the client, the NetScaler can crash.

Load Balancing

  • Issue ID 464952: If a DNS autoscale service group is bound to a virtual server, the "show lb vserver" command output displays one extra service bound to the virtual server.
  • Issue ID 466094, 534755: If the load balancing (LB) feature is not licensed, and you try to enable an LB virtual server, an error message appears.
  • Issue ID 540965: If a NetScaler appliance sending a DNSSEC negative response over UDP is not able to include the required records (for example, SOA, NSECs, and RRSIG records) in the Authority section, the appliance might send a truncated response in the wrong packet format.
  • Issue ID 455133: If the FQDN is not resolvable, you might notice high CPU utilization on the NetScaler ADC.
  • Issue ID 441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.
  • Issue ID 460040: A StoreFront service on a NetScaler ADC is not marked as DOWN even though all the StoreFront services bound to the StoreFront server are manually brought down.
  • Issue ID 516606, 528242: If all of the following conditions are present, they might lead to a situation in which CPU usage is significantly different among the packet engines (PEs):

    1. The maximum number of clients (maxclients) for a service is set to a value less than the number of PEs in the system.

    2. Connections to this service have a high degree of connection reuse, that is, multiple requests are sent on the same TCP connection.

    3. Requests for connections to this service cause a surge queue buildup.

    If the maxclient setting is less than the number of PEs, only some PEs can open connections. After the maxclient limit is reached, PEs that have open connections are not likely to close them, because they are using those connections to process the traffic generated by high connection reuse and the large surge queue. As a result, the other PEs might not be able to open new connections. They therefore have a lower level of CPU usage, because they cannot participate in processing the surge queue.

    This is expected behavior and usually does not cause any issues. However, if some of the PEs have near 100% CPU usage while the other PEs have relatively low CPU usage, you might want to limit the maximum requests per connection by using the "set service <name> -maxReq <positive_integer>" command, so that the PEs close connections that have delivered the specified number of requests. This evens out the CPU usage, because it allows the other PEs to open connections to the service.

  • Issue ID 524079: If you configure cookie persistence and custom cookie on a virtual server, and later change the name or IP address of the virtual server, persistence is not honored.

SureConnect

  • Issue ID 526782: SureConnect (SC) should be enabled on one entity. If you enable SC or configure SC policies on a load balancing virtual server, do not enable SC on any of the services or service groups that are bound to this virtual server. Doing so can result in configuration loss during reboot or lead to inconsistent configuration across an HA pair.

NetScaler Gateway

  • Issue ID 392389: When users log on with the NetScaler Gateway Plug-in and WiFi roaming occurs, ICMP requests intermittently time out and users cannot access network resources.
  • Issue ID 374890: If you configure the appliance with NetScaler Gateway and Application Firewall, logon attempts by unauthorized users appear in the logs. When an authorized user logs on and then attempts to access a network resource to which users are explicitly denied, the access attempt does not appear in the logs and users receive a 403 error.
  • Issue ID 411851: If you configure a NetScaler Gateway virtual server, enable ICA proxy and enable the Use Source IP (USIP) mode globally, when users connect and use StoreFront to open an application, NetScaler Gateway uses the client IP address as the source IP address when contacting the STA server and the application fails to open. If you disable USIP mode, the same behavior occurs unless you restart the NetScaler Gateway appliance. To avoid the issue, you need to configure a service on NetScaler for the STA server and disable USIP on that service.
  • Issue ID 411152: When you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver, the applications and desktops do not appear. The following message appears: There are no apps or desktops assigned to you at this time. Citrix recommends disabling the optimization settings.
  • Issue ID 398693: Installing and uninstalling the NetScaler Gateway Plug-in can take a long time. This is due to multiple entries of the Citrix Virtual Adapter in the registry.
  • Issue ID 393357: If a pre-authentication scan is configured on the NetScaler and users launch the NetScaler Gateway Plug-in when a browser is already open, users are intermittently redirected to the "Internal error" page.
  • Issue ID 427092: When running the NetScaler Gateway wizard, a prompt appears at the end to make the LDAP authentication policy the primary authentication type, even though the LDAP policy is selected as primary earlier in the wizard.
  • Issue ID 373991: On nCore appliances, when users attempt to access the subnet IP address through the VPN tunnel over HTTP, a 401 Access Denied error message appears. Connecting to the subnet IP address works if users make the attempt by using HTTPS.
  • Issue ID 511757: The pop-up messages for NetScaler Gateway Plug-in for Windows appear behind the active applications (such as browsers) on Windows 8.
  • Issue ID 399405: Java Plug-in: An intranet application fails to connect if the AG VIP is running on a non-default port.
  • Issue ID 384998: If you configure NetScaler Gateway as a high availability pair and if there is a failover from the primary to the secondary appliance, the ICA connection to published apps that are already open on the user device is reestablished. If users attempt to open more applications from the Web Interface, the applications fail to open and users receive an error message.
  • Issue ID 464518, 467420: When users connect, the DNS Service Location (SRV) records configured on NetScaler Gateway are not served.
  • Issue ID 368229: The running configuration does not include group extraction policies bound to the NetScaler Gateway virtual server.
  • Issue ID 346729: If you apply the Citrix Receiver theme to the NetScaler Gateway logon page, the layout appears garbled on computers running Windows XP Service Pack 3 with Internet Explorer 7 browsers.
  • Issue ID 397625: To configure two-factor authentication with SAML authentication, you must configure the secondary authentication policy in the primary cascade.
  • Issue ID 376303, 394800: If you configure an intranet IP address, when users log on by using clientless access and then open SharePoint 2007, when they try to open a folder with Windows Explorer, a blank page appears.
  • Issue ID 444387: NetScaler Gateway currently does not support Cross-Domain Constrained Delegation. If the user and service belong to different domains, constrained delegation fails. If the user and the service belong to the same domain and the user logs on with a user name and password, constrained delegation is successful. In addition, if users log on with a user name and password for cross-domain impersonation, constrained delegation works.
  • Issue ID 400050: The NetScaler Gateway Plug-in for Java does not compress network traffic even when compression is configured on the NetScaler Gateway.
  • Issue ID 400171: If you configure Group Extraction, you cannot bind an LDAP authentication policy to the virtual server. However, if an LDAP authentication policy was bound to the virtual server before configuring Group Extraction, you can enable authentication on the virtual server.
  • Issue ID 385318: If you have configured a proxy server and you configure NetScaler Gateway to route traffic through the proxy server, when users log off from a clientless access session, a 403 error occurs.

NetScaler Insight Center

  • Issue ID 441163: NetScaler Insight Center might not display reports under the following set of conditions:

    - NetScaler ADCs that are configured for Network Address Translation (NAT) are added to the NetScaler Insight Center inventory.

    - A NetScaler ADC and a NetScaler Insight Center virtual appliance are in different networks and are configured for NAT.

  • Issue ID 388096, 423109: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 414214: On the HDX Insight reports, a y-axis value of 0 is sometimes shown at a location higher than the x-axis.
  • Issue ID 482590: If AppFlow for ICA is enabled on a NetScaler ADC, the NetScaler Insight Center reports should show XenDesktop details, but that is not always the case. When certain users access XenDesktop, the reports show the application details instead.
  • Issue ID 409634: All the metrics except bandwidth and hits display the average values.
  • Issue ID 379876, 424686, 437964: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 446120: In some instances, the bar line on a graph appears outside the time points on the x-axis.
  • Issue ID 386911: When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to a later build is supported.

    Workaround: To upgrade to build 120.13 or later, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off:

    The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.

  • Issue ID 397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 385821: If an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name "(user-id@domain-name)".
  • Issue ID 394526: On the Dashboard > Web Insight > Applications page, the values shown when you select "Response Time" from the drop-down list can be incorrect.
  • Issue ID 368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.

NetScaler SDX Appliance

  • Issue ID 434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.
  • Issue ID 476304: On SDX systems, TX stalls are sometimes seen on some of the member interfaces while an LACP channel is being created, deleted, or modified.
  • Issue ID 369650, 442942, 468381: Configuring Enforced VLAN by providing a VLAN number in the VLAN ID field is not supported on the SDX Rome 1G port.

    Workaround: Use the Allowed VLAN feature, which has the same functionality as Enforced VLAN.

  • Issue ID 384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 506167: If no 0/x interfaces are provisioned in a VPX, a 10/x or 1/x interface is used for management, and the user creates an LACP channel on those interfaces (10/x or 1/x), the VPX becomes unreachable by the Management Service and the channel configurations are not propagated to the VPX.

    The best way to achieve the same result is to create the required channel first and then provision the VPX with the LACP channel selected.

  • Issue ID 499311: When you add many VPX instances, you might reach the default cache memory limit, which could result in unexpected behavior.

    Workaround: Increase the default cache memory limit.

  • Issue ID 474438, 493664: On SDX systems, binding an interface or channel to a VLAN sometimes fails. This happens only if the interface is down or one of the member interfaces of a channel is down.
  • Issue ID 494262: The interface statistics on the Management Service Monitoring page show only the SDX platform usage statistics. The statistics of the VPX instances that use the interface are not included. Because the platform itself does not transmit any traffic under normal conditions, the transmission statistics are shown as zero.
  • Issue ID 444854, 487984, 496194, 506802: On an SDX appliance, the Management Service might lose connectivity. The issue is seen only with a Management Service that has been in the UP state for many days, the minimum being 277 days.

NetScaler VPX Appliance

  • Issue ID 405383, 360482: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.
  • Issue ID 405164: On a NetScaler VPX instance running on a Linux-KVM platform, the dynamic routing protocols OSPF and ISIS fail to run on the platform's MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

Networking

  • Issue ID 318684: In an HA configuration in INC mode running the OSPF routing protocol, the secondary node drops all L3 traffic whose destination was advertised by the secondary node.
  • Issue ID 485260: In an active-active high availability configuration using Virtual Router Redundancy Protocol (VRRP), a ping to a virtual IP address (VIP) might fail from a node that is a backup node for this VIP address.
  • Issue ID 529317: The NetScaler appliance does not block traffic that matches an ACL rule if the traffic is destined to the appliance's NSIP address, or one of its SNIP addresses, and a port in the 3008-3011 range.
  • Issue ID 323127: The NetScaler ADC might become unresponsive if you run the show route operation during a dynamic route addition or deletion process.
  • Issue ID 371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the "sync HA files" command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each node of the HA configuration:

    > add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:

    On the primary node:

    > add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    On the secondary node:

    > add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

  • Issue ID 383958, 411806: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 507908: An active FTP connection might get reset for no apparent reason, regardless of the state of the random source port.
  • Issue ID 399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 402111: VLAN tagging is not supported on a NetScaler VPX instance operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
  • Issue ID 385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
  • Issue ID 402113: L2 mode is not supported on NetScaler VPX instances running on a Linux-KVM host.
  • Issue ID 381000: On some NetScaler appliances, the following four sensor readings are no longer available. The "stat system -detail" command displays a value of 0.

    - Intel CPU Vtt Power (Volts)

    - Voltage Sensor2 (Volts)

    - Temperature 0 (Celsius)

    - Temperature 1 (Celsius)

    This change affects the following platforms:

    - MPX 11500/13500/14500/16500/18500/20500

    - MPX 17550/19550/20550/21550

    - MPX 8200/8400/8600

    - MPX 5550/5650/5750

  • Issue ID 494183: A high number of nic_err_rx_crc errors has been attributed to improperly seated or faulty small form-factor pluggable (SFP) transceivers.

    Workaround: If experiencing nic_err_rx_crc errors, perform a manual diagnostic check to rule out problems with SFPs, cables, and connectivity with the partner device ports.

  • Issue ID 407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.
  • Issue ID 407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.
  • Issue ID 519000, 519041: In rare conditions, a 10G interface might stop processing the traffic.

    Workaround: Reset the interface.

Policies

  • Issue ID 422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.

    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)

  • Issue ID 390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.

  • Issue ID 554460: A NetScaler appliance that has a rewrite policy configured becomes unresponsive if all the following conditions are met:

    1. The rewrite action type is either "replace" or "insert_after".
    2. The HTTP response does not have the content-length header.
    3. The body of the HTTP response is split into multiple TCP packets, and the packets arrive with some time delay between them. This causes the policy rewrite engine to pause and resume the packet processing.
    4. The string specified in the rewrite action is present in the last packet of the HTTP response.

Reporting

  • Issue ID 368982: After you import a custom data source, the charts for the counters under "System entities statistics" are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 521569: If you disable SSLv3 on the "nskrpcs-127.0.0.1-3009" service, an "ERROR: Operation not permitted" message appears even though SSLv3 has been successfully disabled on the service.
  • Issue ID 343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 532136, 525686, 531207, 539902: On all NetScaler appliances except MPX 5500 and MPX 5550/5650/5750 appliances, if both the rate of new SSL connections and the percentage of SSL session reuse are high, SSL session buildup causes high usage of memory. If the result is a memory allocation failure, SSL traffic is dropped.

    Workaround: Disable SSL session reuse on the SSL virtual servers on which you observe traffic loss.

  • Issue ID 402423: In a cluster setup, if you include the "cipherdetails" option in the "show ssl service" or "show ssl vserver" command, an incorrect message appears. This is only a display issue.

    For example,

    > show ssl service svc1 -cipherDetails

    ERROR: No such resource [serviceName, svc1]

  • Issue ID 455821: An SSL chip is disabled at the third reinitialization attempt. That is, the maximum reinitialization limit is 2. Earlier, this limit was 5.
  • Issue ID 509608: If a certificate has a validity of 100 years, Days to Expiration incorrectly appears as 0 in the NetScaler command line interface and the configuration utility.
  • Issue ID 519368: In rare cases, the "update ssl certKey" command fails and, in spite of displaying a "Resource already exists" error message, creates a stale duplicate entry with the same certificate-key pair in the configuration file (ns.conf).
  • Issue ID 468198: If the format of a CRL is incorrect or the issuer of a CRL does not match the specified CA certificate, and you run the "show crl" command, an error message showing the CRL status as invalid appears.

System

  • Issue ID 480258, 494482, 523853: During the execution of the "nstrace.sh" script (from shell) or the "start nstrace" command (from CLI), when the trace file is rolled over, some packets might not be available in the trace. The number of packets that will be dropped from the trace is directly proportional to the traffic rate.
  • Issue ID 524320: If an LACP channel is bound to nine or more interfaces and is a member of a tagged VLAN, deleting the channel from a service VM can cause the NetScaler appliance to fail intermittently.
  • Issue ID 529493: A NetScaler appliance fails if it attempts to apply HTML injection to a server response that does not have a content type header.
  • Issue ID 427126, 441982, 452885, 456645: When using MPTCP, if a single SSL record is split into a large number (> 100) of small segments, an SSL buffer overrun causes the NetScaler appliance to crash.
  • Issue ID 523473: Every Domain Based Service (DBS) on a NetScaler appliance is assigned two monitors. Therefore, the limit of 7500 monitors can result in a memory allocation failure when you add a new service to the appliance.
  • Issue ID 377618, 341460, 351127, 364015, 481575, 499259: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error:

    Invalid response from the aggregator [Device not Configured]

  • Issue ID 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

  • Issue ID 501100: Setting 'Request timeout' or 'Request timeout action' in HTTP Profiles can cause the NetScaler to fail in some situations.
  • Issue ID 536576: If the NetScaler appliance receives a WebSocket upgrade request, and an HTTP-body based policy is bound globally or to a virtual server, the appliance does not forward the request to the server until a TCP FIN flag is received from the client.
  • Issue ID 522665: The virtual IP (VIP) address of a load balancing virtual server cannot be changed if the LB virtual server and syslog server have the same configuration (IP, port, service) and use the same server information. In such cases, if the syslog server's IP address is changed, the syslog server uses different server information and does not update the server information used by the LB virtual server. As a result, the LB virtual server displays an error message when you try to change its VIP address.

User Interface

  • Issue ID 542702: If, while upgrading a NetScaler appliance, you change the RSS key type, the configuration utility does not display a warning message to restart the NetScaler appliance.
  • Issue ID 475830, 449234: A large configuration file puts a heavy load on the management CPU. The resulting delay in displaying the output of the "show ns runningconfig" command might exceed the timeout value.

    Workaround: If you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a placeholder for the timeout value, modify the script to increase the timeout value to 500 seconds.

Web Interface

  • Issue ID 397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 363145: The following APIs are not available in version 10.1 or later:

    - bindservicegroup_state2

    - unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.


Build 130.13

Release version: Citrix NetScaler, version 10.1 build 130.13

Replaces build: 130.11

Release date: February 2015

Release Notes version: 3.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).
Note: This release note is for builds 130.10, 130.11, and 130.13.

Additions in Build 130.13: 532316

Additions in Build 130.11: 523321

Bug Fixes

AAA-TM

  • Issue ID 505809, 507692: The NetScaler ADC does not handle an authentication request if the incoming base64-decoded Kerberos ticket is more than 10 kilobytes. This fix increases the buffer-size limit to accommodate tickets of up to 65 kilobytes.
  • Issue ID 474918, 502915: The NetScaler ADC no longer sets the NSC_TMAA session cookie during a secure load balancing virtual server session.
  • Issue ID 507386: If a user name or password consists of UTF8 characters, basic authentication fails on the NetScaler ADC. With this fix, the ADC now passes the encoding type in the 401 challenge so that the incoming data is accurately encoded.

Action Analytics

  • Issue ID 406457: The NetScaler crashes due to an issue in hash calculation and comparison of the action analytics records. The crash is observed when the NetScaler receives URLs that differ only in case.

    Examples:

    http://10.217.6.239/TesT/

    http://10.217.6.239/TEST/

    http://10.217.6.239/TEsT/

    http://10.217.6.239/TeST/

    Note post fix:

    Stream analytics record creation will be case sensitive. For example, WWW.GOOGLE.COM and www.google.com will result in two separate records.

    If this is not desired, stream selector results should be converted to one case. Example:

    add stream selector sel1 HTTP.REQ.hostname.to_lower

Application Firewall

  • Issue ID 315183: If the NetScaler application firewall receives a request with a percent-encoded space character, such as "login%20name" for a form field login name, the deployed learned rule containing the encoded character (%20) fails to work as a relaxation rule. The security check violation is still triggered. Note that the browser converts the space to a "+" character. For such a request, the corresponding learned rule with "login+name" for "login name" works as expected when deployed as a startURL relaxation rule.

    Workaround: Edit the relaxation rule to replace "%20" with "\s*" for requests with percent encoded space characters.

  • Issue ID 443673: The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "Not Set".
  • Issue ID 476206: If CEF logging is turned on, only the format of application firewall log messages is expected to change, but the format of other logs is also affected, causing problems with their display. With this fix, turning on the application firewall CEF logging does not modify the format or display of other logs.
  • Issue ID 473322, 466491: If a NetScaler ADC receives a request for an object that it cached before the application firewall configuration was modified to add any advanced security check protection, the ADC responds with HTTP Error 503 for subsequent requests to access this cached object, because the object does not contain the expected application firewall metadata. With this fix, the existing cached objects without the required metadata are considered stale and are flushed. The request is served from the origin server and the cache is updated with refreshed data.
  • Issue ID 472476, 418036: When a user attempts to upload a file to a server that is protected by the application firewall, the file upload fails. The underlying cause is that the application firewall included an invalid character in the MIME boundary when encoding the file.
  • Issue ID 488369: If a response contains href links that include query parameters, the NetScaler application firewall triggers false positives for CSRF and form field consistency violations if these links are accessed. With this fix, if CSRF or Field Consistency checks are enabled, the URLs in the hrefs are added to the URL Closure table even if startURL Closure is not enabled.
  • Issue ID 481899: The NetScaler ADC might fail if a transaction is aborted before the application firewall completes processing the request.
  • Issue ID 423150: The application firewall PCI-DSS report does not contain information about the "SQLInjectionCheckSQLWildChars" parameter.
  • Issue ID 505272, 505039: NetScaler Application Firewall Default Signature object now has rules that can be enabled to protect against Shellshock vulnerability (CVE-2014-6271, CVE-2014-7169) which could allow arbitrary code execution.

Cache Redirection

  • Issue ID 502366, 505091, 514785: Applying multiple ACL rules causes excessive consumption of CPU cycles. As a result, the NetScaler ADC might become unresponsive.
  • Issue ID 497866, 502366: An invalid HTTP request received on a cache redirection virtual server configured on the NetScaler ADC is sent to the cache server. This results in errors and degraded performance.

    With the fix, invalid HTTP requests are redirected to the origin server instead of the cache server.

CloudBridge Connector

  • Issue ID 440781: When the state of a CloudBridge connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.

Cluster

  • Issue ID 486259: From NetScaler 10.5 Build 52.x, the cluster feature is licensed with the Platinum and Enterprise licenses. In earlier releases, the cluster feature was licensed by a separate cluster license file.

    Note:

    - If you have configured a cluster in an earlier build, the cluster will work with the separate cluster license file. No changes are required.

    - When you configure a new cluster in Build 52.x and then downgrade to an earlier build, the cluster will not work as it now expects the separate cluster license file.

Configuration Utility

  • Issue ID 490142: The configuration utility displays the "Resource already exists" error if you configure a content switching virtual server with the IP address 10.69.129.128.

    Workaround: Configure the content switching virtual server with a different IP address.

  • Issue ID 489884: The configuration utility does not display SSL policies if you navigate to Traffic Management > SSL > Policies to create a policy.

    Workaround: Navigate to Traffic Management > SSL and, in the right pane, select SSL Policy Manager. Or click the refresh button on the top right corner to display the SSL policies.

  • Issue ID 375277, 322602, 334465, 396405, 412455, 419503, 438382, 438534, 438796, 441853, 446387, 448361: If a NetScaler connection from a client is closed without the client logging out, the session created for that connection remains active until the configured timeout period elapses. If this happens frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.
  • Issue ID 511565: If a connection from a client to a NetScaler ADC is closed without the client logging out, the session created for that connection remains active until the configured timeout period lapses. If this occurs frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.
  • Issue ID 501644, 505641, 509379: If you create a GSLB service by using a server name with alphanumeric characters, the server name does not get converted to a server IP address, and the server IP address value is null. As a result, GSLB synchronization fails.
  • Issue ID 494804: If the number of interfaces that you created is more than eight, the Reporting tab in the configuration utility displays only eight interfaces to be monitored.
  • Issue ID 512427: If a user with read-only permissions opens a monitor (Configuration > Traffic Management > Load Balancing > Monitors), the configuration utility displays the 'Not authorized to execute this command' error message.

Content Switching

  • Issue ID 501856: If an invalid HTTP request that spans multiple TCP segments is sent to a content switching virtual server, the NetScaler ADC might skip the load balancing decision and initiate a connection from the SNIP address to the content switching virtual server. This can cause the ADC to fail.

    To prevent this problem, the ADC closes the client connection when this situation arises.

DNS

  • Issue ID 382478: If, while adding a DNS record (such as addrec and nsrec) from the GUI or by using the NITRO API, you specify the TTL value as 3600, the value of the minimum TTL of the SOA record is used instead.
  • Issue ID 437529: If the number of records in a DNS response for a domain exceeds the NetScaler ADC limit, or if one of the records in the response contains invalid data, the NetScaler ADC does not cache the response. As a result, DNS resolution using NetScaler nameserver entities fails.

Data Stream

  • Issue ID 507709: If you use the SQL Server driver for SQL Server 2000 SP1, the databases are not enumerated for Kerberos authentication on the NetScaler ADC, because the ADC does not process the SSPI packet correctly.

GSLB

  • Issue ID 485811: If you change the GSLB configuration while the GSLB feature is disabled, the NetScaler ADC might process some stale messages when you enable the feature. As a result, the ADC might dump core and restart.

Graphical User Interface

  • Issue ID 513132: A user session is not terminated if the user logs out of NetScaler ADC by using the configuration utility. The session is terminated only after the session timeout is complete.
  • Issue ID 502309, 503357: If you enable NTP synchronization on a NetScaler ADC, the ntpd service binds to port 3010. The binding causes resource conflicts, because the port was reserved for the nsnetsvc service.
  • Issue ID 495067: On a NetScaler SDX appliance or NetScaler VPX instance, if you use the graphical user interface (GUI) to modify the high availability (HA) monitoring or any other property, the GUI displays the Operation not Permitted error message.

Load Balancing

  • Issue ID 502338: If a semantically incorrect command is entered while a domain based service is being resolved to a NetScaler-owned IP address, the NetScaler ADC displays the state of the service incorrectly.
  • Issue ID 489400: In a high availability setup, a failover might disconnect active connections even though stateful connection failover is enabled on the virtual servers.

    Workaround:

    Check the output of the "show rpcnode" command. If it shows an asterisk (*) for the SRCIP parameter, run the "set rpcnode <remote NSIP> -srcIP <local NSIP>" command.

  • Issue ID 497470: If a load balancing virtual server on which persistence is configured is bound to a load balancing group that has no persistence setting, the NetScaler ADC does not change the virtual server’s persistence setting. As a result, when traffic arrives at the virtual server, it tries to create a persistence session, but that session fails and the number of sessions increases.

    Workaround: Run the "set lb group -persistenceType" command to reset the persistence on the virtual servers that are bound to the group.

  • Issue ID 457639: A very slow memory leak occurs on the secondary node in a high availability pair if all of the following conditions are met:

    a) The configuration is large (approximately 4MB).

    b) The configuration includes a large number of "bind lb group" commands.

    c) Configuration changes very frequently, resulting in frequent synchronization.

  • Issue ID 504209: You can now bind loopback members (for example 127.0.0.1) to service groups. Previously, you could bind loopback members to services only.

NITRO API

  • Issue ID 507594: When AppFlow is enabled on a NetScaler, the following query, which requests console messages from the nsconmsg tool, results in an httpd core dump because of the large buffer length.

    http://<NSIP>/nitro/v1/config/clioutput?args=command:"shell+nsconmsg+%2DK+%2Fvar%2Fnslog%2Fnewnslog+%2Dd+consmsg"

NetScaler Gateway

  • Issue ID 495867: Responder or URL transform policies that are bound to the Content Switching virtual server are not applied to connection requests that come through NetScaler Gateway.
  • Issue ID 506686: If users do not have administrative rights, the Endpoint Analysis Plug-in installation fails.
  • Issue ID 498679: If users connect with the NetScaler Gateway Plug-in for Windows and then attempt to receive a call through a softphone, the call fails.
  • Issue ID 508831: In a double-hop DMZ deployment, if the Receiver connection closes and the connection to XenApp or XenDesktop is in progress, the appliance might fail.
  • Issue ID 528011, 527990: When pre-authentication is configured on nCore systems, or when the session timeout kicks in, the NetScaler Gateway may fail while cleaning up the session.
  • Issue ID 523321, 534178: On nCore systems, when pre-authentication policies are configured or when an admin session timeout elapses, a core dump may occur when the NetScaler Gateway cleans up the session.
  • Issue ID 500207, 508831: When users log on with the NetScaler Gateway Plug-in, if the user's TCP connection closes and the connection to the internal network through NetScaler Gateway is in progress, the appliance might fail.
  • Issue ID 527990: NetScaler Gateway might fail on nCore systems if End Point Analysis is configured or if the configured Session Timeout kicks in.
  • Issue ID 513385: When a user connects to a multi-core NetScaler Gateway that is running out of memory during inter-core communication, NetScaler Gateway fails.
  • Issue ID 501369, 500311: If ICA proxy is set to On and you configure authorization policies, when users attempt to connect, NetScaler Gateway modifies the host header to the FQDN of the Web Interface or StoreFront server. When this occurs, user log on fails with the message "Error: Not a priviledged user."
  • Issue ID 505029: When users log on with the NetScaler Gateway Plug-in for Windows, attempts to access internal network resources fail from Windows Metro applications, such as Internet Explorer Metro Mode. This occurs when you configure address pools (intranet IP addresses).
  • Issue ID 516257: When the Endpoint Analysis is configured, the users are redirected to index.html. Otherwise, a session is created for any arbitrary URL if the authentication is disabled on the NetScaler Gateway.
  • Issue ID 506689: When users connect from a web browser and enter their SAML credentials, NetScaler Gateway fails. This occurs when you configure pre-authentication policies and two-factor authentication policies with SAML and LDAP with SAML as the primary authentication type and having a higher priority.

NetScaler Insight Center

  • Issue ID 505985, 507879, 507882: The NetScaler ADCs being monitored by NetScaler Insight Center might fail if, while ICA sessions are active, you enable AppFlow for ICA and then either clear the configuration or disable and re-enable AppFlow on NetScaler Insight Center.
  • Issue ID 490680: The NetScaler ADC might fail if you enable AppFlow for ICA and access XenApp or XenDesktop through the Windows Receiver client.

NetScaler SDX Appliance

  • Issue ID 470002, 460650, 484387, 504145, 505053: The management interface of an SDX-8000/SDX-8200/SDX-8400 appliance might lose connectivity if the interface is connected to a CAT switch.

    Workaround: Set the speed of the interface to 100 Mbps and disable auto-negotiation.

  • Issue ID 469680: In an SDX NetScaler cluster, SDX management VLAN modifications are not allowed through the cluster IP.
  • Issue ID 502428: The restore operation fails when a backup file from a newer version is restored in an older Management Service version.
  • Issue ID 488794, 497445, 504308: On NetScaler SDX 8000 appliances, the Service Virtual Machine (SVM) might not detect the disk correctly, in which case it marks the status of the disk as down in system health monitoring. However, the provisioning of NetScaler VPX instances works as expected. This issue occurs in the following releases:

    - NetScaler 10.1 Build 129.11 or earlier

    - NetScaler 10.5 Build 52.11 or earlier

  • Issue ID 506128: In Management Service, the Tagall setting configured for channels under Management VLAN settings is not available on VPXs.
  • Issue ID 495614: The installation of supplemental pack 100015 fails on NSSDX-8200 10G platforms. The root cause of failure is that the install script treats a warning as an error and aborts the installation.
  • Issue ID 502975: The installation of supplemental pack 100015 fails on NetScaler SDX 8200 10G appliances.

Networking

  • Issue ID 508631, 509453: If you disable the TCP Proxy parameter while creating a Reverse Network Address Translation (RNAT) rule on a multi-core NetScaler ADC, the NAT operation fails.
  • Issue ID 441005: Old or stale OSPF LSAs might exist after a warm restart, or a restart after a power failure, resulting in a triple flip.
  • Issue ID 510173: An Access Control List (ACL) rule specifying the TCP protocol and the Established option might not get evaluated if another ACL rule with a higher priority also specifies TCP.
  • Issue ID 502213, 512248: The NetScaler ADC might become unresponsive when ICMP error packets match a forwarding session rule.
  • Issue ID 496237: For a load balancing server configured on a non-default traffic domain, modifying the IP address of the server also changes the name of the server.
  • Issue ID 490341: With MAC based forwarding (MBF) enabled, the NetScaler ADC does not update Layer 2 information such as MAC address, interface ID, and VLAN ID, for a dynamic service even when the associated router is inactive. As a result, the router drops the packets destined to the IP address specified by the dynamic service.
  • Issue ID 497277: The NetScaler ADC might not update its bridge and ARP tables with the information received from GARP messages.

Platform

  • Issue ID 498929: NetScaler VPX instances running on Xen Server might consume a high percentage of CPU cycles while processing 1G traffic.
  • Issue ID 484123: NetScaler supports Multi-PE for Hyper-V.
  • Issue ID 487169: On a NetScaler ADC that has a Small Form-factor Pluggable (SFP) interface with part number FTLF8519P2BNL, disabling this interface might not disable the interface of the peer device.

Policies

  • Issue ID 508510, 513724, 517150, 518535, 519945: Rewrite policy bindings to virtual servers can be lost when you upgrade the NetScaler firmware to version 10.1.128.11. If the rewrite policy is bound to a load balancing virtual server, the policy bindings are not displayed as part of the server configuration, but they are saved when the user saves the configuration. If the rewrite policy is bound to a content switching virtual server, the policy bindings are lost when the user saves the configuration.

  • Issue ID 506761, 519776, 446507, 463284, 500444: The NetScaler appliance can crash or the data can get corrupted when the URL (or other string) satisfies the following criteria:

    - Length is more than 1300 bytes (800 bytes for HTML_XML_SAFE).

    - Has at least one unsafe character.

    - A significant initial part of the string does not need encoding (or some smaller initial part of the string does not need encoding and there are lots of characters needing encoding).

    - One of the following functions is used on the string in the expression:

    * HTTP_URL_SAFE - unsafe characters are not allowed. Safe characters are: a-z, A-Z, 0-9, "-", "_", ".", "!", "~", "*", "'", "(", ")", ";", ":", "@", "?", "=", "$", "%", "&", "+", ",", "/".

    * HTTP_HEADER_SAFE - new line ('\n') characters are unsafe.

    * HTML_XML_SAFE - unsafe characters are '<', '>' and '&'.

    * APPEND_QUERY_PARAMETER - same as HTTP_URL_SAFE

    Workaround: Remove uses of these functions from your expressions if strings can be long, or truncate the strings to 1300 bytes (800 bytes for HTML_XML_SAFE). In a number of cases you can avoid using these functions by concatenating the URL with a string constant to the left of it (for example, "" + HTTP.REQ.URL); if the input was encoded, the result will be too.
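
    An added example, not Citrix code: a small Python audit that lists which saved configuration lines use the four functions named in Issue ID 506761, together with the length limit the note gives for each, so those expressions can be reviewed against the workaround. The sample configuration lines and entity names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Functions named in Issue ID 506761, mapped to the string length (bytes)
# above which the release note says the problem can occur.
RISKY_FUNCTIONS = {
    "HTTP_URL_SAFE": 1300,
    "HTTP_HEADER_SAFE": 1300,
    "HTML_XML_SAFE": 800,
    "APPEND_QUERY_PARAMETER": 1300,
}

# A function is applied to a string with ".NAME"; match case-insensitively
# because configurations are not always written in one case.
_FUNC_RE = re.compile(
    r"\.(" + "|".join(RISKY_FUNCTIONS) + r")\b", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    line_no: int        # 1-based line number in the configuration text
    entity: str         # first four tokens, e.g. "add rewrite action act_hdr"
    function: str       # canonical (upper-case) function name
    max_safe_len: int   # length limit from the release note for that function


def audit_config(conf_text):
    """Return one Finding per risky function use in the configuration text."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comment/header lines
        entity = " ".join(line.split()[:4])
        seen = set()
        for match in _FUNC_RE.finditer(line):
            name = match.group(1).upper()
            if name in seen:
                continue  # report each function once per line
            seen.add(name)
            findings.append(
                Finding(line_no, entity, name, RISKY_FUNCTIONS[name])
            )
    return findings


# Constructed sample configuration (not taken from a real appliance).
SAMPLE_NS_CONF = "\n".join([
    r'#NS10.1 Build 130.13',
    r'add rewrite action act_hdr insert_http_header X-Orig-URL "HTTP.REQ.URL.HTTP_HEADER_SAFE"',
    r'add responder action act_redir redirect "\"https://www.example.test\" + HTTP.REQ.URL.HTTP_URL_SAFE"',
    r'add rewrite action act_plain insert_http_header X-Path "\"\" + HTTP.REQ.URL"',
    r'add rewrite action act_ref insert_http_header X-Ref "HTTP.REQ.HEADER(\"Referer\").html_xml_safe"',
])

if __name__ == "__main__":
    for f in audit_config(SAMPLE_NS_CONF):
        print(
            f"line {f.line_no}: {f.entity} uses {f.function}; "
            f"review if input can exceed {f.max_safe_len} bytes"
        )
```

    The line that already follows the workaround form ("" + HTTP.REQ.URL) is not reported; only lines that still call one of the four functions are.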

SSL

  • Issue ID 492087, 510038, 510483: In a setup with a large number of virtual servers, if only a few virtual servers receive most of the traffic while the other virtual servers are idle, there might be a delay in cleaning up the sessions.
  • Issue ID 494093, 485932, 492191, 492797, 497321: If session reuse is enabled on the NetScaler and a network error occurs, the NetScaler attempts to clear the session information so that it is not reused for a subsequent session request from the same client. In rare cases, the NetScaler might fail during this cleanup process.

System

  • Issue ID 418028, 409722, 467187: The nsnetsvc process size increases when the "stat" command is executed.
  • Issue ID 507009: Enhancement to log the output of 'lspci -vvvxxx' at boot time to the SDX log. It uses logrotate to keep log data from the last 3 boots.
  • Issue ID 497321, 501856, 502116, 502902, 517374: The NetScaler appliance can crash when a large HTTP request URL has a space in it and if the request is broken into multiple packets.
  • Issue ID 494013: When an HTTP profile is bound to a virtual server or service, the configurations of this profile are considered over the configurations of the global HTTP profile (nshttp_default_profile). However, when connection multiplexing is disabled globally and enabled on the virtual server or service, the global setting for connection multiplexing is being considered. This issue has now been fixed.
  • Issue ID 532316, 532045, 533018, 534634, 534671, 537616: When the NetScaler ADC hits congestion with HA or LACP packets or continuous congestion in a single-PE environment, it cannot recover and packet transmission stops. This is applicable to the management ports on NetScaler SDX appliances and to all ports on NetScaler VPX instances running on XenServer.

User Interface

  • Issue ID 496957: If you have assigned an SSL chip to a VPX instance provisioned on an SDX appliance, you cannot enable or disable TLS1.1 and TLS1.2 protocol support on a virtual server by using the configuration utility.

    Workaround: Use the command line to enable or disable support for these protocols on the virtual server.

Known Issues and Workarounds

AAA-TM

  • Issue ID 457817: In NetScaler 9.3 and previous versions, the NetScaler ADC used the SNIP as the source IP address for authentication requests unless the administrator configured a static route to a different interface. In NetScaler 10.1 and subsequent versions, the ADC uses the NSIP address as the source for authentication requests even when a static route points to a different interface.

    To force the ADC to use the SNIP (not the NSIP) as the source IP address in version 10.1 and subsequent versions, you can set up a load balancing virtual server with an authentication service, and then configure that load balancing virtual server to perform the authentication action.

  • Issue ID 437454: The NetScaler ADC AAA-TM user interface has a timeout of 20 seconds. If authenticating through an external authentication server takes more than 20 seconds, the following message appears in the logs: "libaaa recv failed". This message does not indicate that authentication failed or any other problem that affects users. It can safely be ignored.
  • Issue ID 481876: When AAA-TM logs users off after their sessions time out, the traffic management session associated with the user is not terminated. If the number of abandoned traffic management sessions exceeds internal limits, the NetScaler ADC might become unresponsive.
  • Issue ID 332831: The rule (expression) in a AAA-TM policy can be from one to 1434 characters in length. If you enter a longer rule, AAA-TM displays an "invalid rule" error.

AppFlow

  • Issue ID 327439: AppFlow records generated by the NetScaler appliance cannot be seen on SPLUNK.
  • Issue ID 396892: The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.
  • Issue ID 472971: The HTML Injection JavaScript is incorrectly inserted into one of the JavaScript responses sent by the server, causing the page to fail to load.
  • Issue ID 388563, 438710, 488206: The following behavior is seen during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    - The applications stop functioning, but are visible on the browser.

    - The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.

    - When you click OK on the dialog box, the applications are not displayed anymore.

    - If you launch any fresh applications without re-login, all the previously launched applications will resume with the previous status.

Application Firewall

  • Issue ID 498912: On a NetScaler ADC that has the application firewall enabled and the buffer overflow check configured to block, the following error message might appear in the logs: "Internal error: additional data generated after partial response <blocked>". This error message indicates that a partial response was sent before the remainder of the response was blocked.
  • Issue ID 489691: If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.
  • Issue ID 455652: The auto-update operation restores the default SQL/XSS patterns in the signatures. If the user edits a signature to remove any of the SQL/XSS patterns, the removed patterns might reappear in the signature when it is auto-updated.
  • Issue ID 466329: If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.
  • Issue ID 399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

    For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:

    > update appfw signatures "*Default Signatures"

    > update appfw signatures "custom_signatures"

    > update appfw signatures "custom_signatures_2"

  • Issue ID 283780: When you enable the sessionless URL closure feature, you must also enable the URL closure feature. If you do not enable URL closure, the sessionless URL closure feature does not work.
  • Issue ID 430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:

    > show appfw JSONContentType

    1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

    Done

    If it is not, the screen shows only the following:

    > show appfw JSONContentType

    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX

    show appfw JSONContentType

  • Issue ID 457926, 506333: If the user sends a request that contains the string "Javascript" without a non-alphanumeric delimiter, the Cross-Site Scripting check does not block the request. This is expected behavior. Without a delimiter, the keyword "Javascript" cannot trigger code execution and therefore poses no threat to the protected web application.
  • Issue ID 451014: On a NetScaler ADC that has the application firewall enabled and the HTML SQL injection feature configured to block, when the ADC detects an SQL violation on a page with a web form, a second violation might be generated for the Form Action URL. This is expected behavior. To avoid unexpected blocks, when you configure a relaxation for a web form, be sure to include a relaxation for the Form Action URL as well.
  • Issue ID 427798: A NetScaler ADC that has the application firewall feature enabled might reset the connection after a protected web server issues an HTTP 204 response.
  • Issue ID 511654: For some requests, the application firewall log message for a Field Consistency violation might not include the name of the field that triggered the violation.
  • Issue ID 364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup.

    Workaround: Display the bindings in the command line interface, by using the "show system global" command.

  • Issue ID 510006: For some malformed requests, the NetScaler application firewall log messages might not include the client IP address.
  • Issue ID 372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 511254: The customer's application does not work when the application firewall is deployed to inspect the request for security check violations. When the application firewall forwards the request to the backend server, the server responds with a 403 HTTP error code indicating that it cannot properly validate the CORBA session and sends the page without the expected data in the form fields. The root cause is under investigation.

    The workaround is to turn off form field tagging and credit card checks.

Cache Redirection

  • Issue ID 509690: The NetScaler ADC fails if the cache redirection virtual server and the httpport parameter point to the same service. For example, the following configuration causes the ADC to fail:

    set ns param -httpport 80

    add cr vserver cr1 http * 80

    set cr vserver cr1 -listenpolicy "client.ip.src.eq(1.1.1.1)"

    Workaround:

    Add a listen policy when you add the cache redirection virtual server. For example:

    set ns param -httpport 80

    add cr vserver cr1 -td 0 HTTP * 80 -range 1 -cacheType TRANSPARENT -Listenpolicy "CLIENT.IP.DST.EQ(4.4.4.10)"

    Or:

    Unset the httpport parameter. For example:

    unset ns param httpport

    add cr vserver cr1 http * 80

Command Line Interface

  • Issue ID 512526: The NetScaler command line interface exits abruptly on executing the "show dns addRec -format old" command.

Configuration Utility

  • Issue ID 485314: On the Reporting tab of the NetScaler GUI, if you have chosen to use the time zone settings of the NetScaler ADC, the System Overview graph does not reflect the time zone set on the NetScaler ADC. The values in the graph are for the GMT time zone.
  • Issue ID 499223: The maximum length for creating a NetScaler ADC system user password (System > User Administration > Users) is 127. The GUI tooltip displays this value as 255, which is incorrect.
  • Issue ID 490130: When you use the configuration utility to create a FIPS key, the FIPS wizard fails to respond.
  • Issue ID 483226: The key filename property of Import FIPS key (Configuration > Traffic Management > SSL > FIPS > FIPS keys > Action > Import > Key Filename) fails if you enter an incomplete file path consisting of folder1/folder2/rsa.key, where folder1 and folder2 are the folders within the nsconfig/ssl path.

    Workaround: In release 10.1, provide only the FIPS key. For example, rsa.key.

    In release 10.5, you must specify the complete file path to the FIPS key. For example, nsconfig/ssl/folder1/folder2/rsa.key.

  • Issue ID 470941: You cannot use the configuration utility to add signatures to an existing application firewall policy.

    Workaround: Use the command line interface.

  • Issue ID 374437: If, when using the configuration utility to configure a NetScaler ADC, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 459703: In a high availability setup, if you run the "add ssl certkey" command on the primary node, and the certificate and key files are not present on the secondary node, the command fails on the secondary node. However, the configuration utility does not display an error message.
  • Issue ID 400073, 401262: If you use a Chrome browser to access the NetScaler graphical user interface (GUI), the browser might display the Page Unresponsive error message.

    Workaround:

    If you are using a Windows computer, do the following:

    1. Right-click the shortcut icon that you use to open the Chrome browser, and select Properties from the pop-up menu.

    2. In the Google Chrome Properties dialog box, click the Shortcut tab and, in the Target field, append the following value: --disable-hang-monitor

    For example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-hang-monitor http://www.google.com

    3. Close all instances of the Chrome browser, and restart the Chrome browser.

    If you are using a Mac computer, do the following:

    1. Open the terminal.

    2. Launch the Chrome browser from the terminal and append the --disable-hang-monitor value, as follows:

    open -a /Applications/Google\ Chrome.app --args --disable-hang-monitor

  • Issue ID 389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
  • Issue ID 469755: If you open the NetScaler ADC configuration utility on multiple browser tabs, and if you disable a feature on one of the tabs, the other tabs are not automatically refreshed.

    Workaround: Manually refresh the tabs.

  • Issue ID 414807: The Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard displays an error if more than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers, or if more than one service is bound to the service group.
  • Issue ID 388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 353015: Load balancing virtual servers that are used by AppExpert applications are displayed in nodes other than the AppExpert node. For example, they are displayed in the Available Virtual Servers list in the "Create Persistency Group" dialog box (Load Balancing > Persistency Groups > Add) and in the "Create Persistency Group" dialog box list that appears when you click the "Name" button in the list "Create Content Switching Action" dialog box (Content Switching > Actions > Add).
  • Issue ID 482135: Java Runtime Environment (JRE) does not work on Internet Explorer version 10.

    Workaround: Press F12 and set the Document Mode and Browser mode to Internet Explorer 9.

  • Issue ID 456428: The IP Bindings tab on the Create VLAN and Configure VLAN pages does not display IP addresses that are in the same subnet as the management IP (NSIP) address.
  • Issue ID 278002, 273176, 389874: If you use the configuration utility to enable or disable an extended ACL or ACL6, the utility does not warn you that the change does not take effect until you apply ACLs.

Content Switching/Load Balancing

  • Issue ID 399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

DNS

  • Issue ID 458313: When the NetScaler is configured as a DNS proxy and it receives a DNSSEC query with the Checking Disabled (CD) bit set, it does not pass the bit as is to the server at the back end. Instead, it turns the bit off. This impacts deployments in which the NetScaler is load balancing a DNSSEC-aware resolver. The impact is that the resolver checks the DNSSEC signatures even if the client requested, by setting the CD bit, that it not do so.
  • Issue ID 458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.

    - If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.

    - If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.
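
The following is an added example, not part of the original release notes or of any Citrix tooling. For Issue ID 458313, it compares the same DNS query as captured on the client side and on the server side of a proxy and reports whether the CD bit (or the EDNS DO bit) changed in transit. The sample packets are constructed inline, and the function names are assumptions made for this illustration.

```python
import struct

# DNS header flag masks (RFC 1035; CD is defined by DNSSEC, RFC 4035).
FLAG_QR = 0x8000   # 1 = response
FLAG_RD = 0x0100   # recursion desired
FLAG_CD = 0x0010   # checking disabled
OPT_TYPE = 41      # EDNS0 OPT pseudo-record
OPT_DO = 0x8000    # "DNSSEC OK" bit inside the OPT TTL field


def build_query(qname, txid, cd=False, do=True):
    """Build a constructed A query with an EDNS0 OPT record (sample input only)."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, OPT_DO if do else 0, 0)
    return header + question + opt


def _read_name(msg, off):
    """Read an uncompressed domain name; return (name, offset after it)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            return ".".join(labels) or ".", off + 1
        if n & 0xC0 or off + 1 + n > len(msg):
            raise ValueError("compressed or truncated label in query")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def parse_query(msg):
    """Extract the question and the DNSSEC-relevant bits from a DNS query."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & FLAG_QR or qd != 1 or an or ns:
        raise ValueError("not a plain single-question query")
    qname, off = _read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    do = False
    for _ in range(ar):                       # look for the OPT record
        _name, off = _read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            do = bool(ttl & OPT_DO)
    return {"id": txid, "qname": qname, "qtype": qtype,
            "cd": bool(flags & FLAG_CD), "do": do}


def compare_hops(client_side, server_side):
    """Return findings for one query seen before and after the proxy.

    A proxy may rewrite the transaction ID, so the two captures are matched
    on the question (name and type), not on the ID.
    """
    c, s = parse_query(client_side), parse_query(server_side)
    if (c["qname"].lower(), c["qtype"]) != (s["qname"].lower(), s["qtype"]):
        raise ValueError("captures do not carry the same question")
    findings = []
    if c["cd"] and not s["cd"]:
        findings.append("CD_CLEARED")   # resolver will validate against the client's wish
    if s["cd"] and not c["cd"]:
        findings.append("CD_SET")
    if c["do"] != s["do"]:
        findings.append("DO_CHANGED")
    return findings


# Constructed sample: the client sets CD, the forwarded copy has it cleared.
CLIENT_SIDE = build_query("example.com", 0x1A2B, cd=True)
SERVER_SIDE = build_query("example.com", 0x7777, cd=False)

if __name__ == "__main__":
    print(compare_hops(CLIENT_SIDE, SERVER_SIDE))
```

To use it on real traffic, feed it the UDP payloads of the same query taken from a client-side and a server-side packet capture.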

GSLB

  • Issue ID 497412: If you perform a force sync of the GSLB configuration, the non-default settings on the RPC node are lost. As a result, the GSLB auto-sync functionality is lost.
  • Issue ID 511878: If the length of the domain name bound to a GSLB virtual server exceeds 31 characters, the domain name is displayed as HASHED STRING while performing an SNMP MIB Walk operation.

Graphical User Interface

  • Issue ID 511638: If you do not specify the deployment details when you import the SharePoint AppExpert template, you cannot configure backend servers.

HTTP Profiles

  • Issue ID 501100: Setting 'Request timeout' or 'Request timeout action' in HTTP Profiles can cause the NetScaler to fail in some situations.

High Availability

  • Issue ID 471294: When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) build 126.x, the updates made in the Webinterface.conf file are overwritten by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes.

    To avoid this issue, use the following steps when upgrading the HA nodes:

    1. Before upgrading, run the "set ns param -internaluserlogin DISABLED" command.

    2. Upgrade the secondary HA node to NetScaler release 10.1 build 126.x.

    3. Force failover to make the upgraded node the primary node.

    4. Upgrade the other HA node to NetScaler release 10.1 build 126.x.

    5. Reenable the "internaluserlogin" parameter with the "set ns param -internaluserlogin ENABLED" command.

    6. Save the configurations.

    Note: Before upgrading, synchronize files between the HA nodes by using the "sync ha files all" command.

Integrated Caching

  • Issue ID 486535: In a NetScaler deployment that has integrated caching and SSL enabled, the NetScaler can crash in the following scenario:

    1. Client1 requests an object that is not in cache.

    2. While the NetScaler fetches the object from the backend server, client2 (a slow client) sends a request for the same object.

    3. Client1 now decides to reset the connection.

    4. When available, NetScaler serves the object to client2.

    However, since client2 is slow, large data is piled up on the NetScaler that needs to be forwarded to client2. When the NetScaler tries to send this large data to the client, the NetScaler can crash.

  • Issue ID 440107, 440389: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

Load Balancing

  • Issue ID 499523: In all releases of 10.0 and 10.1, "show server" is missing information for GSLB services: IP address and state.

    This feature works in all releases of 9.3 and 10.5.

  • Issue ID 460040: A StoreFront service on a NetScaler ADC is not marked as DOWN even though all the StoreFront services bound to the StoreFront server are manually brought down.
  • Issue ID 455133: If the FQDN is not resolvable, you might notice high CPU utilization on the NetScaler ADC.
  • Issue ID 277862: With a NetScaler Web 2.0 Push configuration in streaming mode, if the length of the response from the server is in the range of 10^n - 2^4n bytes, where n=1, 2, 3, and so on (for example, 1-15, 100-255, or 1000-4095 bytes), the push virtual server adds a byte to the response that it sends to the client. As a result, after the first response, subsequent updates sent on the same connection are lost.
  • Issue ID 464952: If a DNS autoscale service group is bound to a virtual server, the "show lb vserver" command output displays one extra service bound to the virtual server.
  • Issue ID 505543: The NetScaler ADC might fail if a high idle timeout value is set on a TFTP load balancing virtual server and the ADC runs out of memory.
  • Issue ID 441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.
  • Issue ID 516615: If your spillover policy contains the ACTIVETRANSACTIONS or the SURGECOUNT expression (for example, <expression>.ACTIVETRANSACTIONS.GT(<N>)), traffic might spill over to the virtual server bound to this policy even though the current value of the counter has not reached N. This is because these two expressions use an arbitrary number for comparison.

    For example, spillover to a virtual server bound to the following policy might occur before the active transactions counter reaches a value of 10:

    SYS.VSERVER("A").ACTIVETRANSACTIONS.GT(10) -action spillover

  • Issue ID 516606: If all of the following conditions are present, they might lead to a situation in which CPU usage is significantly different among the packet engines (PEs):

    1. The maximum number of clients (maxclients) for a service is set to a value less than the number of PEs in the system.

    2. Connections to this service have a high degree of connection reuse, that is, multiple requests are sent on the same TCP connection.

    3. Requests for connections to this service cause a surge queue build up.

    If the maxclient setting is less than the number of PEs, only some PEs can open connections. After the maxclient limit is reached, PEs that have open connections are not likely to close them, because they are using those connections to process the traffic generated by high connection reuse and the large surge queue. As a result, the other PEs might not be able to open new connections. They therefore have a lower level of CPU usage, because they cannot participate in processing the surge queue.

    This is expected behavior and usually does not cause any issues. However, if some of the PEs have near 100% CPU usage while the other PEs have relatively low CPU usage, you might want to limit the maximum requests per connection by using the "set service <name> -maxReq <positive_integer>" command, so that the PEs close connections that have delivered the specified number of requests. This evens out the CPU usage, because it allows the other PEs to open connections to the service.

NS-Platform

  • Issue ID 524320: If an LACP channel is bound to nine or more interfaces and is a member of a tagged VLAN, deleting the channel from a service VM can cause the NetScaler appliance to fail intermittently.

NetScaler Gateway

  • Issue ID 374890: If you configure the appliance with NetScaler Gateway and Application Firewall, logon attempts by unauthorized users appear in the logs. When an authorized user logs on and then attempts to access a network resource to which users are explicitly denied, the access attempt does not appear in the logs and users receive a 403 error.
  • Issue ID 400171: If you configure Group Extraction, you cannot bind an LDAP authentication policy to the virtual server. However, if an LDAP authentication policy was bound to the virtual server before configuring Group Extraction, you can enable authentication on the virtual server.
  • Issue ID 400050: The NetScaler Gateway Plug-in for Java does not compress network traffic even when compression is configured on the NetScaler Gateway.
  • Issue ID 376303, 394800: If you configure an intranet IP address, when users log on by using clientless access and then open SharePoint 2007, when they try to open a folder with Windows Explorer, a blank page appears.
  • Issue ID 411152: When you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver, the applications and desktops do not appear. The following message appears: There are no apps or desktops assigned to you at this time. Citrix recommends disabling the optimization settings.
  • Issue ID 464518, 467420: When users connect, the DNS Service Location (SRV) records configured on NetScaler Gateway are not served.
  • Issue ID 427092: When running the NetScaler Gateway wizard, a prompt appears at the end to make the LDAP authentication policy the primary authentication type, even though the LDAP policy is selected as primary earlier in the wizard.
  • Issue ID 346729: If you apply the Citrix Receiver theme to the NetScaler Gateway logon page, the layout appears garbled on computers running Windows XP Service Pack 3 with Internet Explorer 7 browsers.
  • Issue ID 398693: Installing and uninstalling the NetScaler Gateway Plug-in can take a long time. This is due to multiple entries of the Citrix Virtual Adapter in the registry.
  • Issue ID 373991: On nCore appliances, when users attempt to access the subnet IP address through the VPN tunnel over HTTP, a 401 Access Denied error message appears. Connecting to the subnet IP address works if users make the attempt by using HTTPS.
  • Issue ID 368229: The running configuration does not include group extraction policies bound to the NetScaler Gateway virtual server.
  • Issue ID 392389: When users log on with the NetScaler Gateway Plug-in, when WiFi roaming occurs, intermittent ICMP requests time out and users cannot access network resources.
  • Issue ID 393357: If a Pre-authentication scan is configured on NetScaler and users launch the NetScaler Gateway plug-in when a browser is already open, users are intermittently redirected to the "Internal error" page.
  • Issue ID 385318: If you have configured a proxy server and you configure NetScaler Gateway to route traffic through the proxy server, when users log off from a clientless access session, a 403 error occurs.
  • Issue ID 384998: If you configure NetScaler Gateway as a high availability pair and if there is a failover from the primary to the secondary appliance, the ICA connection to published apps that are already open on the user device is reestablished. If users attempt to open more applications from the Web Interface, the applications fail to open and users receive an error message.
  • Issue ID 397625: To configure two-factor authentication with SAML authentication, you must configure the secondary authentication policy in the primary cascade.
  • Issue ID 399405: Java Plug-in: Intranet Application fails to connect if the AG VIP is running on a non-default port.
  • Issue ID 444387: NetScaler Gateway currently does not support Cross-Domain Constrained Delegation. If the user and service belong to different domains, constrained delegation fails. If the user and the service belong to the same domain and the user logs on with a user name and password, constrained delegation is successful. In addition, if users log on with a user name and password for cross-domain impersonation, constrained delegation works.
  • Issue ID 411851: If you configure a NetScaler Gateway virtual server, enable ICA proxy and enable the Use Source IP (USIP) mode globally, when users connect and use StoreFront to open an application, NetScaler Gateway uses the client IP address as the source IP address when contacting the STA server and the application fails to open. If you disable USIP mode, the same behavior occurs unless you restart the NetScaler Gateway appliance. To avoid the issue, you need to configure a service on NetScaler for the STA server and disable USIP on that service.

NetScaler Insight Center

  • Issue ID 397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 379876, 424686, 437964: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 409634: All the metrics except bandwidth and hits display the average values.
  • Issue ID 414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 482590: If Appflow for ICA is enabled on a NetScaler ADC, the NetScaler Insight Center reports should show XenDesktop details, but that is not always the case. When certain users access XenDesktop, the reports show the application details instead.
  • Issue ID 368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name "(user-id@domain-name)".
  • Issue ID 388096, 423109: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 446120: In some instances, the bar line on a graph appears outside the time points on the x-axis.
  • Issue ID 399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off:

    The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.

  • Issue ID 386911: When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported.

    Workaround: To upgrade to build 120.13 or a later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 441163: NetScaler Insight Center might not display reports under the following set of conditions:

    - NetScaler ADCs that are configured for Network Address Translation (NAT) are added to the NetScaler Insight Center inventory.

    - A NetScaler ADC and a NetScaler Insight Center virtual appliance are in different networks and are configured for Network Address Translation (NAT).

  • Issue ID 394526: In the Dashboard > Web Insight > Applications page, the values shown when you select "Response Time" from the drop-down list can be incorrect.

NetScaler SDX Appliance

  • Issue ID 444854, 487984, 496194, 506802: On an SDX appliance, the Management Service may lose connectivity. The issue is seen only when the Management Service has been in the UP state for many days, the minimum being 277 days.
  • Issue ID 502791: If you use the management service to reset an interface that uses a 1G Fiber SFP, the reset is not detected by the NetScaler VPX instance.
  • Issue ID 494262: The interface statistics on the Management Service Monitoring page show only the SDX platform usage statistics. The statistics of the VPX instances that use the interface are not included. Because the platform itself does not transmit any traffic in normal conditions, the transmission statistics show as zero.
  • Issue ID 369650, 442942, 468381: Configuring an Enforced VLAN by providing a VLAN number in the VLAN ID field is not supported on an SDX Rome 1G port.

    Workaround: Use the Allowed VLAN feature which has the same functionality as Enforced VLAN.

  • Issue ID 512624: When a NetScaler VLAN with the tagged option for channels is selected, the native VLAN also gets tagged inside the NetScaler VPX for the channel.
  • Issue ID 384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 474438, 493664: In SDX systems, sometimes interface or channel binding to a VLAN fails. This happens only if the interface is down or one of the member interfaces of a channel is down.
  • Issue ID 499311: On adding many VPX instances, you may hit the default cache memory limit which could result in unexpected behavior.

    Workaround: Increase the default cache memory limit.

  • Issue ID 476304: On SDX systems, TX stalls are sometimes seen on some of the member interfaces while creating, deleting, or modifying an LACP channel.
  • Issue ID 434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.

NetScaler VPX Appliance

  • Issue ID 405383, 360482: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.
  • Issue ID 405164: On a NetScaler VPX instance running on a Linux-KVM platform, dynamic routing protocols OSPF and ISIS fail to run on the platform's MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

Networking

  • Issue ID 507345: If you bind an interface with a unit number greater than 31 to a VLAN that is used as a Sync VLAN in an HA configuration, the Sync VLAN becomes unoperational.
  • Issue ID 399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
  • Issue ID 383958, 411806: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 318684: In an HA configuration in INC mode running the OSPF routing protocol, the secondary node drops all the L3 traffic that has the destination that was advertised by the secondary node.
  • Issue ID 485260: In an active-active high availability configuration using Virtual Router Redundancy Protocol (VRRP) protocol, a ping to a virtual IP address (VIP) might fail from a node that is a backup node for this VIP address.
  • Issue ID 323127: The NetScaler ADC might become unresponsive if you run the show route operation during a dynamic route addition or deletion process.
  • Issue ID 371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the "sync HA files" command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each node of the HA configuration:

    > add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:

    On the primary node:

    > add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    On the secondary node:

    > add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

  • Issue ID 528554: An ACL6 rule might not get evaluated for a series of TCP packets.

Platform

  • Issue ID 402113: L2 mode is not supported on NetScaler VPX instances running on a Linux-KVM host.
  • Issue ID 402111: VLAN tagging is not supported on a NetScaler VPX instance operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
  • Issue ID 407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.
  • Issue ID 385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
  • Issue ID 407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.
  • Issue ID 381000: On some NetScaler appliances, the following four sensor readings are no longer available. The "stat system -detail" command displays a value of 0.

    - Intel CPU Vtt Power (Volts)

    - Voltage Sensor2 (Volts)

    - Temperature 0 (Celsius)

    - Temperature 1 (Celsius)

    This change affects the following platforms:

    - MPX 11500/13500/14500/16500/18500/20500

    - MPX 17550/19550/20550/21550

    - MPX 8200/8400/8600

    - MPX 5550/5650/5750

  • Issue ID 510673, 517241: NetScaler VPX instances running on VMware ESXi lose network connectivity when you apply either of the following patches:

    - ESXi550-201410401-BG

    - ESXi510-201410401-BG

    Workaround: For more information, see http://support.citrix.com/article/CTX200278.

Policies

  • Issue ID 390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.

  • Issue ID 422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.

    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
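
The following is an added example, not code from the original release notes and not NetScaler's implementation. It models one way the overlap in Issue ID 422967 can arise: the IPv4 Protocol field sits at byte offset 9 of the IP header, and in an IPv6 header the same offset is the second byte of the source address. It then shows the effect of checking the IP version first, as the workaround expression does. The function names and packets are constructed for this illustration.

```python
import ipaddress
import struct

ICMP = 1  # IPv4 protocol number for ICMP
TCP = 6


def ipv4_header(src, dst, proto):
    """Constructed 20-byte IPv4 header (checksum left at 0; sample input only)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ipv6_header(src, dst, next_header):
    """Constructed 40-byte IPv6 header (sample input only)."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return struct.pack("!IHBB16s16s",
                       first_word, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def naive_is_icmp(pkt):
    """Read the IPv4 Protocol offset without checking the IP version."""
    return pkt[9] == ICMP


def guarded_is_icmp(pkt):
    """Mirror the workaround: require IPv4 first, then test the protocol."""
    return (pkt[0] >> 4) == 4 and pkt[9] == ICMP


def classify(samples):
    """Return (label, naive result, guarded result) for each sample packet."""
    return [(label, naive_is_icmp(pkt), guarded_is_icmp(pkt))
            for label, pkt in samples]


# Constructed samples. 2001:db8::/32 is the IPv6 documentation prefix; its
# first two bytes are 0x20 0x01, so byte offset 9 of the header holds 0x01.
SAMPLES = [
    ("ipv4 icmp", ipv4_header("192.0.2.10", "192.0.2.1", ICMP)),
    ("ipv4 tcp", ipv4_header("192.0.2.10", "192.0.2.1", TCP)),
    ("ipv6 tcp from 2001:db8::10", ipv6_header("2001:db8::10", "2001:db8::1", TCP)),
    ("ipv6 tcp from fd00::10", ipv6_header("fd00::10", "fd00::1", TCP)),
]

if __name__ == "__main__":
    for label, naive, guarded in classify(SAMPLES):
        print(f"{label:30} naive={naive!s:5} guarded={guarded}")
```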

Reporting

  • Issue ID 368982: After you import a custom data source, the charts for the counters under "System entities statistics" are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 468198: If the format of a CRL is incorrect or the issuer of a CRL does not match the specified CA certificate, and you run the "show crl" command, an error message showing the CRL status as invalid appears.
  • Issue ID 402423: In a cluster setup, if you include the "cipherdetails" option in the "show ssl service" or "show ssl vserver" command, an incorrect message appears. This is only a display issue.

    For example,

    > sh ssl service svc1 -cipherDetails

    ERROR: No such resource [serviceName, svc1]

  • Issue ID 455821: An SSL chip is disabled at the third reinitialization attempt. That is, the maximum reinitialization limit is 2. Earlier, this limit was 5.

System

  • Issue ID 480258, 494482: During the execution of the "nstrace.sh" script (from shell) or the "start nstrace" command (from CLI), when the trace file is rolled over, some packets might not be available in the trace. The number of packets that will be dropped from the trace is directly proportional to the traffic rate.
  • Issue ID 427126, 441982, 452885, 456645: When using MPTCP, if a single SSL record is split into a large number (> 100) of small segments, an SSL buffer overrun causes the NetScaler appliance to crash.
  • Issue ID 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

  • Issue ID 377618, 341460, 351127, 364015, 481575, 499259: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error:

    Invalid response from the aggregator [Device not Configured]

User Interface

  • Issue ID 440208: If a new SSL certificate that requires a key is installed without the key, access to the management service GUI is lost.
  • Issue ID 475830, 449234: A large configuration file puts a heavy load on the management CPU. The resulting delay in displaying the output of the "show ns runningconfig" command might exceed the timeout value.

    Workaround: If you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a placeholder for a timeout value, modify the script to increase the timeout value to 500 seconds.

Web Interface

  • Issue ID 397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 363145: The following APIs are not available in version 10.1 or later:

    - bindservicegroup_state2

    - unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.


Build 129.22

Release version: Citrix NetScaler, version 10.1 build 129.22

Replaces build: 129.11

Release date: October 2014

Release Notes version: 2.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).
Note: The fixed issues listed below are in addition to the ones listed in 129.11:
  • 512321
  • 523088
  • 512191
  • 487686
  • 504990
  • 501834
  • 510483,528655
  • 503856
  • 483340
  • 513952

Enhancements

NetScaler Gateway

  • Issue ID 406312: On Windows-based devices, there are two new registry entries for NetScaler Gateway that override Citrix Receiver for Windows behavior. The new registry entries specify the following:

    - Enable or disable client cleanup on the user device when Receiver is also running.

    - Show or hide the NetScaler Gateway Plug-in icon even if it is integrated with Receiver.

    To enable client cleanup:

    Note: Enable client cleanup on NetScaler Gateway and then set the registry entry on the user device.

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client

    Name: AllowCleanup

    Type: REG_DWORD

    Data: 1

    To show the NetScaler Gateway Plug-in icon:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client

    Name: DisableIconHide

    Type: REG_DWORD

    Data: 1

NetScaler SDX Appliance

  • Issue ID 464856: When the system sends an e-mail notification, the notification contains the host name along with the IP address as the sender.
  • Issue ID 492668: You do not require a separate license file to set up a cluster on an SDX appliance. Clustering support will be provided with a valid SDX Platform License.

Networking

  • Issue ID 486632: Now, the NetScaler appliance sends all ARP replies from the first interface (lexicographical order) of an LA channel.

Platform

  • Issue ID 487831: The SDX 24100/24150 and MPX 24100/24150 platforms are now supported in this release.

Policies

  • Issue ID 388879: You can now get the ethertype by using an advanced policy expression.

    Examples:

    - CLIENT.ETHER.ETHERTYPE.EQ(IPv4)

    - SERVER.ETHER.ETHERTYPE.EQ(IPv6)

SSL

  • Issue ID 385499:

    Display HSM Model Number

    The output of the "show fips" command now displays the HSM model number as shown below. This is especially helpful if you are conducting an audit of the FIPS card in a NetScaler appliance and cannot open the appliance without voiding the warranty.

    > sh fips

    FIPS HSM Info:

    HSM Label : NetScaler FIPS

    Initialization : FIPS-140-2 Level-2

    HSM Serial Number : 2.1G1037-IC000253

    HSM State : 2

    HSM Model : NITROX XL CN1620-NFBE

    Hardware Version : 2.0-G

    Firmware Version : 1.1

    Firmware Release Date : Jun04,2010

    Max FIPS Key Memory : 3996

    Free FIPS Key Memory : 3994

    Total SRAM Memory : 467348

    Free SRAM Memory : 62580

    Total Crypto Cores : 3

    Enabled Crypto Cores : 3

    Done

Bug Fixes

AAA-TM

  • Issue ID 474918, 502915: The NetScaler ADC no longer sets the NSC_TMAA session cookie during a secure load balancing virtual server session.
  • Issue ID 493308: In forms-based single sign-on (SSO), if the designated response size is 0, the NetScaler ADC does not search for the complete response, as it normally would for responses with sizes above 0. It therefore fails to find the login form, and forms-based SSO authentication fails.
  • Issue ID 476885: When AAA is configured to authenticate users to a Microsoft SharePoint 2013 server by using NTLM, the user might be prompted to retype his or her credentials even though the user entered those credentials correctly. After the user retypes the credentials, he or she is logged on successfully. The issue is that initially the NetScaler ADC sends an incorrect domain to SharePoint.
  • Issue ID 488015: If the hostname that sends an incoming request does not match the domain configured on the authentication virtual server, the NetScaler ADC returns an HTTP 500 error. As a workaround, configure an authentication profile and include the hostname.
  • Issue ID 478374: The Authorization header that the client sends with the user credentials for 401-based authentication for KCD was intentionally corrupted by the NetScaler ADC to “Ahoutrization” before being forwarded to the backend. To avoid the risk of the user-supplied credentials being decoded with a simple base64 decode, the ADC now removes the incoming Authorization header containing user credentials and inserts a new Authorization header with a Kerberos token before sending the payload to the backend application.

AppFlow

  • Issue ID 512321, 519402: If you enable AppFlow for ICA on a NetScaler ADC, the NetScaler ADC might fail under certain conditions while parsing the ICA frames.
  • Issue ID 523088: If you have enabled AppFlow for ICA on a NetScaler ADC, the ADC crashes while processing CGP packets.
  • Issue ID 504990, 508918: The NetScaler ADC fails if AppFlow is enabled and it receives an ICA command longer than 2048 bytes.
  • Issue ID 487686, 502208, 516910: The NetScaler ADC might fail if you disable AppFlow or clear the AppFlow actions and policies while ICA traffic flows through the NetScaler ADC.

Application Firewall

  • Issue ID 479840, 472476, 482042: The application firewall parses multipart forms correctly according to the appropriate RFC.
  • Issue ID 513952: The SQL wildcard characters (%, _, ^, []) were accidentally removed from the Citrix application firewall default signature object. This breaks the SQL wildcard functionality when the default signature file and its clones are used. This fix restores the wildcard characters in the default signature file. The application firewall detects them and flags the SQL Injection check violations.

    Workaround: You can manually add the wildcard characters to the affected builds, or you can upgrade to the latest build.

  • Issue ID 503856: The NetScaler application firewall “Click to Rule” functionality is not working in the 51.x and the 52.x builds of release 10.5. With this fix, the user can successfully select the pertinent log message in the syslog viewer and deploy it as a relaxation rule.
  • Issue ID 486231: If you update default signatures on the primary NetScaler ADC in an HA pair, you cannot sync the updated signatures to the secondary ADC.

    Workaround: Export the updated signatures, and import them on the secondary ADC.

  • Issue ID 459031, 463351: If you use the configuration utility to make changes to the HTML Cross-Site Scripting check, Allowed/Denied patterns, the application firewall becomes unresponsive after the first POST request it receives after you save your changes. (The Allowed/Denied patterns are accessed through the Modify Signature dialog box.) If you use the command line to make the same changes, no problems occur.
  • Issue ID 464641: If the application firewall receives a multipart POST request with a Content-Type header that contains a charset, it blocks that request as malformed.

Cache Redirection

  • Issue ID 497866, 502366: An invalid HTTP request received on a cache redirection virtual server configured on the NetScaler ADC is sent to the cache server. This results in errors and degraded performance.

    With the fix, invalid HTTP requests are redirected to the origin server instead of the cache server.

CloudBridge Connector

  • Issue ID 512191, 513775: Memory leaks might occur on NetScaler ADCs connected to a CloudBridge Connector tunnel when one of the ADCs sends monitor probes, through the tunnel, to a service that is bound to an HTTP or SSH load balancing virtual server.

Cluster

  • Issue ID 480071, 483171: When upgrading a cluster node to NetScaler 10.5, from any build of NetScaler 10.1, make sure that the "syncookie" parameter is disabled on the TCP profiles. Otherwise, there can be disruption in traffic flow.

Command Line Interface

  • Issue ID 480639: The rbaOnResponse system parameter fails to work after you upgrade NetScaler ADC nCore or nCore VPX from version 9.3 to 10.x.

Configuration Utility

  • Issue ID 488748: If you bind a load balancing monitor to a load balancing service, the Configure Service dialog box displays an incorrect value for response time on the Monitor tab.
  • Issue ID 475653: If you bind a content switching policy to a content switching virtual server, an incorrect value appears in the Configure Virtual Server (Content Switching) dialog box. The error is on the CSW tab, in the Hits column under Policies.
  • Issue ID 483340: The NetScaler Application Delivery Controller (ADC) and NetScaler Gateway are vulnerable to arbitrary code execution in a SOAP interface, as described at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7140.

    With this fix, the ADC and NetScaler Gateway do not allow a remote attacker to execute arbitrary code.

  • Issue ID 490142: The configuration utility displays the “Resource already exists” error if you configure a content switching virtual server with the IP address 10.69.129.128.

    Workaround: Configure the content switching virtual server with a different IP address.

  • Issue ID 451546: A NetScaler ADC displays a Java error if you access it by using an sshd connection.

DNS

  • Issue ID 484069: When a NetScaler ADC is deployed as a DNS server with caching enabled, and "flush dns proxyRecords" is used when the ADC is serving a large volume of traffic and has a large number of records in its cache, the ADC might fail.
  • Issue ID 471707: The DNS cache entries are not flushed if the DNS caching feature has been disabled for approximately 250 days.
  • Issue ID 477552: If a server sends a NODATA response that has a CNAME record in the answer section and no records in the authoritative and additional sections, the response is marked for CNAME caching on the NetScaler ADC, because it is incorrectly assumed to be a referral response. As a result, the ADC sends a blank response to subsequent queries, of any query type, for the canonical name.

DataStream

  • Issue ID 479472, 501750: If a service group is used to load balance MSSQL servers that require Kerberos Constrained Delegation, the NetScaler ADC fails to use the proper service port to fetch tickets.

GSLB

  • Issue ID 453144, 455417: In rare cases, high management-CPU usage occurs and a large number of error messages appear in the log file. As a result, queries to the location database might fail, and the backup load balancing method is used for site load balancing.

High Availability

  • Issue ID 469857: In an HA setup, even though the source IP is not explicitly set to *, the output of the "show ns rpcNode" command shows the source IP as *. Therefore, when HA failover happens for the second time, the LB persistency session information is not propagated to the secondary node. This means that the information is not available when a forced failover is performed on the new primary node.

    The fix ensures that the NetScaler IP (NSIP) address of the local box is always set as the source IP address in an HA setup.

Integrated Caching

  • Issue ID 488145: With integrated caching enabled, the NetScaler can crash when the evaluation of a callout 'result expression' (configured with the resultExpr parameter) results in an UNDEF condition.

Load Balancing

  • Issue ID 482113: If you have configured the RADIUS PI expression CLIENT.UDP.RADIUS.ATTR_TYPE(<avp code>) for content switching, rule-based persistency, or the token load balancing method, and you typecast the result of this expression to an integer or IP address by using the expression TYPECAST_NUM_AT / TYPECAST_IP_ADDRESS_AT, the typecast operation fails.
  • Issue ID 489197: If a client connection is in the CLOSE_WAIT state, the NetScaler ADC does not send PUSH notifications to the client. However, it reports success to the PUSH server.

NetScaler Gateway

  • Issue ID 470013, 480556: If users connect to a web resource over Secure Browse and a proxy server resides behind NetScaler Gateway, single sign-on fails. Single sign-on is successful to either the web resource or the proxy server, but not both at the same time.
  • Issue ID 489343: If the authentication server is extremely slow to respond (for example, 15-30 seconds or more), users can experience delays in logging on successfully, even if the number of simultaneous connections is low.
  • Issue ID 417481, 423915, 496637: The endpoint analysis scan fails when users log on by using Internet Explorer 11.
  • Issue ID 447452, 486009: If the maximum number of users is set to a number greater than 5 on a NetScaler Gateway virtual server and you remove the Universal license, the virtual server configuration is also removed.
  • Issue ID 488182, 489345, 493939: When there are a very large number of simultaneous user authentication requests and the authentication server is slow to respond, NetScaler Gateway can fail.
  • Issue ID 484245: If Kerberos uses X.509 certificates (PKINIT) for single sign-on, NetScaler Gateway fails to obtain tickets if the Key Distribution Center (KDC) returns a realm referral. This can cause the NetScaler Gateway appliance to fail.
  • Issue ID 484431, 488182: When there are a very large number of simultaneous user authentication requests and the authentication server is slow to respond, NetScaler Gateway can fail.
  • Issue ID 481889, 486176, 501408: In a high availability deployment, if the NetScaler Gateway virtual server is missing on the secondary appliance, NetScaler Gateway fails during session propagation.
  • Issue ID 495610: Upgrading to Maintenance Build 122.11 changes the rewrite policy for HTTP.REQ.USER.NAME. This change retrieves the single sign-on name attribute instead of the server logon name.
  • Issue ID 494463: If user names that contain a period (.) have a common prefix before the period, NetScaler Gateway creates cache files based on the prefix. When this occurs, tickets for one user are sent to a different user.
  • Issue ID 489609: If you configure SAML authentication with signed SAML assertions and the user connection disconnects before the SAML response is normalized, NetScaler Gateway fails.
  • Issue ID 461279, 491220: When users upgrade the NetScaler Gateway Plug-in from Version 10.1.122.17 or later to the latest Version 10.1 Maintenance Release on a computer that includes an installation of Citrix Receiver, the automatic upgrade fails.
  • Issue ID 490075, 485042: In a high availability deployment, when users log on with SAML authentication, the secondary appliance fails over.
  • Issue ID 459149: If you configure endpoint analysis policies, and the session times out and users do not close the web browser, they cannot log on again.

NetScaler Insight Center

  • Issue ID 486792: If you enable AppFlow for ICA traffic on a NetScaler ADC, and if there is a large number of sessions, the ADC might fail because of an internal memory re-use and dependency issue.
  • Issue ID 482413, 492160: A NetScaler ADC fails when it receives ICA traffic from a metro receiver client.
  • Issue ID 475981: A NetScaler ADC fails when it receives ICA traffic from a metro receiver client.

NetScaler SDX Appliance

  • Issue ID 498440: If the backup file contains more NetScaler instances than the applied license allows, restoring a single NetScaler instance fails with the error message "License does not allow more than x NetScaler instance".

    Workaround: The SDX appliance should have the same license as the backed-up SDX appliance.

    Fix: For an instance restore operation, license validation is done against the number of NetScaler instances selected for restore instead of against all NetScaler instances in the backup file.

  • Issue ID 484194: After you unbind the interface from a channel, the interface drops the packets sent to the individual interfaces.

    Workaround: In such a situation, it is recommended to reboot the VPX.

  • Issue ID 473681: When the management CPU is shared on an SDX appliance, licenses sometimes fail to load on startup if the management CPU is overloaded.
  • Issue ID 432899, 435206: If you create channels on SDX and use these channels in VPXs and then take a backup of the appliance to restore either the complete appliance or selected instances, then channels are not restored and instances may fail.

Networking

  • Issue ID 490190: The NetScaler ADC drops IPv4 packets related to the following protocols:

    - IPv6 encapsulation (41)

    - Fragment Header for IPv6 (44)

    - ICMP for IPv6 (58)

  • Issue ID 460246: In a transparent cache redirection deployment, when a request is destined to a MAC address (say MAC-A) and the response for the request is sent from another MAC address (say MAC-B), the NetScaler ADC sends further requests to MAC-B. If MAC-B stops handling the requests, the session might get hung.
  • Issue ID 480621, 478048: For a link load balancing with RNAT configuration, the NetScaler ADC might use an incorrect subnet IP (SNIP) address to communicate to the external devices.
  • Issue ID 432192: The CPU usage might be approximately 10% higher in NetScaler 10.5 version as compared to NetScaler 9.3 version.
  • Issue ID 471651, 479882, 485831, 493232: For a link load balancing with RNAT configuration in which persistence is enabled for the virtual server, the NetScaler ADC might become unresponsive when the virtual server receives traffic.
  • Issue ID 496564: The NetScaler ADC might fail to evaluate listen policies that contain a source or destination IPv6 address or subnet, for certain IPv6 addresses.
  • Issue ID 477402: In a high availability (HA) configuration, VMAC configuration might be lost when continuous HA failover happens.
  • Issue ID 491473: With more than 1000 IP tunnels configured on a NetScaler ADC, the internal data structure for these IP tunnels might not be updated for some events. This changes the status of these IP tunnels to the DOWN state.
  • Issue ID 475622: The LACP channels of a NetScaler ADC might take around 7 minutes to become functional (UP state) after the NetScaler is restarted.
  • Issue ID 480573: The NetScaler ADC might use a large amount of CPU cycles when it receives a burst of GRE traffic that meets the following criteria:

    - The NetScaler ADC is not the GRE end point for this traffic.

    - The NetScaler ADC creates NAT session information for this traffic.

  • Issue ID 480100, 483728: On a NetScaler ADC, ND6 entries might enter the INCOMPLETE state because of a synchronization mismatch among different internal modules. As a result, the NetScaler fails to serve traffic for that IPv6 address.
  • Issue ID 494875, 498447: In a CloudBridge connector tunnel, IKED packets might get routed back to the same NetScaler ADC instead of the peer tunnel end point.

Policies

  • Issue ID 493045: Using the "SYS.CHECK_LIMIT" expression in conjunction with any boolean expression can cause the NetScaler to crash.
  • Issue ID 473721: The maximum value of the RelayState attribute that can be sent with the assertion that NetScaler sends is increased to 512 bytes. This applies to cases where the administrator configures a traffic policy to send assertion to a relying party.

Platform

  • Issue ID 501834: For NetScaler platforms that have Small Form-factor Pluggable (SFP) transceivers, with part number FTLF8519P3BNL, the bootup log files show that the SFPs are unsupported, even though they are functioning properly. This issue occurs in the following releases:

    - NetScaler 9.3 Build 67.5 or earlier

    - NetScaler 10.1 Build 129.11 or earlier

    - NetScaler 10.5 Build 52.11 or earlier

SSL

  • Issue ID 490273, 378182, 404081: On all the NetScaler MPX platforms, DH cryptographic operation is now offloaded to the hardware, reducing the load on the CPU. If your deployment uses DH crypto operations heavily, you will notice a performance improvement.
  • Issue ID 510483, 527995, 528484: Deployments with one or more SSL virtual servers with SNI enabled might have small memory leaks for each connection. Eventually, after millions of connections, the appliance runs out of memory and fails.
  • Issue ID 484525: If a spike in traffic occurs while the NetScaler ADC is doing a DH-based handshake, some packets might be dropped, because a DH handshake consumes a high number of CPU cycles.

System

  • Issue ID 471100, 425465, 484159, 484187: Changes made to the time zone are not reflected until the NetScaler appliance is warm rebooted.
  • Issue ID 490192: The NetScaler intermittently fails to generate traps due to issues in propagating the alarm state to the SNMP daemon.
  • Issue ID 480219: A new HTTP profile option "rtspTunnel" allows RTSP over HTTP. The RTSP tunnel is detected by the presence of either one of the following:

    - 'Accept: application/x-rtsp-tunnelled' request header

    - 'Content-Type: application/x-rtsp-tunnelled' response header

    Once the tunnel is detected, NetScaler stops HTTP tracking for that TCP connection and lets the RTSP flow go through. The "rtspTunnel" option is disabled by default.

  • Issue ID 478356: With USIP mode enabled, when the client FIN comes along with the final ACK for the server response, the NetScaler TCP module does not acknowledge the FIN.
  • Issue ID 484527: If you change the IP address of a load balancing virtual server that shares the same server information (IP address, port and service) with an audit server and then clear the configurations, the NetScaler is expected to remove the virtual server, the audit server, and other NetScaler configurations. However, when you now add the virtual server with the original server details, the NetScaler throws an error message that says "resource already exists".

    Note: In an HA setup, this behavior is displayed even when you perform a force sync or a force failover operation.

  • Issue ID 498232: When the Call Home feature is disabled before the Call Home enable operation is successful, a second instance of the Call Home process starts to run. This results in high usage of the management CPU.
  • Issue ID 477709: SNMP walk shows the operational status of a LA channel as DOWN even when it is in the PARTIAL-UP state.

XML

  • Issue ID 450232: Users who access a Microsoft SharePoint server through a NetScaler ADC that has the application firewall enabled are unable to open any document type that requires software that is not part of the browser, such as Microsoft Office files.

Known Issues and Workarounds

AAA-TM

  • Issue ID 481876: When AAA-TM logs users off after their sessions time out, the traffic management session associated with the user is not terminated. If the number of abandoned traffic management sessions exceeds internal limits, the NetScaler ADC might become unresponsive.
  • Issue ID 332831: The rule (expression) in a AAA-TM policy can be from one to 1434 characters in length. If you enter a longer rule, AAA-TM displays an "invalid rule" error.
  • Issue ID 437454: The NetScaler ADC AAA-TM user interface has a timeout of 20 seconds. When authenticating to an external authentication server, if authentication takes more than 20 seconds, the following message appears in the logs: "libaaa recv failed". This message does not indicate that authentication failed or any other problem that affects users, and can safely be ignored.

Action Analytics

  • Issue ID 406457: The NetScaler crashes due to an issue in hash calculation and comparison of the action analytics records. The crash is observed when the NetScaler receives URLs that differ only in case.

    Examples:

    http://10.217.6.239/TesT/

    http://10.217.6.239/TEST/

    http://10.217.6.239/TEsT/

    http://10.217.6.239/TeST/

    Note post fix:

    Stream analytics record creation will be case sensitive. For example, WWW.GOOGLE.COM and www.google.com will result in two separate records.

    If this is not desired, stream selector results should be converted to one case. Example:

    add stream selector sel1 HTTP.REQ.hostname.to_lower

AppFlow

  • Issue ID 472971: The HTML Injection JavaScript is incorrectly inserted into one of the JavaScript responses sent by the server, causing the page to fail to load.
  • Issue ID 388563, 438710, 488206: The following behavior is seen during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    - The applications stop functioning, but are visible on the browser.

    - The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.

    - When you click OK on the dialog box, the applications are not displayed anymore.

    - If you launch any fresh applications without re-login, all the previously launched applications will resume with the previous status.

  • Issue ID 396892: The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.
  • Issue ID 327439: AppFlow records generated by the NetScaler appliance cannot be seen on SPLUNK.

Application Firewall

  • Issue ID 283780: When you enable the sessionless URL closure feature, you must also enable the URL closure feature. If you do not enable URL closure, the sessionless URL closure feature does not work.
  • Issue ID 399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

    For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:

    > update appfw signatures "*Default Signatures"

    > update appfw signatures "custom_signatures"

    > update appfw signatures "custom_signatures_2"

  • Issue ID 372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 443673: Signature Bindings Not Shown in PCI-DSS Report

    The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "not set".

  • Issue ID 427798: A NetScaler ADC that has the application firewall feature enabled might reset the connection after a protected web server issues an HTTP 204 response.
  • Issue ID 457926: If the user sends a request that contains the string "Javascript" without a non-alphanumeric delimiter, the Cross-Site Scripting check does not block the request. This is expected behavior. Without a delimiter, the keyword "Javascript" cannot trigger code execution and therefore poses no threat to the protected web application.
  • Issue ID 466329: If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.
  • Issue ID 451014: On a NetScaler ADC that has the application firewall enabled and the HTML SQL injection feature configured to block, when the ADC detects an SQL violation on a page with a web form, a second violation might be generated for the Form Action URL. This is expected behavior. To avoid unexpected blocks, when you configure a relaxation for a web form, be sure to include a relaxation for the Form Action URL as well.
  • Issue ID 489691: If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.
  • Issue ID 430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:

    > show appfw JSONContentType

    1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

    Done

    If it is not, the screen shows only the following:

    > show appfw JSONContentType

    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX

    show appfw JSONContentType

  • Issue ID 364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup.

    Workaround: Display the bindings in the command line interface, by using the "show system global" command.

  • Issue ID 498912: On a NetScaler ADC that has the application firewall enabled and the buffer overflow check configured to block, the following error message might appear in the logs: "Internal error: additional data generated after partial response <blocked>". This error message indicates that a partial response was sent before the remainder of the response was blocked.
  • Issue ID 472476, 418036: When a user attempts to upload a file to a server that is protected by the application firewall, the file upload fails. The underlying cause is that the application firewall included an invalid character in the MIME boundary when encoding the file.
  • Issue ID 423150: The application firewall PCI-DSS report does not contain information on the "SQLInjectionCheckSQLWildChars" parameter.

Content Switching

  • Issue ID 501856: An invalid HTTP request that spans multiple TCP segments and is sent to a content switching virtual server can cause the NetScaler to skip the load balancing decision and initiate a connection from the SNIP to the content switching virtual server. This can cause the NetScaler appliance to crash.

    Preventive fix: There is a preventive fix that closes the client connection when this situation arises.

  • Issue ID 501888: The AppFlow for ICA, Integrated Disk Caching, and Delta Compression features should not be listed under the "System->Licenses" section in the NetScaler Configuration Utility.

CloudBridge Connector

  • Issue ID 440781: When the state of a CloudBridge Connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.

Configuration Utility

  • Issue ID 482135: Java Runtime Environment (JRE) does not work on Internet Explorer version 10.

    Workaround: Press F12 and set the Document Mode and Browser mode to Internet Explorer 9.

  • Issue ID 374437: If, when using the configuration utility to configure the NetScaler appliance, you press "Alt+Tab" to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press "Alt+Tab" a second time.
  • Issue ID 353015: Load balancing virtual servers that are used by AppExpert applications are displayed in nodes other than the AppExpert node. For example, they are displayed in the Available Virtual Servers list in the "Create Persistency Group" dialog box (Load Balancing > Persistency Groups > Add) and in the "Create Persistency Group" dialog box list that appears when you click the "Name" button in the list "Create Content Switching Action" dialog box (Content Switching > Actions > Add).
  • Issue ID 456428: The IP Bindings tab on the Create VLAN and Configure VLAN pages does not display IP addresses that are in the same subnet as the management IP (NSIP) address.
  • Issue ID 470941: You cannot use the configuration utility to add signatures to an existing application firewall policy.

    Workaround: Use the command line interface.

  • Issue ID 389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 459703: In a high availability setup, if you run the "add ssl certkey" command on the primary node, and if the certificate and key files are not present on the secondary node, the command fails on the secondary node. However, an error message is not displayed in the configuration utility.
  • Issue ID 388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 485314: On the Reporting tab of the NetScaler GUI, if you choose to use the time zone settings of the NetScaler ADC, the System Overview graph does not reflect the time zone set on the NetScaler ADC. The values in the graph are for the GMT time zone.
  • Issue ID 400073, 401262: If you use a Chrome browser to access the NetScaler graphical user interface (GUI), the browser might display the Page Unresponsive error message.

    Workaround:

    If you are using a Windows computer, do the following:

    1. Right-click the shortcut icon that you use to open the Chrome browser, and select Properties from the pop-up menu.

    2. In the Google Chrome Properties dialog box, click the Shortcut tab and, in the Target field, append the following value:

    --disable-hang-monitor

    For example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-hang-monitor http://www.google.com

    3. Close all instances of the Chrome browser, and restart the Chrome browser.

    If you are using a Mac computer, do the following:

    1. Open the terminal.

    2. Launch the Chrome browser from the terminal and append the --disable-hang-monitor value, as follows:

    open -a /Applications/Google\ Chrome.app --args --disable-hang-monitor

  • Issue ID 414807: The Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard displays an error if more than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers, or if more than one service is bound to the service group.
  • Issue ID 489884: The configuration utility does not display SSL policies if you navigate to Traffic Management > SSL > Policies to create a policy.

    Workaround: Navigate to Traffic Management > SSL and, in the right pane, select SSL Policy Manager. Or click the refresh button on the top right corner to display the SSL policies.

  • Issue ID 490130: When you use the configuration utility to create a FIPS key, the FIPS wizard fails to respond.
  • Issue ID 278002, 273176, 389874: If you use the configuration utility to enable or disable an extended ACL or ACL6, the utility does not warn you that the change does not take effect until you apply ACLs.
  • Issue ID 414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
  • Issue ID 499223: The maximum length for creating a NetScaler ADC system user password (System > User Administration > Users) is 127. The GUI tooltip displays this value as 255, which is incorrect.
  • Issue ID 483226: The key filename property of Import FIPS key (Configuration > Traffic Management > SSL > FIPS > FIPS keys > Action > Import > Key Filename) fails if you provide an incomplete file path, folder1/folder2/rsa.key, where folder1 and folder2 are the folders within the nsconfig/ssl path.

    Workaround: In release 10.1, provide only the FIPS key.

    In release 10.5, you must specify the complete file path to the FIPS key.

  • Issue ID 375277, 322602, 334465, 396405, 412455, 419503, 438382, 438534, 438796, 441853, 446387, 448361: If a NetScaler connection from a client is closed without the client logging out, the session created for that connection remains active until the configured timeout period elapses. If this happens frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.
  • Issue ID 469755: If you open the NetScaler ADC configuration utility on multiple browser tabs, and if you disable a feature on one of the tabs, the other tabs are not automatically refreshed.

    Workaround: Manually refresh the tabs.

Content Switching/Load Balancing

  • Issue ID 399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

DNS

  • Issue ID 382478: If, while adding a DNS record (such as addrec and nsrec) from the GUI or by using the NITRO API, you specify the TTL value as 3600, the value of the minimum TTL of the SOA record is used instead.

    Workaround: Use the corresponding CLI command to add the DNS record.

  • Issue ID 458313: When the NetScaler is configured as a DNS proxy and receives a DNSSEC query with the Checking Disabled (CD) bit set, it does not pass the bit unchanged to the back-end server. Instead, it turns the bit off. This affects deployments in which the NetScaler is load balancing DNSSEC-aware resolvers: the resolver checks the DNSSEC signatures even though the client, by setting the CD bit, did not request that check.
  • Issue ID 458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.

    - If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.

    - If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.

  • Issue ID 437529: If the number of records in a DNS response for a domain exceeds the NetScaler ADC limit, or if one of the records in the response contains invalid data, the NetScaler ADC does not cache the response. As a result, DNS resolution using NetScaler nameserver entities fails.

GSLB

  • Issue ID 497412: If you perform a force sync of the GSLB configuration, the non-default settings on the RPC node are lost. As a result, the GSLB auto-sync functionality is lost.

High Availability

  • Issue ID 471294: When you upgrade HA nodes that have Web Interface on NetScaler (WIonNS) to build 126.x, the updates made in the Webinterface.conf file are overwritten by the previous version of the file. This is caused by the rolling upgrade of the HA nodes or by the file sync operation between the HA nodes.

    To avoid this issue, use the following steps when upgrading the HA nodes:

    1. Before upgrading, run the command: "set ns param -internaluserlogin DISABLED"

    2. Upgrade the secondary HA node to NetScaler 10.1 Build 126.x release.

    3. Force a failover to make the upgraded node the primary node.

    4. Upgrade the other HA node to NetScaler 10.1 Build 126.x release.

    5. Restore the previously disabled "internaluserlogin" parameter to enabled using the command: "set ns param -internaluserlogin ENABLED".

    6. Save the configurations.

    Note: Before upgrading, synchronize the files between the HA nodes by using the CLI command: "sync ha files all".

Integrated Caching

  • Issue ID 486535: In a NetScaler deployment that has integrated caching and SSL enabled, the NetScaler can crash in the following scenario:

    1. Client1 requests an object that is not in the cache.

    2. While the NetScaler fetches the object from the backend server, client2 (a slow client) sends a request for the same object.

    3. Client1 now decides to reset the connection.

    4. When the object is available, the NetScaler serves it to client2.

    However, because client2 is slow, a large amount of data that must be forwarded to client2 piles up on the NetScaler. When the NetScaler tries to send this data to the client, the NetScaler can crash.

  • Issue ID 440107, 440389: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

Load Balancing

  • Issue ID 457639: A very slow memory leak occurs on the secondary node in a high availability pair if all of the following conditions are met:

    a) The configuration is large (approximately 4MB).

    b) The configuration includes a large number of “bind lb group” commands.

    c) Configuration changes very frequently, resulting in frequent synchronization.

  • Issue ID 460040: A StoreFront service on a NetScaler ADC is not marked as DOWN even though all the StoreFront services bound to the StoreFront server are manually brought down.
  • Issue ID 497470: If a load balancing virtual server on which persistence is configured is bound to a load balancing group that has no persistence setting, the NetScaler ADC does not change the virtual server’s persistence setting. As a result, when traffic arrives at the virtual server, it tries to create a persistence session, but that session fails and the number of sessions increases.

    Workaround: Run the "set lb group -persistenceType" command to reset the persistence on the virtual servers that are bound to the group.

  • Issue ID 464952: If a DNS autoscale service group is bound to a virtual server, the "show lb vserver" command output displays one extra service bound to the virtual server.
  • Issue ID 441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.
  • Issue ID 489400: In a high availability setup, a failover might disconnect active connections even though stateful connection failover is enabled on the virtual servers.

    Workaround:

    Check the output of the "show rpcnode" command. If it shows an asterisk (*) for the SRCIP parameter, run the "set rpcnode <remote NSIP> -srcIP <local NSIP>" command.

  • Issue ID 455133: If the FQDN is not resolvable, you might notice high CPU utilization on the NetScaler ADC.
  • Issue ID 277862: With a NetScaler Web 2.0 Push configuration in streaming mode, if the length of the response from the server is in the range of 10^n - 2^4n bytes, where n=1, 2, 3, and so on (for example, 1-15, 100-255, and 1000-4095 bytes), the push virtual server adds a byte to the response that it sends to the client. As a result, after the first response, subsequent updates sent on the same connection are lost.

NetScaler Gateway

  • Issue ID 374890: If you configure the appliance with NetScaler Gateway and Application Firewall, logon attempts by unauthorized users appear in the logs. When an authorized user logs on and then attempts to access a network resource to which users are explicitly denied, the access attempt does not appear in the logs and users receive a 403 error.
  • Issue ID 397625: To configure two-factor authentication with SAML authentication, you must configure the secondary authentication policy in the primary cascade.
  • Issue ID 393357: If a pre-authentication scan is configured on the NetScaler and users launch the NetScaler Gateway plug-in when a browser is already open, users are intermittently redirected to the "Internal error" page.
  • Issue ID 392389: When users log on with the NetScaler Gateway Plug-in, when WiFi roaming occurs, intermittent ICMP requests time out and users cannot access network resources.
  • Issue ID 373991: On an nCore appliance, when users attempt to access the subnet IP address through the VPN tunnel over HTTP, a 401 Access Denied error message appears. Connecting to the subnet IP address works if users make the attempt by using HTTPS.
  • Issue ID 384998: If you configure NetScaler Gateway as a high availability pair and if there is a failover from the primary to the secondary appliance, the ICA connection to published apps that are already open on the user device is reestablished. If users attempt to open more applications from the Web Interface, the applications fail to open and users receive an error message.
  • Issue ID 385318: If you have configured a proxy server and you configure NetScaler Gateway to route traffic through the proxy server, when users log off from a clientless access session, a 403 error occurs.
  • Issue ID 411851: If you configure a NetScaler Gateway virtual server, enable ICA proxy and enable the Use Source IP (USIP) mode globally, when users connect and use StoreFront to open an application, NetScaler Gateway uses the client IP address as the source IP address when contacting the STA server and the application fails to open. If you disable USIP mode, the same behavior occurs unless you restart the NetScaler Gateway appliance. To avoid the issue, you need to configure a service on NetScaler for the STA server and disable USIP on that service.
  • Issue ID 411152: When you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver, the applications and desktops do not appear. The following message appears: There are no apps or desktops assigned to you at this time. Citrix recommends disabling the optimization settings.
  • Issue ID 376303, 394800: If you configure an intranet IP address, when users log on by using clientless access and then open SharePoint 2007, when they try to open a folder with Windows Explorer, a blank page appears.
  • Issue ID 400171: If you configure Group Extraction, you cannot bind an LDAP authentication policy to the virtual server. However, if an LDAP authentication policy was bound to the virtual server before configuring Group Extraction, you can enable authentication on the virtual server.
  • Issue ID 400050: The NetScaler Gateway Plug-in for Java does not compress network traffic even when compression is configured on the NetScaler Gateway.
  • Issue ID 398693: Installing and uninstalling the NetScaler Gateway Plug-in can take a long time. This is due to multiple entries of the Citrix Virtual Adapter in the registry.
  • Issue ID 399405: Java Plug-in: An intranet application fails to connect if the AG VIP is running on a non-default port.
  • Issue ID 346729: If you apply the Citrix Receiver theme to the NetScaler Gateway logon page, the layout appears garbled on computers running Windows XP Service Pack 3 with Internet Explorer 7 browsers.
  • Issue ID 368229: The running configuration does not include group extraction policies bound to the NetScaler Gateway virtual server.

NetScaler Insight Center

  • Issue ID 388096, 423109: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.

  • Issue ID 424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported.

    Workaround: To upgrade to build 120.13 or a later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 441163: NetScaler Insight Center might not display reports under the following set of conditions:

    - NetScaler ADCs that are configured for Network Address Translation (NAT) are added to the NetScaler Insight Center inventory.

    - A NetScaler ADC and a NetScaler Insight Center virtual appliance are in different networks and are configured for Network Address Translation (NAT).

  • Issue ID 399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 379876, 424686, 437964: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 394526: In the Dashboard > Web Insight > Applications page, the values shown when you select "Response Time" from the drop-down list can be incorrect.
  • Issue ID 397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but, the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off:

    The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.

  • Issue ID 482590: If AppFlow for ICA is enabled on a NetScaler ADC, the NetScaler Insight Center reports should show XenDesktop details, but that is not always the case. When certain users access XenDesktop, the reports show the application details instead.
  • Issue ID 484515: If you enable AppFlow for ICA on a NetScaler ADC and access Windows XP VDI through XenDesktop 5.6, the Windows XP VDI might fail to launch.
  • Issue ID 446120: In some instances, the bar line on a graph appears outside the time points on the x-axis.
  • Issue ID 490680: The NetScaler ADC might fail if you enable AppFlow for ICA and access XenApp or XenDesktop through the Windows Receiver client.
  • Issue ID 385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name "(user-id@domain-name)".
  • Issue ID 386911: When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 409634: All the metrics except bandwidth and hits display the average values.
  • Issue ID 504990: The NetScaler ADC fails if AppFlow is enabled and it receives an ICA command whose length is more than 2048 bytes.

NetScaler SDX Appliance

  • Issue ID 494262: The interface statistics on the Management Service Monitoring page show only the SDX platform usage statistics. The statistics of the VPX instances that use the interface are not included. Because the platform itself does not transmit any traffic under normal conditions, the transmission statistics are shown as zero.
  • Issue ID 474438, 493664: On SDX systems, binding an interface or channel to a VLAN sometimes fails. This happens only if the interface is down or one of the member interfaces of a channel is down.
  • Issue ID 369650, 442942, 468381: Configuring an Enforced VLAN by providing a VLAN number in the VLAN ID field is not supported on the SDX Rome 1G port.

    Workaround: Use the Allowed VLAN feature which has the same functionality as Enforced VLAN.

  • Issue ID 434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.
  • Issue ID 384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 476304: On SDX systems, TX stalls are sometimes seen on some of the member interfaces while an LACP channel is being created, deleted, or modified.

NetScaler VPX Appliance

  • Issue ID 405164: On a NetScaler VPX instance running on a Linux-KVM platform, the dynamic routing protocols OSPF and ISIS fail to run on the platform's MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

  • Issue ID 405383, 360482: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.

Networking

  • Issue ID 318684: In an HA configuration in INC mode where both the nodes run the OSPF routing protocol, the secondary node drops all the L3 traffic that has the destination that was advertised by the secondary node.
  • Issue ID 399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
  • Issue ID 371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the "sync HA files" command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each node of the HA configuration:

    > add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:

    On the primary node:

    > add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    On the secondary node:

    > add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

  • Issue ID 497277: The NetScaler ADC might not update its bridge and ARP tables with the information received from GARP messages.
  • Issue ID 485260: In an active-active high availability configuration that uses the Virtual Router Redundancy Protocol (VRRP), a PING to a virtual IP address (VIP) might fail from a node that is a backup node for this VIP address.
  • Issue ID 383958, 411806: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 323127: The NetScaler ADC might become unresponsive if you run the show route operation during a dynamic route addition or deletion process.

Platform

  • Issue ID 381000: On some NetScaler appliances, the following four sensor readings are no longer available. The "stat system -detail" command displays a value of 0.

    - Intel CPU Vtt Power (Volts)

    - Voltage Sensor2 (Volts)

    - Temperature 0 (Celsius)

    - Temperature 1 (Celsius)

    This change affects the following platforms:

    - MPX 11500/13500/14500/16500/18500/20500

    - MPX 17550/19550/20550/21550

    - MPX 8200/8400/8600

    - MPX 5550/5650/5750

  • Issue ID 385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
  • Issue ID 407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.
  • Issue ID 402113: L2 mode is not supported on NetScaler VPX instances running on a Linux-KVM host.
  • Issue ID 402111: VLAN tagging is not supported on NetScaler VPX instances operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
  • Issue ID 407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.

Policies

  • Issue ID 422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.

    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)

  • Issue ID 390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.
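
Why the workaround for Issue ID 422967 needs the IPv6 filter, shown as an added example (not Citrix code): byte 9 of an IPv4 header is the Protocol field, while byte 9 of an IPv6 header is the second byte of the source address, so a protocol test that skips the IP version check sees protocol 1 (ICMP) for sources such as 2001:db8::/32. The function naive_protocol_eq is an assumed model of the reported behavior, not the appliance's implementation, and all packets are constructed samples.

```python
import ipaddress
import struct

ICMP = 1     # IANA protocol number for ICMP over IPv4
TCP = 6
ICMPV6 = 58


def ipv4_header(src, dst, proto):
    """Constructed 20-byte IPv4 header (no options, checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0,      # version/IHL, TOS, total length, ID, flags/frag
        64, proto, 0,           # TTL (byte 8), Protocol (byte 9), checksum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src, dst, next_header):
    """Constructed 40-byte IPv6 header with zero payload length."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28, 0,             # version/traffic class/flow label, payload len
        next_header, 64,        # Next Header (byte 6), Hop Limit (byte 7)
        ipaddress.IPv6Address(src).packed,   # source address starts at byte 8
        ipaddress.IPv6Address(dst).packed,
    )


def naive_protocol_eq(packet, proto):
    """Assumed model of the reported behavior: read the IPv4 Protocol offset
    (byte 9) without checking the IP version first."""
    return len(packet) > 9 and packet[9] == proto


def version_aware_protocol_eq(packet, proto):
    """Model of !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP):
    only IPv4 packets are allowed to reach the protocol comparison."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    return packet[9] == proto


def source_is_affected(ipv6_src):
    """True if an IPv6 source address would be mistaken for ICMP by the
    naive test, i.e. its second byte is 0x01."""
    return ipaddress.IPv6Address(ipv6_src).packed[1] == ICMP


# Constructed sample packets (documentation address ranges).
SAMPLES = {
    "ipv4-icmp": ipv4_header("192.0.2.10", "192.0.2.1", ICMP),
    "ipv4-tcp": ipv4_header("192.0.2.10", "192.0.2.1", TCP),
    "ipv6-tcp-2001": ipv6_header("2001:db8::10", "2001:db8::1", TCP),
    "ipv6-icmpv6-2001": ipv6_header("2001:db8::10", "2001:db8::1", ICMPV6),
    "ipv6-tcp-fd00": ipv6_header("fd00::10", "fd00::1", TCP),
}


def classify(samples=SAMPLES):
    """Return {name: (naive_match, version_aware_match)} for each sample."""
    return {
        name: (naive_protocol_eq(pkt, ICMP), version_aware_protocol_eq(pkt, ICMP))
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    for name, (naive, aware) in classify().items():
        print(f"{name:18} naive={naive!s:5} version-aware={aware}")
```

Running source_is_affected over the IPv6 prefixes in use on a network shows which clients would be caught by the unfiltered listen policy.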

Reporting

  • Issue ID 368982: After you import a custom data source, the charts for the counters under "System entities statistics" are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 468198: If the format of a CRL is incorrect or the issuer of a CRL does not match the specified CA certificate, and you run the "show crl" command, an error message showing the CRL status as invalid appears.
  • Issue ID 455821: An SSL chip is disabled at the third reinitialization attempt. That is, the maximum reinitialization limit is 2. Earlier, this limit was 5.
  • Issue ID 402423: In a cluster setup, if you include the "cipherdetails" option in the "show ssl service" or "show ssl vserver" command, an incorrect message appears. This is only a display issue.

    For example,

    > sh ssl service svc1 -cipherDetails

    ERROR: No such resource [serviceName, svc1]

  • Issue ID 494093: If session reuse is enabled on the NetScaler and a network error occurs, the NetScaler attempts to clear the session information so that it is not reused for a subsequent session request from the same client. In rare cases, the NetScaler might fail during this cleanup process.

System

  • Issue ID 377618, 341460, 351127, 364015, 481575, 499259: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error:

    Invalid response from the aggregator [Device not Configured]

  • Issue ID 470002, 460650, 484387, 504145, 505053: The management interface of an SDX-8000/SDX8200/SDX-8400 appliance might lose connectivity if the interface is connected to a CAT switch.

    Workaround: Set the speed of the interface to 100 Mbps and disable auto-negotiation.

  • Issue ID 427126, 441982, 452885, 456645: When using MPTCP, if a single SSL record is split into a large number (> 100) of small segments, an SSL buffer overrun causes the NetScaler appliance to crash.
  • Issue ID 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

User Interface

  • Issue ID 496957: If you have assigned an SSL chip to a VPX instance provisioned on an SDX appliance, you cannot enable or disable TLS1.1 and TLS1.2 protocol support on a virtual server by using the configuration utility.

    Workaround: Use the command line to enable or disable support for these protocols on the virtual server.

  • Issue ID 475830: A large configuration file puts a heavy load on the management CPU. The resulting delay in displaying the output of the "show ns runningconfig" command might exceed the timeout value.

    Workaround: If you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a placeholder for the timeout value, modify the script to increase the timeout value to 500 seconds.

Web Interface

  • Issue ID 397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 363145: The following APIs are not available in version 10.1 or later:

    - bindservicegroup_state2

    - unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.


Build 128.8

Release version: Citrix NetScaler, version 10.1 build 128.8

Replaces build: None

Release date: July 2014

Release Notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Bug Fixes

AAA-TM

  • Issue ID 317157: AAA-TM now supports relative URLs as form Action URLs in forms-based SSO logon forms. You do not have to specify an absolute path to the web form when configuring forms-based SSO.

AppFlow

  • Issue ID 478480: If a browser executes the JavaScript that is inserted into the response of the main page, it sends a special request intended for the NetScaler ADC. AppFlow records for this request must not be generated. While handling this behavior, the logic in one part of the code assumes that the AppFlow records must not be sent, but another part of the code assumes that the records must be sent. As a result, the NetScaler ADC fails to respond.

CloudBridge Connector

  • Issue ID 460193, 444265, 451886, 474654: The Internet Key Exchange Daemon (IKED) might fail after the NetScaler ADC is restarted.

DNS

  • Issue ID 462862: Statistics do not appear correctly for a DNS load balancing virtual server.

  • Issue ID 422509: CNAME Record Caching

    When deployed in proxy mode, the NetScaler ADC does not always send the query for an address record to the back-end server. This happens when a partial CNAME chain that answers a query for an address record is present in the cache. Under a few conditions, the ADC caches the partial CNAME record and serves the query from the cache.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-tmg-dns-caching-cname-record-con.html

ICA AppFlow

  • Issue ID 458122: When appflow is enabled, Multi-Stream ICA connections do not work if an appflow policy is bound to a VPN virtual server and appflow logging is enabled on the VPN virtual server.

Integrated Caching

  • Issue ID 466452, 469584, 469588, 470925: While revalidating cached objects, the integrated caching feature performs some incorrect accounting of the cache size. This causes the NetScaler appliance to crash.

  • Issue ID 427479, 463589, 482725, 502413: The output of the "stat cache -d" command displays an incorrect value for the utilized memory parameter.

Load Balancing

  • Issue ID 478949: The NetScaler ADC fails if requests requiring IP fragmentation are forwarded to a virtual server that is configured for sessionless load balancing in IP mode.

NetScaler Gateway

  • Issue ID 485042: On a multi-core appliance, if session propagation to one core fails, NetScaler Gateway fails.

  • Issue ID 468145, 473867: Attempts to connect to the NetScaler Gateway from a Windows-based computer fail with the error 1008 when Transport Layer Security (TLS) block ciphers are configured and TLS 1.2 is enabled on NetScaler Gateway.

  • Issue ID 470059: If you disable authentication on NetScaler Gateway, endpoint analysis scan can occasionally be bypassed.

  • Issue ID 374296: If you configure load balancing virtual servers and the Secure Ticket Authority (STA) with the same fully qualified domain name (FQDN), attempts to bind the STA to the NetScaler Gateway virtual server fail.

  • Issue ID 464956, 470873, 471478, 474012: If the Domain Name Server (DNS) configuration is not available, users receive an "Internal error 500" message after successfully logging on to NetScaler Gateway.

  • Issue ID 461225: When users log on with clientless access and then open the Access Interface, the order of files that appear in Personal File Shares differs from the order of files on the file share server.

  • Issue ID 461279: When users upgrade the NetScaler Gateway Plug-in from Version 10.1.122.17 or later to the latest Version 10.1 Maintenance Release on a computer that includes an installation of Citrix Receiver, the automatic upgrade fails.

  • Issue ID 463871: If you bind SAML and LDAP authentication policies to the virtual server for two-factor authentication, the LDAP user name is populated automatically after the user authenticates with SAML, which is the primary authentication type. If the first logon attempt to LDAP fails, the user name, which is case-sensitive, must be entered again exactly as it appeared after SAML authentication. For example, if the user name is populated as JohnDoe@xyzz.com and the user types johndoe@xyzz.com during the subsequent attempt, logon fails.

NetScaler Insight Center

  • Issue ID 474159, 475853: If you enable and then disable AppFlow on a NetScaler ADC, the ADC fails while sending the ICA AppFlow records.

  • Issue ID 459668: A memory corruption issue causes a NetScaler ADC with AppFlow for ICA enabled to fail.

  • Issue ID 482748: If you enable AppFlow for ICA traffic on a NetScaler ADC, the NetScaler ADC might fail because of an internal memory re-use and dependency issue.

NetScaler SDX Appliance

  • Issue ID 480054: The backup of an SDX appliance was failing with an error "username missing". The root cause for this was that the migration from 9.3.x was failing because of duplicate database entries. Going forward, the Management Service will remove the duplicate database entries resulting in a successful migration.

  • Issue ID 463820, 480347: Management Service gives an error when an SDX administrator tries to bind a management channel while provisioning or modifying a NetScaler instance.

  • Issue ID 436286: If a VPX instance uses interface A and a channel is created on the Management Service from interface A and interface B, the channel should also be added to the VPX instance. However, if interface B is already shared to its maximum limit, that is, no free VFs are left on interface B, the channel is not added to the VPX instance.

  • Issue ID 480581: The NSIP modify action from the Management Service results in inconsistent state if the "Save Config" command from the Management Service to VPX takes a long time to respond. This happens because the connection might time-out. The issue has been fixed by increasing the time-out values.

  • Issue ID 481835: If a management channel modify request is sent through Nitro and a data interface is added to the member interface list, the request succeeds and makes the management channel inconsistent.

  • Issue ID 482603: Consider a case in which all of the following conditions apply:

    1. A VLAN is present on XenServer on management interfaces (normally ETH0 and ETH1 on most platforms).

    2. A management channel created from Management Service is present on SDX.

    3. A VPX is using this management channel.

    If the management channel is then deleted from Management Service, the VPX may still be seen with the VLAN present on its management interfaces after the deletion.

  • Issue ID 482122: On creating a LACP channel, interface MAC address is altered and the new MAC address will be persistent even after the unbind operation.

  • Issue ID 483430: Set operation on a channel may lead to channel MAC address becoming zero on a VPX running on an SDX appliance.

Networking

  • Issue ID 414407, 485512: The default speed for an LACP channel is set to NONE instead of AUTO.

  • Issue ID 477507: If you have configured active FTP with the random source port option enabled for an FTP virtual server, the NetScaler ADC might not handle data connections properly for this FTP server and might become unresponsive.

SSL

  • Issue ID 474417, 474413: The version displayed in syslog is SSLv2.0 even though the session is negotiated using TLSv1.2.

  • Issue ID 414388, 345883, 349858, 428257, 428259: In rare cases, if the random number generated for the DH key exchange has a leading zero, DH negotiation fails because of a hardware limitation.

System

  • Issue ID 481442: When different TCP profiles are bound to a virtual server and to the services that are bound to that virtual server, and one of the profiles has window scaling as ENABLED and the other has it as DISABLED, NetScaler sometimes considers that window scaling is ENABLED. The expectation in such a case is that NetScaler considers window scaling as DISABLED.

  • Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or another admin session, is in progress.

  • Issue ID 452240: The Monupload process monitors the power supply and sends a "show techsupport" bundle as soon as a power failure is observed. This behavior is now modified to upload the bundle only if the power supply does not recover within 1 minute.

Known Issues and Workarounds

AAA-TM

  • Issue ID 332831: The rule (expression) in a AAA-TM policy can be from one to 1434 characters in length. If you enter a longer rule, AAA-TM displays an "invalid rule" error.

AppFlow

  • Issue ID 327439: AppFlow records generated by the NetScaler appliance cannot be seen on SPLUNK.

  • Issue ID 396892: The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.

  • Issue ID 388563: The following behavior is seen during a high availability failover on a NetScaler appliance that has active ICA session applications launched:
    • The applications stop functioning, but are visible on the browser.
    • The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.
    • When you click OK on the dialog box, the applications are not displayed anymore.
    • If you launch any fresh applications without re-login, all the previously launched applications will resume with the previous status.

Application Firewall

  • Issue ID 372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:

    > show appfw JSONContentType

    1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

    Done

    If it is not, the screen shows only the following:

    > show appfw JSONContentType

    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX

    show appfw JSONContentType

  • Issue ID 283780: When you enable the sessionless URL closure feature, you must also enable the URL closure feature. If you do not enable URL closure, the sessionless URL closure feature does not work.

  • Issue ID 399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

    For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:

    > update appfw signatures "*Default Signatures"

    > update appfw signatures "custom_signatures"

    > update appfw signatures "custom_signatures_2"

  • Issue ID 423150: The application firewall PCI-DSS report does not contain information on the "SQLInjectionCheckSQLWildChars" parameter.

  • Issue ID 427798: A NetScaler ADC that has the application firewall feature enabled might reset the connection after a protected web server issues an HTTP 204 response.

  • Issue ID 443673: Signature Bindings Not Shown in PCI-DSS Report

    The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "not set".

  • Issue ID 451014: On a NetScaler ADC that has the application firewall enabled and the HTML SQL injection feature configured to block, when the ADC detects an SQL violation on a page with a web form, a second violation might be generated for the Form Action URL. This is expected behavior. To avoid unexpected blocks, when you configure a relaxation for a web form, be sure to include a relaxation for the Form Action URL as well.

  • Issue ID 464641: If the application firewall receives a multipart POST request with a Content-Type header that contains a charset, it blocks that request as malformed.

  • Issue ID 466329: If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.

  • Issue ID 472476, 418036: When a user attempts to upload a file to a server that is protected by the application firewall, the file upload fails. The underlying cause is that the application firewall included an invalid character in the MIME boundary when encoding the file.

  • Issue ID 364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup.

    Workaround: Display the bindings in the command line interface, by using the "show system global" command.

  • Issue ID 489691: If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.
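The post-upgrade check described under Issue ID 430014 can be scripted. The following Python is an added example, not Citrix code: it parses captured "show appfw JSONContentType" output and returns the commands from the release note when the default entry is absent. The function names are hypothetical, and the samples labelled as constructed are not from the release note.

```python
import re

# Default entry and remediation commands, exactly as given under Issue ID 430014.
DEFAULT_VALUE = "^application/json$"
REMEDIATION = [
    "add appfw JSONContentType ^application/json$ -isRegex REGEX",
    "show appfw JSONContentType",
]

# One numbered entry line, for example:
#   1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
ENTRY_RE = re.compile(
    r'^\d+\)\s*JSONContenttypevalue:\s*"(?P<value>[^"]*)"\s+IsRegex:\s*(?P<kind>\S+)$',
    re.IGNORECASE,
)


def parse_json_content_types(cli_output):
    """Return [(value, kind), ...] from captured CLI output.

    Raises ValueError when the capture contains an ERROR line or lacks the
    closing "Done", so a truncated capture is never reported as "not configured".
    """
    entries = []
    done = False
    for raw in cli_output.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):  # blank line or echoed prompt
            continue
        if line.upper().startswith("ERROR"):
            raise ValueError("command failed: " + line)
        if line == "Done":
            done = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("value"), match.group("kind").upper()))
    if not done:
        raise ValueError("output is incomplete (no 'Done' line); rerun the command")
    return entries


def audit_default_json_content_type(cli_output):
    """Report whether the default entry exists and what to run if it does not."""
    entries = parse_json_content_types(cli_output)
    configured = (DEFAULT_VALUE, "REGEX") in entries
    return {
        "configured": configured,
        "entries": entries,
        "commands": [] if configured else list(REMEDIATION),
    }


# The two outputs shown in the release note.
CONFIGURED = """> show appfw JSONContentType

1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

Done
"""
MISSING = """> show appfw JSONContentType

Done
"""
# Constructed samples: a custom entry without the default, and a cut-off capture.
CUSTOM_ONLY = """> show appfw JSONContentType

1) JSONContenttypevalue: "^application/x-json$" IsRegex: REGEX

Done
"""
TRUNCATED = "> show appfw JSONContentType\n"

if __name__ == "__main__":
    for name, sample in (("configured", CONFIGURED), ("missing", MISSING),
                         ("custom only", CUSTOM_ONLY)):
        print(name, audit_default_json_content_type(sample))
```
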

Content Switching

  • Issue ID 501856: An invalid HTTP request that spans multiple TCP segments and is sent to a content switching virtual server can cause the NetScaler to skip the load balancing decision and initiate a connection from the SNIP to the content switching virtual server. This can cause the NetScaler appliance to crash.

CloudBridge Connector

  • Issue ID 440781: When the state of a cloudbridge connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.

Configuration Utility

  • Issue ID 388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 414807: The Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard displays an error if more than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers, or if more than one service is bound to the service group.

  • Issue ID 353015: Load balancing virtual servers that are used by AppExpert applications are displayed in nodes other than the AppExpert node. For example, they are displayed in the Available Virtual Servers list in the "Create Persistency Group" dialog box (Load Balancing > Persistency Groups > Add) and in the "Create Persistency Group" dialog box list that appears when you click the "Name" button in the list "Create Content Switching Action" dialog box (Content Switching > Actions > Add).

  • Issue ID 278002, 273176, 389874: If you use the configuration utility to enable or disable an extended ACL or ACL6, the utility does not warn you that the change does not take effect until you apply ACLs.

  • Issue ID 469755: If you open the NetScaler ADC configuration utility on multiple browser tabs, and if you disable a feature on one of the tabs, the other tabs are not automatically refreshed.

    Workaround: Manually refresh the tabs.

  • Issue ID 374437: If, when using the configuration utility to configure the NetScaler appliance, you press "Alt+Tab" to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press "Alt+Tab" a second time.

  • Issue ID 375277, 322602, 334465, 396405, 412455, 419503, 438382, 438534, 438796, 441853, 446387, 448361: If a NetScaler connection from a client is closed without the client logging out, the session created for that connection remains active until the configured timeout period elapses. If this happens frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.

  • Issue ID 459703: In a high availability setup, if you run the "add ssl certkey" command on the primary node, and if the certificate and key files are not present on the secondary node, the command fails on the secondary node. However, an error message is not displayed in the configuration utility.

  • Issue ID 490130: When you use the configuration utility to create a FIPS key, the FIPS wizard fails to respond.

  • Issue ID 389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 483226: The key filename property of Import FIPS key (Configuration > Traffic Management > SSL > FIPS > FIPS keys > Action > Import > Key Filename) fails if you provide an incomplete filepath, folder1/folder2/rsa.key, where folder1 and folder2 are the folders within the nsconfig/ssl path.

    Workaround: Provide the complete file path nsconfig/ssl/folder1/folder2/rsa.key, or provide only the file name, rsa.key.

  • Issue ID 414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 456428: The IP Bindings tab on the Create VLAN and Configure VLAN pages does not display IP addresses that are in the same subnet as the management IP (NSIP) address.

  • Issue ID 470941: You cannot use the configuration utility to add signatures to an existing application firewall policy.

    Workaround: Use the command line interface.

Content Switching/Load Balancing

  • Issue ID 399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

DNS

  • Issue ID 458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.

    - If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.

    - If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.

  • Issue ID 458313: When the NetScaler is configured as a DNS proxy and receives a DNSSEC query with the Checking Disabled (CD) bit set, it does not pass the bit unchanged to the back-end server. Instead, it turns the bit off. This affects deployments in which the NetScaler load balances a DNSSEC-aware resolver. As a result, the resolver checks the DNSSEC signatures even if the client requested, by setting the CD bit, that it not do so.
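To confirm whether a deployment is affected by Issue ID 458313, compare the header flags of a client query with those of the query the proxy forwards to the back-end resolver. The following Python is an added example, not Citrix code: it parses the DNS header (the same parser exposes the AA bit discussed under Issue ID 458244) and classifies a pair of captured queries. The function names are hypothetical and the query bytes are constructed in place of packet captures.

```python
import struct

# Header flag masks from the DNS wire format (RFC 1035, RFC 4035).
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authentic data
FLAG_CD = 0x0010  # checking disabled


def build_query(qname, qtype=1, txid=0x1234, cd=False, rd=True):
    """Build a one-question DNS query; used here only to construct samples."""
    flags = (FLAG_RD if rd else 0) | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into its id, raw flags, and flag bits."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "flags": flags,
        "qdcount": qdcount,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
    }


def parse_question(msg):
    """Return (name, qtype, qclass) of the first question."""
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question is not handled")
        if pos + 1 + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def check_cd_passthrough(client_query, forwarded_query):
    """Classify how a proxy treated the CD bit of one query.

    The transaction id may legitimately differ across the proxy, so the two
    captures are paired by question, not by id.
    """
    client, forwarded = parse_header(client_query), parse_header(forwarded_query)
    if client["qr"] or forwarded["qr"]:
        raise ValueError("both captures must be queries, not responses")
    if parse_question(client_query) != parse_question(forwarded_query):
        raise ValueError("captures are for different questions")
    if client["cd"] and not forwarded["cd"]:
        return "cd-cleared"   # the behaviour described in Issue ID 458313
    if client["cd"] == forwarded["cd"]:
        return "preserved"
    return "cd-added"


# Constructed samples: one client query and two possible forwarded queries.
CLIENT_QUERY = build_query("example.com", txid=0x1A2B, cd=True)
FORWARDED_CD_CLEARED = build_query("example.com", txid=0x77C1, cd=False)
FORWARDED_CD_KEPT = build_query("example.com", txid=0x77C1, cd=True)

if __name__ == "__main__":
    print(check_cd_passthrough(CLIENT_QUERY, FORWARDED_CD_CLEARED))
    print(check_cd_passthrough(CLIENT_QUERY, FORWARDED_CD_KEPT))
```
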

Documentation

  • Issue ID 407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.

High Availability

  • Issue ID 471294: When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) to build 126.x, the updates made in the Webinterface.conf file are over-written by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes.

    To avoid this issue, use the following steps when upgrading the HA nodes:

    1. Before upgrading, run the command: "set ns param -internaluserlogin DISABLED"

    2. Upgrade the secondary HA node to NetScaler 10.1 Build 126.x release.

    3. Force failover to make the upgraded node the primary node.

    4. Upgrade the other HA node to NetScaler 10.1 Build 126.x release.

    5. Restore the previously disabled "internaluserlogin" parameter to enabled using the command: "set ns param -internaluserlogin ENABLED".

    6. Save the configurations.

    Note: Before upgrading, sync files between the HA nodes by using the CLI command: "sync ha files all".

Integrated Caching

  • Issue ID 440107, 440389: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

Load Balancing

  • Issue ID 455133: If the FQDN is not resolvable, you might notice high CPU utilization on the NetScaler ADC.

  • Issue ID 441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.

  • Issue ID 460040: A Storefront service on a NetScaler ADC is not marked as DOWN even though all the storefront services bound to the StoreFront server are manually brought down.

  • Issue ID 464952: If a DNS autoscale service group is bound to a virtual server, the "show lb vserver" command output displays one extra service bound to the virtual server.

  • Issue ID 277862: With a NetScaler Web 2.0 Push configuration in streaming mode, if the length of the response from the server is in the range of 10^n - 2^4n bytes, where n=1, 2, 3, and so on (for example, 1-15, 100-255, and 1000-4095 bytes), the push virtual server adds a byte to the response that it sends to the client. As a result, after the first response, subsequent updates sent on the same connection are lost.

NetScaler Gateway

  • Issue ID 392389: When users log on with the NetScaler Gateway Plug-in, when WiFi roaming occurs, intermittent ICMP requests time out and users cannot access network resources.

  • Issue ID 393357: If a pre-authentication scan is configured on the NetScaler and users launch the NetScaler Gateway Plug-in when a browser is already open, users are intermittently redirected to an "Internal error" page.

  • Issue ID 411152: When you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver, the applications and desktops do not appear. The following message appears: There are no apps or desktops assigned to you at this time. Citrix recommends disabling the optimization settings.

  • Issue ID 411851: If you configure a NetScaler Gateway virtual server, enable ICA proxy and enable the Use Source IP (USIP) mode globally, when users connect and use StoreFront to open an application, NetScaler Gateway uses the client IP address as the source IP address when contacting the STA server and the application fails to open. If you disable USIP mode, the same behavior occurs unless you restart the NetScaler Gateway appliance. To avoid the issue, you need to configure a service on NetScaler for the STA server and disable USIP on that service.

  • Issue ID 400171: If you configure Group Extraction, you cannot bind an LDAP authentication policy to the virtual server. However, if an LDAP authentication policy was bound to the virtual server before configuring Group Extraction, you can enable authentication on the virtual server.

  • Issue ID 400050: The NetScaler Gateway Plug-in for Java does not compress network traffic even when compression is configured on the NetScaler Gateway.

  • Issue ID 397625: To configure two-factor authentication with SAML authentication, you must configure the secondary authentication policy in the primary cascade.

  • Issue ID 399405: Java Plug-in: An intranet application fails to connect if the AG VIP is running on a non-default port.

  • Issue ID 398693: Installing and uninstalling the NetScaler Gateway Plug-in can take a long time. This is due to multiple entries of the Citrix Virtual Adapter in the registry.

  • Issue ID 346729: If you apply the Citrix Receiver theme to the NetScaler Gateway logon page, the layout appears garbled on computers running Windows XP Service Pack 3 with Internet Explorer 7 browsers.

  • Issue ID 368229: The running configuration does not include group extraction policies bound to the NetScaler Gateway virtual server.

  • Issue ID 376303, 394800: If you configure an intranet IP address, when users log on by using clientless access and then open SharePoint 2007, when they try to open a folder with Windows Explorer, a blank page appears.

  • Issue ID 385318: If you have configured a proxy server and you configure NetScaler Gateway to route traffic through the proxy server, when users log off from a clientless access session, a 403 error occurs.

  • Issue ID 384998: If you configure NetScaler Gateway as a high availability pair and if there is a failover from the primary to the secondary appliance, the ICA connection to published apps that are already open on the user device is reestablished. If users attempt to open more applications from the Web Interface, the applications fail to open and users receive an error message.

  • Issue ID 373991: On an nCore appliance, when users attempt to access the subnet IP address through the VPN tunnel over HTTP, a 401 Access Denied error message appears. Connecting to the subnet IP address works if users make the attempt by using HTTPS.

  • Issue ID 374890: If you configure the appliance with NetScaler Gateway and Application Firewall, logon attempts by unauthorized users appear in the logs. When an authorized user logs on and then attempts to access a network resource to which users are explicitly denied, the access attempt does not appear in the logs and users receive a 403 error.

NetScaler Insight Center

  • Issue ID 385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name "(user-id@domain-name)".

  • Issue ID 409634: All the metrics except bandwidth and hits display the average values.

  • Issue ID 414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.

  • Issue ID 424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported.

    Workaround: To upgrade to build 120.13 or a later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off:

    The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.

  • Issue ID 446120: In some instances, the bar line on a graph appears outside the time points on the x-axis.

  • Issue ID 394526: In the Dashboard > Web Insight > Applications page, the values shown when you select "Response Time" from the drop-down list can be incorrect.

  • Issue ID 397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but, the right pane displays the values for the period selected from the drop-down list.

  • Issue ID 368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.

  • Issue ID 399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.

  • Issue ID 386911: When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.

  • Issue ID 379876, 424686, 437964: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.

  • Issue ID 486792: If you enable AppFlow for ICA traffic on a NetScaler ADC, and if there is a large number of sessions, the ADC might fail because of an internal memory re-use and dependency issue.

  • Issue ID 475981: A NetScaler ADC fails when it receives ICA traffic from a metro receiver client.

  • Issue ID 504990: The NetScaler ADC fails if AppFlow is enabled and it receives an ICA command whose length is more than 2048 bytes.

NetScaler SDX Appliance

  • Issue ID 369650, 442942, 468381: Configuring an Enforced VLAN by providing a VLAN number in the VLAN ID field is not supported on an SDX Rome 1G port.

    Workaround: Use the Allowed VLAN feature, which has the same functionality as Enforced VLAN.

  • Issue ID 434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.

  • Issue ID 384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

NetScaler VPX Appliance

  • Issue ID 405164: On a NetScaler VPX instance running on a Linux-KVM platform, dynamic routing protocols OSPF and ISIS fail to run on the platform's MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

  • Issue ID 405383, 360482: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.

Networking

  • Issue ID 383958, 411806: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

  • Issue ID 318684: In an HA configuration in INC mode where both nodes run the OSPF routing protocol, the secondary node drops all L3 traffic whose destination was advertised by the secondary node.

  • Issue ID 371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the "sync HA files" command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.

    Workaround: Add the following extended ACL on each node of the HA configuration:

    > add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22

    For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:

    On the primary node:

    > add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22

    On the secondary node:

    > add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22

Platform

  • Issue ID 402111: VLAN tagging is not supported on NetScaler VPX instances operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
  • Issue ID 402113: L2 mode is not supported on NetScaler VPX instances running on a Linux-KVM host.
  • Issue ID 407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.
  • Issue ID 385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
  • Issue ID 381000: On some NetScaler appliances, the following four sensor readings are no longer available. The "stat system -detail" command displays a value of 0.

    - Intel CPU Vtt Power (Volts)

    - Voltage Sensor2 (Volts)

    - Temperature 0 (Celsius)

    - Temperature 1 (Celsius)

    This change affects the following platforms:

    - MPX 11500/13500/14500/16500/18500/20500

    - MPX 17550/19550/20550/21550

    - MPX 8200/8400/8600

    - MPX 5550/5650/5750

Policies

  • Issue ID 422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.

    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)

  • Issue ID 390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.

  • Issue ID 425465: After changing the time zone on a NetScaler appliance, you must restart the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
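
The behavior in Issue ID 422967 above can be reproduced offline with raw IP headers. The following Python model is an added example, not Citrix code: it assumes (the release note does not say so) that the protocol check reads the byte at the IPv4 Protocol offset without first checking the IP version, which in an IPv6 header is the second byte of the source address. All function names and sample packets are constructed for illustration.

```python
"""Model of the listen-policy behavior in Issue ID 422967 (constructed example)."""
import ipaddress
import struct

ICMP = 1                    # IPv4 protocol number for ICMP
TCP = 6                     # protocol / next-header number for TCP
IPV4_PROTOCOL_OFFSET = 9    # byte 9 of an IPv4 header is the Protocol field


def ipv4_header(src: str, dst: str, protocol: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left at 0; sample data only)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, protocol, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src: str, dst: str, next_header: int) -> bytes:
    """Build a 40-byte IPv6 header; the source address occupies bytes 8-23."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28, 0, next_header, 64,
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )


def is_ipv6(header: bytes) -> bool:
    """Stand-in for CLIENT.IP.SRC.IS_IPV6: check the version nibble."""
    return header[0] >> 4 == 6


def protocol_eq_icmp(header: bytes) -> bool:
    """Stand-in for CLIENT.IP.PROTOCOL.EQ(ICMP).

    ASSUMPTION: the check reads the fixed IPv4 Protocol offset regardless of
    IP version. In an IPv6 header, offset 9 is the second source-address byte.
    """
    return header[IPV4_PROTOCOL_OFFSET] == ICMP


def workaround_policy(header: bytes) -> bool:
    """Stand-in for !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)."""
    return (not is_ipv6(header)) and protocol_eq_icmp(header)


# Constructed sample packets (documentation address ranges, no payload).
SAMPLE_PACKETS = {
    "ipv4-icmp": ipv4_header("192.0.2.10", "192.0.2.1", ICMP),
    "ipv4-tcp": ipv4_header("192.0.2.10", "192.0.2.1", TCP),
    # 2001:db8::10 packs to bytes 20 01 0d b8 ..., so the second byte is 0x01.
    "ipv6-tcp-from-2001:db8::10": ipv6_header("2001:db8::10", "2001:db8::1", TCP),
    # fd00::10 packs to bytes fd 00 ..., so the second byte is 0x00.
    "ipv6-tcp-from-fd00::10": ipv6_header("fd00::10", "fd00::1", TCP),
}


def evaluate(packets=SAMPLE_PACKETS):
    """Return {name: (original_policy_match, workaround_policy_match)}."""
    return {
        name: (protocol_eq_icmp(hdr), workaround_policy(hdr))
        for name, hdr in packets.items()
    }


if __name__ == "__main__":
    for name, (original, fixed) in evaluate().items():
        print(f"{name:30} original={original!s:5} workaround={fixed}")
```

Under this model, any IPv6 source whose second byte is 0x01 is captured by the original policy whatever its payload protocol, and only the workaround expression excludes it.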

Reporting

  • Issue ID 368982: After you import a custom data source, the charts for the counters under "System entities statistics" are inaccurate, because of issues in the third-party charting engine.

SDX

  • Issue ID 432899, 435206: If you create channels on SDX and use these channels in VPXs and then take a backup of the appliance to restore either the complete appliance or selected instances, then channels are not restored and instances may fail.

SSL

  • Issue ID 455821: An SSL chip is disabled at the third reinitialization attempt. That is, the maximum reinitialization limit is 2. Earlier, this limit was 5.

  • Issue ID 494093: If session reuse is enabled on the NetScaler and a network error occurs, the NetScaler attempts to clear the session information so that it is not reused for a subsequent session request from the same client. In rare cases, the NetScaler might fail during this cleanup process.
  • Issue ID 402423: In a cluster setup, if you include the "cipherdetails" option in the "show ssl service" or "show ssl vserver" command, an incorrect message appears. This is only a display issue.

    For example,

    > sh ssl service svc1 -cipherDetails

    ERROR: No such resource [serviceName, svc1]

  • Issue ID 343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

System

  • Issue ID 377618, 341460, 351127, 364015: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error:

    Invalid response from the aggregator [Device not Configured]

  • Issue ID 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

Web Interface

  • Issue ID 397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 363145: The following APIs are not available in version 10.1 or later:

    - bindservicegroup_state2

    - unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.


Build 127.10

Release version: Citrix NetScaler, version 10.1 build 127.10

Replaces build: None

Release date: June 2014

Release Notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Bug Fixes

Application Firewall Issues

  • Issue ID 472094: Any application firewall profile that has either the "AlwaysExceptFirstRequest" or the "AlwaysExceptStartURLs" option enabled cannot be viewed in the configuration utility. These options are available from the command line only. When upgrading to either the current 10.1 maintenance release or the 10.5 beta release of the NetScaler operating system from any previous release, any profile which had the "always" option enabled has that option changed to "AlwaysExceptStartURLs." Profiles that have the "if_present" or "OFF" options enabled are not affected.
  • Issue IDs 456650, 313950: A NetScaler ADC that is configured as an HA pair, and that has the application firewall feature enabled, might experience repeated failovers from the primary to the secondary node when processing HTML traffic with large tag attribute values.
  • Issue ID 455284: NetScaler ADCs that are configured as an HA pair with the application firewall enabled might become unresponsive or reboot when the application firewall is processing a large web form.

AAA Application Traffic Issues

  • Issue ID 317157: AAA-TM now supports relative URLs as form Action URLs in forms-based SSO logon forms. You do not have to specify an absolute path to the web form when configuring forms-based SSO.

Content Switching Issues

  • Issue ID 460259: The output of the "stat cs vserver -fullValues" command now displays the number of requests per second. In earlier builds, the output displayed the total number of requests.

Configuration Utility Issues

  • Issue IDs 473832, 474471: The configuration utility might display the following error message when you create a monitor by navigating to Traffic Management > Load balancing > Monitors and click Add: Error creating view. Model must not be null
  • Issue ID 0448851: The System > Cluster > Manage Cluster screen allows a user to create a cluster without providing a Cluster IP address.
  • Issue ID 403766: In the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings creates an error condition.
  • Issue ID 409057: The Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard displays a distorted view of the published resources when you apply the application firewall settings in the Security section.
  • Issue ID 446373: For MPX and VPX NetScalers, you can edit ifalias from the Graphical User Interface properly. If you are using Cluster VPX, you can only edit ifalias using the command line interface and not the Graphical User Interface.

DataStream Issues

  • Issue ID 415485: Support for SQL Server High-Availability (HA) Group Deployment

    The NetScaler ADC now supports AlwaysOn Availability group deployment in database specific load balancing for MSSQL 2012.

    For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-dbproxy-db-specific-lb-for-mssql-2012-tsk.html.

Integrated Caching Issues

  • Issue IDs 466452, 469584, 469588, 470925: While revalidating cached objects, the integrated caching feature performs some incorrect accounting of the cache size. This causes the NetScaler appliance to crash.

GSLB Issues

  • Issue ID 465500: GSLB static proximity stops working if you remove the custom records after the database ideal times out. If you have not removed the custom records, then it starts to work when a new connection request is made.

Load Balancing Issues

  • Issue ID 475980: The NetScaler ADC does not set the mandatory flag in a Route-Record AVP. As a result, some Diameter implementations might reject the AVP.
  • Issue ID 471938: In a deployment with multiple MAC-mode virtual servers, some changes in the configuration can result in a MAC-mode virtual server failing to serve traffic. Changes that can cause the problem include:
    • Disabling and enabling the interface through which the MAC of a service is learnt.
    • Removing virtual servers or clearing their configurations.
    • Changes caused by high availability failovers.

NetScaler Insight Center Issues

  • Issue ID 450474: On the dashboard, when you navigate to Web Insight > Devices > (device record) and click on HTTP Request Methods, HTTP Response Status, Operating Systems, or User Agents, and then from the bread crumb navigation click Application from the respective drop down list, the graph does not display any details.

NetScaler Gateway Issues

  • Issue ID 474027: If you configure the Green Bubble theme and if users do not meet the domain requirements when changing their passwords, users do not receive an error message. Instead, the logon page appears. With this fix, the error message appears to users.
  • Issue IDs 460997, 477547: If a configuration change occurs while the configuration is being referenced in the processing engine, NetScaler Gateway fails.
  • Issue IDs 456179, 462881, 466862: If proxy settings are configured on the user device and the NetScaler Gateway URL is in the proxy bypass list, users cannot establish a VPN connection with the NetScaler Gateway Plug-in for Windows.
  • Issue ID 440623: When users log on, preauthentication might not synchronize between processes. When this occurs, NetScaler Gateway fails.
  • Issue ID 412237: If users connect to a domain-based server by using clientless access, NetScaler Gateway fails occasionally.

NetScaler SDX Appliance Issues

  • Issue ID 475099: Configuring a wrong DNS IP address was slowing internal communication between Management Service and XenServer. With the current release, the DNS lookup is ignored for internal communication.
  • Issue ID 456703: When an interface other than 0/1 and 0/2 is used for management on a VPX, and that interface is later made part of a channel created from SVM, the channel is not pushed to this VPX, and manual steps are required to achieve the same.

    A user can delete such channels (made out of data interfaces and used for VPX management) from SVM, which leaves the VPX in an unmanageable state.

Networking Issues

  • Issue ID 477507: If you have configured active FTP with the random source port option enabled for an FTP virtual server, the NetScaler ADC might not handle data connections properly for this FTP server and might become unresponsive.
  • Issue IDs 475466, 475462, 486447: RNAT configuration might be lost in a NetScaler ADC after you restart it.
  • Issue ID 457119: In a high availability (HA) configuration, the secondary node might forward BOOTP and DHCP related traffic using a configured VMAC address instead of the interface's MAC address.
  • Issue ID 438557: The NetScaler appliance might consume excessive CPU cycles when processing ACL rules.
  • Issue IDs 469033, 467726: In a high availability configuration, you might lose your VLAN configuration if you upgrade the secondary node to build 125.x from build 122.17, 123.11, or 124.13.
  • Issue ID 448316: The NetScaler ADC might not remove the session information of an FTP connection from its memory while closing the connection. When the NetScaler ADC allocates the same memory block for a connection related to a UDP DNS service, the NetScaler ADC becomes unresponsive.

SSL Issues

  • Issue IDs 460918, 474003: Next Protocol Negotiation (NPN) TLS extension cannot be explicitly enabled or disabled. It is automatically enabled when SPDY is enabled on a HTTP profile, and disabled when SPDY is disabled.
  • Issue IDs 459688, 446760: If you use the configuration utility to configure FIPS appliances in a high availability setup, FIPS keys are not exported or imported between the nodes, because the option to enable secure information management (SIM) is not available.

System Issues

  • Issue IDs 451285, 441843, 457850: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
  • Issue ID 450398: The NetScaler nstrace utility does not filter out all IPv6 packets when an IPv4-only filter is entered.
  • Issue IDs 450054, 450787, 453207, 453481, 459354: When the NetScaler has application firewall disabled but SSO enabled, and NetScaler memory is low, not all unused memory (appfw memory) is recovered. This leads to an erroneous value for the "ActualInUse" memory counter.
  • Issue IDs 455041, 478635, 484981: The NetScaler system backup tar file does not include the following files:
    • /nsconfig/ns.conf
    • /nsconfig/Zebos.conf
    • /nsconfig/rc.netscaler
    • /nsconfig/snmpd.conf
    • /var/log/wicmd.log
    • /nsconfig/nsbefore.sh
    • /nsconfig/nsafter.sh
  • Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or another admin session, is in progress. Workaround: Re-execute the "show ns runningConfig" command to fetch the entire running configuration.

Known Issues and Workarounds

Application Firewall Issues

  • Issue ID 399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:

    > update appfw signatures "*Default Signatures"

    > update appfw signatures "custom_signatures"

    > update appfw signatures "custom_signatures_2"

  • Issue ID 451014: On a NetScaler ADC that has the application firewall enabled and the HTML SQL injection feature configured to block, when the ADC detects an SQL violation on a page with a web form, a second violation might be generated for the Form Action URL. This is expected behavior. To avoid unexpected blocks, when you configure a relaxation for a web form, be sure to include a relaxation for the Form Action URL as well.
  • Issue ID 466329: If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.
  • Issue ID 443673: Signature Bindings Not Shown in PCI-DSS Report. The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "not set".
  • Issue ID 372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup.

    Workaround: Display the bindings in the command line interface, by using the "show system global" command.

  • Issue ID 430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:

    > show appfw JSONContentType

    1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX

    Done

    If it is not, the screen shows only the following:

    > show appfw JSONContentType

    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX

    show appfw JSONContentType

AppFlow Issues

  • Issue ID 396892: The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.
  • Issue ID 388563: The following behavior is seen during a high availability failover on a NetScaler appliance that has active ICA session applications launched:
    • The applications stop functioning, but are visible on the browser.
    • The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.
    • When you click OK on the dialog box, the applications are not displayed anymore.
    • If you launch any new applications without logging on again, all the previously launched applications resume with their previous status.
  • Issue ID 478480: If a browser executes the JavaScript that is inserted into the response of the main page, it sends a special request intended for the NetScaler ADC. AppFlow records for this request must not be generated. While handling this behavior, the logic in one part of the code assumes that the AppFlow records must not be sent, but another part of the code assumes that the records must be sent. As a result, the NetScaler ADC fails to respond.

Content Switching

  • Issue ID 501856: An invalid HTTP request that spans multiple TCP segments and is sent to a content switching virtual server can cause the NetScaler to skip the load balancing decision and initiate a connection from the SNIP to the content switching virtual server. This can cause the NetScaler appliance to crash.

CloudBridge Connector

  • Issue ID 440781: When the state of a CloudBridge Connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.

Configuration Utility

  • Issue ID 374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 459703: In a high availability setup, if you run the "add ssl certkey" command on the primary node, and if the certificate and key files are not present on the secondary node, the command fails on the secondary node. However, an error message is not displayed in the configuration utility.
  • Issue ID 388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 482135: Java Runtime Environment (JRE) does not work on Internet Explorer version 10.

    Workaround: Press F12 and set the Document Mode and Browser mode to Internet Explorer 9.

  • Issue ID 483226: The key filename property of Import FIPS key (Configuration > Traffic Management > SSL > FIPS > FIPS keys > Action > Import > Key Filename) fails if you provide an incomplete file path, such as folder1/folder2/rsa.key, where folder1 and folder2 are the folders within the nsconfig/ssl path.

    Workaround: Provide the complete file path nsconfig/ssl/folder1/folder2/rsa.key, or provide only the file name, rsa.key.

  • Issue IDs 374304 and 377460: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a "No such resource" error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button instead of pressing the ENTER key on the keyboard.

  • Issue ID 414807: The Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard displays an error if more than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers, or if more than one service is bound to the service group.
  • Issue ID 414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
  • Issue ID 469755: If you open the NetScaler ADC configuration utility on multiple browser tabs, and if you disable a feature on one of the tabs, the other tabs are not automatically refreshed.

    Workaround: Manually refresh the tabs.

DNS

  • Issue ID 458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.
    • If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.
    • If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.

Integrated Caching

  • Issue IDs 440107 and 440389: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

High Availability

  • Issue ID 471294: When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) to build 126.x, the updates made in the Webinterface.conf file are overwritten by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes. To avoid this issue, use the following steps when upgrading the HA nodes:
    1. Before upgrading, run the command: "set ns param -internaluserlogin DISABLED"
    2. Upgrade the secondary HA node to NetScaler 10.1 Build 126.x release.
    3. Force failover to make the upgraded node the primary node.
    4. Upgrade the other HA node to NetScaler 10.1 Build 126.x release.
    5. Restore the previously disabled "internaluserlogin" parameter to enabled using the command: "set ns param -internaluserlogin ENABLED".
    6. Save the configurations.
    Note: Before upgrading, sync files between the HA nodes by using the CLI command: "sync ha files all".

Load Balancing

  • Issue ID 399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.
  • Issue ID 441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.

NetScaler Insight Center

  • Issue ID 385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name "(user-id@domain-name)".
  • Issue ID 399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 386911: When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 446120: In some instances, the bar line on a graph appears outside the time points on the x-axis.
  • Issue ID 394526: In the Dashboard > Web Insight > Applications page, the values shown when you select "Response Time" from the drop-down list can be incorrect.
  • Issue ID 424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported.

    Workaround: To upgrade to build 120.13 or a later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 409634: All the metrics except bandwidth and hits display the average values.
  • Issue ID 397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off:

    The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.

  • Issue ID 414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x-axis.
  • Issue IDs 379876, 437964, and 424686: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 486792: If you enable AppFlow for ICA traffic on a NetScaler ADC, and if there is a large number of sessions, the ADC might fail because of an internal memory re-use and dependency issue.
  • Issue ID 482748: If you enable AppFlow for ICA traffic on a NetScaler ADC, the NetScaler ADC might fail because of an internal memory re-use and dependency issue.
  • Issue ID 475981: A NetScaler ADC fails when it receives ICA traffic from a metro receiver client.

NetScaler Gateway

  • Issue ID 397625: To configure two-factor authentication with SAML authentication, you must configure the secondary authentication policy in the primary cascade.
  • Issue ID 398693: Installing and uninstalling the NetScaler Gateway Plug-in can take a long time. This is due to multiple entries of the Citrix Virtual Adapter in the registry.
  • Issue ID 373991: On an nCore appliance, when users attempt to access the subnet IP address through the VPN tunnel over HTTP, a 401 Access Denied error message appears. Connecting to the subnet IP address works if users make the attempt by using HTTPS.
  • Issue ID 400171: If you configure Group Extraction, you cannot bind an LDAP authentication policy to the virtual server. However, if an LDAP authentication policy was bound to the virtual server before configuring Group Extraction, you can enable authentication on the virtual server.
  • Issue ID 385318: If you have configured a proxy server and you configure NetScaler Gateway to route traffic through the proxy server, when users log off from a clientless access session, a 403 error occurs.
  • Issue ID 411152: When you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver, the applications and desktops do not appear. The following message appears: There are no apps or desktops assigned to you at this time. Citrix recommends disabling the optimization settings.
  • Issue ID 346729: If you apply the Citrix Receiver theme to the NetScaler Gateway logon page, the layout appears garbled on computers running Windows XP Service Pack 3 with Internet Explorer 7 browsers.
  • Issue ID 400050: The NetScaler Gateway Plug-in for Java does not compress network traffic even when compression is configured on the NetScaler Gateway.
  • Issue ID 392389: When users log on with the NetScaler Gateway Plug-in and WiFi roaming occurs, intermittent ICMP requests time out and users cannot access network resources.
  • Issue ID 368229: The running configuration does not include group extraction policies bound to the NetScaler Gateway virtual server.
  • Issue ID 374890: If you configure the appliance with NetScaler Gateway and Application Firewall, logon attempts by unauthorized users appear in the logs. When an authorized user logs on and then attempts to access a network resource to which users are explicitly denied, the access attempt does not appear in the logs and users receive a 403 error.
  • Issue ID 411851: If you configure a NetScaler Gateway virtual server, enable ICA proxy and enable the Use Source IP (USIP) mode globally, when users connect and use StoreFront to open an application, NetScaler Gateway uses the client IP address as the source IP address when contacting the STA server and the application fails to open. If you disable USIP mode, the same behavior occurs unless you restart the NetScaler Gateway appliance. To avoid the issue, you need to configure a service on NetScaler for the STA server and disable USIP on that service.
  • Issue IDs 376303 and 394800: If you configure an intranet IP address, when users log on by using clientless access and then open SharePoint 2007, when they try to open a folder with Windows Explorer, a blank page appears.
  • Issue ID 384998: If you configure NetScaler Gateway as a high availability pair and if there is a failover from the primary to the secondary appliance, the ICA connection to published apps that are already open on the user device is reestablished. If users attempt to open more applications from the Web Interface, the applications fail to open and users receive an error message.

Networking

  • Issue ID 399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
  • Issue ID 475462: The NetScaler appliance might not properly process ACL-based RNAT rules.
  • Issue IDs 383958 and 411806: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

NetScaler SDX Appliance

  • Issue ID 384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.
  • Issue IDs 369650, 468381 and 442942: Configuring Enforced VLAN by providing a VLAN number in the VLAN ID field is not supported on an SDX Rome 1G port.

    Workaround: Use the Allowed VLAN feature, which has the same functionality as Enforced VLAN.

Platform

  • Issue ID 407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.
  • Issue ID 402113: L2 mode is not supported on NetScaler VPX instances running on a Linux-KVM host.
  • Issue ID 407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.
  • Issue ID 381000: On some NetScaler appliances, the following four sensor readings are no longer available. The "stat system -detail" command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)

    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 402111: VLAN tagging is not supported on NetScaler VPX instances operating in the MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface modes.
  • Issue ID 385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policy

  • Issue ID 422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP:

    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)

  • Issue ID 425465: After changing the time zone on a NetScaler appliance, you must restart the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
  • Issue ID 390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.
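
The listen-policy behavior in Issue ID 422967 can be reproduced on raw headers. The following Python sketch is an added example, not NetScaler code: it assumes the mismatch comes from reading the IPv4 protocol offset (byte 9) without checking the IP version, which in an IPv6 header is the second byte of the source address. The function names and sample addresses are constructed for illustration.

```python
import ipaddress
import struct

ICMP = 1
# Offset of the protocol field in an IPv4 header. In the IPv6 fixed header
# the source address starts at byte 8, so byte 9 is its second byte.
IPV4_PROTOCOL_OFFSET = 9


def ipv4_header(src, dst, protocol):
    """Build a minimal 20-byte IPv4 header (checksum left at 0)."""
    version_ihl = (4 << 4) | 5
    return struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, 20, 0, 0, 64, protocol, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src, dst, next_header):
    """Build a 40-byte IPv6 fixed header with an empty payload."""
    version_tc_flow = 6 << 28
    return struct.pack(
        "!IHBB16s16s",
        version_tc_flow, 0, next_header, 64,
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )


def is_ipv6(packet):
    """The IP version is the high nibble of the first header byte."""
    return packet[0] >> 4 == 6


def naive_listen_policy(packet):
    """Assumed model of CLIENT.IP.PROTOCOL.EQ(ICMP) with no version check."""
    return packet[IPV4_PROTOCOL_OFFSET] == ICMP


def workaround_listen_policy(packet):
    """Model of !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)."""
    return (not is_ipv6(packet)) and packet[IPV4_PROTOCOL_OFFSET] == ICMP


# Constructed sample headers (documentation address ranges).
SAMPLES = {
    "ipv4_icmp": ipv4_header("192.0.2.10", "198.51.100.5", ICMP),
    "ipv4_tcp": ipv4_header("192.0.2.10", "198.51.100.5", 6),
    # 2001:db8::10 packs as 20 01 0d b8 ..., so its second byte is 0x01.
    "ipv6_tcp_2001": ipv6_header("2001:db8::10", "2001:db8::1", 6),
    "ipv6_tcp_fe80": ipv6_header("fe80::1", "fe80::2", 6),
}


def evaluate(samples):
    """Return {name: (naive_match, workaround_match)} for each header."""
    return {
        name: (naive_listen_policy(pkt), workaround_listen_policy(pkt))
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    for name, (naive, fixed) in evaluate(SAMPLES).items():
        print(f"{name:15} naive={naive!s:5} workaround={fixed}")
```

Under this model, any source address in 2001::/16 has 01 as its second byte, so TCP traffic from such addresses would be captured by the unguarded ICMP listen policy.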

Reporting

  • Issue ID 368982: After you import a custom data source, the charts for the counters under "System entities statistics" are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 494093: If session reuse is enabled on the NetScaler and a network error occurs, the NetScaler attempts to clear the session information so that it is not reused for a subsequent session request from the same client. In rare cases, the NetScaler might fail during this cleanup process.

System

  • Issue ID 476304: On SDX systems, TX stalls are sometimes seen on some of the member interfaces while an LACP channel is being created, deleted, or modified.
  • Issue IDs 377618, 341460, 364015 and 351127: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error:

    Invalid response from the aggregator [Device not Configured]

  • Issue IDs 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you're executing the command manually, then there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, then modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

VPX

  • Issue ID 405164: On a NetScaler VPX instance running on a Linux-KVM platform, dynamic routing protocols OSPF and ISIS fail to run on the platform's MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

  • Issue IDs 405383 and 360482: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.

Web Interface

  • Issue ID 397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.

Build 126.12

Release version: Citrix NetScaler, version 10.1 build 126.12

Replaces build: None

Release date: May 2014

Release Notes version: 1.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Changes

Caching Stored Procedures and SQL Queries Issues

  • Issue ID 0453973: If connection multiplexing is disabled in a database profile, stored procedures and SQL batch queries are not cached, despite caching being enabled for the profile. With this enhancement, you can enable caching, if connection multiplexing is disabled, by setting the new "enableCachingConMuxOFF" parameter in the profile.

    At the command prompt, type:

    add dbProfile <name> -conMultiplex DISABLED -enableCachingConMuxOFF ENABLED

    or

    set dbProfile <name> -enableCachingConMuxOFF ENABLED

    In the configuration utility, select "Enable caching when connection multiplexing OFF".

SNMP Issues

  • Issue ID 0418044: A new SNMP OID, vsvrEstablishedConn (1.3.6.1.4.1.5951.4.1.3.1.1.71) is available for current client connections in the ESTABLISHED state at the vserver level.

Bug Fixes

Application Firewall Issues

  • Issue ID 0407347: By default, the application firewall's SQL Injection signatures patterns and security checks do not prevent SQL injection attacks that use the percent (%) or underscore (_) characters. To work around this issue, add the percent and underscore characters to each signatures object as SQL special characters.
  • Issue ID 0424879: A user with a web proxy that allows the user to modify the HTTP header can on rare occasions bypass certain security checks when sending content that would normally be blocked. For example, a user might bypass the HTML and XML SQL injection checks when sending an SQL special symbol to a protected web application, as long as the special symbol is not combined with an SQL command. A user might also be able to send a modified cookie by intercepting and including all cookies that the application firewall sent to the user, including the NetScaler cookie. Finally, the user might be able to use a web form to upload a script and save that script as a different file type. It does not appear that this technique can be used to cause an actual security breach.
  • Issue IDs 0443207, 0355620: If an attacker includes an SQL special character that is not followed by an SQL keyword in web form data filtered by the application firewall, the application firewall does not block the request because it classifies a special character that does not include a keyword as a false positive.
  • Issue ID 0457454: After automatic update of the application firewall signature rules, custom signature rules with versions lower than the current signatures are automatically disabled.

AppFlow Issues

  • Issue IDs 0441332, 0401672, 0357422: If HTML Injection is enabled, the NetScaler ADC injects JavaScript into the response to obtain client-side page-load time and client-side page-render time details. The JavaScript triggers a special request that is intended only for the NetScaler ADC, but the NetScaler ADC creates an additional request by forwarding the request to the server.

Cluster Issues

  • Issue ID 0455148: In some cases, the MSR routes remain in DOWN state since probing ownership is incorrectly being distributed across the cluster. MSR in cluster needs spotted SNIPs and probing ownership must be with the local node alone.

Configuration Utility Issues

  • Issue IDs 0447077, 0460857: If you create a monitor by using the graphical user interface and choose the default browse option to select the in-built monitor scripts from the /nsconfig/monitors folder, the folder does not display any scripts to choose.
  • Issue ID 0448851: The System > Cluster > Manage Cluster screen allows a user to create a cluster without providing a Cluster IP address.
  • Issue ID 0460413: On a NetScaler SDX graphical user interface, an nsroot user cannot change the passwords of other configured user accounts.

Compression Issues

  • Issue ID 0456734: The output of the "show cmp parameter" command incorrectly displays the label as "Disable External Cache" instead of "Enable External Cache".

Command Line Interface Issues

  • Issue ID 0436772: When you run the command show techsupport to generate a tar of system configuration data, in certain scenarios, the NetScaler ADC might not collect certain large files.

DataStream Issues

  • Issue ID 0451036: NTLM authentication is now supported on all Windows clients.

Load Balancing Issues

  • Issue IDs 0369369, 0252157, 0438593: In NetScaler deployments where a load balancing virtual server is deployed behind another virtual server, the count of the number of request bytes is inadvertently doubled.
  • Issue ID 0434925: If you add a server with a name that contains an IP address and a string, and then use that server to add a service, the error message “service already exists” appears.
  • Issue IDs 0441973 and 0442098: If you bind policies in one of the following orders of priority, and then run the “show running config” or the “save config” command, the command runs repeatedly:
    • Syslog, nslog, syslog
    • Nslog, syslog, nslog
  • Issue ID 0456632: If a user tries to use a long URL (more than 1024 bytes) to access a protected resource for the first time (that is, without a valid cookie), the NetScaler ADC returns a 500 error.
  • Issue ID 0454497: When the primary virtual IP address is down and no backup is configured, spillover persistence fails to decrement the session allocation counter. This leads the NetScaler appliance to believe that sessions are alive and therefore reject new client requests.

NetScaler Insight Center Issues

  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0451609: If a NetScaler ADC is deployed in transparent mode for HDX Insight, Citrix Receiver fails to launch the applications or desktops if use source IP (USIP) is enabled and use subnet IP (USNIP) is disabled.
  • Issue ID 0452989: If a NetScaler ADC is deployed in transparent mode for HDX Insight, Citrix Receiver fails to launch the applications or desktops if the appflow policy is not bound to a global bind point.
  • Issue ID 0456449: On the Dashboard > Web Insight > Applications page, the report for a specific application does not display the client type and client version details.
  • Issue ID 0453764: On the dashboard, HDX Insight reports do not display the active sessions and also display an incorrect value for session launch count.

NetScaler SDX Appliance Issues

  • Issue ID 0449247: If appliance inventory is in progress while a channel is being created, the channel might be created on the VPX but not be visible from the SVM.
  • Issue ID 0456884: When you click on a NetScaler IP address in the SVM GUI, the NetScaler configuration utility opens without prompting for logon credentials. Log on is done through single sign on (SSO).
  • Issue ID 0460329: If you are using the NetScaler SDX 8015/8400/8600 10G platform, no interfaces are shown in the interface list when an LACP channel is being created.
  • Issue ID 0455601: There was an issue with the disk configuration file for NSSDX-22000 and NSSDX-22000T systems. The Local Storage partition was configured as sda3 instead of sda4 for these systems.
  • Issue ID 0460376: The Management Service showed an incorrect alert for power supply status, with the message "One of the two power supplies is not working".

Networking Issues

  • Issue ID 0452434: In a high availability configuration in INC mode, net profile and IPset commands propagate to the secondary node.
  • Issue IDs 0469033, 0467726: In a high availability configuration, you might lose your VLAN configuration if you upgrade the secondary node to build 125.x from builds 122.17, 123.11, 124.13.

Platform Issues

  • The LCD display on the front of every NetScaler SDX appliance, except SDX 11500/13500/14500/16500/18500/20500 and SDX 11515/11520/11530/11540/11542 displays a booting message when the appliance is started or restarted.

    The LCD has a neon backlight. Normally, the backlight glows steadily. When there is an active alert, it blinks rapidly. When the appliance shuts down, the backlight remains on for one minute and then automatically turns off.

    Note: The LCD screen on a NetScaler SDX appliance displays the base model number for that platform. To view the licensed model number of the appliance, log on to the Management Service and check the licensed model number on the top left corner of the screen. For example, if you have purchased an SDX 11515 license, the LCD screen displays SDX 11500, and the Management Service screen displays NetScaler SDX (11515).

    On some SDX platforms, the LCD backlight might not work. Therefore, the display might not be clear.

SSL Issues

  • Issue ID 0437018: On a Nitrox-2 chip based platform, if you bind cipher groups, such as HIGH and AES, to your virtual server, the unsupported ECDHE cipher might also be bound. This cipher does not cause any problems. To remove it, you must unbind the cipher group.
  • Issue IDs 0451698, 0446674, 0452080: In a high availability setup, the force ha sync command appends the DEFAULT cipher group to the user-defined ciphers on the virtual server of the secondary node.

System Issues

  • Issue IDs 0335202, 0341155, 0404099, 0248103: When web server logging and audit logging are enabled on the NetScaler, the TCP current clients counter goes to negative values and shows a very large value in the stat or the SNMP OID.
  • Issue IDs 0396628, 0402205: With a large number of configuration entries in the ns.conf file, the commands in the /nsconfig/rc.netscaler file might not be applied after the appliance is restarted.
  • Issue IDs 0401111, 0414273, 0413721, 0408648, 0399769, 0375425, 0460731, 0424726, 0408267: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
  • Issue ID 0432612: The NetScaler ADC forwards unprocessed packets to the load balancing virtual servers without selecting a service, because of an HTTP out-of-order packet processing issue. Instead of being dropped, these connections queue up at the virtual servers. The ADC fails to respond while processing these connections.
  • Issue ID 0446300: The NetScaler ADC might fail during an nstrace operation.
  • Issue IDs 441843, 457850, 451285: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
  • Issue ID 0453108: The NetScaler appliance drops a connection if it receives 255 back-to-back old packets (re-transmissions). The limit is configurable and the default value has been increased.
  • Issue ID 0453811: The state of services for which NATPCB is allocated starts flapping because of NATPCB allocation failure.
  • Issue ID 0450580: High CPU usage is observed when evaluating listen policy named expressions on a virtual server that picks up every packet.
  • Issue IDs 0462797, 0441758, 0446780, 0455911, 0457505, 0459435, 0468798, 0476812: A memory leak was found in the shell '/bin/sh' while performing management CPU profiling in "nsproflog.sh", thereby causing swap zone issues.

VPX Issues

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might occur in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:

    sysctl netscaler.ns_vpx_halt_method=2

    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:

    sysctl netscaler.ns_vpx_halt_method=2

Web Interface Issues

  • Issue ID 0450811: In a high availability setup, if the failover operation is performed twice, a user trying to launch an application is unable to proceed after the AGESSO.jsp page appears. If the domain controller is configured for x number of logon retries, and the user refreshes the page x number of times, the account is locked. With this fix, the user is able to launch the application. However, if an application is launched immediately after failover, and the launch takes longer than usual (about 75 seconds), a session error page might appear, in which case the user has to log on again.
  • Issue ID 0456120: Upgrading a NetScaler ADC from release 10 to release 10.1 deletes a set of customized options of the add wi site command.
  • Issue ID 0458113: Neither the CLI nor the configuration utility allows a user to configure a pre-login message of more than 255 characters.

Known Issues and Workarounds

Application Firewall Issues

  • Issue ID 0364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup. Display the bindings in the command line interface, by using the show system global command.
  • Issue ID 0466329: If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.
  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:

    > show appfw JSONContentType
    1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
    Done

    If it is not, the screen shows only the following:

    > show appfw JSONContentType
    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX
    show appfw JSONContentType

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:

    update appfw signatures "*Default Signatures"
    update appfw signatures "custom_signatures"
    update appfw signatures "custom_signatures_2"

  • Issue ID 0451014: On a NetScaler ADC that has the application firewall enabled and the HTML SQL injection feature configured to block, when the ADC detects an SQL violation on a page with a web form, a second violation might be generated for the Form Action URL. This is expected behavior. To avoid unexpected blocks, when you configure a relaxation for a web form, be sure to include a relaxation for the Form Action URL as well.

AppFlow Issues

  • Issue ID 0396892: The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.

CloudBridge Connector Issues

  • Issue ID 0440781: When the state of a cloudbridge connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.

Content Switching/Load Balancing Issues

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Configuration Utility Issues

  • Issue ID 0361793 (nCore and nCore VPX): The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue IDs 0374304, 0377460: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
  • Issue ID 0414807: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:
    • More than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers.
    • More than one service is bound to the service group.
  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings creates an erroneous condition.
  • Issue ID 0409057: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.
  • Issue ID 0411152: When you use the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings makes applications and desktops unavailable when StoreFront is accessed through a VPN.

    Workaround: Do not apply the optimization settings.

DNS Issues

  • Issue ID 0458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.
    • If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.
    • If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.

High Availability Issues

  • Issue ID 0443588: In a High Availability configuration, after you remove an HA configuration from one of the two nodes, if you confirm the following prompt message, "Do you want to remove ha node from remote system also ?", an error message might be displayed and the HA configuration is not removed from the remote node.
  • Issue ID 0471294: When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) to build 126.x, the updates made in the Webinterface.conf file are overwritten by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes.
    To avoid this issue, use the following steps when upgrading the HA nodes:
    1. Before upgrading, run the command: "set ns param -internaluserlogin DISABLED".
    2. Upgrade the secondary HA node to NetScaler 10.1 Build 126.x release.
    3. Force failover to make the upgraded node the primary node.
    4. Upgrade the other HA node to NetScaler 10.1 Build 126.x release.
    5. Restore the previously disabled "internaluserlogin" parameter to enabled by using the command: "set ns param -internaluserlogin ENABLED".
    6. Save the configurations.
    Note: Before upgrading, synchronize files between the HA nodes by using the CLI command: "sync ha files all".

ICA AppFlow Issues

  • Issue ID 0458122: When appflow is enabled, Multi-Stream ICA connections do not work if an appflow policy is bound to a VPN virtual server and appflow logging is enabled on the VPN virtual server.
  • Issue ID 0456440: On the Dashboard > HDX Insight > Desktops page, the report for a specific user displays the desktop record for that user, but it does not include the desktop records for all users.

Integrated Caching Issues

  • Issue IDs 0440107, 0440389: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

Load Balancing Issues

  • Issue ID 0441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.

NetScaler Insight Center Issues

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0446120: In some instances, the bar line on a graph appears outside the time points on the x-axis.
  • Issue IDs 0379876, 0424686, 0437964: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0409634: All the metrics except bandwidth and hits display the average values.
  • Issue ID 414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
  • Issue ID 414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported.

    Workaround: To upgrade to build 120.13 or later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.

    Workaround: Restart the appliance by running the following command on the command line interface:

    #/etc/rc.d/analyticsd restart

  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue IDs 0333555 and 346171: After you enable appflow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable Appflow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a Notepad.

  • Issue IDs 0388096 and 0423109: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue IDs 0388563 and 0438710: The following behavior is seen during a high availability failover on a NetScaler appliance that has active ICA session applications launched:
    • The applications stop functioning, but are visible on the browser.
    • The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.
    • When you click OK on the dialog box, the applications are not displayed anymore.
    • If you launch any fresh applications without re-login, all the previously launched applications will resume with the previous status.

  • Issue ID 0388875: When you navigate to Configuration > Inventory and click on a NetScaler IP address, only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0402105: The following error can occur when you use an IE8 browser to access NetScaler Insight Center from XenDesktop 5.6 or XenApp 6.5:

    "Object does not support this property or method."

  • Issue IDs 0404100 and 0404822: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server that has the lowest priority.
  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.

NetScaler SDX Appliance Issues

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
  • Issue ID 0434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.
  • Issue ID 0456703: When an interface other than 0/1 and 0/2 is used for management on a VPX instance, and that interface is later made part of a channel created from the SVM, the channel is not pushed to the VPX instance and manual steps are required to achieve the same. A user can delete such channels (made from data interfaces and used for VPX management) from the SVM, which leaves the VPX instance in an unmanageable state.
  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.
  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.

Networking Issues

  • Issue IDs 0383958, 0411806: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform Issues

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)
    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
  • Issue ID 0402111: VLAN tagging is not supported on NetScaler VPX instances operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
  • Issue ID 0402113: L2 mode is not supported on NetScaler VPX running on a Linux-KVM host.
  • Issue ID 0407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.
  • Issue ID 0407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.

Policy Issues

  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must restart the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.

Policies Issues

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP: !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
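    Why the workaround filters on IP version first, as an added example that is not Citrix code: the IPv4 Protocol field sits at header offset 9, and in an IPv6 header offset 9 is the second byte of the source address. The sketch assumes the listen expression reads that offset without checking the IP version, which the release note does not state; all function names and addresses are constructed.

```python
import ipaddress
import struct

ICMP = 1                   # IANA protocol number for ICMP (IPv4)
TCP = 6
IPV4_PROTOCOL_OFFSET = 9   # byte 9 of the IPv4 header is the Protocol field
# In IPv6 the source address occupies bytes 8..23, so byte 9 is its second byte.


def ipv4_header(src, dst, protocol):
    """Minimal 20-byte IPv4 header (checksum left at 0; not needed here)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, protocol, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src, dst, next_header):
    """Fixed 40-byte IPv6 header with zero payload length."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28, 0, next_header, 64,
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )


def is_ipv6(header):
    """The IP version is the high nibble of the first header byte."""
    return header[0] >> 4 == 6


def naive_listen_match(header):
    """Models CLIENT.IP.PROTOCOL.EQ(ICMP) with no version check (assumed behaviour)."""
    return header[IPV4_PROTOCOL_OFFSET] == ICMP


def workaround_listen_match(header):
    """Models !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)."""
    return (not is_ipv6(header)) and header[IPV4_PROTOCOL_OFFSET] == ICMP


def classify_samples():
    """Return {sample name: (naive match, workaround match)} for constructed headers."""
    samples = {
        # Constructed headers using documentation address ranges.
        "ipv4_icmp": ipv4_header("192.0.2.10", "198.51.100.1", ICMP),
        "ipv4_tcp": ipv4_header("192.0.2.10", "198.51.100.1", TCP),
        # Source 2001:db8::10 starts with bytes 0x20 0x01: second byte is 01.
        "ipv6_tcp_src_2001": ipv6_header("2001:db8::10", "2001:db8::1", TCP),
        # Source fd00::10 starts with bytes 0xfd 0x00: second byte is 00.
        "ipv6_tcp_src_fd00": ipv6_header("fd00::10", "2001:db8::1", TCP),
    }
    return {
        name: (naive_listen_match(hdr), workaround_listen_match(hdr))
        for name, hdr in samples.items()
    }


if __name__ == "__main__":
    for name, (naive, fixed) in classify_samples().items():
        print(f"{name:20s} naive={naive!s:5s} workaround={fixed}")
```

    Under that assumption, any IPv6 source in 2001::/16 satisfies the unfiltered expression regardless of the packet's actual next-header value, which is why the version check has to come first.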

Reporting Issues

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

Signature Bindings Not Shown in PCI-DSS Report Issues

  • Issue ID 0443673: The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as “not set”.

SSL Issues

  • Issue ID 0343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue IDs 0459688, 0446760: If you use the configuration utility to configure FIPS appliances in a high availability setup, FIPS keys are not exported or imported between the nodes, because the option to enable secure information management (SIM) is not available.

    Workaround: Use the command line to enable SIM. For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-tmg-fips-configure-fips-ha-tsk.html.

  • Issue ID 0469556: In rare cases, in which an unusually large number of new SSL requests are received, freeing an SSL session takes longer than expected. As a result, after some time available memory is exhausted.

System Issues

  • Issue IDs 0377618, 0351127, 0364015: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error: Invalid response from the aggregator [Device not Configured].
  • Issue ID 0455041: The NetScaler system backup tar file does not include the following files:

    /nsconfig/ns.conf

    /nsconfig/Zebos.conf

    /nsconfig/rc.netscaler

    /nsconfig/snmpd.conf

    /var/log/wicmd.log

    /nsconfig/nsbefore.sh

    /nsconfig/nsafter.sh

  • Issue IDs 449234, 457629: In deployments with large configurations (on the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

  • Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or another admin session, is in progress.

    Workaround: Re-execute the "show ns runningConfig" command to fetch the entire running configuration.

System/Application Firewall Issues

  • Issue ID 0437307: On a NetScaler ADC that is not configured to use jumbo frames and that protects a server that is configured to use jumbo frames, if the application firewall is enabled and at least one profile is configured, the ADC might become unresponsive for a period of time and then reset the connection.

VPX Issues

  • Issue ID 0405164: On a NetScaler VPX instance running on a Linux-KVM platform, dynamic routing protocols OSPF and ISIS fail to run on the platform’s MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

  • Issue IDs 0405383, 0360482: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.
  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might occur in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:

    sysctl netscaler.ns_vpx_halt_method=2

    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:

    sysctl netscaler.ns_vpx_halt_method=2

Web Interface Issues

  • Issue ID 0397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API Issues

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later: bindservicegroup_state2 and unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.

Build 125.9

Release version: Citrix NetScaler, version 10.1 build 125.9

Replaces build: 125.8

Release date: April 2014

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Changes

Platform

  • Issue ID 0419237: The 10G ixgbe (ix) driver on the NetScaler appliance now supports the following Active Optical Cables (AOCs):
    • Finisar FCBG110SD1C03
    • Avago AFBR-7CAR03Z

SSL

  • Issue ID 0376153: You can now set a limit to the number of disabled SSL chips after which the appliance restarts. At the command prompt, type:
    set ssl parameter -cryptodevDisableLimit

    A chip is marked disabled after the third failed reinitialization attempt.

  • Issue ID 0455821: An SSL chip is disabled at the third reinitialization attempt. That is, the maximum reinitialization limit is 2. Earlier, this limit was 5.

Bug Fixes

Application Firewall

  • Issue ID 0428852: On a NetScaler ADC with limited CPU and memory, if the application firewall is enabled, out-of-memory errors might accumulate in the NetScaler log, causing rapid rotation of log files.
  • Issue IDs 0436100 & 0447536: On a NetScaler ADC that has the application firewall enabled and the Form Field Consistency check or Field Formats check enabled, a memory leak might cause the ADC to become unresponsive, requiring a manual restart. The underlying issue is a failure to process certain types of web form content properly. Appliances or VPX instances that have limited CPU and memory are especially likely to experience this issue.
  • Issue ID 0445552: On a NetScaler ADC HA pair configured to use the Citrix VPN, single sign-on, and the Application Firewall, a memory page issue might cause the primary ADC to reboot, failing over to the secondary ADC.
  • Issue ID 0448610: On a NetScaler ADC that has the application firewall enabled and an XML or Web 2.0 profile configured, if a response-side check (such as the Credit Card or Safe Object check) is enabled along with at least one XML-based check, Lotus Notes webmail does not load correctly. Specifically, the frame that should contain the user's inbox is blank.
  • Issue IDs 0448961, 0449223, 0449851, & 0450070: When using CVPN or the application firewall credit card or safe object security checks, memory issues might cause the NetScaler ADC to become unresponsive or restart.
  • Issue IDs 0446304, 0447206, 0444746, 0444810, 0448814, 0449393, 0449396, 0451162, 0451860, 0452078, and 0452427: If you use the single sign on (SSO) feature on your NetScaler ADC or NetScaler Gateway, it might become unresponsive or restart.
  • Issue ID 0450939: On a NetScaler ADC that has the application firewall enabled and an XML or Web 2.0 profile configured, if any XML security checks are enabled, certain web content does not load correctly.
  • Issue IDs 0452846, 0453768, 0456263, 0459327, and 046450: On a NetScaler ADC that has the application firewall enabled, when a Google Chrome user opens a large PDF file on a protected web server, the ADC might become unresponsive. The same file, if downloaded with Internet Explorer or Mozilla Firefox, causes no problems. The cause is a loop in a backup queue.
  • Issue ID 0453111: On a NetScaler ADC that has the application firewall enabled, and that has either limited available memory or a small memory cache configured, a memory page issue might cause the ADC to become unresponsive or reboot.

AAA Application Traffic

  • Issue ID 0382693: Currently AAA supports Kerberos authentication only with Datastream Windows Authentication. AAA does not support fallback to NTLM if Kerberos authentication fails.
  • Issue ID 0435529: When the NetScaler ADC is configured to use AAA with SAML authentication, and it receives a response from the IDP, it reformats the response in standard SAML format. (This process is sometimes called "canonicalizing" the response.) The ADC might not reformat SAML <samlp: response> namespace prefix tags correctly, because it expects <saml: assertion> format. In that case, digest verification fails.
  • Issue ID 0441290: When performing Kerberos authentication or authorization, instead of accepting the hostname that the user provided in the request, AAA-TM now performs a DNS lookup on the hostname IP, and uses the canonical FQDN for that IP when constructing a server SPN.
  • Issue ID 0453125: AAA-TM now supports the use of RFC822 name-based (SAN) client certificates to authenticate users. SAN client certificates work in exactly the same way as other client certificates. To configure the NetScaler ADC to use SAN client certificate authentication, follow the client certificate authentication instructions in the AAA-TM documentation.

Command Line Interface

  • Issue ID 0441505: A response policy bound to a VPN virtual server is no longer bound to the virtual server after you restart the NetScaler ADC.

Configuration Utility

  • Issue ID 0443850: If you use the configuration utility to create a NetScaler-owned IP address, and provide the OSPF LSA Type1 area value, the Type1 area value is not displayed when you click on the created IP address to view or edit the details.
  • Issue ID 0446549: After you set the SSO Domain (Single Sign-on Domain) value, the value is not displayed on the configuration utility when you navigate to Security > AAA Application Traffic > Settings > Change Global Settings.
  • Issue ID 0447077: If you create a monitor by using the graphical user interface and choose the default browse option to select the in-built monitor scripts from the /nsconfig/monitors folder, the folder does not display any scripts to choose.
  • Issue ID 0449229: The configuration utility includes an option to enable Net Profile when you create a StoreFront monitor, but that option should not be enabled for a StoreFront monitor.

Content Switching

  • Issue ID 0428991: The NetScaler appliance fails in the following scenario:
    1. Create a content switching virtual server (CS1) and bind a policy (P1) to it.
    2. Rename the virtual server (CS1) to CS2.
    3. Create another content switching virtual server named CS1 and bind P1 to the new CS1.
    4. Send traffic to virtual server CS1.
  • Issue ID 0445561: If an HTTP content switching virtual server is bound to an SSL virtual server that has a backup SSL virtual server, the following error message appears:

    ERROR: The backup vserver of the target vserver is not compatible with the CS vserver.

  • Issue ID 0449261: You must bind only a load balancing (LB) virtual server as the default or target LB virtual server to a content switching (CS) virtual server. Global server load balancing (GSLB), cache redirection (CR), virtual private network (VPN), and CS virtual servers must not be bound to a CS virtual server as the default or target virtual server.

ICA AppFlow

  • Issue ID 0430696: The NetScaler Gateway fails if AppFlow is enabled or disabled during ICA connections. The NetScaler Gateway might also fail if the NetScaler appliance receives an ICA parsing error.
  • Issue ID 0445959: The NetScaler ADC might fail if the EUEM channel data that is part of the ICA traffic flow is split across multiple frames in such a way that the first frame contains only 1 byte.
  • Issue ID 0445550: With some WYSE clients, the NetScaler ADC fails while processing the ICA connections if the ICA frame is fragmented across several CGP frames (more than three frames).

Integrated Caching

  • Issue ID 0427598: The NetScaler appliance fails to respond when it receives multiple byte-range requests for the same objects at almost the same time and the start of the byte range is greater than 1 MB.
  • Issue IDs 0436298 and 0434877: When refreshing a cache object for a conditional GET to an expired object, the memory is deducted two times but is returned only once when the cache cell goes away. This causes the memory that is used for a content group to slowly increase and finally reach the maximum memory that a content group can use. The NetScaler appliance is therefore unable to cache objects for that content group.

Load Balancing

  • Issue ID 0451670: The configuration for the NetScaler Web 2.0 Push feature is not saved in the configuration (ns.conf) file. As a result, if you run the show running config command, the push configuration is not shown.
  • Issue ID 0452648: In direct server return mode, the NetScaler ADC does not send a RST flag to the client after the idle timeout has expired.

NetScaler SDX Appliance

  • Issue ID 0445598: On a NetScaler SDX appliance running Management Service version 10.1, build 119.7, manually initiated backup operations fail, and a User name missing error message appears.
  • Issue ID 0446985: On a NetScaler SDX appliance, the NetScaler instances do not start when the total number of interfaces and SSL cores is more than 26.
  • Issue ID 0447773: If the administrative password for the Management Service contains an ampersand character (&), communication between Management Service and XenServer is affected, and errors occur during provisioning or modification of the instances.
  • Issue ID 0456884: When you click a NetScaler IP address in the SVM GUI, it opens the NetScaler configuration utility without prompting for login credentials. Login is carried out using single sign-on (SSO).

Networking

  • Issue ID 0448738: On a NetScaler ADC configured for link load balancing with RNAT, access to external sites fails intermittently.
  • Issue ID 0449175: In a High Availability configuration, if you set the maxFlips, maxFlipTime or syncvlan parameter of the set HA node command, the NetScaler ADC adds a duplicate entry of the add HA node command to the running configuration.

NITRO API

  • Issue ID 0444986: When importing an AppExpert template that has back end services configured, the NetScaler ADC reports a protocol mismatch error even if other service parameters (service name, IP address and port) are not the same.

Policies

  • Issue ID 0430148: Error messages displayed during policy binding are shown as hexadecimal code instead of the corresponding warning message.

SNMP

  • Issue ID 0407594: The aggregateBWUseHigh and aggregateBWUseNormal SNMP traps are frequently generated even though the bandwidth is less than the set value for the alarm.

SSL

  • Issue ID 0436205: If you add a certificate revocation list (CRL) with refresh enabled, the appliance might perform a core dump and restart.

System

  • Issue ID 0447623: When a client’s MPTCP token is invalid in the C2C steered MP_CAPABLE final ACK, the packet is dropped silently without flushing out the RSS filter. This filter is never deleted. If the client reuses the same 4-tuple as the filter, the incoming packet may go into the steering loop between the PEs. This will lead to very high CPU utilization.
  • Issue ID 447618: The NetScaler VPX appliance is now supported on VMware vSphere Hypervisor (ESXi) versions 5.1 and 5.5. This means that a NetScaler virtual instance can be instantiated on the 5.1 or 5.5 versions of the ESXi hypervisor.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.
  • Issue ID 0396892: Sometimes, the AppFlow exporter might not export the correct information, causing the client IP address to be displayed incorrectly on the NetScaler Insight Center dashboard.

Application Firewall

  • Issue ID 0364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup.

    Workaround: Display the bindings in the command line interface, by using the show system global command.

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.
    For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:
    update appfw signatures "*Default Signatures"
    update appfw signatures "custom_signatures"
    update appfw signatures "custom_signatures_2"
  • Issue ID 0430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:

    show appfw JSONContentType

    If the default content type is configured, the command output is similar to the following example:
    > show appfw JSONContentType 
    1) JSONContenttypevalue: "^application/json$"
    IsRegex: REGEX
    Done
    If it is not, the screen shows only the following:
    > show appfw JSONContentType
    Done
    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:
    add appfw JSONContentType ^application/json$ -isRegex REGEX
    show appfw JSONContentType
  • Issue ID 0443673: The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "not set".

Configuration Utility

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When you use the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When you use the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings makes applications and desktops unavailable when StoreFront is accessed through a VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0448851: The System > Cluster > Manage Cluster screen allows a user to create a cluster without providing a Cluster IP address.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Domain Name System

  • Issue ID 0458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.
    • If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.
    • If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.

High Availability

  • Issue ID 0443588: In a High Availability configuration, after you remove an HA configuration from one of the two nodes, if you confirm the following prompt message "Do you want to remove ha node from remote system also ?", an error message might be displayed and the HA configuration is not removed from the remote node.

Integrated Caching

  • Issue ID 0440107: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".

Load Balancing

  • Issue ID 0441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.

NetScaler Insight Center

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.
    Workaround: Restart the appliance by running the following command on the command line interface:
    #/etc/rc.d/analyticsd restart
  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue ID 0333555 and 346171: After you enable AppFlow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If AppFlow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable AppFlow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a Notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The graphs display overlapping time values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error can occur when you use an IE8 browser to access NetScaler Insight Center from XenDesktop 5.6 or XenApp 6.5:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, the clear AppFlow configurations (Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server that has the lowest priority.
  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported.

    Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 0421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.
  • Issue ID 0446120: On the HDX Insight reports, the bar in the chart is sometimes shown at a location higher than the X axis.
  • Issue ID 0456449: On the Dashboard > Web Insight > Applications page, the report for a specific application does not display the client type and client version details.
  • Issue ID 0456440: On the Dashboard > HDX Insight > Desktops page, the report for a specific user displays the desktop record for that user, but it does not include the desktop records for all users.

NetScaler SDX Appliance

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.
  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.
  • Issue ID 0434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2
  • Issue ID 0405164: On a NetScaler VPX instance running on a Linux-KVM platform, dynamic routing protocols OSPF and ISIS fail to run on the platform's MacVTap interfaces.

    Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).

  • Issue ID 0405383: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.

Networking

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
  • Issue ID 0469033: In a high availability configuration, you might lose your VLAN configuration if you upgrade the secondary node to build 125.9 from builds 122.17, 123.11, or 124.13.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)
    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
  • Issue ID 0402111: VLAN tagging is not supported on NetScaler VPX instances operating in MacVTap-Bridge, MacVTap-Private, MacVTap-VEPA, or MacVTap-Passthrough interface mode.
  • Issue ID 0402113: L2 mode is not supported on NetScaler VPX running on a Linux-KVM host.
  • Issue ID 0407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.
  • Issue ID 0407184: LACP is not supported on NetScaler VPX instances operating in Bridge, MacVTap-Bridge, MacVTap-Private, or MacVTap-VEPA interface mode.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.

    Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP:

    !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)

  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must restart the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
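
Why the workaround for Issue ID 0422967 above needs the IPv6 guard, shown as an added example that is not part of the release notes: in an IPv4 header the protocol field is byte 9, while in an IPv6 header byte 9 is the second byte of the source address. The sketch assumes that the protocol test reads that fixed offset regardless of IP version, which is what the issue description implies; the function names and sample headers are constructed for illustration and are not NetScaler code.

```python
import ipaddress
import struct

ICMP = 1  # IANA protocol number for ICMP over IPv4


def build_ipv4_header(src, dst, proto):
    """Minimal 20-byte IPv4 header (constructed sample, checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,   # version 4, header length 5 words
        0,              # DSCP/ECN
        20,             # total length (header only)
        0, 0,           # identification, flags/fragment offset
        64,             # TTL: byte offset 8
        proto,          # protocol: byte offset 9
        0,              # header checksum (not computed in this sample)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def build_ipv6_header(src, dst, next_header):
    """Minimal 40-byte IPv6 header (constructed sample)."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28,        # version 6, traffic class 0, flow label 0
        0,              # payload length
        next_header,    # next header: byte offset 6
        64,             # hop limit: byte offset 7
        ipaddress.IPv6Address(src).packed,  # source address: bytes 8..23
        ipaddress.IPv6Address(dst).packed,  # destination address: bytes 24..39
    )


def naive_is_icmp(pkt):
    """Model of CLIENT.IP.PROTOCOL.EQ(ICMP) applied without an IP version check
    (assumption: the test reads byte offset 9 of whatever header arrives)."""
    return pkt[9] == ICMP


def guarded_is_icmp(pkt):
    """Model of !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)."""
    is_ipv6 = (pkt[0] >> 4) == 6
    return (not is_ipv6) and pkt[9] == ICMP


def classify(samples):
    """Return {name: (naive_result, guarded_result)} for each sample header."""
    return {name: (naive_is_icmp(p), guarded_is_icmp(p))
            for name, p in samples.items()}


# Constructed sample headers using documentation and ULA address ranges.
SAMPLES = {
    "ipv4_icmp": build_ipv4_header("192.0.2.10", "192.0.2.1", 1),
    "ipv4_tcp": build_ipv4_header("192.0.2.10", "192.0.2.1", 6),
    # 2001:db8::10 packs to bytes 20 01 0d b8 ..., so the second byte is 0x01.
    "ipv6_tcp_src_2001": build_ipv6_header("2001:db8::10", "2001:db8::1", 6),
    # fd00:db8::10 packs to bytes fd 00 0d b8 ..., so the second byte is 0x00.
    "ipv6_tcp_src_fd00": build_ipv6_header("fd00:db8::10", "2001:db8::1", 6),
}

if __name__ == "__main__":
    for name, (naive, guarded) in classify(SAMPLES).items():
        print(f"{name:20s} naive={naive!s:5s} guarded={guarded}")
```

Every source address whose first 16-bit group ends in 01, which includes all of 2001::/16, has 0x01 as its second byte, so the unguarded listen policy would capture that IPv6 traffic whatever protocol it carries.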

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue IDs 0414388 and 0345883: In rare cases, if the random number generated for the DH key exchange has a leading zero, DH negotiation fails because of a hardware limitation.

System

  • Issue ID 0377618: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error:

    Invalid response from the aggregator [Device not Configured]

  • Issue ID 0396628: With a large number of configuration entries in the ns.conf file, the commands in the /nsconfig/rc.netscaler file might not be applied after the appliance is restarted.
  • Issue ID 0432612: The NetScaler ADC forwards unprocessed packets to the load balancing virtual servers without selecting a service, because of an HTTP out-of-order packet processing issue. Instead of being dropped, these connections queue up at the virtual servers. The ADC fails to respond while processing these connections.
  • Issue ID 0446300: NetScaler might fail to respond when performing the nstrace operation.
  • Issue IDs 0441843, 0375425, 0399769, 0401111, 0408648, 0413721, and 0414273: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
  • Issue IDs 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

  • Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or another admin session, is in progress.

    Workaround: Re-execute the "show ns runningConfig" command to fetch the entire running configuration.

System/Application Firewall

  • Issue ID 0437307: On a NetScaler ADC that is not configured to use jumbo frames and that protects a server that is configured to use jumbo frames, if the application firewall is enabled and at least one profile is configured, the ADC might become unresponsive for a period of time and then reset the connection.

Web Interface

  • Issue ID 0397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname

    Use unsetnslimitidentifier_selector instead.


Build 124.13

Release version: Citrix NetScaler, version 10.1 build 124.13

Replaces build: None

Release date: February 2014

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Support for ECDHE Ciphers

  • ENH ID 0453765: The Citrix NetScaler MPX 11515/11520/11530/11540/11542 appliances support the ECDHE cipher group. On the SDX 11515/11520/11530/11540/11542 appliances, the cipher group is supported only if an SSL chip is assigned to a VPX instance. This group contains the following ciphers:
    • TLS1-ECDHE-RSA-RC4-SHA
    • TLS1-ECDHE-RSA-DES-CBC3-SHA
    • TLS1-ECDHE-RSA-AES128-SHA
    • TLS1-ECDHE-RSA-AES256-SHA
    The following ECC curves are supported:
    • P_256
    • P_384
    • P_224
    • P_521
    Note: ECC curves 224 and 521 are not supported with TLS1.2 protocol.

NetScaler MPX 11515/11520/11530/11540/11542 Appliance

NetScaler SDX 11515/11520/11530/11540/11542 Appliance

Bug Fixes

AAA Application Traffic

  • Issue ID 0441755: When AAA-TM is configured to use SAML authentication, the redirect URL that the SAML virtual server returns appends the string "%00", a text-based form of the null value, to the original redirect URL. Most browsers handle the appended string properly, but newer Apple iOS and some Apple MacOS browsers fail to load the web page because of this string.

    Workaround: Create a Rewrite action and policy to strip off the "%00" string, and bind it to global. If you configure the gotoPriorityExpr for the policy to NEXT, and bind the policy with a priority of 1, it will run first, strip the null string from the end of all redirect URLs, and then continue policy evaluation with the next policy. This configuration should work without creating any problems with your existing policy evaluation flow.

    To create the necessary action and policy, and bind them to global, from the NetScaler command line you can type the following commands:

    add rewrite action act_stripFinalNull DELETE "HTTP.RES.HEADER(\"Location\").VALUE(\"%00\")"
    add rewrite policy pol_stripFinalNull "HTTP.RES.IS_VALID" act_stripFinalNull norewrite
    bind rewrite global pol_stripFinalNull 1 NEXT

Application Firewall

  • Issue ID 0405434: Apple iPhone and iPad users are unable to watch MP4 videos on web sites that are protected by the application firewall when either the form field consistency check or the credit card check is enabled, even if blocking is not enabled. The problem is specific to Apple iOS. Google Android smartphone or tablet users are able to watch MP4 content.

    Workaround: Add the following expression to the policy that invokes the application firewall:

    "HTTP.REQ.URL.REGEX_MATCH(re#.mp4$#).NOT"

    For example, to exempt URLs that contain the string ".mp4" from the policy pol_media.example.com, which calls the profile prfl_media.example.com, you would type the following command:

    add appfw policy pol_media.example.com "HTTP.REQ.URL.REGEX_MATCH(re#.mp4$#).NOT" prfl_media.example.com
  • Issue ID 0444471: On a NetScaler appliance or VPX that has the application firewall enabled and at least one profile that has the Safe Object security check enabled, the application firewall might generate an extremely large buffer file while checking responses for objects. The oversized buffer might cause performance problems or, in extreme cases, hang the system. To work around this issue, disable the Safe Object check.
  • Issue ID 0445552: On a NetScaler ADC HA pair configured to use the Citrix VPN, single sign-on, and the Application Firewall, a memory page issue might cause the primary ADC to reboot, failing over to the secondary ADC.
  • Issue IDs 0446304, 0447206, 0444746, 0444810, 0448814, 0449393, 0449396, 0451162, 0451860, 0452078, and 0452427: If you use the single sign on (SSO) feature on your NetScaler ADC or NetScaler Gateway, it might become unresponsive or reboot.

Configuration Utility

  • Issue ID 0405303: A large ns.conf file can make the configuration utility slow to respond. The large file also slows processing of the following commands:

    • show ns runningConfig
    • save config
  • Issue ID 0439603: If the Surge Protection feature is not licensed, you cannot use the configuration utility to modify the global system settings (System > Settings).

DataStream

  • Issue IDs 0441162 and 0439300: A pluggable authentication request causes the handshake to fail. A NetScaler ADC does not support pluggable authentication requests.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

High Availability

  • Issue ID 0416573: On the secondary node of a high availability (HA) configuration, if the HA propagation and HA synchronization options are disabled and Stay secondary is enabled, you cannot disable the Stay secondary option after upgrading the node.

Global Server Load Balancing

  • Issue ID 0434660: Adding a GSLB site IP address with a Traffic Domain setting was not supported. If a setup had a GSLB site IP address added with a Traffic Domain, the NetScaler failed. Now, you cannot add a GSLB site IP address with a Traffic Domain setting.

Load Balancing

  • Issue ID 0407493: In a high availability setup, if an autoscaling service group with more than 4000 members is removed, failover occurs.
  • Issue ID 0417872: If Edge mode is disabled, the state of the name-based service group member appears as UNKNOWN although the server represented by the service group member is reachable.
  • Issue IDs 0420827 and 0434537: If a NetScaler appliance receives a request for which a session does not already exist, the appliance creates a session and designates one of the packet engines (PEs) as the session owner. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE (for example, PE1). If such a request arrives at another PE (for example PE2), that PE (PE2) gets the information from the owner PE (PE1). Now, the cached session is present in PE2 and the owned session is present in PE1. Because of a timing issue, the information in PE1 is cleared before the cached entry in PE2. As a result, different session entries are created for the same client on PE1 and PE2 and source IP persistence might not work correctly.
  • Issue ID 0421411: If you rename an autoscaling service group, the NetScaler appliance might fail.
  • Issue ID 0429538: If you add a new service group, the SOAP API query for show servicegroup might fail.
  • Issue ID 0440406: If you have added a backup virtual server on release 9.x, the configuration is lost after you upgrade to release 10.1.
  • Issue ID 0433324: If you configure an HTTP_ECV monitor with a response string, and the response arrives in multiple packets, the NetScaler appliance might not parse the response correctly. As a result, a monitoring probe to the appliance fails and services are marked DOWN.

Load Balancing/Responder

  • Issue ID 0432790 (nCore, MPX15000): On a NetScaler MPX15000 appliance that has the load balancing and responder features enabled, and has a load balancing policy that includes both the SYS.CHECK_LIMIT and HTTP.REQ.BODY statements, a complex cascade of events might cause the appliance to restart repeatedly. To work around this issue, you can either rewrite the configuration to separate the SYS.CHECK_LIMIT and HTTP.REQ.BODY statements into two separate policies, or operate the NetScaler appliance on a single core.

Monitoring

  • Issue ID 0301570: Transparent monitors are now combined with the functionality of an ARP monitor. This avoids the need to bind a separate monitor to incorporate reachability as part of the health status. Without an ARP monitor, UP services could not transition to DOWN when the next hop failed.

NetScaler Insight Center

  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0424610: On the dashboard, the table that appears when you navigate to HDX Insight > Gateways might display a blank desktop name.
  • Issue ID 0439992: The HDX Insight dashboard displays the host delay as server-side NetScaler delay.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create, modify or delete an LACP channel, one of the member interfaces might temporarily stop transmitting. The NetScaler instance might intermittently show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: Log on to the NetScaler instance and execute the following command on the interface that is shown as Error-Disabled: enable interface <interface_id> (for example, enable interface 1/1)

  • Issue ID 0396252: If you specify secure-only access on a NetScaler instance, single sign-on to that instance from the Management Service user interface is not successful.
  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

Networking

  • Issue ID 0423856: For a load balancing configuration in which an IPv6 virtual server is used to load balance IPv6 servers, if the NetScaler appliance processes the client’s final ACK of the TCP handshake and the first data packets in the same IO cycle, the appliance may not forward the data packets to the server, causing the connection to fail.

Platform

  • Issue ID 0395280: The MPX 11515/11520/11530/11540/11542 platform now supports NetScaler release 10.1 build 124.x.
  • Issue ID 0435200: If you try to form a cluster of MPX 22040, MPX 22060, MPX 22080, MPX 22100, and MPX 22120 appliances, the appliance on which you issue the join cluster command performs a core dump and restarts. As a result, that appliance is not added to the cluster.

Policies

  • Issue ID 0414552: The NetScaler appliance may fail to respond if it does not have sufficient memory during the execution of an XML_DECRYPT function in a policy expression.
  • Issue ID 0442807: A memory leak in the XML_DECRYPT() policy function causes all of the NetScaler memory to be used up. This results in the unavailability of memory to perform other operations.

SSL

  • Issue ID 0235990: If you upgrade to this build, the number of SSL chips for which the status is shown as UP on an MPX 21550 platform with 36 chips is less than the actual number of chips that are UP. This is only a reporting issue.

System

  • Issue ID 0397587: The MPTCP data_ack signal is not sent in the subflow in which the MP_FAIL signal is sent.
  • Issue ID 0432728: A signed short integer overflow can occur during packet processing. Subsequent packets are corrupted.
  • Issue ID 0439579: If a large number of small packets are sent through the packet processing pipeline, the packet engine enters a loop and restarts, causing a pitboss failure.
  • Issue ID 0435796: When Call Home is enabled, duplicate SNMP traps are generated for power supply unit (PSU) failures.
  • Issue ID 0436798: The NetScaler appliance might fail to respond if an ICMP error causes the packet engine to enter a loop, resulting in a pitboss process failure.

Known Issues and Workarounds

AAA Application Traffic

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.
  • Issue ID 0396892: Sometimes, the AppFlow exporter may not export the correct information, and as a result the client IP address is displayed incorrectly on the NetScaler Insight Center dashboard.

Application Firewall

  • Issue ID 0364134: Globally bound auditing syslog policies under Application Firewall are not displayed when you perform the Show Bindings operation on the configuration utility. This issue is observed only in a cluster setup.

    Workaround: The bindings are visible in the command line interface by using the show system global command.

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"
  • Issue ID 0430014: When upgrading a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (121.1) is installed on new hardware or in a new VPS. To check whether your NetScaler appliance or VPX has the correct default setting, log onto the NetScaler command line and type the following command:
    show appfw JSONContentType

    If your NetScaler appliance has the default content type set, you should see the following response or something similar to it:

    > show appfw JSONContentType
    1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
    Done

    If it does not, you will see the following response:

    > show appfw JSONContentType
    Done

    To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line and issue the following commands to configure the default content type, and then verify the configuration:

    add appfw JSONContentType ^application/json$ -isRegex REGEX
    show appfw JSONContentType

Configuration Utility

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed. Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen. Workaround: Use the arrow keys on the keyboard to scroll the screen.
  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When you use the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings makes applications and desktops unavailable when StoreFront is accessed through a VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0446549: After you set the SSO Domain (Single Sign-on Domain) value, the value is not displayed on the configuration utility when you navigate to Security > AAA Application Traffic > Settings > Change Global Settings.
  • Issue ID 0447077: When you create a monitor using the graphical user interface and choose the default browse option to select the in-built monitor scripts from the /nsconfig/monitors folder, the folder does not display any scripts to choose.
  • Issue ID 0449229: The configuration utility includes an option to enable Net Profile when you create a StoreFront monitor, but that option should not be enabled for a StoreFront monitor.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

High Availability

  • Issue ID 0443588: In a High Availability configuration, after you remove an HA configuration from one of the two nodes, if you confirm the prompt message "Do you want to remove ha node from remote system also ?", an error message might be displayed and the HA configuration is not removed from the remote node.

Integrated Caching

  • Issue ID 0440107: When there is a selector-based content group configured, the NetScaler can crash when a policy that has this content group associated to it is satisfied and when the response status is "404 Not Found".

Load Balancing

  • Issue ID 0441776: The NetScaler appliance might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.

NetScaler Insight Center

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.
    Workaround: Restart the appliance by running the following command on the command line interface:
    #/etc/rc.d/analyticsd restart
  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue ID 0333555 and 346171: After you enable appflow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable Appflow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations operation (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX server from build 118.7 or 119.7 to 120.13 or later builds is not supported. However, upgrade from build 120.13 to later builds is supported.

    Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 0421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.
  • Issue ID 0446120: On the HDX Insight reports, the bar in the chart is sometimes shown at a location higher than the X axis.

NetScaler SDX Appliance

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface. Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.
  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.
  • Issue ID 0434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)

    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must reboot the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
  • Issue ID 0422967: For a ** virtual server (with any IP address and port) that accepts both IPv4 and IPv6 packets, a listen policy of "CLIENT.IP.PROTOCOL.EQ(ICMP)" that is meant to capture ICMP traffic also captures certain IPv6 packets (more precisely, packets in which the second byte of the source IPv6 address has "01").

    Workaround: First use an expression that filters the IPv4 traffic and then use an expression that reads the protocol value from the filtered IPv4 packets and checks if the protocol value matches ICMP.

    '!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)'
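The symptom in Issue ID 0422967 is what you get when the IPv4 Protocol field (byte offset 9 of the IP header) is read without first checking the IP version, because offset 9 of an IPv6 header is the second byte of the source address. The following added example (not Citrix code; the header builders, function names and sample addresses are constructed, and the offset-9 mechanism is an assumption that matches the described symptom) compares the unguarded check with the workaround expression.

```python
import ipaddress
import struct

ICMP = 1  # IANA protocol number for ICMP over IPv4
TCP = 6


def ipv4_header(src: str, dst: str, proto: int) -> bytes:
    """Constructed 20-byte IPv4 header (no options, checksum left at 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,   # version 4, IHL 5
        0, 20, 0, 0,    # TOS, total length, identification, flags/fragment
        64, proto, 0,   # TTL, Protocol (byte offset 9), checksum
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src: str, dst: str, next_header: int) -> bytes:
    """Constructed 40-byte IPv6 fixed header."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28,              # version 6, traffic class 0, flow label 0
        0, next_header, 64,   # payload length, Next Header (offset 6), hop limit
        ipaddress.IPv6Address(src).packed,  # source address: offsets 8..23
        ipaddress.IPv6Address(dst).packed,
    )


def unguarded_match(header: bytes) -> bool:
    """Assumed model of CLIENT.IP.PROTOCOL.EQ(ICMP): offset 9, no version check."""
    return header[9] == ICMP


def guarded_match(header: bytes) -> bool:
    """Model of '!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)'."""
    is_ipv6 = (header[0] >> 4) == 6
    return (not is_ipv6) and header[9] == ICMP


# Constructed sample headers (documentation and link-local addresses).
SAMPLES = [
    ("IPv4 ICMP", ipv4_header("192.0.2.10", "198.51.100.1", ICMP)),
    ("IPv4 TCP", ipv4_header("192.0.2.10", "198.51.100.1", TCP)),
    ("IPv6 TCP, source 2001:db8::10",
     ipv6_header("2001:db8::10", "2001:db8::1", TCP)),
    ("IPv6 TCP, source fe80::10",
     ipv6_header("fe80::10", "fe80::1", TCP)),
]


def evaluate(samples=SAMPLES):
    """Return (label, unguarded result, guarded result) for each sample."""
    return [(label, unguarded_match(h), guarded_match(h)) for label, h in samples]


if __name__ == "__main__":
    for label, unguarded, guarded in evaluate():
        print(f"{label:32} unguarded={unguarded!s:5} guarded={guarded}")
```

Under this model, any source address in 2001::/16 has 0x01 as its second byte, so the unguarded policy would match a large share of global unicast IPv6 traffic, not just rare packets.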

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue IDs 0414388 and 0345883: In rare cases, if the random number generated for the DH key exchange has a leading zero, DH negotiation fails because of a hardware limitation.
  • Issue ID 0436205: If you add a certificate revocation list (CRL) with refresh enabled, the appliance might perform a core dump and restart.

System

  • Issue ID 0396628: With a large number of configuration entries in the ns.conf file, the commands in the /nsconfig/rc.netscaler file might not be applied after the appliance is restarted.
  • Issue ID 0432612: The NetScaler appliance forwards unprocessed packets to the load balancing virtual servers without selecting a service, because of an HTTP out-of-order packet processing issue. Instead of being dropped, these connections queue up at the virtual servers. The appliance fails to respond while processing these connections.
  • Issue ID 0446300: The NetScaler appliance might fail to respond when performing the nstrace operation.
  • Issue IDs 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you're executing the command manually, then there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, then modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

  • Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or another admin session, is in progress. Workaround: Re-execute the "show ns runningConfig" command to fetch the entire running configuration.

System/Application Firewall

  • Issue ID 0437307: On a NetScaler appliance that is not configured to use jumbo frames and that protects a server that is configured to use jumbo frames, if the application firewall is enabled and at least one profile is configured, the appliance might become unresponsive for a period of time and then reset the connection.

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname

    Use unsetnslimitidentifier_selector instead.


Build 123.11

Release version: Citrix NetScaler, version 10.1 build 123.11

Replaces build: 123.9

Release date: March 2014

Release notes version: 7.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Backend Client Hello Message Version Support

  • ENH ID 0378806: As part of the SSL handshake with the server, the NetScaler appliance now sends a Client Hello message on the basis of the version (for example SSLv3 or TLS1.0) that is configured on the appliance. Earlier, it sent an SSLv2 compliant Client Hello message to the server.

Support for ICA session timeout value in NetScaler Insight Center

  • ENH ID 0431957: You can now configure the ICA session timeout value for inactive sessions on the configuration tab of the NetScaler Insight Center.

CloudBridge Reports in HDX Insight

  • ENH ID 0432702: HDX Insight reports now include details about CloudBridge in an ICA session path.

New NetScaler MPX and SDX Appliances

Increased Throughput on the NetScaler MPX 5650 Appliance

LCD Enhancement on the NetScaler MPX Appliance

  • ENH ID 0430690: If an LCD hardware failure is detected on a NetScaler MPX appliance, the appliance restarts. With this enhancement, the LCD application gracefully exits without restarting the appliance.

    For more information, see LCD Display.

NetScaler VPX Setup for the Linux KVM Platform

  • ENH ID 0344349: The Citrix NetScaler VPX can now be hosted on Kernel-based Virtual Machine (KVM). NetScaler VPX runs as a virtual appliance on a Linux-KVM server. You can set up the NetScaler VPX on this platform either through the graphical Virtual Machine Manager (Virt-Manager) application or the virsh program.

    The host Linux operating system must be installed on suitable hardware by using virtualization tools such as KVM Module and QEMU. The number of virtual machines (VMs) that can be deployed on the hypervisor depends on the application requirement and the chosen hardware. After you provision a NetScaler virtual appliance, you can add additional interfaces.

    For more information, see Installing NetScaler Virtual Appliances on Linux-KVM Platform.

Bug Fixes

AAA Application Traffic

  • Issue ID 0436493: On a NetScaler ADC that has AAA-TM enabled and Kerberos authentication configured, when you direct traffic through the ADC to a Microsoft SQL server, an error causes the ADC to restart.

AppFlow

  • Issue ID 0430960: The NetScaler fails to respond if appflow logging is disabled on a VPN virtual server when ICA traffic flows through the NetScaler.

Application Firewall

  • Issue ID 0407347: By default, the application firewall's SQL Injection signature patterns and security checks do not prevent SQL injection attacks that use the percent (%) or underscore (_) characters.
  • Issue ID 0423861: On a NetScaler MPX5500 appliance that has the application firewall enabled, and has logging enabled for at least one signature or security check, when that logging action is triggered the appliance might hang or crash.
  • Issue ID 0427717: If memory utilization is high on a NetScaler appliance that has the application firewall enabled and configured, URL redirect might fail, causing the appliance to crash.
  • Issue ID 0427857: The application firewall currently miscalculates memory limits on 12 GB, 2 vCPU NetScaler appliances. For example, when the appliance has 2 GB of memory available, the application firewall shows only 600 MB of available memory.
  • Issue IDs 0432276 and 0433057: The application firewall blocks XML requests that have empty bodies (zero content length), which causes autodiscover and other features that use such requests to fail.
  • Issue IDs 0446304, 0447206, 0444746, 0444810, 0448814, 0449393, 0449396, 0451162, 0451860, 0452078, and 0452427: If you use the single sign on (SSO) feature on your NetScaler ADC or NetScaler Gateway, it might become unresponsive or reboot.
  • Issue IDs 0448961, 0449223, 0449851, and 0450070: When using CVPN or the application firewall credit card or safe object security checks, memory issues might cause the NetScaler ADC to become unresponsive or reboot.
  • Issue ID 0516714: If the NetScaler appliance sends a large amount of input data to the application firewall in a short time, the appliance can become unresponsive or fail. The appliance now sends input data in batches limited to sizes that do not cause this problem.

Configuration Utility

  • Issue ID 0382199: The comparison between the source IP address of the incoming packets and the configured NetScaler host-name address is unsuccessful because of an endian mismatch.
  • Issue ID 0405303: A large ns.conf file can make the configuration utility slow to respond. The large file also slows processing of the following commands:
    • show ns runningConfig
    • save config
  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.
  • Issue ID 0419409: If you navigate to Traffic Management > Load Balancing > Virtual Servers and click SSL Settings under the SSL Parameter tab on the Create Virtual Server dialogue box, the Enable Cipher Redirect check box is enabled by default.

Content Switching

  • Issue ID 0411116: In a cluster environment, if you run the bind cs vserver command with the argument type, the NetScaler appliance incorrectly reports a difference between the running configuration and the saved configuration.
  • Issue ID 0432272: Rebinding a content switching policy to a content switching virtual server might result in memory corruption, which might cause the NetScaler appliance to fail.

DataStream

  • Issue ID 0433383: If a MySQL client sends a query larger than 16 MB, the query is split into multiple MySQL packets. Only the first MySQL packet in a query is forwarded to the server, and the remaining packets are accumulated on the appliance. After some time the window size is reduced to zero and the client cannot send any more packets to the appliance.

Domain Name System

  • Issue ID 0385524: NetScaler caches a partial response in the following two conditions:
    1. When the response contains more resource records for the same domain than the limit mentioned in the documentation. In such a condition, NetScaler caches the response up to the maximum limit.
    2. When the response contains invalid RDATA, for example, 0.0.0.0 in an address record (A record). In such a condition, NetScaler caches resource records up to the invalid resource record.

    In such conditions, when NetScaler received a query for the same domain, it replied with a partial response. Going forward, NetScaler will not cache partial responses, and in such conditions the queries are directed to the back-end server.

  • Issue ID 0426093 (VPX): In DNSRewrite Policy, CLIENT.IP.SRC.MATCHES_LOCATION is an incorrect expression for a response from the DNS. NetScaler does not recognize this expression and hence might crash.

Global Server Load Balancing

  • Issue ID 0413367: On a NetScaler appliance that has GSLB configured, when you remove custom location entries from the GSLB database, the appliance crashes.

ICA AppFlow

  • Issue ID 0397109: On the NetScaler Insight Center dashboard, the source IP address displayed in the application launch records is incorrect.
  • Issue ID 0429280: When NetScaler Gateway is deployed in a double hop setup, the NetScaler fails while processing the packets.
  • Issue ID 0430696: The NetScaler Gateway fails if AppFlow is enabled or disabled during ICA connections. The NetScaler Gateway might also fail if the NetScaler appliance receives an ICA parsing error.
  • Issue ID 0432039: During an ICA handshake, the version-length value that Mac receiver sends in UNICODE format is parsed incorrectly.
  • Issue ID 0433180: The NetScaler Insight Center dashboard displays incorrect Init Program and Client Version values for MAC or HTML receivers on different platforms.
  • Issue ID 0433511: The HDX Insight console displays unnecessary ICA user-session information and console messages.

Integrated Caching

  • Issue ID 0434877: Once the memory limit for a content group is reached, the memory of the resulting object flush is not handled properly. As a result, no objects are stored after the content group's memory limit is reached.

Load Balancing

  • Issue ID 0398274: If you have configured a DNS auto-scaling service group and run the show server <server name> command to display the details of the server bound to this service group, the following incorrect entries appear:
    • an extra entity with an IP address 0.0.0.0
    • mode as POLICY
    • state as DOWN
  • Issue ID 0402996: The NetScaler appliance might fail while processing an NX domain message if you have configured an autoscaling service group on the appliance.
  • Issue ID 0406467: If you bind a content switching (CS) policy to a CS virtual server, specify a load balancing (LB) virtual server as the target virtual server, and then view the LB virtual server details in the configuration utility, the CS virtual server bindings incorrectly appear in the cache redirection virtual server section. However, if you use the command line to view the details of the virtual server (show lb vserver), the details appear in the correct section.
  • Issue ID 0410365: If you use NITRO to display the details of the load balancing monitors configured on a NetScaler appliance, the output for non-HTTP type monitors incorrectly displays a response code, user name, and password. These attributes are not applicable to non-HTTP type monitors.
  • Issue IDs 0418698 and 0431925: If you configure persistence on a virtual server that is configured for link load balancing, the NetScaler appliance might fail.
  • Issue ID 0422821: If you have configured an autoscaling service group on the NetScaler appliance, the states of some of these services are not updated, because command numbers are not updated. For example, a service state might appear as UP although the monitor has marked it as DOWN.
  • Issue ID 0429445: The NetScaler appliance fails under the following sequence of events:
    1. An IPv6 domain based service and an IPv6 address based service are configured on the appliance.
    2. Both the services are bound to a load balancing virtual server.
    3. The domain based service is UP when the address based service enters the UP state.
  • Issue ID 0438169: If you create a service of type SSL_BRIDGE and enable client IP address (CIP) on the service, the NetScaler appliance inserts an HTTP header with the client's IP address as its value. In an SSL_BRIDGE topology, you must not insert a header. With this fix, the appliance throws a warning and removes the CIP option for an SSL_BRIDGE service while saving the configuration.

Load Balancing/AAA-TM

  • Issue ID 0431917: On a NetScaler appliance that has the load balancing and AAA-TM features enabled, and that protects an application that uses 401 Basic authentication, if a client authenticates with a browser that does not support cookies, the appliance might experience repeated crashes or (for HA setups) repeated failovers. The cause is that the appliance does not receive the expected traffic management cookie, fails to reconnect to the existing session, and instead creates a new session each time the client connects to a protected resource. If a large number of authentication requests is sent within a short period of time, the abandoned sessions do not expire quickly enough and can therefore consume available memory.
  • Issue ID 0437407: On a NetScaler appliance that has the load balancing and AAA-TM features enabled, a request that contains an extraneous space in the URL might cause the appliance to crash. This issue occurs only with unauthenticated connections; the appliance processes the same request correctly over authenticated connections.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

NetScaler Insight Center

  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0424610: On the dashboard, the table that appears when you navigate to HDX Insight > Gateways might display a blank desktop name.
  • Issue IDs 0437475 and 0439088: In certain scenarios, if data sent from the XenApp server to the client receiver is delayed because of network congestion or increased network latency, the client re-transmits the ICA magic string, which causes the NetScaler Gateway to fail. This failure happens because the NetScaler Gateway was not expecting two packets containing the magic string.
  • Issue ID 0439992: The HDX Insight dashboard displays the host delay as server-side NetScaler delay.

NetScaler SDX Appliance

  • Issue ID 0262505: When viewing the built-in or custom reports on the Reporting tab on a NetScaler VPX instance running on the NetScaler SDX 17550/19550/20550/21550 platform, the following message appears: NO DATA TO CHART.
  • Issue ID 0424630: If you create an LACP channel with more than 8 member interfaces, or a static channel with more than 16 member interfaces, the following error message appears: "Channel Interface String Length: 185 is greater than maximum allowed length:128".
  • Issue ID 0430449: Even after you configure a short message service (SMS) server, you do not receive an SMS message when an alert is generated.
  • Issue ID 0431243: If a management channel exists on a NetScaler instance, you cannot trace the route of a packet from the Management Service to a NetScaler instance.
  • Issue ID 0431463: If you apply a license after modifying the SVM host name, the license application might fail.
  • Issue ID 0433054: Deletion of a management channel from the Management Service might not always succeed.

Networking

  • Issue ID 0408693: If you have configured more than ten ICMP extended ACLs, high CPU spikes might occur when you run the "apply ns acls" command either by using the configuration utility or the NetScaler command line.
  • Issue ID 0424243: If you have configured an extended ACL without specifying the optional parameter "source IP address", high CPU spikes might occur when you run the "apply ns acls" command either by using the configuration utility or the NetScaler command line.
  • Issue ID 0428819: If you have configured a TFTP load balancing virtual server with persistency option enabled, the NetScaler appliance might become unresponsive when the virtual server receives some traffic.
  • Issue ID 0431652: The NetScaler appliance might become unresponsive when traffic from a TFTP server matches a RNAT rule configured on the appliance.
  • Issue ID 0435697: When you reset a member interface of a LACP channel, Tx stalls might increment continuously.

NITRO API

  • Issue ID 0424553: For a service that is bound to a service group, NITRO cannot obtain the state of the service monitor.

Platform

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported.
  • Issue ID 0428562: NetScaler does not display the correct daylight savings time for Israel.
  • Issue ID 0432687: On the MPX 22040/22060/22080/22100/22120 appliance, if the 10G ports are not populated, the appliance takes about 20 minutes to finish the restart process.

Policies

  • Issue ID 0417071: The NetScaler appliance might fail to respond in the event that a policy of the form HTTP.REQ.BODY(n).AFTER_STR(target-string) has a large value for "n" (for example, 40000) and when the appliance receives large requests in combination with requests with no content length.

NetScaler SDX Appliance

  • Issue ID 0434738: A NetScaler SDX appliance intermittently stops processing traffic on interfaces that are part of an LACP link aggregation interface that is transmitting a small amount of traffic.
  • Issue ID 0430097: Descriptors in the NetScaler SDX SNMP MIB file include underscore characters, which are invalid. Only alphanumeric characters are supported.

SNMP

  • Issue ID 0435520: Net-SNMP does not handle the endOfMibView condition properly if the value of max-repetition is set to zero, which leads to memory allocation failure, and SNMPD fails to respond.

SSL

  • Issue ID 0235990: If you upgrade to this build, the number of SSL chips for which the status is shown as UP on an MPX 21550 platform with 36 chips is less than the actual number of chips that are UP. This is only a reporting issue.
  • Issue ID 0431919: If a client sends a certain type of malformed message, which can make uninitialized resources available for subsequent handshakes, an SSL handshake that uses one of those resources causes a memory leak.
  • Issue ID 0432375: If the SSL handshake uses the TLSv1.1 or TLSv1.2 protocol and you have bound an RC4 cipher to the SSL virtual server, downloading a large file might take an unusually long time.
  • Issue ID 0434737: If you create a certificate revocation list (CRL), enable refresh, and specify the method as HTTP or LDAP, CRL refresh does not happen.

System

  • Issue ID 0382647: The stat system -detail command does not display the number of CPUs.
  • Issue IDs 0411627, 0430646, and 0430652: On the System > Diagnostics page, when you select Saved v/s running, the configuration utility displays a difference between the running and saved configurations, even if there is no difference.
  • Issue ID 0418028: The nsnetsvc process size increases when the stat command is executed.

Known Issues and Workarounds

AAA Application Traffic

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.
  • Issue ID 0396892: Sometimes, the AppFlow exporter does not export the correct information. As a result, the client IP address is displayed incorrectly on the NetScaler Insight Center dashboard.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When you use the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings makes applications and desktops unavailable when StoreFront is accessed through a VPN.

    Workaround: Do not apply the optimization settings.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

High Availability

  • Issue ID 0416573: On the secondary node of a high availability (HA) configuration, if the HA propagation and HA synchronization options are disabled and Stay secondary is enabled, you cannot disable the Stay secondary option after upgrading the node.

Integrated Caching

  • Issue ID 0440107: When there is a selector-based content group configured, the NetScaler can crash when a policy that has this content group associated to it is satisfied and when the response status is "404 Not Found".

Load Balancing

  • Issue ID 0407493: In a high availability setup, if an autoscaling service group with more than 4000 members is removed, failover occurs.
  • Issue IDs 0420827 and 0434537: If a NetScaler appliance receives a request for which a session does not already exist, the appliance creates a session and designates one of the packet engines (PEs) as the session owner. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE (for example, PE1). If such a request arrives at another PE (for example PE2), that PE (PE2) gets the information from the owner PE (PE1). Now, the cached session is present in PE2 and the owned session is present in PE1. Because of a timing issue, the information in PE1 is cleared before the cached entry in PE2. As a result, different session entries are created for the same client on PE1 and PE2 and source IP persistence might not work correctly.
  • Issue ID 0421411: If you rename an autoscaling service group, the NetScaler appliance might fail.
  • Issue ID 0440406: If you have added a backup virtual server on release 9.x, the configuration is lost after you upgrade to release 10.1.

NetScaler Insight Center

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.
    Workaround: Restart the appliance by running the following command on the command line interface:
    #/etc/rc.d/analyticsd restart
  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue IDs 0333555 and 346171: After you enable AppFlow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If AppFlow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable AppFlow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, the clear AppFlow configurations operation (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX server from build 118.7 or 119.7 to 120.13 or later builds is not supported. However, upgrade from build 120.13 to later builds is supported.

    Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 0421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create, modify or delete an LACP channel, one of the member interfaces might temporarily stop transmitting. The NetScaler instance might intermittently show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: Log on to the NetScaler instance and execute the following command on the interface that is shown as Error-Disabled: enable interface <interface_id> (for example, enable interface 1/1)

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0396252: If you specify secure-only access on a NetScaler instance, single sign-on to that instance from the Management Service user interface is not successful.
  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.
  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.
  • Issue ID 0434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)
    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must reboot the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0396628: With a large number of configuration entries in the ns.conf file, the commands in the /nsconfig/rc.netscaler file might not be applied after the appliance is restarted.
  • Issue ID 0430071: ISIS packets are dropped at the Nexus 1000V distributed virtual switch (DVS), which has no option to enable promiscuous mode. However, this issue is not observed when the virtual machines are connected through the ESX virtual switch with promiscuous mode ON.
  • Issue ID 0436798: The NetScaler appliance might fail to respond if an ICMP error causes the packet engine to enter a loop, resulting in a pitboss process failure.
  • Issue IDs 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.

    Workaround: If you're executing the command manually, then there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, then modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.

System/Application Firewall

  • Issue ID 0437307: On a NetScaler appliance that is not configured to use jumbo frames and that protects a server that is configured to use jumbo frames, if the application firewall is enabled and at least one profile is configured, the appliance might become unresponsive for a period of time and then reset the connection.

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later: bindservicegroup_state2 unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.

Build 122.17

Release version: Citrix NetScaler, version 10.1 build 122.17

Replaces build: 122.11

Release date: November 2013

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Support for Cisco QSFP+ Cables on NetScaler MPX Appliances

  • ENH ID 0427155: NetScaler MPX appliances now support Cisco QSFP+ cables (part number L45593-D178-C30).

    For more information, see Ports.

Support for NetScaler VPX Virtual Appliance on XenServer 6.2

  • ENH ID 0439509: The NetScaler VPX virtual appliance now supports XenServer version 6.2 only on a non-SDX appliance. On the NetScaler SDX appliance, only the XenServer versions available for download on www.citrix.com under NetScaler downloads are supported. XenServer 6.1.1 is the latest supported version on the NetScaler SDX appliance.

NetScaler SDX 22040/22060/22080/22100/22120 Platform

RAID Controller Support on NetScaler SDX 22040/22060/22080/22100/22120 Platform

  • ENH ID 0353415: NetScaler SDX platform supports a Redundant Array of Independent Disks (RAID) controller, which can support up to eight physical disks.

    For more information, see RAID.

Multi-interface Support for BlueCat DNS/DHCP Server Virtual Machines

  • ENH ID 0413839: Management Service now supports assigning interfaces explicitly for high availability and service along with the management for BlueCat DNS/DHCP Server virtual machines.

Percentile Icon in NetScaler Insight Center

  • ENH ID 0418196: The top-right corner of the page now displays a percentile icon, which you can click to display percentile values and the highest and lowest values for a selected metric.

New Information in HDX Insight Center reports

  • ENH ID 0392016: HDX Insight reports now include details about session reconnects, client-side retransmissions, and server-side retransmissions.

Active Sessions Reports in HDX Insight

  • ENH ID 0398322: HDX Insight now provides a report about active sessions, grouped by server IP and gateway IP address.

Customize the display of columns in NetScaler Insight Center

  • ENH ID 0423207: You can now select which columns to show in the tables in the NetScaler Insight Center graphical user interface (GUI), and you can rearrange the columns. Each user can make his or her changes persistent across his or her sessions.

Changes

NetScaler Insight Center

  • Issue ID 0409634: All the metrics except bandwidth and hits display the average values.

Monitor: Directory locations of script files for user monitors

  • Issue ID 0447105: Starting with release 10.1 build 122.17, the location of the script files for user monitors is changed.
    If you upgrade an MPX or VPX virtual appliance to release 10.1 build 122.17 or later, the changes are as follows:
    • A new directory named conflicts is created in /nsconfig/monitors/ and all the built-in scripts of the previous builds are moved to this directory.
    • All new built-in scripts are available in the /netscaler/monitors/ directory. All custom scripts are available in the /nsconfig/monitors/ directory.
    • You must save a new custom script in the /nsconfig/monitors/ directory.
    • After the upgrade is completed, if a custom script is created and saved in the /nsconfig/monitors/ directory with the same name as that of a built-in script, the script in the /netscaler/monitors/ directory takes priority. That is, the custom script is not run.
    If you provision a virtual appliance running release 10.1 build 122.17 or later, the changes are as follows:
    • All built-in scripts are available in the /netscaler/monitors/ directory.
    • The directory /nsconfig/monitors/ is empty.
    • You must save a new custom script in the /nsconfig/monitors/ directory.
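
An added example (not from the release notes and not Citrix code) of a check for the name collision described above: it lists scripts in /nsconfig/monitors/ that share a name with a built-in script in /netscaler/monitors/, which means the custom copy is not run. The function names and the sample files created by the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: find custom user-monitor scripts that are shadowed by a
# built-in script of the same name after the 10.1 build 122.17 layout change.
# The two default paths are the ones named in the release note; the function
# names are hypothetical.

BUILTIN_DIR_DEFAULT="/netscaler/monitors"
CUSTOM_DIR_DEFAULT="/nsconfig/monitors"

# Usage: shadowed_monitor_scripts [builtin_dir] [custom_dir]
# Prints one line per collision: "<script name><TAB><differs|identical>".
#   differs   - the custom copy has different content, so site-specific
#               logic is silently replaced by the built-in script
#   identical - the custom copy is redundant and can be removed
# Returns 2 if either directory is missing, 0 otherwise.
shadowed_monitor_scripts() {
    builtin_dir="${1:-$BUILTIN_DIR_DEFAULT}"
    custom_dir="${2:-$CUSTOM_DIR_DEFAULT}"

    [ -d "$builtin_dir" ] && [ -d "$custom_dir" ] || return 2

    for f in "$custom_dir"/*; do
        # Only top-level regular files count. This skips the conflicts/
        # subdirectory and the literal pattern left by an empty directory.
        [ -f "$f" ] || continue
        name=${f##*/}
        if [ -f "$builtin_dir/$name" ]; then
            if cmp -s "$f" "$builtin_dir/$name"; then
                printf '%s\t%s\n' "$name" "identical"
            else
                printf '%s\t%s\n' "$name" "differs"
            fi
        fi
    done
    return 0
}

# Builds a throwaway directory tree with constructed file names and runs the
# check against it, so the behaviour can be seen without an appliance.
demo_constructed_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/netscaler/monitors" "$tmp/nsconfig/monitors/conflicts"

    # Constructed built-in scripts.
    echo 'builtin probe a' > "$tmp/netscaler/monitors/probe_a.pl"
    echo 'builtin probe b' > "$tmp/netscaler/monitors/probe_b.pl"

    # Constructed custom scripts: one edited copy, one unchanged copy,
    # and one with a unique name that is not shadowed.
    echo 'locally edited probe a' > "$tmp/nsconfig/monitors/probe_a.pl"
    echo 'builtin probe b'        > "$tmp/nsconfig/monitors/probe_b.pl"
    echo 'site specific check'    > "$tmp/nsconfig/monitors/site_check.pl"

    # A script from a previous build under conflicts/ is not reported.
    echo 'old probe a' > "$tmp/nsconfig/monitors/conflicts/probe_a.pl"

    shadowed_monitor_scripts "$tmp/netscaler/monitors" "$tmp/nsconfig/monitors"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run "sh thisfile check" on the appliance shell, or "sh thisfile demo"
# anywhere, to see the output. With no argument nothing is executed.
case "${1:-}" in
    check) shadowed_monitor_scripts ;;
    demo)  demo_constructed_tree ;;
esac
```

Any script reported as differs should be renamed to a name that no built-in script uses before it is bound to a monitor.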

System

  • Issue ID 0365828: Before reusing a server connection in the reuse pool, the NetScaler appliance checks the connection's idletimeout and reusepool values, and closes the connection if either value is exceeded. The appliance also checks the reuse pool for idle connections, and closes them, more frequently than specified by the zombie timer interval.

Bug Fixes

AppFlow

  • Issue ID 0430591: A Nitro call used by NetScaler Insight Center to fetch the license information from a NetScaler appliance affects the performance of the appliance.

Application Firewall

  • Issue IDs 0391317 and 0423289: On a NetScaler appliance with both the application firewall and integrated caching enabled, a memory leak might occur.

  • Issue ID 0422639: On a NetScaler appliance with the application firewall enabled, web forms submitted with URL-encoded double-byte character (Chinese, Japanese, or Korean) inputs might generate a Form Field consistency check violation. The reason is that the application firewall counts bytes instead of characters when validating web form input, causing some double-byte input to exceed the form field maxlength attribute.

  • Issue IDs 0422919 and 0423289: On a NetScaler appliance with the application firewall enabled and configured, if a protected web site contains a multipart web form, a memory leak causes a small amount of memory to be consumed and not released each time the application firewall processes the web form. Repeated processing of requests and responses can gradually consume available memory.
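
The byte-versus-character miscount described in Issue ID 0422639, as an added example that is not Citrix code: a form maxlength check that can measure either raw bytes or decoded characters. The field names, limits, and function names are assumptions, and the sample request bodies are constructed.

```python
from urllib.parse import quote_from_bytes, unquote_to_bytes


def parse_form(body):
    """Split an application/x-www-form-urlencoded body into (name, raw value bytes)."""
    pairs = []
    for item in body.split("&"):
        if not item:
            continue
        name, _, value = item.partition("=")
        # '+' means space in form encoding; percent-escapes decode to raw bytes.
        field = unquote_to_bytes(name.replace("+", " ")).decode("ascii", "replace")
        pairs.append((field, unquote_to_bytes(value.replace("+", " "))))
    return pairs


def maxlength_violations(body, limits, charset="utf-8", unit="chars"):
    """Return [(field, measured_length, limit)] for fields that exceed maxlength.

    unit="bytes" reproduces the counting described for Issue ID 0422639.
    unit="chars" counts decoded characters, which is what maxlength limits.
    A value that does not decode in the declared charset is reported with a
    measured length of None instead of being silently accepted.
    """
    if unit not in ("bytes", "chars"):
        raise ValueError("unit must be 'bytes' or 'chars'")
    found = []
    for name, raw in parse_form(body):
        limit = limits.get(name)
        if limit is None:
            continue  # field carries no maxlength attribute
        try:
            text = raw.decode(charset)
        except UnicodeDecodeError:
            found.append((name, None, limit))
            continue
        measured = len(raw) if unit == "bytes" else len(text)
        if measured > limit:
            found.append((name, measured, limit))
    return found


# Constructed sample: a form with <input name="name" maxlength="4"> and
# <input name="city" maxlength="8"> (hypothetical field names and limits).
LIMITS = {"name": 4, "city": 8}
NAME = "\u5c71\u7530\u592a\u90ce"  # four CJK characters
SJIS_BODY = "name=" + quote_from_bytes(NAME.encode("shift_jis")) + "&city=Tokyo"
UTF8_BODY = "name=" + quote_from_bytes(NAME.encode("utf-8")) + "&city=Tokyo"
TRUNCATED_BODY = "name=%E5%B1&city=Tokyo"  # incomplete UTF-8 sequence

if __name__ == "__main__":
    cases = [
        ("Shift_JIS body", SJIS_BODY, "shift_jis"),
        ("UTF-8 body", UTF8_BODY, "utf-8"),
        ("truncated UTF-8 body", TRUNCATED_BODY, "utf-8"),
    ]
    for label, body, charset in cases:
        for unit in ("bytes", "chars"):
            result = maxlength_violations(body, LIMITS, charset, unit)
            print(f"{label:22} unit={unit:5} violations={result}")
```

Counting bytes flags the four-character name as 8 (Shift_JIS) or 12 (UTF-8) against a limit of 4, while counting characters passes it.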

Command Line Interface

  • Issue ID 0420596: After a user logs on to a NetScaler appliance through the CLI, the set cli mode -disabledFeatureAction NONE command is automatically executed, and the following error message appears:

    ERROR: Not authorized to execute this command.

Configuration Utility

  • Issue ID 0426594: The NetScaler configuration utility is not compatible with JRE version 7.45.

  • Issue ID 0429652: If a SureConnect policy is bound to a virtual server and you upgrade the NetScaler appliance to version 10.1, build 120.13, the policy is not displayed when you navigate to Traffic Management > Virtual Servers > <virtual server name>.

  • Issue ID 0430094: When you navigate to System > Diagnostics and, under Utilities, click TraceRoute and Run, the utility uses the default value for Packet Length (44) and displays the error message:

    Packet length must be greater than 47.

  • Issue ID 0431045: When you use the configuration utility to add a new NetScaler IP address or subnet mask, the qwerty keyboard does not allow you to enter a value greater than 249 for the last octet.

Content Switching

  • Issue ID 0394856: If a content switching virtual server with a large number of existing connections is removed, flushing all the PCBs takes time. If any traffic destined for the virtual server is received during this time, the appliance fails.

Documentation

  • Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes.

Domain Name System

  • Issue ID 0412530: If a NetScaler appliance responds to a DNSSEC-enabled request from its cache, and this response is immediately followed by a response from the server to an earlier query that could not be addressed from the NetScaler cache, the appliance drops the response from the server instead of forwarding it. However, the memory associated with the response packet is not freed. As more such requests are received, the memory on the appliance is gradually exhausted.

High Availability

  • Issue IDs 0420089 and 0425486: The synchronization of files in an HA setup stops working after the nsinternal user is disabled.

ICA AppFlow

  • Issue ID 0417274: The NetScaler appliance fails while processing ICA traffic if you have disabled AppFlow logging on the VPN virtual server (set vpn vserver -appflowlog disable).

Load Balancing

  • Issue IDs 0393613 and 0427971: If the first octet of the IP address of a service has a value of 6 (6.x.x.x), and the service is bound to a virtual server that is configured for persistence, the NetScaler appliance fails when it tries to direct a request to that service.

  • Issue IDs 0399446 and 0416718: In some cases, if you configure a domain-based IPv6 service on the NetScaler appliance, the appliance might become unresponsive.

  • Issue ID 0417630: In a high availability setup, after you upgrade the secondary node and make it the new primary, the process of file synchronization from the new secondary (old primary) node with the new primary node overwrites some of the updated data on the new primary. Specifically, the new monitoring scripts delivered as part of the upgrade on the new primary node are overwritten. As a result, the monitoring scripts might fail.

  • Issue ID 0424780: The stat servicegroup command incorrectly displays the svrttfb (server-time-to-first-byte) value as zero.

Load Balancing/AAA-TM

  • Issue ID 0426421: On a NetScaler SDX with AAA and SAML enabled and configured, occasionally the NetScaler appliance crashes and generates a core dump during SAML authentication.

  • Issue ID 0431206: On a NetScaler appliance with AAA enabled and configured, a user whose account is bound to over 100 groups might be unable to execute NetScaler commands at the command line despite having the appropriate permissions to do so. To work around this issue, do not bind a single user account to more than 99 groups.

NetScaler Insight Center

  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for the Total Application Launch count.
  • Issue ID 0399329: Even when AppFlow is disabled for a virtual server, you can still clear the configurations on the NetScaler Insight Center by selecting Clear AppFlow Configurations from the Action list.
  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.

NetScaler SDX Appliance

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

  • Issue ID 0414851: The APPFW CSRF TAG syslog message is not in the expected format. As a result, Command Center displays incorrect values in some fields, under AppFirewall Recent Logs, for this type of AppFirewall syslog message.

  • Issue ID 0424588: If a NetScaler instance is created with a Management VLAN using the 0/1 or 0/2 interface, the guest VMs fail to start after provisioning, because the guest VMs use the VLAN networks instead of physical network while assigning the interface.

  • Issue ID 0420630: The SNMP responses are not as specified by RFC 4001.

Networking

  • Issue ID 0416941: After unbinding a netprofile from a NetScaler Gateway virtual server, the netprofile cannot be removed from the NetScaler appliance.

Policies

  • Issue ID 0410624: When a filter policy is globally bound to a NetScaler appliance, any application firewall, compression, or authorization policies that are bound to a content switching virtual server are not saved in the running configuration. However, these bindings are displayed when you run the show cs vserver command.

  • Issue ID 0429232: After upgrading to NetScaler 10.1, policies that were globally bound to the NetScaler are also being bound at a virtual server level.

Rewrite

  • Issue ID 0418252: On a NetScaler appliance with Rewrite enabled and configured, a newly-created Rewrite policy that is bound to a content-switching virtual server might not be saved either in the running configuration or in the saved configuration.

SNMP

  • Issue IDs 0413733, 0413871, and 0421055: SNMPD fails to respond if it receives a packet with a NULL community string.

SPDY

  • Issue IDs 0406948 and 0429211: The NetScaler appliance sometimes fails when a TCP connection is closed from a SPDY client while some streams are still active.

System

  • Issue IDs 0417793, 0421214, 0421329, and 0423099: The NetScaler appliance stops sending TCP DUP ACKs when it receives out-of-order packets. This might result in latency between the client and the appliance, or the appliance and the server, with reduced throughput for some traffic patterns.

  • Issue ID 0419553: When the NetScaler appliance receives invalid Selective Acknowledgment (SACK) blocks from the client, it attempts to send old data that has already been cleared. As a result, the appliance stops responding.

  • Issue ID 0420781: The NetScaler appliance does not forward the complete request to the server if the request requires more than one packet. As a result, the transaction fails.

  • Issue ID 0430176: The NetScaler appliance intermittently resets TCP connections that originate from the NetScaler FreeBSD shell and are destined for NetScaler-owned IP addresses (for example, a SNIP or VIP address). The resets affect applications such as LDAP.

SSL

  • Issue ID 0423905: If a malformed packet is received from a client, the NetScaler appliance closes the connection and releases the resources used for that connection to the common pool. In some cases, some of these resources are not cleaned before returning to the pool and a bad resource might be reused for a future request. In such cases, the SSL handshake for that future request fails.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.
  • Issue ID 0396892: Sometimes the AppFlow exporter might not export the correct information. As a result, the client IP address is displayed incorrectly on the NetScaler Insight Center dashboard.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing & Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings makes applications and desktops unavailable when StoreFront is accessed through VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

    Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

High Availability

  • Issue ID 0416573: On the secondary node of a high availability (HA) configuration, if the HA propagation and HA synchronization options are disabled and Stay secondary is enabled, you cannot disable the Stay secondary option after upgrading the node.

ICA AppFlow

  • Issue ID 0433511: The console displays ICA user session information, and displaying the information can be undesirable.

    Workaround: Open the /etc/syslog.conf file and change the line *.err;kern.debug;auth.notice;mail.crit /dev/console to kern.err;kern.debug;auth.notice;mail.crit /dev/console

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

NetScaler Insight Center

  • Issue ID 0324010: A higher than normal load on NetScaler Insight Center or on the database can cause the afdecoder subsystem to stop functioning. As a result, NetScaler Insight Center is unable to connect to the database.
    Workaround: Restart the appliance by running the following command on the command line interface:
    #/etc/rc.d/analyticsd restart
  • Issue ID 0331944: If no devices have been added to the inventory, the Getting Started wizard is displayed. You cannot access the Configuration tab.
  • Issue IDs 0333555 and 346171: After you enable AppFlow on some virtual servers, even though no error message appears, the Insight column does not display a check box indicating that the feature is enabled.

    Workaround: Refresh the screen. If AppFlow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable AppFlow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, the Clear AppFlow Configuration action (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.

    Workaround: Restart the NetScaler Insight Center appliance.

  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0414214: On the HDX Insight reports, a y-axis value of 0 is sometimes shown at a location higher than the x-axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors.
  • Issue ID 0417415: If you add a NetScaler appliance to a NetScaler Insight Center setup while ICA sessions are enabled, NetScaler Insight Center does not report the existing ICA sessions. It reports only the ICA sessions initiated after the appliance is added.
  • Issue ID 0424610: On the dashboard, the table that appears when you navigate to HDX Insight > Gateways might display a blank desktop name.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX server from build 118.7 or 119.7 to 120.13 or later builds is not supported. However, upgrade from build 120.13 to later builds is supported.

    Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

  • Issue ID 0421657: If the ICMP port used to verify the network reachability of a NetScaler appliance from NetScaler Insight Center is blocked, the internal routing in NetScaler Insight Center is disrupted and the HDX Insight node is not displayed on the dashboard.
  • Issue IDs 0437475 and 0439088: In certain scenarios, if data sent from the XenApp server to the client receiver is delayed because of network congestion or increased network latency, the client retransmits the ICA magic string, which causes the NetScaler Gateway to fail. This failure happens because the NetScaler Gateway was not expecting two packets containing the magic string.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After using the Management Service to create a channel, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0396252: If you specify secure-only access on a NetScaler instance, single sign-on to that instance from the Management Service user interface is not successful.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.

  • Issue ID 0424630: If you create an LACP channel with more than 8 member interfaces, or a static channel with more than 16 member interfaces, the following error message appears: "Channel Interface String Length: 185 is greater than maximum allowed length:128".

  • Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.

  • Issue ID 0430449: Even after you configure a short message service (SMS) server, you do not receive an SMS message when an alert is generated.

  • Issue ID 0431243: If a management channel exists on a NetScaler instance, you cannot trace the route of a packet from the Management Service to a NetScaler instance.

  • Issue ID 0431463: If you apply a license after modifying the SVM host name, the license application might fail.

    Workaround: Reboot the Management Service after changing the host name, and then try applying the license again.

  • Issue ID 0433054: Deletion of a management channel from the Management Service might not always succeed.

    Workaround: Try deleting the management channel again from Management Service.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.

    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)
    This change affects the following platforms:
    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

    • Release 10.1 build 112.15 or later

    • Release 10 build 74 or later

    • Release 9.3 build 62.4 or later

    • Release 9.3.e build 59.5003.e or later

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.
  • Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must reboot the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0382647: The stat system -detail command does not display the number of CPUs.

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.

Build 121.10

Release version: Citrix NetScaler, version 10.1 build 121.10

Replaces build: None

Release date: October 2013

Release notes version: 4.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

NetScaler MPX 22040/22060/22080/22100/22120 Platform

Support for ECDHE Ciphers

  • ENH ID 0329257: The Citrix NetScaler MPX 22040/22060/22080/22100/22120 appliances now support the ECDHE cipher group. This group contains the following ciphers:
    • TLS1-ECDHE-RSA-RC4-SHA
    • TLS1-ECDHE-RSA-DES-CBC3-SHA
    • TLS1-ECDHE-RSA-AES128-SHA
    • TLS1-ECDHE-RSA-AES256-SHA

    Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.

    The following ECC curves are supported:

    • P_256
    • P_384
    • P_224
    • P_521

    By default all four curves are bound to an SSL virtual server.

Kerberos SSO

  • ENH ID 0361257: The AAA-TM Kerberos functionality now supports single sign-on (SSO) with all supported authentication mechanisms. The CAC (Smart Card) and SAML SSO mechanisms are supported in all cases, regardless of the authentication method that the client uses to log onto the NetScaler appliance. The HTTP-Basic, HTTP-Digest, Forms-based, and NTLM (versions 1 and 2) SSO mechanisms are also supported if the client uses either HTTP-Basic or Forms-Based authentication to log onto the NetScaler appliance.

    You can configure Kerberos SSO to work in one of two ways: by impersonation or by delegation. To configure Kerberos SSO by impersonation, you must have the user's password or client certificate. To configure impersonation using a client certificate, the user must also have a properly-configured version of the Citrix Receiver installed on his or her personal computer. To configure Kerberos SSO by delegation, you must have the delegated user's credentials in one of the following formats: the user's password, the keytab configuration that includes an encrypted password, or the client cert and the matching CA certificate.

    To configure Kerberos SSO, first configure your NetScaler appliance to manage traffic to the web application servers that users will access through SSO. Next, configure AAA-TM for your preferred authentication method. Verify that the NetScaler appliance can communicate with your LDAP Active Directory (AD) server and your Kerberos server.

    What you do next depends on whether you want to configure Kerberos SSO by Impersonation or by Delegation. Follow the instructions in the appropriate section below.

    Configuring Kerberos SSO by Impersonation

    To configure Kerberos SSO by Impersonation, enable integrated authentication on each web application server. After you have done this, create and configure the NetScaler KCD account that will impersonate users.

    To create the KCD account for SSO by impersonation with a password

    At the NetScaler command prompt, type the following command:
    add aaa kcdaccount <accountname> -realmStr <realm>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • realm - The domain assigned to Kerberos SSO.
    Example:
    add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM

    To create the KCD account for SSO by impersonation with a client certificate

    At the NetScaler command prompt, type the following command:
    add aaa kcdAccount <accountname> -cacert <cacert>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • cacert - The full path and name of the CA certificate file on the NetScaler appliance.
    Example:
    add aaa kcdAccount kcdaccount1 -cacert <path to certificate>

    Configuring Kerberos SSO by Delegation

    To configure Kerberos SSO by Delegation, first create an account (the Kerberos Service Account, or KSA) on the AD server for the NetScaler appliance to use as the delegated user. Next, in the KSA account Properties dialog box, on the Delegation tab, enable the following options: "Trust this user for delegation to specified services only" and "Use any Authentication protocol." Finally, add the HTTP service and any other services that Kerberos SSO will manage to the services list, which is located on the Properties tab beneath the two settings.

    After you configure the NetScaler account on AD, enable integrated authentication on each web application server. Finally, create and configure the NetScaler KCD account that will serve as the delegated user.

    To create the KCD account for SSO by delegation with a password

    At the NetScaler command prompt, type the following commands:
    add aaa kcdaccount <accountname> -delegatedUser root -kcdPassword <password> -realmStr <realm>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • password - The password for the KCD account.
    • realm - The domain assigned to Kerberos SSO.

    Example (UPN format):
    add aaa kcdaccount kcdaccount1 -delegatedUser root -kcdPassword password1 -realmStr EXAMPLE.COM
    Example (SPN format):
    add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -kcdPassword password1

    To create the KCD account for SSO by delegation with a keytab file

    First, on the AD server, use the ktpass utility to create the appropriate keytab file. Next, use the file transfer utility of your choice to copy the keytab file from the AD server to the NetScaler appliance, and put it in /nsconfig/krb under the filename kcdvserver.keytab.

    Next, at the NetScaler command prompt, type the following command:
    add aaa kcdaccount <accountname> -keytab <keytab>
    Example:
    add aaa kcdaccount kcdaccount1 -keytab kcdvserver.keytab

    Finally, verify that the new KCD account has the proper keytab file and virtual server principal associated with it:

    To verify the KCD account on the NetScaler appliance
    sh kcdAccount <accountname>

    To create the KCD account for SSO by delegation with a client cert

    At the NetScaler command prompt, type the following commands:
    add aaa kcdaccount <accountname> -realmStr <realm> -delegatedUser <spnuser> -usercert <cert> -cacert <cacert>
    For each variable, substitute the following values:
    • accountname - The KCD account name.
    • realm - The domain assigned to Kerberos SSO.
    • spnuser - The username in SPN format.
    • usercert - The full path and name of the user client certificate file on the NetScaler appliance.
    • cacert - The full path and name of the CA certificate file on the NetScaler appliance.
    Example:
    add aaa kcdaccount kcdaccount1 -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -usercert /certs/usercert -cacert /cacerts/cacert

NetScaler Insight Center Table Data Changes

  • ENH ID 0404805: NetScaler Insight Center now saves the following:

    Granular Data      Time to purge
    7 seconds data     6 min
    5 minutes data     65 minutes
    Hourly data        25 hours
    Daily data         8 days
    Weekly data        5 weeks

Increased Limits on the Number of Service Groups

  • ENH ID 0406355: You can now configure up to 8K (8192) service groups on a NetScaler appliance. The earlier limit was 4K (4096) service groups.

Bug Fixes

AAA Application Traffic

  • Issue ID 0418200: On a NetScaler appliance that has AAA configured with SSL certificate set to "optional" and at least one authentication policy, when Android users attempt to authenticate, the Android Receiver client generates the following error: "invalid server certificate". This error is caused by improper cookie handling by the Android Receiver client.

Application Firewall

  • Issue ID 0416714: When the NetScaler appliance sends large amounts of input data to the application firewall at once, the appliance can hang or crash. The appliance has now been programmed to send input data in batches limited to sizes that do not cause hangs or crashes to occur.

AppFlow

  • Issue ID 0418296: A newly added HTTP header prevents parsing of the HTTP request.

Command Line Interface

  • Issue ID 0379234: The show ns runningConfig command displays the current time instead of the time at which the configuration was last modified.

Configuration Utility

  • Issue IDs 0361970, 0387024, 0397473, and 0400307: When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.

  • Issue ID 0409605: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, the compression feature is not enabled on the appliance and for the service groups.

  • Issue ID 0413087: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, if you configure XenDesktop and later edit the Xen Farm settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices is not modified. Therefore, published resources of both XenApp and XenDesktop are displayed when the Web Interface site is accessed through Receivers.

  • Issue ID 0414361: When you click the Edit link to update the configurations specified in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed when you try to apply the optimization settings.

  • Issue ID 0414760: When editing the Xen Farm settings in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.

  • Issue ID 0414807: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:

    • More than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers.
    • More than one service is bound to the service group.
  • Issue ID 0420349: Unable to access ICA connections through the graphical user interface.

Global Server Load Balancing

  • Issue ID 0408374: If a configuration has a large number of GSLB services and the add location file command is used to add the location database, some of the services might not be assigned a location from the database.

  • Issue ID 0421837: When a GSLB vserver is configured with RTT or Static Proximity as the load balancing method or SOURCEIPHASH as the persistence type, the NetScaler appliance might restart because of invalid memory access.

High Availability

  • Issue IDs 0357841 and 0408502: In a high availability configuration, for a connection to an FTP virtual server with the stateful connection failover option enabled, if the FTP control connection is closed before the passive mode FTP data connection is opened, the secondary node may become unresponsive.

ICA AppFlow

  • Issue ID 0414137: The NetScaler appliance might fail if AppFlow is enabled and the user tries to access a XenApp/XenDesktop farm under certain network conditions that result in split data packets.
  • Issue IDs 0423840 and 0426203: When you enable HDX Insight on a VPN server and try to launch an application from the XenApp server, the NetScaler appliance might fail as it copies the data to an invalid memory location.

Load Balancing

  • Issue ID 0409055: If you run a custom health monitoring script that does not require an argument, the NetScaler appliance sends an incorrect timeout to the script. As a result, the script continues to run for longer than expected. After some time, the maximum limit for the number of scripts allowed on the appliance is reached and new scripts cannot be run.

  • Issue ID 0417101 (MPX 9500): Oracle database monitor fills the console window with DONE and DEEP_FLD_LEN messages.

  • Issue ID 0410711: When Diameter traffic reaches a Diameter load balancing virtual server that has persistency enabled, and a single packet contains multiple full requests and a partial request, the NetScaler fails to recognize the partial request and therefore sends it to the server. As a result, an invalid packet is sent to the server and the NetScaler sends a 5XXX code to the client.

Monitoring

  • Issue ID 0383812: A monitor of type CITRIX-WI-EXTENDED fails if the script name and site path arguments are not explicitly set.

Multipath TCP Support

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

  • Issue ID 0409426: The NetScaler appliance does not acknowledge the subflow FIN when it comes with the MPTCP DATA_FIN.

  • Issue ID 0412833: While using MPTCP, the NetScaler cannot adequately handle overlapping data sequence maps.

  • Issue ID 0414182: The NetScaler appliance must not send MPTCP control signals such as DATA_FIN or FAST_CLOSE when the NetScaler has already sent a subflow FIN.

  • Issue ID 0419184: While using MPTCP, the NetScaler appliance crashes when trying to free an already freed TCP session.

NetScaler Insight Center

  • Issue ID 0416889: In some cases, NetScaler Insight Center reports incorrect values for XenApp launch count.

NetScaler SDX Appliance

  • Issue ID 0413123: When you display the running configuration of a NetScaler instance in the Service Management interface, the double quotation marks (") are replaced with HTML code (&quot;).

Networking

  • Issue ID 0404849: The NetScaler appliance might restart if it receives a duplicate IPv6 fragment within a very short time after receiving the original fragment.

SNMP

  • Issue IDs 0413733, 0413871, and 0421055: SNMPD fails to respond if it receives a packet with a NULL community string.

SSL

  • Issue ID 0408393: If you add an entity through the interactive SSL certificate process on the command line and abort the operation partway with CTRL+C, carrying out the same operation again causes the NetScaler command line to crash.

System

  • Issue IDs 0216272 and 0358540: In a high availability setup, after a forced failover, the sync operation fails to sync the -establishClientConnection parameter setting.

  • Issue IDs 0375425, 0399769, 0401111, 0408648, 0413721, and 0414273: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.

  • Issue ID 0401526: On a NetScaler appliance, an invalid HTTP range request results in a large amount of memory usage and the following error appears: "ERROR: Communication error with the packet engine."

  • Issue ID 0405532: TCP buffering is bypassed because the calculated 'usable system memory' is less than the configured threshold value.

  • Issue ID 0411613: The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.

  • Issue ID 0412681: If changes are made in the nsconfig/resolv.conf file, the appliance fails to override the default DNS configurations.

  • Issue ID 0415623: If you specify an invalid IPv4 address in a command that can accept either IPv4 or IPv6 address, the NetScaler shell exits automatically due to memory corruption.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

    Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers to which a listen policy is bound accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

NetScaler Insight Center

  • Issue ID 0331944: When no devices have been added to the inventory, the welcome screen is displayed on the configuration tab as well as the dashboard tab, which makes it impossible to perform any basic configuration.
  • Issue IDs 0333555 and 346171: After you enable AppFlow on some virtual servers, even though no error message appears, the check box does not appear in the Insight column.

    Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.

  • Issue ID 0350977: When you enable Appflow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, the clear AppFlow configurations operation (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.

    Workaround: Restart the NetScaler Insight Center appliance.

  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0414155: If you move columns and refresh the page, the column ordering is sometimes reset to default.
  • Issue ID 0414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
  • Issue ID 0414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off: The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
  • Issue ID 0417415: If you add a NetScaler appliance to a NetScaler Insight Center setup while ICA sessions are enabled, NetScaler Insight Center does not report the existing ICA sessions. It reports only the ICA sessions initiated after the appliance is added.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After using the Management Service to create a channel, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

  • Issue ID 0424588: If a NetScaler instance is created with a Management VLAN using the 0/1 or 0/2 interface, the guest VMs fail to start post provisioning, because the guest VMs use the VLAN networks instead of physical network while assigning the interface.

    Workaround:
    1. Remove the NetScaler instances whose management ports are in tagged VLAN.

    2. Log on to the XenServer shell prompt and remove all the VLAN networks.

    3. Create the guest VM instances first, and then create the NetScaler instances.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.

    • Intel CPU Vtt Power (Volts)
    • Voltage Sensor2 (Volts)
    • Temperature 0 (Celsius)
    • Temperature 1 (Celsius)

    This change affects the following platforms:

    • MPX 11500/13500/14500/16500/18500/20500
    • MPX 17550/19550/20550/21550
    • MPX 8200/8400/8600
    • MPX 5550/5650/5750
  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

    • Release 10.1 starting build 112.15 or later

    • Release 10 build 74 or later

    • Release 9.3 build 62.4 or later

    • Release 9.3.e build 59.5003.e or later

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.
    Note: Citrix encourages the use of default syntax policies rather than classic policies.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0382647: The stat system -detail command does not display the number of CPUs.

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue IDs 0417793, 0421214, 0421329, and 0423099: The NetScaler appliance stops sending TCP DUP ACKs when it receives out of order packets. This might result in latency between the client and the appliance, or the appliance and the server, with reduced throughput for some traffic patterns.

Web Interface

  • Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.

    Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later: bindservicegroup_state2 unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.


Build 120.13

Release version: Citrix NetScaler, version 10.1 build 120.13

Replaces build: None

Release date: September 2013

Release notes version: 8.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Configuring Link Redundancy by using LACP channels

  • ENH ID 0346763: Link redundancy by using LACP channels enables the NetScaler appliance to logically create sub channels from a LACP channel, where one of the sub channels is active and the remaining sub channels stay in standby mode. If the active sub channel fails or does not meet a minimum threshold throughput, one of the standby sub channels takes over and becomes active.

    The NetScaler appliance forms a sub channel from the links that are part of the LACP channel and are connected to a particular device. For example, for a LACP channel with four interfaces on a NetScaler appliance, where two of the interfaces are connected to device A and the other two interfaces are connected to device B, the NetScaler appliance logically creates two sub channels: one sub channel with two links to device A, and the other sub channel with the remaining two links to device B.

    The lrMinThroughput parameter is introduced for configuring link redundancy for a LACP channel. This parameter specifies the minimum throughput threshold to be met by the active sub channel of a LACP channel. When the throughput of the active sub channel falls below the lrMinThroughput value, link failover occurs and one of the standby sub channels becomes active.

    For example, set channel la/1 -lrMinThroughput 2000

    Link redundancy for a LACP channel is disabled, which is also the default setting, when you set the lrMinThroughput parameter of the LACP channel to zero or when you unset this parameter.

    Note: In an HA configuration, if you want to configure both throughput-based HA failover (throughput parameter) and link redundancy (lrMinThroughput parameter) on a LACP channel, you must set the throughput parameter to a value that is less than or equal to the value of the lrMinThroughput parameter.

    For example, set channel la/1 -throughput 2000 -lrMinThroughput 2000

    HA failover does not occur if any of the sub channels meets the lrMinThroughput parameter value even when the total throughput of the LACP channel does not meet the throughput parameter value.

    HA failover occurs only when none of the sub channels of the LACP channel meets the lrMinThroughput parameter value and the total throughput of the LACP channel does not meet the throughput parameter value.
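
The link-failover and HA-failover rules above can be checked against a planned cabling layout with a small model. This is an added example, not Citrix code: the Link type, the function names, the sample interfaces and the choice of the highest-throughput standby are assumptions made for illustration.

```python
"""Model of the link-redundancy and HA-failover rules of ENH ID 0346763.
Added illustration; all names and sample values are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str   # member interface of the LACP channel (constructed sample value)
    peer: str   # device the link is connected to
    rate: int   # throughput the link currently carries, same unit as the thresholds


def sub_channels(links):
    """Group member links by peer device; each group is one logical sub channel."""
    totals = defaultdict(int)
    for link in links:
        totals[link.peer] += link.rate
    return dict(totals)


def evaluate(links, active_peer, lr_min_throughput=0, throughput=0):
    """Return (active sub channel after evaluation, whether HA failover occurs)."""
    # Rule from the note: throughput must be less than or equal to lrMinThroughput.
    if throughput and lr_min_throughput and throughput > lr_min_throughput:
        raise ValueError("throughput must be <= lrMinThroughput")

    subs = sub_channels(links)
    total = sum(subs.values())
    below_ha_threshold = bool(throughput) and total < throughput

    # lrMinThroughput of zero (or unset) disables link redundancy, so there is
    # no active sub channel and only the throughput-based HA check applies.
    if not lr_min_throughput:
        return None, below_ha_threshold

    # The active sub channel still meets the threshold: nothing changes.
    if subs.get(active_peer, 0) >= lr_min_throughput:
        return active_peer, False

    # Link failover: a standby sub channel that meets the threshold takes over.
    # Assumption: the standby with the highest throughput is chosen.
    standbys = {peer: rate for peer, rate in subs.items()
                if peer != active_peer and rate >= lr_min_throughput}
    if standbys:
        return max(standbys, key=standbys.get), False

    # No sub channel meets lrMinThroughput: HA failover happens only if the
    # total channel throughput is also below the throughput parameter.
    return active_peer, below_ha_threshold


def sample_links(down=()):
    """Constructed layout: four links, two to device A and two to device B."""
    layout = [("1/1", "A"), ("1/2", "A"), ("1/3", "B"), ("1/4", "B")]
    return [Link(name, peer, 0 if name in down else 1000) for name, peer in layout]


if __name__ == "__main__":
    for down in [(), ("1/1",), ("1/1", "1/3"), ("1/1", "1/2", "1/3")]:
        print(down, evaluate(sample_links(down), "A", 2000, 2000))
```
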

DNS64

  • ENH ID 0318404: The NetScaler DNS64 feature responds with a synthesized DNS AAAA record to an IPv6 client sending an AAAA request for an IPv4-only domain. The DNS64 feature is used with the NAT64 feature to enable seamless communication between IPv6-only clients and IPv4-only servers. DNS64 enables discovery of the IPv4 domain by the IPv6-only clients, and NAT64 enables communication between the clients and servers.

    To synthesize an AAAA record, the NetScaler appliance fetches a DNS A record from a DNS server. The DNS64 prefix is a 96-bit IPv6 prefix configured on the NetScaler appliance. The NetScaler appliance synthesizes the AAAA record by concatenating the DNS64 prefix (96 bits) and the IPv4 address (32 bits).
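
The concatenation described above, and the reverse mapping that recovers the IPv4 server from a synthesized address seen in a log, as an added example that is not Citrix code. The prefix 64:ff9b::/96 (the RFC 6052 well-known prefix), the function names and the sample records are assumptions chosen for illustration.

```python
"""DNS64 AAAA synthesis with a 96-bit prefix, and the reverse mapping.
Added illustration; the prefix, names and records below are constructed."""
import ipaddress

# Assumption: the RFC 6052 well-known prefix stands in for the configured DNS64 prefix.
DNS64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample data: one IPv4-only name and one dual-stack name.
SAMPLE_RECORDS = {
    "v4only.example.": {"A": ["192.0.2.33", "198.51.100.7"], "AAAA": []},
    "dual.example.": {"A": ["203.0.113.5"], "AAAA": ["2001:db8::5"]},
}


def check_prefix(prefix):
    """The DNS64 prefix is 96 bits, leaving exactly 32 bits for the IPv4 address."""
    if prefix.prefixlen != 96:
        raise ValueError("DNS64 prefix must be exactly 96 bits long")
    return prefix


def synthesize(prefix, ipv4):
    """Concatenate the 96-bit prefix and the 32-bit IPv4 address."""
    check_prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def answer_aaaa(name, records=SAMPLE_RECORDS, prefix=DNS64_PREFIX):
    """Answer an AAAA query: synthesize only when the name is IPv4-only."""
    entry = records.get(name)
    if entry is None:
        return []                        # unknown name: nothing to answer
    if entry["AAAA"]:
        return list(entry["AAAA"])       # native AAAA records are returned unchanged
    return [str(synthesize(prefix, a)) for a in entry["A"]]


def embedded_ipv4(prefix, ipv6):
    """Recover the IPv4 address from a synthesized AAAA; None if outside the prefix."""
    check_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


if __name__ == "__main__":
    for qname in SAMPLE_RECORDS:
        print(qname, answer_aaaa(qname))
    print(embedded_ipv4(DNS64_PREFIX, "64:ff9b::c000:221"))
```
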

Setting Up NetScaler for XenApp/XenDesktop

  • ENH ID 0345912: The NetScaler now provides a wizard that simplifies the task of setting up a NetScaler appliance for a XenApp/XenDesktop deployment. For more information, see Setting Up NetScaler for XenApp/XenDesktop.

New Subnet Mask Field for the SNIP Address in the First-time Setup Wizard

  • ENH ID 0413542: The first-time setup wizard now has separate subnet mask fields for the NetScaler IP (NSIP) and subnet IP (SNIP) addresses.

Upgrade Progress

  • ENH ID 0346988: When you upgrade a NetScaler VPX instance on an SDX appliance, a new window, Upgrade Progress, shows the status of the upgrade operation, including any error messages. This feature is also available for SecureMatrixGSB and Websense Protector virtual machines.

Support for 8 Channels

  • ENH ID 0401113: The SDX SVM now allows you to configure 8 channels on a VPX instance.

Bug Fixes

AAA Application Traffic

  • Issue ID 0401000: When AAA is configured by authentication profile on a NetScaler appliance that has content switching enabled, users can use the Microsoft Internet Explorer or Mozilla Firefox browsers to log on, but might not be permitted to access all resources that they should be able to access. Users who log on using the Google Chrome browser do not experience this problem. The underlying cause was that authentication level is checked only once per connection rather than at each request.

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

Configuration Utility

  • Issue ID 0361970: When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.

Domain Name System

  • Issue ID 0401451: The NetScaler appliance, configured to function as a DNS forwarder or DNS resolver, might become unresponsive whenever it receives a truncated UDP DNS response from a name server.

Load Balancing

  • Issue ID 0390545 (nCore): A NetScaler nCore appliance uses multiple CPU cores (Packet Engines) for packet handling. Every session on the appliance is owned by a packet engine (PE). If the appliance receives a request for which a session does not already exist, a session is created, and one of the PEs is designated as the owner of that session. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE. During the time that the PE gets details about the session from the owner PE, the packet is corrupted.

  • Issue ID 0398327: You can now bind a StoreFront monitor to a service group. Each member of a service group is now monitored by using the member's IP address.

    The -hostname parameter is no longer required and is deprecated.

    To determine whether to use HTTP (the default) or HTTPS to send monitor probes, you must now use the -secure parameter. If your current StoreFront monitor configuration uses HTTP, you only have to remove the hostname parameter.

    To use HTTPS, set the -secure option to Yes.

    Example:
    add lb monitor storefront_ssl STOREFRONT -storename myStore -storefrontacctservice YES -secure yes
  • Issue ID 0409028: If you unbind a load balancing (LB) monitor from its service, all the connections to the configured destination IP address (destip) and port (destport) of the LB monitor are closed. In a typical L3 Direct Server Return (DSR) deployment mode, the destip and destport of the LB monitor are actually the IP address and port of the virtual server. Therefore, in a typical L3 DSR deployment, if you unbind an LB monitor from its service, all the existing connections to the virtual server are closed. The same behavior is observed if you delete a service.

Monitoring

  • Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, if you run the show ns runningConfig command before restarting the appliance, the monitor binding information does not appear.

Multipath TCP Support

  • Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.

  • Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP are enabled.

  • Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.

  • Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.

NetScaler Insight Center

  • Issue ID 0369664: For an Active session, data is sent to the AppFlow collector even if the policy rule is changed to FALSE when the session is active.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.
  • Issue ID 0402458: If the memory usage on the NetScaler Insight Center reaches the maximum limit, the appliance fails to respond to further memory-allocation requests by other modules and becomes unresponsive.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0402959: In certain situations, the NetScaler appliance incorrectly interprets the compression buffer size negotiation between the client and the server, and enabling AppFlow on the ICA connection causes the appliance to fail when the connection is used to launch an application or desktop. This problem most commonly occurs when a CloudBridge appliance or any WAN optimization device is placed between the client and the NetScaler appliance.
  • Issue ID 0405818/0405273: On the Dashboard > Users page, ICA RTT values displayed on the graph in the left panel do not match the values displayed below the graph, or there is a delay in updating the values.
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.
  • Issue ID 0411107: In a mixed XenApp/XenDesktop server farm, if the XenApp and XenDesktop versions are older than 6.5 and 5.0 respectively, the applications fail to launch because the NetScaler appliance incorrectly parses the ICA packets.
  • Issue ID 0413016/0414140: The NetScaler appliance may fail to respond when AppFlow is enabled on the NetScaler Insight Center and the user tries to access the XenApp/XenDesktop farm.
  • Issue ID 0414844: HDX Insight does not support XenApp versions earlier than 6.5.
  • Issue ID 0415812: If a CloudBridge appliance is placed between the client and a NetScaler appliance, and AppFlow is enabled for ICA traffic, the XenApp/XenDesktop applications fail to launch and the NetScaler appliance fails.
  • Issue ID 0413657: In some situations, the NetScaler appliance fails after parsing ICA traffic incorrectly.

NetScaler SDX Appliance

  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of NetScaler instance Modify NetScaler Wizard.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.

  • Issue ID 0405115: SSL certificate installation on a NetScaler instance from the SDX Management Service fails during validation if the SSL certificate does not have an associated key file.

  • Issue ID 0405921: The SVM restore operation of NetScaler instances fails because the SVM shuts down the NetScaler instances that are still being provisioned.

  • Issue ID 0410416: After the SDX appliance restarts, NetScaler VPX instances on the appliance cannot send packets tagged with VLAN IDs through an LACP channel.

Networking

  • Issue ID 0401303: When the conditions specified in an ACL rule include the operator !=, the NetScaler appliance may not properly filter packets based on the ACL rule.

  • Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.

  • Issue ID 0404861: If the NetScaler appliance has redundant L2 connectivity with a switch, the NetScaler appliance may mark its link-local IPv6 addresses as duplicate during the DAD (Duplicate address detection) process.

  • Issue ID 0405190: When IP fragments are received on a load balancing virtual server with client timeout parameter set to zero, the NetScaler appliance might dump core and then restart.

Platform

  • Issue ID 0409202: The NetScaler license is not processed if the configuration file (ns.conf) contains multiple instances of the host name, or if the host name in the ns.conf file is different from the host name in the rc.conf file. With this fix, if the ns.conf file contains multiple host names, only the name set by the set ns hostname command is used. Also, the host name in ns.conf no longer takes precedence over the host name in rc.conf.

Rewrite

  • Issue ID 0401455: Modifying the content with more than one callout results in incorrect computation of the content length. This issue is not observed if all the callouts use GET requests.

System

  • Issue ID 0353546: When you try to add a second name-based SNMP manager, you get an error message that says an SNMP manager with that name already exists.

  • Issue ID 0391632: The output of the stat commands specified with the -fullValues option is aligned incorrectly.

  • Issue ID 0391754: On a NetScaler MPX system, the SNMP count for the system's hardware memory and the show system memory display are incorrect. The amount of memory shown is larger than the actual amount.

  • Issue ID 0401111: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.

  • Issue ID 0402677: The NetScaler appliance might fail to respond if an ICMP error occurs when TCP buffering and integrated caching are enabled on the appliance.

  • Issue ID 0407868: Remote monitoring of a high capacity appliance, such as a NetScaler MPX 22000, might indicate a drop in performance even though performance remains robust. The apparent problem is the result of a pause in the stream of monitoring data, not an actual drop in throughput.

  • Issue ID 0407974: A session is not freed when port allocation fails. The session is still matched, and the NetScaler appliance fails when it tries to access other linked sessions, which are NULL.

  • Issue ID 0423610: If, from a management computer, you run a command that forms a request size of more than 8000 bytes, the NetScaler ADC might not properly buffer this large request. As a result, the ADC terminates the connection to the management computer.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793 (nCore and nCore VPX): The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.

  • Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.

  • Issue ID 0409605: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, the compression feature is not enabled on the appliance and for the service groups.

    Workaround: Enable compression on the appliance by using the enable ns feature CMP command. Also, enable compression for the service groups by using the set servicegroup <name> -CMP on command.

  • Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.

    Workaround: Do not apply the optimization settings.

  • Issue ID 0413087: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, if you configure XenDesktop and later edit the Xen Farm settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices is not modified. Therefore, published resources of both XenApp and XenDesktop are displayed when accessing the Web Interface site through Receivers.

  • Issue ID 0414361: When you click the Edit link to update the configurations specified in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed when you try to apply the optimization settings.

    Workaround: Edit the XenFarm section (no actual changes required), click Continue and then apply the optimization settings.

  • Issue ID 0414422: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.

  • Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.

    Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.

  • Issue ID 0414760: When editing the Xen Farm settings in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.

  • Issue ID 0414807: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:

    • More than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers.
    • More than one service is bound to the service group.
  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching/Load Balancing

  • Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp"
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp"

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers to which a listen policy is bound accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

NetScaler Insight Center

  • Issue ID 0331944: When there are no devices added in the inventory, the welcome screen is displayed for the configuration tab along with the dashboard tab, which makes it impossible to perform any basic configurations.
  • Issue ID 0350977: When you enable AppFlow from NetScaler Insight Center, complex policy expressions are not accepted. This issue occurs when you directly type the complex expression in the text box.

    Workaround: Copy and paste the expression from a notepad.

  • Issue ID 0368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
  • Issue ID 0388875: Only one page of load balancing virtual servers is displayed. For example, if you have selected a page size of 25, and the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, n-25 load balancing virtual servers are not displayed.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.
  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405849: NetScaler entity names are case insensitive, but NetScaler Insight Center expects the virtual server names or policy names to be case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: After the NetScaler upgrade or downgrade operation, NetScaler Insight Center does not report any data on the dashboard.

    Workaround: Restart the NetScaler Insight Center appliance.

  • Issue ID 0405951: The count of embedded objects displayed in the waterfall chart can be wrong for recurrent page requests if the NetScaler integrated cache or browser cache is enabled.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0409885: The report for desktop session count also includes the count of XenApp sessions, which are launched by the user.
  • Issue ID 0412129: The WAN jitter and DC jitter values are not displayed in the NetScaler Insight Center reports.
  • Issue ID 0424673: Upgrading NetScaler Insight Center on VMware ESX from build 118.7 or 119.7 to 120.13 is not supported.

    Workaround: To upgrade to build 120.13, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After using the Management Service to create a channel, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

  • Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:

    • Release 10.1 build 112.15 or later

    • Release 10 build 74 or later

    • Release 9.3 build 62.4 or later

    • Release 9.3.e build 59.5003.e or later

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies rather than classic policies.

Reporting

  • Issue ID 0368982: After you import a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue ID 0411613: The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2

    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.


Build 119.7

Release version: Citrix NetScaler, version 10.1 build 119.7

Replaces build: None

Release date: July 2013

Release notes version: 5.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

Multipath TCP Support

  • ENH ID 0320221: NetScaler appliances now support Multipath TCP (MPTCP). MPTCP is a TCP/IP protocol extension that identifies and uses multiple paths available between hosts to maintain the TCP session. You have to enable MPTCP on a TCP profile and bind it to a virtual server. When MPTCP is enabled, the virtual server functions as an MPTCP gateway and converts MPTCP connections with the clients to TCP connections that it maintains with the servers.

    For more information, see TCP Configurations.

Call Home Proxy Mode Support

  • ENH ID 0311623: Call Home can now upload your NetScaler appliance's data to the Citrix TaaS server through a proxy server.

    For more information, see Configuring Call Home.

Custom HTTP Headers Support using Web Server Logging

  • ENH ID 0329710: The NetScaler can now export values of custom HTTP headers to the NSWL client. You can configure up to a maximum of two HTTP request header names and two HTTP response header names.

    For more information, see Exporting Custom HTTP Headers.

Backing Up and Restoring a NetScaler Appliance

Checking Content Type of Responses

  • ENH ID 0236218: When configuring the Safe Commerce (credit card) check, you can now configure the application firewall to check the MIME/type of HTTP responses and skip responses that are not of the appropriate content type for Safe Commerce filtering. You can use this configuration option to prevent false positives.

    To enable MIME/type checking, at the NetScaler command line type the following command:

     bind appfw profile <name> -inspectResContentType <type>

    For <name>, substitute the name of the profile. For <type>, substitute a string that matches the MIME/type. For example, to check for and skip PDF content sent to the library profile, you would type the following:

     bind appfw profile library -inspectResContentType "text/PDF"

    To disable a MIME/type rule that you have previously enabled, use the unbind command:

     unbind appfw profile <name> -inspectResContentType <type>

Enterprise License Support for AppFlow

  • ENH ID 0395659: AppFlow can now export ICA records from NetScaler appliances that have enterprise licenses. This ensures that HDX insight reports for NetScaler appliances with enterprise licenses are now available on the NetScaler Insight Center.

New Metrics Support for NetScaler Insight Center

  • ENH ID 0400867: HDX Insight reports now include details about Client Side NS Latency, Server Side NS Latency and Host Delay.

Enabling or Disabling the Recursion Available Flag

  • ENH ID 0403114: A Recursion Available option has been added for load balancing virtual servers of type DNS and DNS TCP. It controls the RA (Recursion Available) flag in all the DNS responses from these virtual servers.

Bug Fixes

AAA Application Traffic

  • Issue ID 0387049: When importing a keytab while setting up a KCD account, AAA might fail to extract the SPN from the keytab, causing the import to fail.

Application Firewall

  • Issue ID 0403027: The application firewall includes an extraneous line break in the hidden field that it adds to forms as part of the form field consistency check. This line break is not JavaScript-compliant and can cause issues with JavaScript-enhanced forms.

Cache Redirection

  • Issue ID 0401148: The NetScaler cache fails to respond to a request in which an absolute URL does not include a slash (/) after the host name.

Configuration Utility

  • Issue ID 0372535: The pagination count on the page listing SSL policies that can be bound does not display the correct values.

Global Server Load Balancing

  • Issue ID 0385305: In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the add locationFile command, the command is not synchronized to the remote location.

Load Balancing

  • Issue ID 0351870: If you change the load balancing group of a virtual server that has a large number of SSL sessions, the appliance might fail.

  • Issue ID 0383402: If a virtual server is UP because the service(s) are in Transition Out-Of-Service (TROFS) state, the clients do not respond due to requests being queued at the virtual server rather than at the services. Instead, the client must issue 503 or RST.

  • Issue ID 0401118: On a NetScaler appliance or VPX that is configured for load balancing in an environment that includes a Microsoft SQL server database, when a client sends a large number of long queries to the MSSQL database, the appliance or VPX might hang or crash.

Load Balancing/AAA-TM

  • Issue ID 0402472: If you attempt to create a KCD service account on a NetScaler appliance or virtual appliance that has AAA-TM enabled and integrated caching disabled, a buffer overflow might load the appliance or cause it to fail.

NetScaler Insight Center

  • Issue ID 0332854: An IP address that contains the number 255 in any quadrant cannot be added to the inventory.
  • Issue ID 0400545: The help page on the Graphical User Interface (GUI) displays incorrect information for enabling data collection.
  • Issue ID 0400665: The HDX Insight node is not displayed for Enterprise licenses of NetScaler appliances.
  • Issue ID 0400900: The load time and render time metrics are not displayed for standard or enterprise licenses of NetScaler appliances.
  • Issue ID 0405177: During an ICA session, the NetScaler appliance fails to respond when you access its invalid memory space.
  • Issue ID 0403134/0403195: During an ICA session, the NetScaler appliance fails to respond due to a NULL pointer access.

NetScaler SDX Appliance

  • Issue ID 0400409: If you modify a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.

  • Issue ID 0400607: If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.

Networking

  • Issue ID 0366321: The Network Visualizer does not display the bound IP addresses of a configured VLAN.

  • Issue ID 0402068: With Random source port selection for Active FTP enabled on the NetScaler appliance, when an FTP server initiates a connection from the standard TCP port number 20, the NetScaler appliance uses a random port instead of port 20 for the client side data connection.

  • Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.

Policies

  • Issue ID 0391238: When an HTTP callout is configured with a virtual server that has a wildcard port, the NetScaler appliance fails to respond the first time the callout is triggered.

SSL

  • Issue ID 0400084: An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.

  • Issue ID 0400649: In the NetScaler configuration utility, the FipsKey parameter does not appear in the Install certificate dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.

System

  • Issue ID 0390257: SNMP returns incorrect values for the ifOutOctets and ifInOctets counters.

  • Issue ID 0394724: The SNMP module allocates memory for all OIDs in an SNMP request and queues them for further processing. With a large number of SNMP requests (each request with possibly hundreds of OIDs), the result can be a memory shortage that in turn leads to memory allocation failures.

  • Issue ID 0395735: The NetScaler appliance dumps a core when you create a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.

  • Issue ID 0404094: If the SNMP service has the NSI_NS_SERVICE flag set, and you clear the configuration, the NetScaler appliance crashes.

Known Issues and Workarounds

AppFlow

  • Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:

    • The applications stop functioning but are visible in the browser.
    • Citrix Receiver displays a dialog box, stating that the connection is disconnected.
    • When you click OK in the dialog box, the applications disappear.
    • If you launch any fresh applications without logging off and then logging back on, all the previously launched applications resume with their previous status.

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.

  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:

    • update appfw signatures "*Default Signatures"
    • update appfw signatures "custom_signatures"
    • update appfw signatures "custom_signatures_2"

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.

  • Issue ID 0361793: (nCore and nCore VPX) The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.

  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml

    Workaround: Switch to the Desktop screen to display Java based configuration views.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching

  • Issue ID 0399575: When configuring load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.

Documentation

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:

    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.

    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

  • Issue ID 0401451: The NetScaler appliance, configured to function as a DNS forwarder or DNS resolver, may become unresponsive whenever it receives a truncated UDP DNS response from a name server.

Load Balancing

  • Issue ID 0398327: Monitoring of StoreFront servers fails if they are part of a cluster and the StoreFront monitor is bound to the entire service group. The StoreFront monitor probe fails because individual members have different host names.

    Workaround: If the StoreFront servers are part of a cluster, Citrix recommends that you add them as individual services instead of as members of a service group.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.

  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.

    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example:
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp"
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp"

  • Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, the monitor binding information does not appear if you run the show ns runningConfig command before restarting the appliance.

Multipath TCP Support

  • Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.

  • Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.

  • Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP are enabled.

  • Issue ID 0400819: MPTCP does not support FTP data connections.

  • Issue ID 0400861: Virtual servers with listenPolicy specified accept connections from the first subflow only.

  • Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.

  • Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.

  • Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.

  • Issue ID 0401793: MPTCP does not support IPv6 addresses.

NetScaler Insight Center

  • Issue ID 0331944: When no devices have been added to the inventory, the welcome screen is displayed for the configuration tab as well as the dashboard tab, which makes it impossible to perform any basic configuration.
  • Issue ID 0369664: In HDX Insight mode, data is sent to the AppFlow collector even if the policy rule is set to FALSE.

    Workaround: Start the session again.

  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: In transparent mode, when you launch XenApp through Citrix Receiver (standard edition), the app launch duration is shown as zero.
  • Issue ID 0388875: If the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, and the page size is set to 25, only the first 25 virtual servers are shown. The list does not continue on another page.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.

    Workaround: The correct value is displayed in the Dashboard > HDX Insight > Applications page.

  • Issue ID 0397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports display session termination records.
  • Issue ID 0401514: On an HTTP virtual server, after you enable AppFlow by selecting the expression TRUE and the HTML Injection box, if you change the policy expression and disable HTML injection, the rewrite and responder policies are still bound to the load balancing virtual server.
  • Issue ID 0404204: NetScaler 10 appliances do not support clearing AppFlow configurations from a virtual server.
  • Issue ID 402105: The following error may occur when you access the NetScaler Insight Center appliance from XenDesktop 5.6 or XenApp 6.5 by using the IE8 browser:

    Object does not support this property or method.

  • Issue ID 0402458: If the analytics decoding process requires more than 100% of RAM memory, the system fails to respond to further memory-allocation requests by other modules.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0403665: If the values for certain metrics are zero, the graphs display these values incorrectly.
  • Issue ID 0404477: If you use Internet Explorer to open Desktop Director on an RDP machine, the graph displays extra dotted lines even though everything works fine functionally.
  • Issue ID 0405953: The waterfall chart displays a blank tooltip when you hover over the blank space between the x-axis and the y-axis.
  • Issue ID 0405818/0405273: On the Dashboard > Users page, ICA RTT values displayed on the graph in the left panel do not match the values displayed below the graph, or there is a delay in updating the values.
  • Issue ID 0404100: The VPN option on the View drop-down list is available for NetScaler 10.0 appliances.
  • Issue ID 0405849: Sometimes, the commands used in the NetScaler Insight Center command line interface are case sensitive.
  • Issue ID 0405853: If AppFlow is enabled for a virtual server on more than one NetScaler Insight Center virtual appliance, then the clear AppFlow configurations (select Configuration > Inventory > <ipaddress> > Application List > <ipaddress> > Action > Clear AppFlow Configuration) does not work on the virtual server having the least priority.
  • Issue ID 0405936: If the NetScaler Insight Center virtual appliance remains inactive for a longer duration, the data will not be logged.

    Workaround: Restart the appliance by running the following command on the command line interface:

    #/etc/rc.d/analyticsd restart
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).

    Workaround: After creating a channel by using the Management Service, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable on the network.

  • Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.

  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of the NetScaler instance's Modify wizard.

    Workaround: Modify the NetScaler instance and remove the nonexistent channel from the VLAN settings page.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.

  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while configuring an extended ACL by using the configuration utility, you set the port parameter to $, no error message appears, but the ACL is not configured.

  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.

    Workaround: Use the CLI to define classic SSL policies.

    Note: Citrix encourages the use of default syntax policies over classic policies.

Reporting

  • Issue ID 0368982: After you have imported a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.

  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.

    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.
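
    The workaround for Issue ID 0388481, which this page lists under System in the known issues of more than one build, can be checked against a copy of ns.conf before the upgrade. The following Python script is an added example, not Citrix code; the -time flag spelling, the function name, and the sample configuration lines are assumptions constructed for illustration.

```python
import re

# Alarms for which, per Issue ID 0388481, the time parameter is deprecated
# in version 10 and later.
DEPRECATED_TIME_ALARMS = {"IP-CONFLICT", "HA-LICENSE-MISMATCH", "HA-PROP-FAILURE"}

# Matches "set snmp alarm <name>" at the start of a line (keywords matched
# case-insensitively) and captures the alarm name.
_ALARM_CMD = re.compile(r"^\s*set\s+snmp\s+alarm\s+(\S+)", re.IGNORECASE)

# Matches the "-time <value>" token pair. The whitespace required after
# "-time" keeps longer flag names that merely start with "-time" untouched.
_TIME_ARG = re.compile(r"\s+-time\s+\S+", re.IGNORECASE)

# Constructed sample input, not taken from a real appliance.
SAMPLE_NS_CONF = "\n".join([
    "set snmp alarm IP-CONFLICT -time 86400",
    "set snmp alarm HA-LICENSE-MISMATCH -time 86400 -severity Major",
    "set snmp alarm ha-prop-failure -state ENABLED",
    "set snmp alarm SYNFLOOD -time 60",
    "add snmp trap generic 192.0.2.10",
]) + "\n"


def strip_deprecated_time(conf_text):
    """Remove "-time <value>" from the three affected alarm commands.

    Returns (new_text, changes); changes is a list of
    (line_number, old_line, new_line) for every line that was edited.
    Lines for other alarms and all other commands are returned unchanged.
    """
    out = []
    changes = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = _ALARM_CMD.match(line)
        if match and match.group(1).upper() in DEPRECATED_TIME_ALARMS:
            new_line = _TIME_ARG.sub("", line)
            if new_line != line:
                changes.append((line_no, line, new_line))
                line = new_line
        out.append(line)
    trailing = "\n" if conf_text.endswith("\n") else ""
    return "\n".join(out) + trailing, changes


if __name__ == "__main__":
    import sys

    # With a path argument, check that file (use a copy of ns.conf);
    # without one, run against the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_NS_CONF
    cleaned, changed = strip_deprecated_time(text)
    for line_no, old, new in changed:
        print(f"line {line_no}:\n  - {old}\n  + {new}")
    print(f"{len(changed)} line(s) need editing before the upgrade")
```

    The script only reports the lines to change; it does not write to ns.conf.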

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2

    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.


Build 118.7

Release version: Citrix NetScaler, version 10.1 build 118.7

Replaces build: None

Release date: June 2013

Release notes version: 3.0

Language supported: English (US)

Note: Unless stated otherwise, an issue applies to all NetScaler build types (nCore and nCore VPX).

Enhancements

NetScaler VPX Support on Microsoft Hyper-V and VMware ESX virtualization platforms

The NetScaler VPX virtual appliance is supported on Microsoft Hyper-V Server 2012 and VMware ESX 5.1 virtualization platforms.

Oracle Monitor Support

ENH ID 0364085: You can now create a load balancing monitor for an Oracle DBMS server by using the new Oracle-ECV monitor type. The supported data types are BINARY_DOUBLE, BINARY_FLOAT, CHAR, DATE, INTERVALDS, INTERVALYM, NUMBER, NVARCHAR, TIMESTAMP, TIMESTAMP_WITH_LOCAL_TIME_ZONE, and TIMESTAMP_WITH_TIME_ZONE.

You can configure the monitor by using the NetScaler command line or the configuration utility.

To create and configure an Oracle-ECV monitor at the command line, type:
 add lb monitor <monitorName> oracle-ecv [ parameters... ]
Example:
 add lb monitor oracle-monitor5 ORACLE-ECV -userName hr -database xe -sqlQuery "select Name from testlb" -evalRule "ORACLE.RES.ATLEAST_ROWS_COUNT(1)"
Where:
  • userName is the name of the database user.
  • database is the database to query.
  • sqlQuery is the query to be sent to the server.
  • evalRule is the rule to be evaluated against the response.
Note: The database user has to be configured by using add db user hr -password passwd

To create or configure an Oracle-ECV monitor by using the configuration utility, navigate to Traffic Management => Load Balancing => Monitors, and then click Add to create the monitor or select an existing monitor and then click Open to configure the monitor.

The new expressions that support the Oracle-ECV monitor are as follows:
  • ORACLE.RES.ATLEAST_ROWS_COUNT(n) Determines whether the query response contains at least the specified number of rows.
  • ORACLE.RES.ROW(i).NUM_ELEM(j).eq(n) Determines whether the value located at the specified row and column is equal to the specified number. You can substitute other valid numeric operations for "eq".
  • ORACLE.RES.ROW(i).IS_NULL_ELEM(j) Determines whether the value located at the specified row and column is NULL.
  • ORACLE.RES.ROW(i).TEXT_ELEM(j).eq("pattern") Determines whether the value located at the specified row and column matches the specified pattern. You can substitute other valid text operations for "eq".

NetScaler and XenMobile Solution for Enterprise Mobility

ENH ID 0365382: Citrix NetScaler deployed with XenMobile Mobile Device Management (MDM) provides the ability to scale, ensure high availability for apps, and maintain security.

Use the XenMobile MDM Setup wizard on the NetScaler configuration utility to configure the following two deployment scenarios:
  • Load balance XenMobile Device Managers (MDM servers): In this scenario, the NetScaler appliance sits between the client and the XenMobile MDM servers to load balance encrypted data from mobile devices to the XDM servers.
  • Load balance MS Exchange servers with email filtering: In this scenario, the NetScaler appliance sits between the client and the XNC and CAS servers. All requests from the client devices go to the NetScaler appliance, which then communicates with the XNC to retrieve information about the device. Based on the response from the XNC, the NetScaler either forwards the request from a whitelisted device to the backend server, or drops the connection from a blacklisted device.

For more information, see the "NetScaler and XenMobile Solution for Enterprise Mobility" deployment guide.

Low Encryption Licenses for Russia

ENH ID 0349674: A NetScaler MPX appliance for customers in Russia initially ships with a low encryption license. After proper authorization from the Russian agency, customers can upgrade to a Standard, Enterprise, or Platinum software edition, which enables high-encryption SSL performance on the appliance.

First Time User Wizard Changes

The look and feel of the first time user wizard has changed.

Provisioning Third-Party Instances on a NetScaler SDX Appliance

You can now provision the following third-party virtual machines (instances):
  • ENH ID 0329072: SECUREMATRIX® GSB—Provides a highly secure password system that eliminates the need to carry any token devices.
  • ENH ID 0329072: Websense® Protector—Allows enterprises to deploy a data loss prevention (DLP) solution to protect sensitive enterprise information.
  • ENH ID 0349549: BlueCat DNS/DHCP Server—Provides a DNS, DHCP, and IP Address Management software solution for enterprises.
Important: You must upgrade to XenServer version 6.1.0 before provisioning a third-party instance on the SDX appliance.

Upgrading the XenServer Software

ENH ID 0322368: You must upgrade the NetScaler SDX appliance to XenServer version 6.1.0 to enable functionality of some features, such as LACP and third-party virtual machines. The process of upgrading the XenServer software involves uploading the build file of the target build to the Management Service, and then upgrading the XenServer software.

Configure Link Aggregation from the Management Service

ENH ID 0257892: You can now configure link aggregation from the Management Service at the time of provisioning a NetScaler instance, or later by modifying an instance. An aggregated link is also known as a channel. The interfaces that form part of a channel are not listed in the Network Settings view shown when you add or modify a NetScaler instance. Instead of the interfaces, the channels are listed.

NetScaler Insight Center

  • ENH ID 0341904: NetScaler Insight Center supports clearing AppFlow configurations from a virtual server.
  • ENH ID 0381072: NetScaler Insight Center supports sending syslog messages to an external syslog server.
  • ENH ID 0388409: On the Dashboard > HDX Insight > Users > <user name> page, the application and gateway reports display the active applications by default.
  • ENH ID 0392732: The HTML Injection feature is now available for Web Insight data collection on platinum licenses of NetScaler 10.0 appliances and on all licenses of NetScaler 10.1 appliances.

Changes and Fixes

AAA Application Traffic

  • Issue ID 0372362: When KCD is configured with a content switching virtual server, the NetScaler appliance might hang or crash. The cause is a GET request with multiple authorization headers. (Only one authorization header is expected.)
  • Issue ID 0387076: On a NetScaler appliance with AAA enabled and KCD single sign-on configured, after several single sign-on requests are successfully authenticated, the virtual server principal can unexpectedly become blank. When this happens, subsequent authentication requests fail.
  • Issue ID 0390037: After authentication, if AAA generates the URL redirect, it rewrites the query portions of certain URLs into base 8 ASCII string equivalents instead of passing on the original strings.
  • Issue ID 0391105: A NetScaler appliance that has AAA-TM configured for authentication with a RADIUS Server might generate intermittent logon failures with the error message HTTP/1.1 Internal Server Error 6.

Application Firewall

  • Issue ID 0351544: The application firewall now supports sessionless cookie proxying on NetScaler cluster configurations that do not use the spotted VIP feature.

Application Firewall Signatures

  • Issue ID 0376437: To improve performance, when processing buffer overflow signatures the application firewall now evaluates PCRE regular expressions only when the minLength parameter is set.
  • Issue ID 0384103: You can now configure the JSON content types for your application firewall in the Manage JSON Content Types dialog box in the global settings. The dialog box is nearly identical to the Manage XML Content Types dialog box.
  • Issue ID 0390804: If you configure an application firewall profile but do not bind any signatures to it, the NetScaler appliance becomes unresponsive or fails if a user sends a request with a JSON body to a web site protected by that profile.

Cluster

  • Issue ID 0370814: A newly added node cannot synchronize the cluster configuration, because it cannot establish a connection to the cluster configuration coordinator. This issue might arise if the configuration coordinator rpcNode password on the new node is not the same as that on the configuration coordinator.

Configuration Utility

  • Issue ID 0360163: You cannot configure a GSLB service for which a server is not configured on the NetScaler appliance. The configuration utility displays the message Server must be specified.
  • Issue ID 0369583: If you use the configuration utility to view a Responder action, the Responder Actions page is reloaded.
  • Issue ID 0369900: When search results do not fit onto one page, duplicate records might appear on the second and subsequent pages.
  • Issue ID 0387554: On NetScaler appliances that run the cluster OS, user-defined control policies are not listed in the control flow and therefore do not appear in the Policy Manager. After these policies are bound to Global or an appropriate bind point, they are listed in the data flow.

Content Switching

  • Issue ID 0397673: When you configure a content switching rule that is evaluated before the user authenticates with AAA-TM, and the rule is supposed to redirect users to a specific virtual server on the basis of the user name, the rule fails.

Documentation

  • Issue IDs 0395277 and 0395282: The PDF format of NetScaler product documentation is no longer packaged with the NetScaler MPX, VPX, and SDX software. NetScaler product documentation is available in HTML format on the eDocs product library web site. You can generate a PDF for any topic from eDocs.

    To access NetScaler documentation on eDocs, see http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html.

Global Server Load Balancing

  • Issue ID 0394328: On a NetScaler appliance that has both a monitor and a GSLB view bound to a GSLB service, occasionally the view binding is not visible from the CLI and is not saved in ns.conf although the GSLB service is properly configured and UP.

Load Balancing

  • Issue ID 0376173: If two NetScaler appliances in a high-availability configuration have TCPB mode enabled globally, and you create a DNS TCP service, the service might be successfully created on the primary NetScaler appliance but fail on the secondary appliance.
  • Issue ID 0387253: When you create a new load balancing server on the configuration utility, occasionally a series of error messages appears indicating that the Load Balancing feature is not licensed, and you are unable to create the virtual server.
  • Issue ID 0391273: When you add a new server to an existing service group, the services in the group might be designated as DOWN even though monitoring probes succeed. To enable the services, unset the virtual server spillover method. They are then correctly designated as UP.

NetScaler Insight Center

  • Issue IDs 0377737 and 0365977: NetScaler Insight Center appliance fails to respond.
  • Issue ID 0378044: On the Configuration > Inventory > Application List page, the values for number of applications displayed and total number of applications can be incorrect.
  • Issue ID 0378652: The Page analysis button is in the wrong place and not functional on the Dashboard > Web Insight > URL page.
  • Issue ID 0381522: On the Dashboard > HDX Insight > Applications page, the Total Session Launch count displays an incorrect number of sessions launched.
  • Issue ID 0385895: The graph of user applications, which appears when you navigate to Dashboard > HDX Insight > Users <username> > <sessionID> > Applications > More <application name>, is incorrectly plotted.
  • Issue ID 0386543: No graph is plotted for users on the page that appears when you click the Dashboard > HDX Insight > Users <username> > <SessionID> > Applications > More button.
  • Issue ID 0387257: The introduction that appears when you log on to a new NetScaler Insight Center appliance provides only Web Insight information. It does not provide information about HDX Insight.
  • Issue ID 0388093: When the Dashboard tab displays reports, the text that appears when you click the orange icon beside a metric does not accurately describe the licensing issue.
  • Issue ID 0388453: On the Configuration > Inventory > Application List page, after you right-click a VPN application and select Enable AppFlow, then clear the ICA check-box and click Enable AppFlow, AppFlow is shown enabled, but no data is collected and therefore no reports are displayed on the Dashboard > HDX Insight page.
  • Issue ID 0388650: The NetScaler appliance crashes when AppFlow is enabled on the virtual servers from the NetScaler Insight Center appliance.
  • Issue ID 0390581: On the Dashboard tab, in some cases, the breadcrumb navigation does not display any text for labels.
  • Issue ID 0391336: The HDX Insight node appears even if all NetScaler appliances have only standard licenses. The node is supposed to appear only when at least one appliance has an Enterprise or Platinum license.
  • Issue ID 0391477: You cannot enable AppFlow on a VPN application for which you have specified an expression from the drop-down list.
  • Issue ID 0392515: Data collection cannot be enabled on virtual servers (load balancing, content switching, or VPN) that have space characters in their names.

NetScaler SDX Appliance

  • Issue ID 0385037: If the /var/mps/policy/mps_policy_backup.xml file is empty or corrupted, the appliance performs a core dump and the Management Service user interface is blank.

Networking

  • Issue ID 0359348: For an IPv6 load balancing virtual server that belongs to a traffic domain, and for which the persistence is set as cookieinsert, the NetScaler appliance does not insert the correct cookie in its response.

Platform

  • Issue ID 0360223: In certain cases, error messages on the console of an MPX 5550/5650 or MPX 8200/8400/8600 appliance continuously scroll if the physical registers are not correctly read.
  • Issue ID 0373125: The NetScaler hardware might sometimes report incorrect values for system health counters. The health counters are read over the SMBus, which is prone to reporting wrong or zero values.

SNMP

  • Issue ID 0246215: A new SNMP alarm, vridStateChange, indicates the change of the state of a VRID from backup to master in an active-active configuration. The NetScaler appliance in which the state of a VRID changes to master sends a trap message for each VIP address bound to that VRID to the configured SNMP managers, indicating that the NetScaler appliance is currently serving traffic for a particular VIP address bound to that VRID. If no VIP addresses are bound to that VRID, the appliance does not send any trap messages.

SSL

  • Issue ID 0392683: In some cases, parsing an incorrectly formatted client certificate might take more than a few seconds. The delay can trigger the monitoring logic to terminate the process and restart the appliance.

System

  • Issue ID 0384153: When selective acknowledgement (SACK) and partial buffering are enabled on the appliance, acknowledgements with incorrect TCP checksum are forwarded to the server.
  • Issue ID 0392293: The NetScaler wrongly advertises TCP buffer size to the client side when dynamic windows management is enabled and the service-side buffer size is greater than 40k. This issue is observed when two different TCP profiles are bound to the virtual server (buffer size is 8k) and the service (buffer size > 40k) and causes failure when the NetScaler is uploading files.

Known Issues and Workarounds

Application Firewall

  • Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.
  • Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.

    Workaround: Use the Adobe PDF browser plugin.

  • Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.

    For example, if you have two sets of custom signatures named custom_signatures and custom_signatures_2 that are based on copies of the default signatures file, you would update the signatures on your NetScaler appliance by issuing the following commands:

    update appfw signatures "*Default Signatures"
    update appfw signatures "custom_signatures"
    update appfw signatures "custom_signatures_2"

Cluster

  • Issue ID 0395735: The NetScaler appliance dumps a core when creating a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.

    Workaround: Make sure you delete existing TFTP load balancing virtual servers before creating the cluster or high availability setup.

Configuration Utility

  • Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
  • Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
  • Issue ID 0372535: The pagination count on the page listing SSL policies that can be bound does not display the correct values.
  • Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.

    Workaround: Use the mouse to click the OK button instead of pressing the ENTER key on the keyboard.

  • Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
  • Issue ID 0387135: If you access the NetScaler configuration utility through Internet Explorer 8, an attempt to view more than 25 load balancing virtual servers per page results in an alert message about an unresponsive script.

    Workaround: Do not change the default pagination value (25). If you change the default pagination value and the appliance prompts you to stop running the script, choose to continue.

  • Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.

    Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins in the Start screen, and therefore Java cannot run in the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml.

  • Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.

    Workaround: Use the arrow keys on the keyboard to scroll the screen.

  • Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.

    Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.

Content Switching

  • Issue ID 0399575: When configuring load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you have a load balancing virtual server with a service type of HTTP, and assign a backup virtual server with a service type of TCP to it, any content switching action bound to it fails.

Documentation

  • Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes.

    See Configuration Utility Changes for information on the new node structure.

Domain Name System

  • Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:
    • On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
    • The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.

Global Server Load Balancing

  • Issue ID 0385305: In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the add locationFile command, the command is not synchronized to the remote location.

Load Balancing

  • Issue ID 0383402: If a virtual server is UP by virtue of the service(s) being in Transition Out-Of-Service State (TROFS), the clients do not respond (instead of issuing 503 or RST) due to requests being queued at the virtual server rather than at the services.

Monitoring

  • Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.
  • Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path argument are not explicitly set.
    Workaround:
    1. Create a monitor of type CiTRIX-wi-EXTENDED.
    2. Set the script name.
    3. Set the site path.
    For example,
    add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp"
    set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
    set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp"

NetScaler Insight Center

  • Issue ID 0369664: In HDX Insight mode, data is sent to the AppFlow collector even when the policy rule is set to FALSE.

    Workaround: Start the session again.

  • Issue ID 0379876: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
  • Issue ID 0385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name (user-id@domain-name).
  • Issue ID 0386911: While launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
  • Issue ID 0388096: In transparent mode, when you launch XenApp through Citrix Receiver (standard edition), the app launch duration is shown as zero.
  • Issue ID 0388875: If the number of load balancing virtual servers (including those associated with content switching virtual servers) exceeds 25, and the page size is set to 25, only the first 25 virtual servers are shown. The list does not continue on another page.
  • Issue ID 0394526: On the Dashboard > Web Insight > Applications page, the values shown when you select Response Time from the drop-down list can be incorrect.
  • Issue ID 0394613: The Total App Launch Count is not displayed when you navigate to Dashboard > HDX Insight > Gateways and view the summary for a particular user.
  • Issue ID 0395022: On the Dashboard > HDX Insight > Users page, the Active Apps count is not updated instantly on the left pane.

    Workaround: The correct value is displayed in the Dashboard > HDX Insight > Applications page.

  • Issue ID 0397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.
  • Issue ID 0397258: On the Dashboard > HDX Insight > Users page, the line graph plots might not add up to the summary shown to the left of the line graph for average bandwidth.
  • Issue ID 0398844: On the Dashboard > HDX Insight > Users page, the report for a specific user does not display data for Total Application Launch count.
  • Issue ID 0399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports display session termination records.
  • Issue ID 0400545: The help page on the Graphical User Interface (GUI) displays incorrect information for enabling data collection.

    Workaround: To view the details, click the help icon in the graphical user interface. When the help page opens, click the TOC tab and navigate to NetScaler Insight Center 10.1 > Enabling Data Collection.

  • Issue ID 0400665: The HDX Insight node is not displayed for Enterprise licenses of NetScaler appliances.
  • Issue ID 0400900: The load time and render time metrics are not displayed for Standard Licenses of NetScaler appliances.
  • Issue ID 0402727: If you have installed NetScaler Insight Center virtual appliance on ESX, then the console may display watchdog timeout errors or the Graphical User Interface (GUI) may freeze sometimes.
  • Issue ID 0408495: During installation of a virtual NetScaler Insight Center on VMware ESX, NetScaler Insight allocates only 14 GB of space in the var directory, even though the OVF file specifies 120 GB.

NetScaler SDX Appliance

  • Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the status of the member interfaces might appear as Error-Disabled (in the command line) or DOWN (in the configuration utility) of the NetScaler instance.

    Workaround: After creating a channel by using the Management Service, restart the SDX appliance.

  • Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.

    Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.

  • Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable on the network.
  • Issue ID 0399630: If a new interface is bound to an LACP channel by using the Management Service, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
  • Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of the NetScaler instance modify wizard.

    Workaround: Modify the NetScaler instance and remove the non-existent channel from the VLAN settings page.

  • Issue ID 0400409: While modifying a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.

    Workaround: Provision the NetScaler instance again.

  • Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.
  • Issue ID 0400607: If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.
  • Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on this channel, the third-party instance is not reachable on the network.

NetScaler VPX Appliance

  • Issue ID 0326388: In sparse traffic conditions on a NetScaler VPX virtual appliance installed on VMware ESX, some latency might be observed in releases after 9.3 as compared to release 9.2. If this latency is not acceptable, you can change a setting on the appliance. At the shell prompt, type:
    sysctl netscaler.ns_vpx_halt_method=2
    Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
    sysctl netscaler.ns_vpx_halt_method=2

Networking

  • Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while configuring an extended ACL by using the configuration utility, you set the port parameter to $, no error message appears, but the ACL is not configured.
  • Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 error messages that match a forwarding-session rule.

Platform

  • Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.

Policies

  • Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. You must use the CLI. However, you can use the configuration utility to bind and unbind classic SSL policies.

SSL

  • Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
  • Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
  • Issue ID 0400084: An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.

    Workaround: Disable SPDY in the Chrome browser.

  • Issue ID 0400649: In the NetScaler configuration utility, the FipsKey parameter does not appear in the Install Certificate dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.

    Workaround: Use the command line interface.

System

  • Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.
    Note: The same error occurs if you try to set the time for one of these alarms.

    Workaround: Before upgrading to 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.

  • Issue ID 0390257: SNMP returns incorrect values for the ifOutOctets and ifInOctets counters.
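
The workaround for Issue ID 0388481 above can be scripted as a pre-upgrade check. The following is an added example, not part of the original release notes or any Citrix tooling: it counts and strips the deprecated time parameter from the three affected set snmp alarm commands. The sample configuration is constructed, and dropping a command that is left with no parameters is a choice made for this example.

```shell
#!/bin/sh
# Added example: pre-upgrade cleanup for Issue ID 0388481.
# Alarm names come from the release note; the sample config is constructed.

AFFECTED_ALARMS="IP-CONFLICT HA-LICENSE-MISMATCH HA-PROP-FAILURE"

# Print a constructed ns.conf fragment for the demonstration.
sample_conf() {
    cat <<'EOF'
set ns hostName ns-lab-01
set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -time 10
set snmp alarm IP-CONFLICT -time 86400
set snmp alarm HA-LICENSE-MISMATCH -time 86400 -severity Major
set snmp alarm HA-PROP-FAILURE -severity Critical -time 86400 -logging ENABLED
add snmp manager 192.0.2.10
EOF
}

# Count the commands in config file $1 that still carry -time on an
# affected alarm. A result of 0 means the file needs no change.
count_affected() {
    awk -v names="$AFFECTED_ALARMS" '
    BEGIN { n = split(names, a, " "); for (k = 1; k <= n; k++) hit[a[k]] = 1; c = 0 }
    $1 == "set" && $2 == "snmp" && $3 == "alarm" && (toupper($4) in hit) {
        for (i = 5; i <= NF; i++) if (tolower($i) == "-time") { c++; break }
    }
    END { print c }
    ' "$1"
}

# Write config file $1 to stdout with -time and its value removed from the
# affected alarms only. Other alarms and all other lines pass through
# unchanged. A command left with no parameters is dropped (example choice).
strip_alarm_time() {
    awk -v names="$AFFECTED_ALARMS" '
    BEGIN { n = split(names, a, " "); for (k = 1; k <= n; k++) hit[a[k]] = 1 }
    $1 == "set" && $2 == "snmp" && $3 == "alarm" && (toupper($4) in hit) {
        out = ""
        for (i = 5; i <= NF; i++) {
            if (tolower($i) == "-time") { i++; continue }  # skip flag and value
            out = out " " $i
        }
        if (out != "") print $1, $2, $3, $4 out
        next
    }
    { print }
    ' "$1"
}

# Demonstration on the constructed sample.
conf=$(mktemp)
sample_conf > "$conf"
echo "commands to fix: $(count_affected "$conf")"
strip_alarm_time "$conf"
rm -f "$conf"
```

On an appliance, write the output of strip_alarm_time to a new file, compare it with a backup of the original ns.conf, and replace the file only after reviewing the difference.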

XML API

  • Issue ID 0363145: The following APIs are not available in version 10.1 or later:
    • bindservicegroup_state2
    • unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.