This document describes the enhancements, fixed issues, and known issues in the maintenance releases of Citrix NetScaler, Citrix NetScaler SDX, and Citrix NetScaler Insight Center.
Release version: Citrix NetScaler, version 10.1 build 131.7
Replaces build: None
Release date: March 2015
Release Notes version: 2.0
Language supported: English (US)
SSL
AAA-TM
> add tm trafficAction testAction1 -InitiateLogout ON
> add tm trafficPolicy testPolicy1 <rule> testAction1
AppFlow
Application Firewall
Cache Redirection
> set ns param -httpport 80
> add cr vserver cr1 http * 80
> set cr vserver cr1 -listenpolicy "client.ip.src.eq(1.1.1.1)"
Workarounds:
Add a listen policy when you add the cache redirection virtual server. For example:
set ns param -httpport 80
> add cr vserver cr1 -td 0 HTTP * 80 -range 1 -cacheType TRANSPARENT -Listenpolicy "CLIENT.IP.DST.EQ(4.4.4.10)"
OR:
Unset the httpport parameter. For example:
> unset ns param httpport
> add cr vserver cr1 http * 80
Command Line Interface
For example, the NetScaler ADC fails to run the following command because the expected value is a string for the uat argument that begins with a hyphen.
bind policy patset ps_adi_any_robots_deny -uat -index 1
Configuration Utility
Content Switching
1. Bind a policy to a content switching virtual server and specify a gotopriorityexpression.
2. Bind a filter or compression policy to another content switching virtual server without specifying a gotopriorityexpression.
3. Save the configuration and restart the appliance.
GSLB
-Last State Change
-Time since last state change
-Client and Server idle timeout
High Availability
Load Balancing
For example, spillover to a virtual server bound to the following policy might occur before the active transactions counter reaches a value of 10:
SYS.VSERVER("A").ACTIVETRANSACTION.GT(10) -action spillover
NetScaler Gateway
- Authoritative DNS
- DNS address record configured with the host name only
- DNS Suffix
Users are affected only if:
1. They use Windows full client for establishing the gateway session
AND
2. They have both Automatic Configuration script and Manual configuration for Proxy in their Internet Explorer settings
AND
3. The configured Automatic Proxy script file happens to be unreachable from the user's device (for example the Automatic Proxy script file address is an internal address and not reachable remotely).
NetScaler Insight Center
NetScaler SDX Appliance
Networking
Platform
- ESXi550-201410401-BG
- ESXi510-201410401-BG
Workaround: For more information, see http://support.citrix.com/article/CTX200278.
System
Workaround: Disable SDPY when integrated caching or front end optimization is enabled.
User Interface
WIonNS
add wi site /Citrix/new http://agee.citrix.com http://sta.citrix.com -agCallbackUrl http://callback.citrix.com
AAA-TM
Workaround: Remove the sessions manually by executing the "kill aaa sess" command. You might have to execute the command multiple times.
To force the ADC to use a SNIP (not the NSIP) as the source IP address in version 10.1 or later, you can set up a load balancing virtual server with an authentication service, and then configure that load balancing virtual server to perform the authentication.
Acceleration
AppFlow
--- The applications stop functioning, but are visible on the browser.
--- The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.
--- When you click OK on the dialog box, the applications are not displayed anymore.
--- If you launch any fresh applications without re-login, all the previously launched applications will resume with the previous status.
Application Firewall
show appfw JSONContentType
If the default content type is configured, the command output is similar to the following example:
> show appfw JSONContentType
1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
Done
If it is not, the screen shows only the following:
> show appfw JSONContentType
Done
To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:
add appfw JSONContentType ^application/json$ -isRegex REGEX
show appfw JSONContentType
Workaround: Use efficient regular expressions.
Workaround: Use the Adobe PDF browser plugin.
For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:
> update appfw signatures "*Default Signatures"
> update appfw signatures "custom_signatures"
> update appfw signatures "custom_signatures_2"
Application Firewall
Workaround: Turn off form field tagging and credit card checks.
CloudBridge Connector
Cluster
Command Line Interface
Configuration Utility
Workaround:
If you are using a Windows computer, do the following:
1. Right-click the shortcut icon that you use to open the Chrome browser, and select Properties from the pop-up menu.
2. In the Google Chrome Properties dialog box, click the Shortcut tab and, in the Target field, append the following value: --disable-hang-monitor
For example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-hang-monitor http://www.google.com
3. Close all instances of the Chrome browser, and restart the Chrome browser.
If you are using a Mac computer, do the following:
1. Open the terminal.
2. Launch the Chrome browser from the terminal and append the --disable-hang-monitor value, as follows:
open -a /Applications/Google\ Chrome.app --args --disable-hang-monitor
Workaround: Manually refresh the tabs.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Workaround: Use the command line interface.
Workaround: Press F12 and set the Document Mode and Browser mode to Internet Explorer 9.
Workaround: In release 10.1, provide only the FIPS key. For example, rsa.key.
In release 10.5, you must specify the complete file path to the FIPS key. For example, nsconfig/ssl/folder1/folder2/rsa.key.
Content Switching
Content Switching/Load Balancing
DNS
- If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache, with the AA bit unset and TTL decremented.
- If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache, with the AA bit set and the original TTL.
GSLB
This feature works in all builds of the 9.3 and 10.5 releases.
Graphical User Interface
High Availability
To avoid this issue, use the following steps when upgrading the HA nodes:
1. Before upgrading, run the "set ns param -internaluserlogin DISABLED" command.
2. Upgrade the secondary HA node to NetScaler release 10.1 build 126.x.
3. Force failover to make the upgraded node the primary node.
4. Upgrade the other HA node to NetScaler release 10.1 build 126.x.
5. Reenable the "internaluserlogin" parameter with the "set ns param -internaluserlogin ENABLED" command.
6. Save the configurations.
Note: Before upgrading, synchronize files between the HA nodes by using the "sync ha files all" command.
Workaround: After the HA pair is stabilized, perform a forced synchronization, on either the primary or the secondary node.
To perform a forced synchronization use the following command:
force ha sync
Integrated Caching
1. Client1 requests an object that is not in the cache.
2. While the NetScaler fetches the object from the backend server, client2 (a slow client) sends a request for the same object.
3. Client1 now decides to reset the connection.
4. When the object is available, the NetScaler serves it to client2.
However, because client2 is slow, a large amount of data that needs to be forwarded to client2 piles up on the NetScaler. When the NetScaler tries to send this data to the client, the NetScaler can crash.
Load Balancing
1. The maximum number of clients (maxclients) for a service is set to a value less than the number of PEs in the system.
2. Connections to this service have a high degree of connection reuse, that is, multiple requests are sent on the same TCP connection.
3. Requests for connections to this service cause a surge queue buildup.
If the maxclient setting is less than the number of PEs, only some PEs can open connections. After the maxclient limit is reached, PEs that have open connections are not likely to close them, because they are using those connections to process the traffic generated by high connection reuse and the large surge queue. As a result, the other PEs might not be able to open new connections. They therefore have a lower level of CPU usage, because they cannot participate in processing the surge queue.
This is expected behavior and usually does not cause any issues. However, if some of the PEs have near 100% CPU usage while the other PEs have relatively low CPU usage, you might want to limit the maximum requests per connection by using the "set service <name> -maxReq <positive_integer>" command, so that the PEs close connections that have delivered the specified number of requests. This evens out the CPU usage, because it allows the other PEs to open connections to the service.
SureConnect
NetScaler Gateway
NetScaler Insight Center
- NetScaler ADCs that are configured for Network Address Translation (NAT) are added to the NetScaler Insight Center inventory.
- A NetScaler ADC and a NetScaler Insight Center virtual appliance are in different networks and are configured for NAT.
Workaround: To upgrade to build 120.13 or later, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
NetScaler SDX Appliance
Workaround: Use the Allowed VLAN feature which has the same functionality as Enforced VLAN.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
The best way to achieve the same is to create the required channel first and then provision the VPX with the LACP selected.
Workaround: Increase the default cache memory limit.
NetScaler VPX Appliance
Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).
Networking
Issue ID 371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the "sync HA files" command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.
Workaround: Add the following extended ACL on each node of the HA configuration:
> add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22
For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:
On the primary node:
> add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22
On the secondary node:
> add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
Platform
- Intel CPU Vtt Power (Volts)
- Voltage Sensor2 (Volts)
- Temperature 0 (Celsius)
- Temperature 1 (Celsius)
This change affects the following platforms:
- MPX 11500/13500/14500/16500/18500/20500
- MPX 17550/19550/20550/21550
- MPX 8200/8400/8600
- MPX 5550/5650/5750
Workaround: If experiencing nic_err_rx_crc errors, perform a manual diagnostic check to rule out problems with SFPs, cables, and connectivity with the partner device ports.
Workaround: Reset the interface.
Policies
Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.
!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
Workaround: Use the CLI to define classic SSL policies.
Note: Citrix encourages the use of default syntax policies rather than classic policies.
Reporting
SSL
Workaround: Disable SSL session reuse on the SSL virtual servers on which you observe traffic loss.
For example,
> show ssl service svc1 -cipherDetails
ERROR: No such resource [serviceName, svc1]
System
Invalid response from the aggregator [Device not Configured]
Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.
User Interface
Workaround: If you are using a script to fetch the output for "show ns runningConfig" command, and the script has a placeholder for timeout value, modify the script to increase the timeout value to 500 seconds.
Web Interface
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
XML API
- bindservicegroup_state2
- unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.
Release version: Citrix NetScaler, version 10.1 build 130.13
Replaces build: 130.11
Release date: February 2015
Release Notes version: 3.0
Language supported: English (US)
Additions in Build 130.13: 532316
Additions in Build 130.11: 523321
AAA-TM
Action Analytics
Examples:
http://10.217.6.239/TesT/
http://10.217.6.239/TEST/
http://10.217.6.239/TEsT/
http://10.217.6.239/TeST/
Note post fix:
Stream analytics record creation will be case sensitive. For example, WWW.GOOGLE.COM and www.google.com will result in two separate records.
If this is not desired, stream selector results should be converted to one case. Example:
add stream selector sel1 HTTP.REQ.hostname.to_lower
Application Firewall
Workaround: Edit the relaxation rule to replace "%20" with "\s*" for requests with percent encoded space characters.
Cache Redirection
With the fix, invalid HTTP requests are redirected to the origin server instead of the cache server.
CloudBridge Connector
Cluster
Note:
- If you have configured a cluster in an earlier build, the cluster will work with the separate cluster license file. No changes are required.
- When you configure a new cluster in Build 52.x and then downgrade to an earlier build, the cluster will not work as it now expects the separate cluster license file.
Configuration Utility
Workaround: Configure the content switching virtual server with a different IP address.
Workaround: Navigate to Traffic Management > SSL and, in the right pane, select SSL Policy Manager. Or click the refresh button on the top right corner to display the SSL policies.
Content Switching
To prevent this problem, the ADC closes the client connection when this situation arises.
DNS
Data Stream
GSLB
Graphical User Interface
Load Balancing
Workaround:
Check the output of the "show rpcnode" command. If it shows an asterisk (*) for the SRCIP parameter, run the "set rpcnode <remote NSIP> -srcIP <local NSIP>" command.
Workaround: Run the "set lb group -persistenceType" command to reset the persistence on the virtual servers that are bound to the group.
a) The configuration is large (approximately 4MB).
b) The configuration includes a large number of "bind lb group" commands.
c) Configuration changes very frequently, resulting in frequent synchronization.
NITRO API
http://<NSIP>/nitro/v1/config/clioutput?args=command:"shell+nsconmsg+%2DK+%2Fvar%2Fnslog%2Fnewnslog+%2Dd+consmsg"
NetScaler Gateway
NetScaler Insight Center
NetScaler SDX Appliance
Workaround: Set the speed of the interface to 100 Mbps and disable auto-negotiation.
- NetScaler 10.1 Build 129.11 or earlier
- NetScaler 10.5 Build 52.11 or earlier
Networking
Platform
Policies
- Length is more than 1300 bytes (800 bytes for HTML_XML_SAFE).
- Has at least one unsafe character.
- A significant initial part of the string does not need encoding (or a smaller initial part of the string does not need encoding and many characters need encoding).
- One of the following functions is used on the string in the expression:
* HTTP_URL_SAFE - unsafe characters are not allowed. Safe characters are: a-z, A-Z, 0-9, "-", "_", ".", "!", "~", "*", "'", "(", ")", ";", ":", "@", "?", "=", "$", "%", "&", "+", ",", "/".
* HTTP_HEADER_SAFE - new line ('\n') characters are unsafe.
* HTML_XML_SAFE - unsafe characters are '<', '>' and '&'.
* APPEND_QUERY_PARAMETER - same as HTTP_URL_SAFE
Workaround: Remove uses of these functions from your expressions if strings can be long, or truncate the strings to 1300 bytes (800 bytes for HTML_XML_SAFE). In a number of cases you can avoid using these functions by concatenating the URL with a string constant to the left of it (for example, "" + HTTP.REQ.URL); if the input was encoded, the result is encoded as well.
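An added example, not from Citrix: a Python check that flags strings meeting the length and unsafe-character conditions listed above for each function, so you can tell which expressions need the workaround. The sample strings and the UTF-8 byte count are assumptions; the third condition is only reported as the position of the first unsafe character.

```python
import string

# Safe characters for HTTP_URL_SAFE, copied from the list in the notes.
URL_SAFE = set(string.ascii_letters + string.digits + "-_.!~*'();:@?=$%&+,/")

# function name -> (byte threshold from the notes, "is this character unsafe?")
RULES = {
    "HTTP_URL_SAFE": (1300, lambda c: c not in URL_SAFE),
    "APPEND_QUERY_PARAMETER": (1300, lambda c: c not in URL_SAFE),  # same as HTTP_URL_SAFE
    "HTTP_HEADER_SAFE": (1300, lambda c: c == "\n"),
    "HTML_XML_SAFE": (800, lambda c: c in "<>&"),
}


def assess(func, value):
    """Check one string against the documented conditions for one function."""
    limit, is_unsafe = RULES[func]
    size = len(value.encode("utf-8"))  # assumption: length is counted in UTF-8 bytes
    first_unsafe = next((i for i, c in enumerate(value) if is_unsafe(c)), None)
    return {
        "function": func,
        "bytes": size,
        "over_limit": size > limit,
        # How much of the string precedes the first unsafe character
        # (relevant to the "initial part does not need encoding" condition).
        "first_unsafe_index": first_unsafe,
        "meets_conditions": size > limit and first_unsafe is not None,
    }


def flag(samples):
    """Return (function, label) pairs that need truncation or removal of the function."""
    hits = []
    for label, func, value in samples:
        if assess(func, value)["meets_conditions"]:
            hits.append((func, label))
    return hits


# Constructed sample inputs (not taken from any real traffic).
LONG_URL = "/a" * 700 + "<x>"
SAMPLES = [
    ("long-url", "HTTP_URL_SAFE", LONG_URL),
    ("long-url-as-header", "HTTP_HEADER_SAFE", LONG_URL),
    ("long-url-as-html", "HTML_XML_SAFE", LONG_URL),
    ("short-query", "HTML_XML_SAFE", "/search?q=<b>"),
]

if __name__ == "__main__":
    for func, label in flag(SAMPLES):
        print(f"{label}: apply the workaround for {func}")
```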
SSL
System
User Interface
Workaround: Use the command line to enable or disable support for these protocols on the virtual server.
AAA-TM
To force the ADC to use the SNIP (not the NSIP) as the source IP address in version 10.1 and subsequent versions, you can set up a load balancing virtual server with an authentication service, and then configure that load balancing virtual server to perform the authentication action.
AppFlow
--- The applications stop functioning, but are visible on the browser.
--- The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.
--- When you click OK on the dialog box, the applications are not displayed anymore.
--- If you launch any fresh applications without re-login, all the previously launched applications will resume with the previous status.
Application Firewall
For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:
> update appfw signatures "*Default Signatures"
> update appfw signatures "custom_signatures"
> update appfw signatures "custom_signatures_2"
show appfw JSONContentType
If the default content type is configured, the command output is similar to the following example:
> show appfw JSONContentType
1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
Done
If it is not, the screen shows only the following:
> show appfw JSONContentType
Done
To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:
add appfw JSONContentType ^application/json$ -isRegex REGEX
show appfw JSONContentType
Workaround: Display the bindings in the command line interface, by using the "show system global" command.
Workaround: Use the Adobe PDF browser plugin.
The workaround is to turn off form field tagging and credit card checks.
Cache Redirection
set ns param -httpport 80
add cr vserver cr1 http * 80
set cr vserver cr1 -listenpolicy "client.ip.src.eq(1.1.1.1)"
Workaround:
Add a listen policy when you add the cache redirection virtual server. For example:
set ns param -httpport 80
add cr vserver cr1 -td 0 HTTP * 80 -range 1 -cacheType TRANSPARENT -Listenpolicy "CLIENT.IP.DST.EQ(4.4.4.10)"
Or:
Unset the httpport parameter. For example:
unset ns param httpport
add cr vserver cr1 http * 80
Command Line Interface
Configuration Utility
Workaround: In release 10.1, provide only the FIPS key. For example, rsa.key.
In release 10.5, you must specify the complete file path to the FIPS key. For example, nsconfig/ssl/folder1/folder2/rsa.key.
Workaround: Use the command line interface.
Workaround:
If you are using a Windows computer, do the following:
1. Right-click the shortcut icon that you use to open the Chrome browser, and select Properties from the pop-up menu.
2. In the Google Chrome Properties dialog box, click the Shortcut tab and, in the Target field, append the following value: --disable-hang-monitor
For example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-hang-monitor http://www.google.com
3. Close all instances of the Chrome browser, and restart the Chrome browser.
If you are using a Mac computer, do the following:
1. Open the terminal.
2. Launch the Chrome browser from the terminal and append the --disable-hang-monitor value, as follows:
open -a /Applications/Google\ Chrome.app --args --disable-hang-monitor
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Workaround: Manually refresh the tabs.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
Workaround: Press F12 and set the Document Mode and Browser mode to Internet Explorer 9.
Content Switching/Load Balancing
DNS
- If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.
- If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.
GSLB
Graphical User Interface
HTTP Profiles
High Availability
To avoid this issue, use the following steps when upgrading the HA nodes:
1. Before upgrading, run the "set ns param -internaluserlogin DISABLED" command.
2. Upgrade the secondary HA node to NetScaler release 10.1 build 126.x.
3. Force failover to make the upgraded node the primary node.
4. Upgrade the other HA node to NetScaler release 10.1 build 126.x.
5. Reenable the "internaluserlogin" parameter with the "set ns param -internaluserlogin ENABLED" command.
6. Save the configurations.
Note: Before upgrading, synchronize files between the HA nodes by using the "sync ha files all" command.
Integrated Caching
1. Client1 requests an object that is not in the cache.
2. While the NetScaler fetches the object from the backend server, client2 (a slow client) sends a request for the same object.
3. Client1 now decides to reset the connection.
4. When the object is available, the NetScaler serves it to client2.
However, because client2 is slow, a large amount of data that needs to be forwarded to client2 piles up on the NetScaler. When the NetScaler tries to send this data to the client, the NetScaler can crash.
Load Balancing
This feature works in all releases of 9.3 and 10.5.
traffic might spill over to the virtual server bound to this policy even though the current value of the counter has not reached N. This is because these two expressions use an arbitrary number for comparison.
For example, spillover to a virtual server bound to the following policy might occur before the active transactions counter reaches a value of 10:
SYS.VSERVER("A").ACTIVETRANSACTION.GT(10) -action spillover
1. The maximum number of clients (maxclients) for a service is set to a value less than the number of PEs in the system.
2. Connections to this service have a high degree of connection reuse, that is, multiple requests are sent on the same TCP connection.
3. Requests for connections to this service cause a surge queue build up.
If the maxclient setting is less than the number of PEs, only some PEs can open connections. After the maxclient limit is reached, PEs that have open connections are not likely to close them, because they are using those connections to process the traffic generated by high connection reuse and the large surge queue. As a result, the other PEs might not be able to open new connections. They therefore have a lower level of CPU usage, because they cannot participate in processing the surge queue.
This is expected behavior and usually does not cause any issues. However, if some of the PEs have near 100% CPU usage while the other PEs have relatively low CPU usage, you might want to limit the maximum requests per connection by using the "set service <name> -maxReq <positive_integer>" command, so that the PEs close connections that have delivered the specified number of requests. This evens out the CPU usage, because it allows the other PEs to open connections to the service.
NS-Platform
NetScaler Gateway
NetScaler Insight Center
The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
Workaround: To upgrade to build 120.13 or later, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
- NetScaler ADCs that are configured for Network Address Translation (NAT) are added to the NetScaler Insight Center inventory.
- A NetScaler ADC and a NetScaler Insight Center virtual appliance are in different networks and are configured for Network Address Translation (NAT).
NetScaler SDX Appliance
Workaround: Use the Allowed VLAN feature which has the same functionality as Enforced VLAN.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
Workaround: Increase the default cache memory limit.
NetScaler VPX Appliance
Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).
Networking
Workaround: Add the following extended ACL on each node of the HA configuration:
> add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22
For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:
On the primary node:
> add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22
On the secondary node:
> add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
Platform
- Intel CPU Vtt Power (Volts)
- Voltage Sensor2 (Volts)
- Temperature 0 (Celsius)
- Temperature 1 (Celsius)
This change affects the following platforms:
- MPX 11500/13500/14500/16500/18500/20500
- MPX 17550/19550/20550/21550
- MPX 8200/8400/8600
- MPX 5550/5650/5750
- ESXi550-201410401-BG
- ESXi510-201410401-BG
Workaround: For more information, see http://support.citrix.com/article/CTX200278.
Policies
Workaround: Use the CLI to define classic SSL policies.
Note: Citrix encourages the use of default syntax policies rather than classic policies.
Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.
!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
Reporting
SSL
For example,
> sh ssl service svc1 -cipherDetails
ERROR: No such resource [serviceName, svc1]
System
Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.
Invalid response from the aggregator [Device not Configured]
User Interface
Workaround: If you are using a script to fetch the output for "show ns runningConfig" command, and the script has a placeholder for timeout value, modify the script to increase the timeout value to 500 seconds.
Web Interface
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
XML API
- bindservicegroup_state2
- unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.
Release version: Citrix NetScaler, version 10.1 build 129.22
Replaces build: 129.11
Release date: October 2014
Release Notes version: 2.0
Language supported: English (US)
NetScaler Gateway
- Enable or disable client cleanup on the user device when Receiver is also running.
- Show or hide the NetScaler Gateway Plug-in icon even if it is integrated with Receiver.
To enable client cleanup:
Note: Enable client cleanup on NetScaler Gateway and then set the registry entry on the user device.
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client
Name: AllowCleanup
Type: REG_DWORD
Data: 1
To show the NetScaler Gateway Plug-in icon:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Secure Access Client
Name: DisableIconHide
Type: REG_DWORD
Data: 1
NetScaler SDX Appliance
Networking
Platform
Policies
Examples:
- CLIENT.ETHER.ETHERTYPE.EQ(IPv4)
- SERVER.ETHER.ETHERTYPE.EQ(IPv6)
SSL
Display HSM Model Number
The output of the "show fips" command now displays the HSM model number as shown below. This is especially helpful if you are conducting an audit of the FIPS card in a NetScaler appliance and cannot open the appliance without voiding the warranty.
> sh fips
FIPS HSM Info:
HSM Label : NetScaler FIPS
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 2.1G1037-IC000253
HSM State : 2
HSM Model : NITROX XL CN1620-NFBE
Hardware Version : 2.0-G
Firmware Version : 1.1
Firmware Release Date : Jun04,2010
Max FIPS Key Memory : 3996
Free FIPS Key Memory : 3994
Total SRAM Memory : 467348
Free SRAM Memory : 62580
Total Crypto Cores : 3
Enabled Crypto Cores : 3
Done
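An added example, not from Citrix: a Python parser that turns the "show fips" output above into an audit record and reports discrepancies such as a missing HSM Model line or disabled crypto cores. The required-field list and the expected-model comparison are assumptions about what an audit would check; the sample text is the output shown above.

```python
import re

# Output copied from the "sh fips" example in these notes.
SAMPLE = """\
> sh fips
FIPS HSM Info:
HSM Label : NetScaler FIPS
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 2.1G1037-IC000253
HSM State : 2
HSM Model : NITROX XL CN1620-NFBE
Hardware Version : 2.0-G
Firmware Version : 1.1
Firmware Release Date : Jun04,2010
Max FIPS Key Memory : 3996
Free FIPS Key Memory : 3994
Total SRAM Memory : 467348
Free SRAM Memory : 62580
Total Crypto Cores : 3
Enabled Crypto Cores : 3
Done
"""

# "Name : value" lines; the prompt, the section title and "Done" do not match.
LINE = re.compile(r"^\s*(.+?)\s*:\s*(.+?)\s*$")

# Assumption: fields an auditor wants present in every record.
REQUIRED = ("HSM Model", "HSM Serial Number", "Firmware Version", "Initialization")


def parse_show_fips(text):
    """Return {field name: value} for every 'Name : value' line."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit(fields, expected_model=None):
    """Build an inventory record plus a list of findings for the auditor."""
    findings = [f"missing field: {name}" for name in REQUIRED if name not in fields]

    model = fields.get("HSM Model")
    if expected_model and model and model != expected_model:
        findings.append(f"model mismatch: {model} (expected {expected_model})")

    total = int(fields.get("Total Crypto Cores", 0))
    enabled = int(fields.get("Enabled Crypto Cores", 0))
    if enabled < total:
        findings.append(f"crypto cores enabled: {enabled} of {total}")

    used = int(fields.get("Max FIPS Key Memory", 0)) - int(fields.get("Free FIPS Key Memory", 0))
    return {
        "model": model,
        "serial": fields.get("HSM Serial Number"),
        "firmware": fields.get("Firmware Version"),
        "initialization": fields.get("Initialization"),
        "key_memory_used": used,
        "findings": findings,
    }


if __name__ == "__main__":
    record = audit(parse_show_fips(SAMPLE), expected_model="NITROX XL CN1620-NFBE")
    for key, value in record.items():
        print(f"{key}: {value}")
```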
AAA-TM
AppFlow
Application Firewall
Workaround: You can manually add the wildcard characters to the affected builds, or you can upgrade to the latest build.
Workaround: Export the updated signatures, and import them on the secondary ADC.
Cache Redirection
With the fix, invalid HTTP requests are redirected to the origin server instead of the cache server.
CloudBridge Connector
Cluster
Command Line Interface
Configuration Utility
With this fix, the ADC and NetScaler Gateway do not allow a remote attacker to execute arbitrary code.
Workaround: Configure the content switching virtual server with a different IP address.
DNS
DataStream
GSLB
High Availability
The fix ensures that the NetScaler IP (NSIP) address of the local box is always set as the source IP address in a HA setup.
Integrated Caching
Load Balancing
NetScaler Gateway
NetScaler Insight Center
NetScaler SDX Appliance
Workaround:
The SDX appliance should have the same license as the backed-up SDX appliance.
Fix:
For an instance restore operation, license validation is done against the number of NetScaler instances selected for restore instead of against all NetScaler instances in the backup files.
Workaround: In such a situation, it is recommended to reboot the VPX.
Networking
• IPv6 encapsulation (41)
• Fragment Header for IPv6 (44)
• ICMP for IPv6 (58)
- The NetScaler ADC is not the GRE end point for this traffic.
- The NetScaler ADC creates NAT session information for this traffic.
Policies
Platform
- NetScaler 9.3 Build 67.5 or earlier
- NetScaler 10.1 Build 129.11 or earlier
- NetScaler 10.5 Build 52.11 or earlier
SSL
System
- 'Accept: application/x-rtsp-tunnelled' request header
- 'Content-Type: application/x-rtsp-tunnelled' response header
Once the tunnel is detected, NetScaler stops HTTP tracking for that TCP connection and lets the RTSP flow go through. The "rtspTunnel" option is disabled by default.
Note: In a HA setup, this behavior is displayed even when you perform a force sync or a force failover operation.
XML
AAA-TM
Action Analytics
Examples:
http://10.217.6.239/TesT/
http://10.217.6.239/TEST/
http://10.217.6.239/TEsT/
http://10.217.6.239/TeST/
Note post fix:
Stream analytics record creation will be case sensitive. For example, WWW.GOOGLE.COM and www.google.com will result in two separate records.
If this is not desired, stream selector results should be converted to one case. Example:
add stream selector sel1 HTTP.REQ.hostname.to_lower
AppFlow
--- The applications stop functioning, but are visible on the browser.
--- The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.
--- When you click OK on the dialog box, the applications are not displayed anymore.
--- If you launch any fresh applications without re-login, all the previously launched applications will resume with the previous status.
Application Firewall
For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:
> update appfw signatures "*Default Signatures"
> update appfw signatures "custom_signatures"
> update appfw signatures "custom_signatures_2"
Workaround: Use the Adobe PDF browser plugin.
The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "not set".
show appfw JSONContentType
If the default content type is configured, the command output is similar to the following example:
> show appfw JSONContentType
1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
Done
If it is not, the screen shows only the following:
> show appfw JSONContentType
Done
To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:
add appfw JSONContentType ^application/json$ -isRegex REGEX
show appfw JSONContentType
Workaround: Display the bindings in the command line interface, by using the "show system global" command.
Content Switching
Preventive fix: There is a preventive fix that closes the client connection when this situation arises.
CloudBridge Connector
Configuration Utility
Workaround: Press F12 and set the Document Mode and Browser mode to Internet Explorer 9.
Workaround: Use the command line interface.
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
Workaround:
If you are using a Windows computer, do the following:
1. Right-click the shortcut icon that you use to open the Chrome browser, and select Properties from the pop-up menu.
2. In the Google Chrome Properties dialog box, click the Shortcut tab and, in the Target field, append the following value:
--disable-hang-monitor
For example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-hang-monitor http://www.google.com
3. Close all instances of the Chrome browser, and restart the Chrome browser.
If you are using a MAC computer, do the following:
1. Open the terminal.
2. Launch the Chrome browser from the terminal and append the --disable-hang-monitor value, as follows:
open -a /Applications/Google\ Chrome.app --args --disable-hang-monitor
Workaround: Navigate to Traffic Management > SSL and, in the right pane, select SSL Policy Manager. Or click the refresh button on the top right corner to display the SSL policies.
Workaround: In release 10.1, provide only the FIPS key.
In release 10.5, you must specify the complete file path to the FIPS key.
Workaround: Manually refresh the tabs.
Content Switching/Load Balancing
DNS
Workaround: Use the corresponding CLI command to add the DNS record.
- If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.
- If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.
GSLB
High Availability
To avoid this issue, use the following steps when upgrading the HA nodes:
1. Before upgrading, run the command: "set ns param -internaluserlogin DISABLED"
2. Upgrade the secondary HA node to NetScaler 10.1 Build 126.x release.
3. Force failover to make the upgraded node the primary node.
4. Upgrade the other HA node to NetScaler 10.1 Build 126.x release.
5. Restore the previously disabled "internaluserlogin" parameter to enabled using the command: "set ns param -internaluserlogin ENABLED".
6. Save the configurations.
Note: Before upgrading, sync files between the HA nodes by using the CLI command: "sync ha files all".
Integrated Caching
1. Client1 requests an object that is not in cache.
2. While the NetScaler fetches the object from the backend server, client2 (a slow client) sends a request for the same object.
3. Client1 now decides to reset the connection.
4. When available, NetScaler serves the object to client2.
However, since client2 is slow, large data is piled up on the NetScaler that needs to be forwarded to client2. When the NetScaler tries to send this large data to the client, the NetScaler can crash.
Load Balancing
a) The configuration is large (approximately 4MB).
b) The configuration includes a large number of “bind lb group” commands.
c) Configuration changes very frequently, resulting in frequent synchronization.
Workaround: Run the "set lb group -persistenceType" command to reset the persistence on the virtual servers that are bound to the group.
Workaround:
Check the output of the "show rpcnode" command. If it shows an asterisk (*) for the SRCIP parameter, run the "set rpcnode <remote NSIP> -srcIP <local NSIP>" command.
NetScaler Gateway
NetScaler Insight Center
When you launch XenApp through Citrix Receiver (standard edition), the app launch duration is not calculated and is shown as zero.
Workaround: To upgrade to build 120.13 or later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
- NetScaler ADCs that are configured for Network Address Translation (NAT) are added to the NetScaler Insight Center inventory.
- A NetScaler ADC and a NetScaler Insight Center virtual appliance are in different networks and are configured for Network Address Translation (NAT).
The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
NetScaler SDX Appliance
Workaround: Use the Allowed VLAN feature which has the same functionality as Enforced VLAN.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
NetScaler VPX Appliance
Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).
Networking
Workaround: Add the following extended ACL on each node of the HA configuration:
> add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22
For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:
On the primary node:
> add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22
On the secondary node:
> add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
Platform
- Intel CPU Vtt Power (Volts)
- Voltage Sensor2 (Volts)
- Temperature 0 (Celsius)
- Temperature 1 (Celsius)
This change affects the following platforms:
- MPX 11500/13500/14500/16500/18500/20500
- MPX 17550/19550/20550/21550
- MPX 8200/8400/8600
- MPX 5550/5650/5750
Policies
Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.
!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
Workaround: Use the CLI to define classic SSL policies.
Note: Citrix encourages the use of default syntax policies rather than classic policies.
Reporting
SSL
For example,
> sh ssl service svc1 -cipherDetails
ERROR: No such resource [serviceName, svc1]
System
Invalid response from the aggregator [Device not Configured]
Workaround: Set the speed of the interface to 100 Mbps and disable auto-negotiation.
Workaround: If you're executing the command manually, then there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, then modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.
User Interface
Workaround: Use the command line to enable or disable support for these protocols on the virtual server.
Workaround: If you are using a script to fetch the output for "show ns runningConfig" command, and the script has a placeholder for timeout value, modify the script to increase the timeout value to 500 seconds.
Web Interface
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
XML API
- bindservicegroup_state2
- unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.
Release version: Citrix NetScaler, version 10.1 build 128.8
Replaces build: None
Release date: July 2014
Release Notes version: 1.0
Language supported: English (US)
AAA-TM
Issue ID 317157: AAA-TM now supports relative URLs as form Action URLs in forms-based SSO logon forms. You do not have to specify an absolute path to the web form when configuring forms-based SSO.
AppFlow
CloudBridge Connector
Issue ID 460193, 444265, 451886, 474654: The Internet Key Exchange Daemon (IKED) might fail after the NetScaler ADC is restarted.
DNS
Issue ID 462862: Statistics do not appear correctly for a DNS load balancing virtual server.
Issue ID 422509: CNAME Record Caching
When deployed in proxy mode, the NetScaler ADC does not always send the query for an address record to the back-end server. This happens when a partial CNAME chain for the answer to an address record query is present in the cache. Under a few conditions, the ADC caches the partial CNAME record and serves the query from the cache.
For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-tmg-dns-caching-cname-record-con.html
ICA AppFlow
Issue ID 458122: When appflow is enabled, Multi-Stream ICA connections do not work if an appflow policy is bound to a VPN virtual server and appflow logging is enabled on the VPN virtual server.
Integrated Caching
Issue ID 466452, 469584, 469588, 470925: While revalidating cached objects, the integrated caching feature performs some incorrect accounting of the cache size. This causes the NetScaler appliance to crash.
Load Balancing
Issue ID 478949: The NetScaler ADC fails if requests requiring IP fragmentation are forwarded to a virtual server that is configured for sessionless load balancing in IP mode.
NetScaler Gateway
Issue ID 485042: On a multi-core appliance, if session propagation to one core fails, NetScaler Gateway fails.
Issue ID 468145, 473867: Attempts to connect to the NetScaler Gateway from a Windows-based computer fail with the error 1008 when Transport Layer Security (TLS) block ciphers are configured and TLS 1.2 is enabled on NetScaler Gateway.
Issue ID 470059: If you disable authentication on NetScaler Gateway, endpoint analysis scan can occasionally be bypassed.
Issue ID 374296: If you configure load balancing virtual servers and the Secure Ticket Authority (STA) with the same fully qualified domain name (FQDN), attempts to bind the STA to the NetScaler Gateway virtual server fail.
Issue ID 464956, 470873, 471478, 474012: If the Domain Name Server (DNS) configuration is not available, users receive an "Internal error 500" message after successfully logging on to NetScaler Gateway.
Issue ID 461225: When users log on with clientless access and then open the Access Interface, the order of files that appear in Personal File Shares differs from the order of files on the file share server.
Issue ID 461279: When users upgrade the NetScaler Gateway Plug-in from Version 10.1.122.17 or later to the latest Version 10.1 Maintenance Release on a computer that includes an installation of Citrix Receiver, the automatic upgrade fails.
Issue ID 463871: If you bind SAML and LDAP authentication policies to the virtual server for two-factor authentication, after authenticating with SAML, which is the primary authentication type, the LDAP user name populates automatically. If the first logon attempt to LDAP fails, the user name is case-sensitive and must be entered again exactly as it appeared after SAML authentication. For example, if the user name is populated as JohnDoe@xyzz.com and the user types johndoe@xyzz.com during the subsequent attempt, logon fails.
NetScaler Insight Center
Issue ID 474159, 475853: If you enable and then disable AppFlow on a NetScaler ADC, the ADC fails while sending the ICA AppFlow records.
Issue ID 459668: A memory corruption issue causes a NetScaler ADC with AppFlow for ICA enabled to fail.
Issue ID 482748: If you enable AppFlow for ICA traffic on a NetScaler ADC, the NetScaler ADC might fail because of an internal memory re-use and dependency issue.
NetScaler SDX Appliance
Issue ID 480054: The backup of an SDX appliance was failing with an error "username missing". The root cause for this was that the migration from 9.3.x was failing because of duplicate database entries. Going forward, the Management Service will remove the duplicate database entries resulting in a successful migration.
Issue ID 463820, 480347: Management Service gives an error when an SDX administrator tries to bind a management channel while provisioning or modifying a NetScaler instance.
Issue ID 436286: If a VPX is using interface A and a channel is created on the Management Service using interface A and interface B, this channel should also be added to the VPX. But if interface B is already shared to its maximum limit, that is, no free VFs are left on interface B, the channel is not added to the VPX.
Issue ID 480581: The NSIP modify action from the Management Service results in inconsistent state if the "Save Config" command from the Management Service to VPX takes a long time to respond. This happens because the connection might time-out. The issue has been fixed by increasing the time-out values.
Issue ID 481835: If a management channel modify request is sent through Nitro and a data interface is added in the member interface list, then the request succeeds and makes management channel inconsistent.
Issue ID 482603: This issue occurs under the following conditions:
1. A VLAN is present on XenServer on management interfaces (normally ETH0 and ETH1 on most platforms).
2. A management channel created from the Management Service is present on SDX.
3. A VPX is using this management channel.
If the management channel is then deleted from the Management Service, the VPX might still show the VLAN on its management interfaces after the deletion.
Issue ID 482122: When an LACP channel is created, the interface MAC address is altered, and the new MAC address persists even after the unbind operation.
Issue ID 483430: Set operation on a channel may lead to channel MAC address becoming zero on a VPX running on an SDX appliance.
Networking
Issue ID 414407, 485512: The default speed for an LACP channel is set to NONE instead of AUTO.
Issue ID 477507: If you have configured active FTP with the random source port option enabled for an FTP virtual server, the NetScaler ADC might not handle data connections properly for this FTP server and might become unresponsive.
SSL
Issue ID 474417, 474413: The version displayed in syslog is SSLv2.0 even though the session is negotiated using TLSv1.2.
Issue ID 414388, 345883, 349858, 428257, 428259: In rare cases, if the random number generated for the DH key exchange has a leading zero, DH negotiation fails because of a hardware limitation.
System
Issue ID 481442: When different TCP profiles are bound to a virtual server and to the services that are bound to that virtual server, and one of the profiles has window scaling as ENABLED and the other has it as DISABLED, NetScaler sometimes considers that window scaling is ENABLED. The expectation in such a case is that NetScaler considers window scaling as DISABLED.
Issue ID 478895: The "show ns runningConfig" command may produce partial output if invoked while another "show ns runningConfig" command, from the same or other admin session is in progress.
Issue ID 452240: The Monupload process monitors the power supply and sends a "show techsupport" bundle as soon as a power failure is observed. This behavior is now modified to upload the bundle only if the power supply does not recover within 1 minute.
AAA-TM
Issue ID 332831: The rule (expression) in a AAA-TM policy can be from one to 1434 characters in length. If you enter a longer rule, AAA-TM displays an "invalid rule" error.
AppFlow
Issue ID 327439: AppFlow records generated by the NetScaler appliance cannot be seen on SPLUNK.
Issue ID 396892: The AppFlow exporter might not export the correct information. Therefore, the client IP address shown on the NetScaler Insight Center dashboard might be incorrect.
Application Firewall
Issue ID 372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.
Workaround: Use the Adobe PDF browser plugin.
Issue ID 430014: During an upgrade of a NetScaler appliance from version 10.0 to version 10.1 (build 121.1 or subsequent), the default JSON content type is not automatically configured. The default JSON content type is configured when version 10.1 (build 121.1) is installed on new hardware or in a new VPX instance. To check whether your appliance or instance has the correct default setting, log onto the NetScaler command line and type the following command:
show appfw JSONContentType
If the default content type is configured, the command output is similar to the following example:
> show appfw JSONContentType
1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
Done
If it is not, the screen shows only the following:
> show appfw JSONContentType
Done
To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:
add appfw JSONContentType ^application/json$ -isRegex REGEX
show appfw JSONContentType
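The post-upgrade check described for Issue ID 430014 can be run over captured "show appfw JSONContentType" output from many appliances. The following Python is an added example, not Citrix code; the function names are assumptions, the first two samples are the outputs shown above, and the third sample is constructed.

```python
import re

DEFAULT_VALUE = "^application/json$"

# Remediation and verification commands exactly as given in the release note.
REMEDIATION = [
    "add appfw JSONContentType ^application/json$ -isRegex REGEX",
    "show appfw JSONContentType",
]

# Matches entry lines such as:
#   1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
ENTRY_RE = re.compile(
    r'^\s*\d+\)\s+JSONContenttypevalue:\s*"(?P<value>.*)"\s+IsRegex:\s*(?P<is_regex>\S+)\s*$',
    re.IGNORECASE,
)

# Output when the default content type is configured (from the release note).
CONFIGURED = '''> show appfw JSONContentType
1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
Done
'''

# Output when nothing is configured (from the release note).
NOT_CONFIGURED = '''> show appfw JSONContentType
Done
'''

# Constructed sample: a custom entry exists but the default one is missing.
CUSTOM_ONLY = '''> show appfw JSONContentType
1) JSONContenttypevalue: "^application/x-example-json$" IsRegex: REGEX
Done
'''


def parse_json_content_types(output):
    """Return [(value, is_regex), ...] from one captured command output."""
    lines = [line.strip() for line in output.splitlines()]
    if "Done" not in lines:
        # Without the trailing "Done" an empty list would be ambiguous:
        # nothing configured, or a capture that was cut short.
        raise ValueError("capture has no 'Done' line; output is incomplete")
    entries = []
    for line in lines:
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("value"), match.group("is_regex").upper()))
    return entries


def default_configured(output):
    """True if the default JSON content type is present as a regex entry."""
    return (DEFAULT_VALUE, "REGEX") in parse_json_content_types(output)


def remediation_commands(output):
    """Commands to type on the appliance, or an empty list if none are needed."""
    return [] if default_configured(output) else list(REMEDIATION)


if __name__ == "__main__":
    for name, sample in [("configured", CONFIGURED),
                         ("not configured", NOT_CONFIGURED),
                         ("custom only", CUSTOM_ONLY)]:
        print(name, "->", remediation_commands(sample) or "no action needed")
```
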
Issue ID 283780: When you enable the sessionless URL closure feature, you must also enable the URL closure feature. If you do not enable URL closure, the sessionless URL closure feature does not work.
Issue ID 399596: When you update the application firewall signatures from the NetScaler command line, you must update the default signatures first, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.
For example, if you had two sets of custom signatures, named "custom_signatures" and "custom_signatures_2", that were based on copies of the default signatures file, you would update the signatures on your NetScaler ADC by issuing the following commands:
> update appfw signatures "*Default Signatures"
> update appfw signatures "custom_signatures"
> update appfw signatures "custom_signatures_2"
Issue ID 423150: The application firewall PCI-DSS report does not contain information on the "SQLInjectionCheckSQLWildChars" parameter.
Issue ID 427798: A NetScaler ADC that has the application firewall feature enabled might reset the connection after a protected web server issues an HTTP 204 response.
Issue ID 443673: Signature Bindings Not Shown in PCI-DSS Report
The Application Firewall PCI-DSS report does not display signature bindings. The Profile Settings section of the report shows bound signatures as "not set".
Issue ID 451014: On a NetScaler ADC that has the application firewall enabled and the HTML SQL injection feature configured to block, when the ADC detects an SQL violation on a page with a web form, a second violation might be generated for the Form Action URL. This is expected behavior. To avoid unexpected blocks, when you configure a relaxation for a web form, be sure to include a relaxation for the Form Action URL as well.
Issue ID 464641: If the application firewall receives a multipart POST request with a Content-Type header that contains a charset, it blocks that request as malformed.
Issue ID 466329: If the application firewall blocks a request because of a limiting policy, such as a maximum upload size limit on a web form, the blocking action is not logged. If a custom redirect page has been configured for that web page, the application firewall does not display it.
Issue ID 472476, 418036: When a user attempts to upload a file to a server that is protected by the application firewall, the file upload fails. The underlying cause is that the application firewall included an invalid character in the MIME boundary when encoding the file.
Issue ID 364134: In the configuration utility, when you perform the Show Bindings operation, globally bound auditing syslog policies do not appear under Application Firewall. This issue occurs only in a cluster setup.
Workaround: Display the bindings in the command line interface, by using the "show system global" command.
Issue ID 489691: If a user request triggers an application firewall policy that is bound to the APPFW_BYPASS profile, the application firewall might fail to generate an SNMP alarm.
Content Switching
CloudBridge Connector
Issue ID 440781: When the state of a cloudbridge connector tunnel is DOWN, there is a delay in displaying the related log messages (from the /tmp/iked.debug file) on the Create CloudBridge Connector page of the configuration utility.
Configuration Utility
Issue ID 388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
Issue ID 414807: The Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, displays an error if more than one service group is bound to the virtual server that is used for load balancing the XenApp/XenDesktop servers, or if more than one service is bound to the service group.
Issue ID 353015: Load balancing virtual servers that are used by AppExpert applications are displayed in nodes other than the AppExpert node. For example, they are displayed in the Available Virtual Servers list in the "Create Persistency Group" dialog box (Load Balancing > Persistency Groups > Add) and in the list that appears when you click the "Name" button in the "Create Content Switching Action" dialog box (Content Switching > Actions > Add).
Issue ID 278002, 273176, 389874: If you use the configuration utility to enable or disable an extended ACL or ACL6, the utility does not warn you that the change does not take effect until you apply ACLs.
Issue ID 469755: If you open the NetScaler ADC configuration utility on multiple browser tabs, and if you disable a feature on one of the tabs, the other tabs are not automatically refreshed.
Workaround: Manually refresh the tabs.
Issue ID 374437: If, when using the configuration utility to configure the NetScaler appliance, you press "Alt+Tab" to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press "Alt+Tab" a second time.
Issue ID 375277, 322602, 334465, 396405, 412455, 419503, 438382, 438534, 438796, 441853, 446387, 448361: If a NetScaler connection from a client is closed without the client logging out, the session created for that connection remains active until the configured timeout period elapses. If this happens frequently, after about the 20th occurrence the user might get a "Connection limit to CFE exceeded" error message.
Issue ID 459703: In a high availability setup, if you run the "add ssl certkey" command on the primary node, and if the certificate and key files are not present on the secondary node, the command fails on the secondary node. However, an error message is not displayed in the configuration utility.
Issue ID 490130: When you use the configuration utility to create a FIPS key, the FIPS wizard fails to respond.
Issue ID 389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Issue ID 483226: The key filename property of Import FIPS key (Configuration > Traffic Management > SSL > FIPS > FIPS keys >Action > Import > Key Filename) fails if you provide an incomplete filepath, folder1/folder2/rsa.key, where folder1 and folder2 are the folders within the nsconfig/ssl path.
Workaround: Provide the complete file path nsconfig/ssl/folder1/folder2/rsa.key, or provide only the file name, rsa.key.
Issue ID 414422: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
Issue ID 456428: The IP Bindings tab on the Create VLAN and Configure VLAN pages does not display IP addresses that are in the same subnet as the management IP (NSIP) address.
Issue ID 470941: You cannot use the configuration utility to add signatures to an existing application firewall policy.
Workaround: Use the command line interface.
Content Switching/Load Balancing
Issue ID 399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.
DNS
Issue ID 458244: If DNS caching is enabled and the NetScaler ADC receives a query that is not cached, it forwards the query to the name server. It sends the response from the server to the client and also caches the records in the Answer, Authority, and Additional sections of the DNS response. The response from the server can have the AA bit set or unset.
- If the AA bit is set and a query is received for a record that was cached and a part of the Authority or Additional section, the ADC responds to the query from its cache with the AA bit unset and TTL decremented.
- If a subsequent query is received for a record that is cached and was part of the Answer section, the ADC responds to the query from its cache with the AA bit set and the original TTL.
Issue ID 458313: When the NetScaler is configured as a DNS proxy and receives a DNSSEC query with the Checking Disabled (CD) bit set, it does not pass the bit unchanged to the back-end server. Instead, it turns the bit off. This affects deployments in which the NetScaler load balances DNSSEC-aware resolvers: the resolver checks the DNSSEC signatures even if the client set the CD bit to request that it not do so.
Documentation
Issue ID 407185: Live migration of a NetScaler virtual machine running on a Linux-KVM host is not supported.
High Availability
Issue ID 471294: When upgrading HA nodes that have Web Interface on NetScaler (WIonNS) to build 126.x, the updates made in the Webinterface.conf file are over-written by the previous version of the file. This is due to the rolling upgrade of HA nodes or due to the file sync operation between HA nodes.
To avoid this issue, use the following steps when upgrading the HA nodes:
1. Before upgrading, run the command: "set ns param -internaluserlogin DISABLED"
2. Upgrade the secondary HA node to NetScaler 10.1 Build 126.x release.
3. Force failover to make the upgraded node the primary node.
4. Upgrade the other HA node to NetScaler 10.1 Build 126.x release.
5. Restore the previously disabled "internaluserlogin" parameter to enabled using the command: "set ns param -internaluserlogin ENABLED".
6. Save the configurations.
Note: Before upgrading, sync files between the HA nodes by using the CLI command: "sync ha files all".
Integrated Caching
Issue ID 440107, 440389: When a selector-based content group has been configured, the NetScaler ADC can fail when a policy associated with this content group is matched and the response status is "404 Not Found".
Load Balancing
Issue ID 455133: If the FQDN is not resolvable, you might notice high CPU utilization on the NetScaler ADC.
Issue ID 441776: The NetScaler ADC might fail or become unresponsive if the FTP virtual server name exceeds 32 characters and L2Conn is enabled on the virtual server.
Issue ID 460040: A Storefront service on a NetScaler ADC is not marked as DOWN even though all the storefront services bound to the StoreFront server are manually brought down.
Issue ID 464952: If a DNS autoscale service group is bound to a virtual server, the "show lb vserver" command output displays one extra service bound to the virtual server.
Issue ID 277862: With a NetScaler Web 2.0 Push configuration in streaming mode, if the length of the response from the server is in the range of 10^n - 2^4n bytes, where n=1, 2, 3, and so on (for example, 1-15, 100-255, and 1000-4095 bytes), the push virtual server adds a byte to the response that it sends to the client. As a result, after the first response, subsequent updates sent on the same connection are lost.
NetScaler Gateway
Issue ID 392389: When users log on with the NetScaler Gateway Plug-in, when WiFi roaming occurs, intermittent ICMP requests time out and users cannot access network resources.
Issue ID 393357: If a pre-authentication scan is configured on NetScaler and users launch the NetScaler Gateway plug-in when a browser is already open, users are intermittently redirected to an "Internal error" page.
Issue ID 411152: When you use the Set Up NetScaler for XenApp/XenDesktop wizard in NetScaler, apply optimization settings, and bind the cache policy globally, when users log on with the NetScaler Gateway Plug-in and open Citrix Receiver, the applications and desktops do not appear. The following message appears: There are no apps or desktops assigned to you at this time. Citrix recommends disabling the optimization settings.
Issue ID 411851: If you configure a NetScaler Gateway virtual server, enable ICA proxy and enable the Use Source IP (USIP) mode globally, when users connect and use StoreFront to open an application, NetScaler Gateway uses the client IP address as the source IP address when contacting the STA server and the application fails to open. If you disable USIP mode, the same behavior occurs unless you restart the NetScaler Gateway appliance. To avoid the issue, you need to configure a service on NetScaler for the STA server and disable USIP on that service.
Issue ID 400171: If you configure Group Extraction, you cannot bind an LDAP authentication policy to the virtual server. However, if an LDAP authentication policy was bound to the virtual server before configuring Group Extraction, you can enable authentication on the virtual server.
Issue ID 400050: The NetScaler Gateway Plug-in for Java does not compress network traffic even when compression is configured on the NetScaler Gateway.
Issue ID 397625: To configure two-factor authentication with SAML authentication, you must configure the secondary authentication policy in the primary cascade.
Issue ID 399405: Java Plug-in: An intranet application fails to connect if the AG VIP is running on a non-default port.
Issue ID 398693: Installing and uninstalling the NetScaler Gateway Plug-in can take a long time. This is due to multiple entries of the Citrix Virtual Adapter in the registry.
Issue ID 346729: If you apply the Citrix Receiver theme to the NetScaler Gateway logon page, the layout appears garbled on computers running Windows XP Service Pack 3 with Internet Explorer 7 browsers.
Issue ID 368229: The running configuration does not include group extraction policies bound to the NetScaler Gateway virtual server.
Issue ID 376303, 394800: If you configure an intranet IP address, when users log on by using clientless access and then open SharePoint 2007, when they try to open a folder with Windows Explorer, a blank page appears.
Issue ID 385318: If you have configured a proxy server and you configure NetScaler Gateway to route traffic through the proxy server, when users log off from a clientless access session, a 403 error occurs.
Issue ID 384998: If you configure NetScaler Gateway as a high availability pair and if there is a failover from the primary to the secondary appliance, the ICA connection to published apps that are already open on the user device is reestablished. If users attempt to open more applications from the Web Interface, the applications fail to open and users receive an error message.
Issue ID 373991: On an nCore appliance, when users attempt to access the subnet IP address through the VPN tunnel over HTTP, a 401 Access Denied error message appears. Connecting to the subnet IP address works if users make the attempt by using HTTPS.
Issue ID 374890: If you configure the appliance with NetScaler Gateway and Application Firewall, logon attempts by unauthorized users appear in the logs. When an authorized user logs on and then attempts to access a network resource to which users are explicitly denied, the access attempt does not appear in the logs and users receive a 403 error.
NetScaler Insight Center
Issue ID 385821: When an ICA session is initiated by launching XenDesktop, the user name is displayed along with the domain name "(user-id@domain-name)".
Issue ID 409634: All the metrics except bandwidth and hits display the average values.
Issue ID 414214: On the HDX Insight reports, a Y-axis value of 0 is sometimes shown at a location higher than the x axis.
Issue ID 424673: Upgrading NetScaler Insight Center on a VMware ESX server from build 118.7 or 119.7 to build 120.13 or later is not supported. However, upgrading from build 120.13 to later builds is supported.
Workaround: To upgrade to build 120.13 or later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
Issue ID 414160: The following error message appears when NetScaler Insight Center installed on VMware ESX is powered on or off:
The VMware Tools power-on script did not run successfully in this virtual machine. If you have configured a custom power-on script in this virtual machine, make sure that it contains no errors. You can also submit a support request to report this issue.
Issue ID 446120: In some instances, the bar line on a graph appears outside the time points on the x-axis.
Issue ID 394526: In the Dashboard > Web Insight > Applications page, the values shown when you select "Response Time" from the drop-down list can be incorrect.
Issue ID 397236: On the Dashboard > HDX Insight > Users page, the report for user sessions displays incorrect values. The left pane displays the average values for the entire session, but the right pane displays the values for the period selected from the drop-down list.
Issue ID 368967: In a graph that displays a very low number of data points, the time value displayed on the x-axis includes milliseconds. The value displayed for milliseconds has no significance.
Issue ID 399626: In transparent mode, after you initiate a session and launch an application through Citrix Receiver (Enterprise edition) from a Windows 8 client, the session terminates and resumes when you launch subsequent applications. Consequently, HDX Insight reports include session termination records.
Issue ID 386911: When launching n instances of an application, the NetScaler appliance sends n-1 termination records for the application. Consequently, the HDX Insight node displays only a single instance of this application as active.
Issue ID 379876, 424686, 437964: The time values on the graphs display overlapping values, mostly in the 5-minute-interval view.
Issue ID 486792: If you enable AppFlow for ICA traffic on a NetScaler ADC, and if there is a large number of sessions, the ADC might fail because of an internal memory re-use and dependency issue.
Issue ID 475981: A NetScaler ADC fails when it receives ICA traffic from metro receiver client.
Issue ID 504990: The NetScaler ADC fails if AppFlow is enabled and it receives an ICA command whose length is more than 2048 bytes.
NetScaler SDX Appliance
Issue ID 369650, 442942, 468381: Configuring an Enforced VLAN by providing a VLAN number in the VLAN ID field is not supported on an SDX Rome 1G port.
Workaround: Use the Allowed VLAN feature which has the same functionality as Enforced VLAN.
Issue ID 434687: If you use the Management Service to bind a new interface to an LACP channel or unbind an existing interface, all the member interfaces of the LACP channel are reset. This forces an HA failover.
Issue ID 384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
NetScaler VPX Appliance
Issue ID 405164: On a NetScaler VPX instance running on a Linux-KVM platform, dynamic routing protocols OSPF and ISIS fail to run on the platform's MacVTap interfaces.
Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).
Issue ID 405383, 360482: A NetScaler VPX instance might fail to restart on a Linux-KVM virtualization platform using processors that do not support the constant_tsc CPU feature.
Networking
Issue ID 383958, 411806: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
Issue ID 399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
Issue ID 318684: In an HA configuration in INC mode where both the nodes run the OSPF routing protocol, the secondary node drops all the L3 traffic that has the destination that was advertised by the secondary node.
Issue ID 371613: In a high availability configuration with the network firewall mode set to BASIC on the current secondary node, synchronization of configuration files from the primary to secondary node fails, regardless of whether you run the "sync HA files" command from the NetScaler command line or by using the Start HA files synchronization dialog box in the configuration utility.
Workaround: Add the following extended ACL on each node of the HA configuration:
> add acl <aclname> -srcIP <NSIP of the peer node> -protocol TCP -destport 22
For example, for an HA configuration in which the primary node's NSIP address is 198.51.100.9 and the secondary node's NSIP address is 198.51.100.27, you would run the following commands:
On the primary node:
> add acl ACL-example -srcIP 198.51.100.27 -protocol TCP -destport 22
On the secondary node:
> add acl ACL-example -srcIP 198.51.100.9 -protocol TCP -destport 22
Platform
- Intel CPU Vtt Power (Volts)
- Voltage Sensor2 (Volts)
- Temperature 0 (Celsius)
- Temperature 1 (Celsius)
This change affects the following platforms:
- MPX 11500/13500/14500/16500/18500/20500
- MPX 17550/19550/20550/21550
- MPX 8200/8400/8600
- MPX 5550/5650/5750
Policies
Issue ID 422967: If a wildcard virtual server (** IP address and port values) that accepts both IPv4 and IPv6 packets uses a listen policy of CLIENT.IP.PROTOCOL.EQ(ICMP) to capture ICMP traffic, it also captures IPv6 packets in which the second byte of the source IPv6 address has a value of 01.
Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.
!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
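An added example, not part of the Citrix release notes: a Python model of why the unguarded listen policy in Issue ID 422967 can match IPv6 traffic, and why the workaround expression does not. It assumes the protocol check reads the byte at the IPv4 Protocol offset without first checking the IP version, which is consistent with the symptom described but is not stated on this page; all function names and sample packets are constructed.

```python
import ipaddress
import struct

ICMP = 1                 # IANA protocol number for ICMP (IPv4)
IPV4_PROTO_OFFSET = 9    # byte 9 of an IPv4 header is the Protocol field
# In an IPv6 header the source address occupies bytes 8..23, so byte 9 is
# the second byte of the source address.


def ipv4_header(src, dst, proto):
    """Minimal 20-byte IPv4 header (checksum left at 0; constructed sample)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ipv6_header(src, dst, next_header):
    """Fixed 40-byte IPv6 header (constructed sample)."""
    return struct.pack(
        "!IHBB16s16s",
        6 << 28, 0, next_header, 64,
        ipaddress.IPv6Address(src).packed,
        ipaddress.IPv6Address(dst).packed,
    )


def naive_is_icmp(pkt):
    """Assumed model of CLIENT.IP.PROTOCOL.EQ(ICMP) with no version check."""
    return pkt[IPV4_PROTO_OFFSET] == ICMP


def guarded_is_icmp(pkt):
    """Model of !CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)."""
    is_ipv6 = (pkt[0] >> 4) == 6
    return (not is_ipv6) and pkt[IPV4_PROTO_OFFSET] == ICMP


# Constructed sample packets (documentation and link-local address ranges).
SAMPLES = {
    "ipv4-icmp": ipv4_header("198.51.100.9", "198.51.100.27", 1),
    "ipv4-tcp": ipv4_header("198.51.100.9", "198.51.100.27", 6),
    "ipv6-tcp-2001": ipv6_header("2001:db8::10", "2001:db8::20", 6),
    "ipv6-tcp-fe80": ipv6_header("fe80::10", "fe80::20", 6),
}


def evaluate(samples=SAMPLES):
    """Return {name: (naive_match, guarded_match)} for each sample header."""
    return {n: (naive_is_icmp(p), guarded_is_icmp(p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, guarded) in evaluate().items():
        print(f"{name:15} naive={naive!s:5} guarded={guarded}")
```

Every source address in 2001::/16, which includes the 2001:db8::/32 documentation range used here, has 0x01 as its second byte, so under this model the unguarded policy would match TCP traffic from such sources as if it were ICMP.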
Issue ID 390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
Workaround: Use the CLI to define classic SSL policies.
Note: Citrix encourages the use of default syntax policies rather than classic policies.
Issue ID 425465: After changing the time zone on a NetScaler appliance, you must restart the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
Reporting
Issue ID 368982: After you import a custom data source, the charts for the counters under "System entities statistics" are inaccurate, because of issues in the third party charting engine.
SDX
Issue ID 432899, 435206: If you create channels on SDX and use these channels in VPXs and then take a backup of the appliance to restore either the complete appliance or selected instances, then channels are not restored and instances may fail.
SSL
Issue ID 455821: An SSL chip is disabled at the third reinitialization attempt. That is, the maximum reinitialization limit is 2. Earlier, this limit was 5.
Issue ID 402423: In a cluster setup, if you include the "cipherdetails" option in the "show ssl service" or "show ssl vserver" command, an incorrect message appears. This is only a display issue.
For example,
> sh ssl service svc1 -cipherDetails
ERROR: No such resource [serviceName, svc1]
Issue ID 343395: On a NetScaler MPX or SDX appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
System
Issue ID 377618, 341460, 351127, 364015: When the management CPU is running at close to 100% of capacity, the aggregator might not be able to process some of the statistics requests from clients, such as requests from the configuration utility, the CLI, and SNMP. If the aggregator fails to respond within the timeout period, the client returns the following error:
Invalid response from the aggregator [Device not Configured]
Issue ID 449234, 457629: In deployments with large configurations (in the order of 2 MB), when the load on the management CPU is high, the execution of the "show ns runningConfig" command can take a large amount of time.
Workaround: If you're executing the command manually, then there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, then modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.
Web Interface
Issue ID 397150: On a NetScaler ADC, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
XML API
Issue ID 363145: The following APIs are not available in version 10.1 or later:
- bindservicegroup_state2
- unsetnslimitidentifier_selectorname. Use unsetnslimitidentifier_selector instead.
Release version: Citrix NetScaler, version 10.1 build 127.10
Replaces build: None
Release date: June 2014
Release Notes version: 1.0
Language supported: English (US)
The NetScaler ADC now supports AlwaysOn Availability group deployment in database specific load balancing for MSSQL 2012.
For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-5-map/ns-dbproxy-db-specific-lb-for-mssql-2012-tsk.html.
A user can delete such channels (made out of data interfaces and used for VPX management) from SVM which will leave the VPX in unmanageable state.
> update appfw signatures "*Default Signatures"
> update appfw signatures "custom_signatures"
> update appfw signatures "custom_signatures_2"
Workaround: Use the Adobe PDF browser plugin.
show appfw JSONContentType
If the default content type is configured, the command output is similar to the following example:
> show appfw JSONContentType
1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
Done
If it is not, the screen shows only the following:
> show appfw JSONContentType
Done
To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:
add appfw JSONContentType ^application/json$ -isRegex REGEX
show appfw JSONContentType
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
Workaround: Provide the complete file path nsconfig/ssl/folder1/folder2/rsa.key, or provide only the file name, rsa.key.
Workaround: Use the mouse to click the OK button instead of pressing the ENTER key on the keyboard.
Workaround: Manually refresh the tabs.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
Workaround: Use the Allowed VLAN feature which has the same functionality as Enforced VLAN.
Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.
!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
Workaround: Use the CLI to define classic SSL policies.
Invalid response from the aggregator [Device not Configured]
Workaround: If you're executing the command manually, then there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, then modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
Release version: Citrix NetScaler, version 10.1 build 126.12
Replaces build: None
Release date: May 2014
Release Notes version: 1.0
Language supported: English (US)
At the command prompt, type:
add dbProfile <name> -conMultiplex DISABLED -enableCachingConMuxOFF ENABLED
or
set dbProfile <name> -enableCachingConMuxOFF ENABLED
In the configuration utility, select "Enable caching when connection multiplexing OFF".
The LCD has a neon backlight. Normally, the backlight glows steadily. When there is an active alert, it blinks rapidly. When the appliance shuts down, the backlight remains on for one minute and then automatically turns off.
Note: The LCD screen on a NetScaler SDX appliance displays the base model number for that platform. To view the licensed model number of the appliance, log on to the Management Service and check the licensed model number on the top left corner of the screen. For example, if you have purchased an SDX 11515 license, the LCD screen displays SDX 11500, and the Management Service screen displays NetScaler SDX (11515).
On some SDX platforms, the LCD backlight might not work. Therefore, the display might not be clear.
sysctl netscaler.ns_vpx_halt_method=2
Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
sysctl netscaler.ns_vpx_halt_method=2
Workaround: Use the Adobe PDF browser plugin.
show appfw JSONContentType
If the default content type is configured, the command output is similar to the following example:
> show appfw JSONContentType
1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
Done
If it is not, the screen shows only the following:
> show appfw JSONContentType
Done
To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line, and then type the following commands to configure the default content type and verify the configuration:
add appfw JSONContentType ^application/json$ -isRegex REGEX
show appfw JSONContentType
Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml.
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Workaround: Do not apply the optimization settings.
Workaround: To upgrade to build 120.13 or later build, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
Workaround: Restart the appliance by running the following command on the command line interface:
#/etc/rc.d/analyticsd restart
Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.
Workaround: Copy and paste the expression from a Notepad.
--- The applications stop functioning, but are visible on the browser.
--- The Citrix Receiver displays a dialog box, with a message stating that the connection is disconnected.
--- When you click OK on the dialog box, the applications are not displayed anymore.
--- If you launch any fresh applications without re-login, all the previously launched applications will resume with the previous status.
"Object does not support this property or method."
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP.
!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)
Workaround: Use the command line to enable SIM. For more information, see http://support.citrix.com/proddocs/topic/netscaler-traffic-management-10-1-map/ns-tmg-fips-configure-fips-ha-tsk.html.
/nsconfig/ns.conf
/nsconfig/Zebos.conf
/nsconfig/rc.netscaler
/nsconfig/snmpd.conf
/var/log/wicmd.log
/nsconfig/nsbefore.sh
/nsconfig/nsafter.sh
Workaround: If you're executing the command manually, then there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, then modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.
Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).
sysctl netscaler.ns_vpx_halt_method=2
Perform a warm reboot for the above change to take effect. To have the new setting automatically applied every time the virtual appliance starts, add the following command to the /nsconfig/nsbefore.sh file:
sysctl netscaler.ns_vpx_halt_method=2
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
Release version: Citrix NetScaler, version 10.1 build 125.9
Replaces build: 125.8
Release date: April 2014
Release notes version: 5.0
Language supported: English (US)
set ssl parameter -cryptodevDisableLimit
A chip is marked disabled after the third failed reinitialization attempt.
ERROR: The backup vserver of the target vserver is not compatible with the CS vserver.
Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:
Workaround: Display the bindings in the command line interface, by using the show system global command.
Workaround: Use the Adobe PDF browser plugin.
update appfw signatures "*Default Signatures"
update appfw signatures "custom_signatures"
update appfw signatures "custom_signatures_2"
show appfw JSONContentType
> show appfw JSONContentType
1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
Done
> show appfw JSONContentType
Done
add appfw JSONContentType ^application/json$ -isRegex REGEX
show appfw JSONContentType
Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml.
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.
Issue ID 0409057: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.
Workaround: Do not apply the optimization settings.
#/etc/rc.d/analyticsd restart
Workaround: Refresh the screen. If AppFlow is enabled, the check box in the Insight column is selected.
Workaround: Copy and paste the expression from a Notepad.
Object does not support this property or method.
Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
sysctl netscaler.ns_vpx_halt_method=2
sysctl netscaler.ns_vpx_halt_method=2
Workaround: Enable promiscuous mode on these MacVTap interfaces, using either the Linux-KVM graphical interface (Virt-Manager) or the Linux-KVM command line interface (virsh).
Workaround: First use an expression that filters the IPv4 traffic, and then use an expression that reads the protocol value from the filtered IPv4 packets and checks for a protocol value of ICMP. ‘!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)’
Invalid response from the aggregator [Device not Configured]
Workaround: If you're executing the command manually, then there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, then modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
Use unsetnslimitidentifier_selector instead.
Release version: Citrix NetScaler, version 10.1 build 124.13
Replaces build: None
Release date: February 2014
Release notes version: 5.0
Language supported: English (US)
For more information, see Citrix NetScaler MPX 11515, MPX 11520, MPX 11530, MPX 11540, and MPX 11542.
For more information, see Citrix NetScaler SDX 11515, SDX 11520, SDX 11530, SDX 11540, and SDX 11542.
Workaround: Create a Rewrite action and policy to strip off the "%00" string, and bind it to global. If you configure the gotoPriorityExpr for the policy to NEXT, and bind the policy with a priority of 1, it will run first, strip the null string from the end of all redirect URLs, and then continue policy evaluation with the next policy. This configuration should work without creating any problems with your existing policy evaluation flow.
To create the necessary action and policy, and bind them to global, from the NetScaler command line you can type the following commands:
add rewrite action act_stripFinalNull DELETE "HTTP.RES.HEADER(\"Location\").VALUE(\"%00\")"
add rewrite policy pol_stripFinalNull "HTTP.RES.IS_VALID" act_stripFinalNull norewrite
bind rewrite global pol_stripFinalNull 1 NEXT
Workaround: Add the following expression to the policy that invokes the application firewall:
"HTTP.REQ.URL.REGEX_MATCH(re#.mp4$#).NOT"
For example, to exempt URLs that contain the string ".mp4" from the policy pol_media.example.com, which calls the profile prfl_media.example.com, you would type the following command:
add appfw policy pol_media.example.com "HTTP.REQ.URL.REGEX_MATCH(re#.mp4$#).NOT" prfl_media.example.com
Issue ID 0405303: A large ns.conf file can make the configuration utility slow to respond. The large file also slows processing of the following commands:
Issue IDs 0441162 and 0439300: A pluggable authentication request causes the handshake to fail. A NetScaler ADC does not support pluggable authentication requests.
Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:
On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.
Workaround: Log on to the NetScaler instance and execute the following command on the interface that is shown as Error-disabled: enable interface <interface_id> (for example, enable interface 1/1)
To work around this issue, you must remove the namespace prefixes definition, as described in this URL:
Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:
Workaround: The bindings are visible in the command line interface by using the show system global command.
Workaround: Use the Adobe PDF browser plugin.
show appfw JSONContentType
If your NetScaler appliance has the default content type set, you should see the following response or something similar to it:
> show appfw JSONContentType
1) JSONContenttypevalue: "^application/json$" IsRegex: REGEX
Done
If it does not, you will see the following response:
> show appfw JSONContentType
Done
To add the default content type to the configuration, after upgrading to 10.1 (121.1), log onto the NetScaler command line and issue the following commands to configure the default content type, and then verify the configuration:
add appfw JSONContentType ^application/json$ -isRegex REGEX
show appfw JSONContentType
Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.
Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.
Issue ID 0409057: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.
Workaround: Do not apply the optimization settings.
#/etc/rc.d/analyticsd restart
Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.
Workaround: Copy and paste the expression from a notepad.
Object does not support this property or method.
Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
sysctl netscaler.ns_vpx_halt_method=2
sysctl netscaler.ns_vpx_halt_method=2
Workaround: First use an expression that filters the IPv4 traffic and then use an expression that reads the protocol value from the filtered IPv4 packets and checks if the protocol value matches ICMP.
'!CLIENT.IP.SRC.IS_IPV6 && CLIENT.IP.PROTOCOL.EQ(ICMP)'
Workaround: If you're executing the command manually, then there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and if the script has a timeout, then modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
Use unsetnslimitidentifier_selector instead.
Release version: Citrix NetScaler, version 10.1 build 123.11
Replaces build: 123.9
Release date: March 2014
Release notes version: 7.0
Language supported: English (US)
For more information, see Citrix NetScaler MPX 8005, MPX 8015, MPX 8200, MPX 8400, MPX 8600, and MPX 8800 and Citrix NetScaler SDX 8015, SDX 8400, and SDX 8600.
For more information, see "Citrix NetScaler Data Sheet" and Citrix NetScaler MPX 5550 and MPX 5650.
For more information, see LCD Display.
The host Linux operating system must be installed on suitable hardware by using virtualization tools such as KVM Module and QEMU. The number of virtual machines (VMs) that can be deployed on the hypervisor depends on the application requirement and the chosen hardware. After you provision a NetScaler virtual appliance, you can add additional interfaces.
For more information, see Installing NetScaler Virtual Appliances on Linux-KVM Platform.
In such conditions, when NetScaler received a query for the same domain, it replied with a partial response. Going forward, NetScaler does not cache partial responses, and in such conditions the queries are directed to the back-end server.
Workaround: Remove the namespace prefixes definition, as described in this URL:
Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:
Workaround: Use the Adobe PDF browser plugin.
Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.
Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.
Workaround: Do not apply the optimization settings.
Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:
- On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
- The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.
#/etc/rc.d/analyticsd restart
Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.
Workaround: Copy and paste the expression from a notepad.
Object does not support this property or method.
Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
Workaround: Log on to the NetScaler instance and execute the following command on the interface that is shown as Error-disabled: enable interface <interface_id> (for example, enable interface 1/1).
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
sysctl netscaler.ns_vpx_halt_method=2
Workaround: Use the CLI to define classic SSL policies.
Workaround: If you are executing the command manually, there is no workaround. However, if you are using a script to fetch the output of the "show ns runningConfig" command, and the script has a timeout, modify the script to increase the timeout to 500 seconds. The command could be executed within that time period.
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
Release version: Citrix NetScaler, version 10.1 build 122.17
Replaces build: 122.11
Release date: November 2013
Release notes version: 5.0
Language supported: English (US)
ENH ID 0427155: NetScaler MPX appliances now support Cisco QSFP+ cables (part number L45593-D178-C30).
For more information, see Ports.
ENH ID 0439509: The NetScaler VPX virtual appliance now supports XenServer version 6.2 only on a non-SDX appliance. On the NetScaler SDX appliance, only the XenServer versions available for download on www.citrix.com under NetScaler downloads are supported. XenServer 6.1.1 is the latest supported version on the NetScaler SDX appliance.
ENH ID 0353415: The SDX 22040/22060/22080/22100/22120 platform now supports NetScaler release 10.1 build 122.x.
For more information, see Citrix NetScaler SDX 22040, SDX 22060, SDX 22080, SDX 22100, and SDX 22120.
ENH ID 0353415: NetScaler SDX platform supports a Redundant Array of Independent Disks (RAID) controller, which can support up to eight physical disks.
For more information, see RAID.
ENH ID 0413839: Management Service now supports assigning interfaces explicitly for high availability and service along with the management for BlueCat DNS/DHCP Server virtual machines.
ENH ID 0418196: The top-right corner of the page now displays a percentile icon, which you can click to display percentile values and the highest and lowest values for a selected metric.
ENH ID 0392016: HDX Insight reports now include details about session reconnects, client-side retransmissions, and server-side retransmissions.
ENH ID 0398322: HDX Insight now provides a report about active sessions, grouped by server IP and gateway IP address.
ENH ID 0423207: You can now select which columns to show in the tables in the NetScaler Insight Center graphical user interface (GUI), and you can rearrange the columns. Each user can make his or her changes persistent across his or her sessions.
Issue ID 0430591: A Nitro call used by NetScaler Insight Center to fetch the license information from a NetScaler appliance affects the performance of the appliance.
Issue IDs 0391317 and 0423289: On a NetScaler appliance with both the application firewall and integrated caching enabled, a memory leak might occur.
Issue ID 0422639: On a NetScaler appliance with the application firewall enabled, web forms submitted with URL-encoded double-byte character (Chinese, Japanese, or Korean) inputs might generate a Form Field consistency check violation. The reason is that the application firewall counts bytes instead of characters when validating web form input, causing some double-byte input to exceed the form field maxlength attribute.
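The byte-versus-character mismatch described in this issue can be reproduced with a short script. This is an added example, not Citrix code: the form definition, field names, and submitted values are constructed, and the two counters only model the behavior the issue describes.

```python
from urllib.parse import quote, unquote_to_bytes

# Constructed form definition: field name -> maxlength attribute of the HTML form.
SAMPLE_MAXLENGTHS = {"name": 4, "city": 10}


def percent_decode(raw: str) -> bytes:
    """Decode one application/x-www-form-urlencoded token to raw bytes."""
    return unquote_to_bytes(raw.replace("+", " "))


def length_in_bytes(raw: str, charset: str) -> int:
    """Byte count of the decoded value: the counting the issue describes."""
    return len(percent_decode(raw))


def length_in_chars(raw: str, charset: str) -> int:
    """Character count after decoding in the form's charset (what maxlength limits)."""
    return len(percent_decode(raw).decode(charset))


def maxlength_violations(body, maxlengths, counter, charset):
    """Return the names of fields whose value exceeds maxlength under `counter`."""
    violations = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        field = percent_decode(name).decode(charset)
        limit = maxlengths.get(field)
        if limit is not None and counter(raw, charset) > limit:
            violations.append(field)
    return violations


def sample_body(name_value: str, charset: str) -> str:
    """Build a constructed request body as a browser would submit it in `charset`."""
    return "name=" + quote(name_value.encode(charset)) + "&city=Tokyo"


if __name__ == "__main__":
    # Four characters, so the value fits maxlength=4, but it is 8 bytes in
    # Shift_JIS (double-byte) and 12 bytes in UTF-8.
    for charset in ("shift_jis", "utf-8"):
        body = sample_body("東京太郎", charset)
        print(charset, body)
        print("  counted as bytes:",
              maxlength_violations(body, SAMPLE_MAXLENGTHS, length_in_bytes, charset))
        print("  counted as chars:",
              maxlength_violations(body, SAMPLE_MAXLENGTHS, length_in_chars, charset))
```

Running the same bodies through both counters shows which Form Field consistency violations in a log are false positives from multi-byte input and which are genuinely over-long values.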
Issue IDs 0422919 and 0423289: On a NetScaler appliance with the application firewall enabled and configured, if a protected web site contains a multipart web form, a memory leak causes a small amount of memory to be consumed and not released each time the application firewall processes the web form. Repeated processing of requests and responses can gradually consume available memory.
Issue ID 0420596: After a user logs on to a NetScaler appliance through the CLI, the set cli mode -disabledFeatureAction NONE command is automatically executed, and the following error message appears:
ERROR: Not authorized to execute this command.
Issue ID 0426594: The NetScaler configuration utility is not compatible with JRE version 7.45.
Issue ID 0429652: If a SureConnect policy is bound to a virtual server and you upgrade the NetScaler appliance to version 10.1, build 120.13, the policy is not displayed when you navigate to and, under > <virtual server name>.
Issue ID 0430094: When you navigate to Utilities, click TraceRoute and Run, the utility uses the default value for Packet Length (44) and displays the error message:
Packet length must be greater than 47.
Issue ID 0431045: When you use the configuration utility to add a new NetScaler IP address or subnet mask, the qwerty keyboard does not allow you to enter a value greater than 249 for the last octet.
Issue ID 0394856: If a content switching virtual server with a large number of existing connections is removed, flushing all the PCBs takes time. If any traffic destined for the virtual server is received during this time, the appliance fails.
Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes.
Issue IDs 0420089 and 0425486: The synchronization of files in an HA setup stops working after the nsinternal user is disabled.
Issue ID 0417274: The NetScaler appliance fails while processing ICA traffic if you have disabled AppFlow logging on the VPN virtual server (set vpn vserver -appflowlog disable).
Issue IDs 0393613 and 0427971: If the first octet of the IP address of a service has a value of 6 (6.x.x.x), and the service is bound to a virtual server that is configured for persistence, the NetScaler appliance fails when it tries to direct a request to that service.
Issue IDs 0399446 and 0416718: In some cases, if you configure a domain-based IPv6 service on the NetScaler appliance, the appliance might become unresponsive.
Issue ID 0417630: In a high availability setup, after you upgrade the secondary node and make it the new primary, the process of file synchronization from the new secondary (old primary) node with the new primary node overwrites some of the updated data on the new primary. Specifically, the new monitoring scripts delivered as part of the upgrade on the new primary node are overwritten. As a result, the monitoring scripts might fail.
Issue ID 0424780: The stat servicegroup command incorrectly displays the svrttfb (server-time-to-first-byte) value as zero.
Issue ID 0426421: On a NetScaler SDX with AAA and SAML enabled and configured, occasionally the NetScaler appliance crashes and generates a core dump during SAML authentication.
Issue ID 0431206: On a NetScaler appliance with AAA enabled and configured, a user whose account is bound to over 100 groups might be unable to execute NetScaler commands at the command line despite having the appropriate permissions to do so. To work around this issue, do not bind a single user account to more than 99 groups.
Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.
Issue ID 0414851: The format of the APPFW CSRF TAG syslog message is not in the expected format. As a result, Command Center displays incorrect values, under AppFirewall Recent Logs, in some fields for this type of AppFirewall syslog message.
Issue ID 0424588: If a NetScaler instance is created with a Management VLAN using the 0/1 or 0/2 interface, the guest VMs fail to start after provisioning, because the guest VMs use the VLAN networks instead of physical network while assigning the interface.
Issue ID 0420630: The SNMP responses are not as specified by the RFC 4001.
Issue ID 0416941: After unbinding a netprofile from a NetScaler Gateway virtual server, the netprofile cannot be removed from the NetScaler appliance.
Issue ID 0410624: When a filter policy is globally bound to a NetScaler, application firewall or compression or authorization policies that are bound to a content switching virtual server are not saved in the running configuration. However, these bindings are displayed when you run the show cs vserver command.
Issue ID 0429232: After upgrading to NetScaler 10.1, policies that were globally bound to the NetScaler are also being bound at a virtual server level.
Issue ID 0418252: On a NetScaler appliance with Rewrite enabled and configured, a newly-created Rewrite policy that is bound to a content-switching virtual server might not be saved either in the running configuration or in the saved configuration.
Issue IDs 0413733, 0413871, and 0421055: SNMPD fails to respond if it receives a packet with a NULL community string.
Issue IDs 0406948 and 0429211: The NetScaler appliance sometimes fails when a TCP connection is closed from a SPDY client while some streams are still active.
Issue IDs 0417793, 0421214, 0421329, and 0423099: The NetScaler appliance stops sending TCP DUP ACKs when it receives out of order packets. This might result in latency between the client and the appliance, or the appliance and the server, with reduced throughput for some traffic patterns.
Issue ID 0419553: When the NetScaler appliance receives invalid Selective Acknowledgment (SACK) blocks from the client, it attempts to send old data that has already been cleared. As a result, the appliance stops responding.
Issue ID 0420781: The NetScaler appliance does not forward the complete request to the server if the request requires more than one packet. As a result, the transaction fails.
Issue ID 0430176: The NetScaler appliance intermittently resets TCP connections that originate from the NetScaler FreeBSD shell and are destined for NetScaler-owned IP addresses (for example, a SNIP or VIP address). The resets affect applications such as LDAP.
Issue ID 0423905: If a malformed packet is received from a client, the NetScaler appliance closes the connection and releases the resources used for that connection to the common pool. In some cases, some of these resources are not cleaned before returning to the pool and a bad resource might be reused for a future request. In such cases, the SSL handshake for that future request fails.
Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:
Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.
Workaround: Use the Adobe PDF browser plugin.
Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing & Virtual Servers pane.
Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.
Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.
Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.
Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.
Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.
Workaround: Do not apply the optimization settings.
Issue ID 0414422: When using the wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.
Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.
Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.
Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.
Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.
Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:
- On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
- The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.
Issue ID 0416573: On the secondary node of a high availability (HA) configuration, if the HA propagation and HA synchronization options are disabled and Stay secondary is enabled, you cannot disable the Stay secondary option after upgrading the node.
Workaround: Open the /etc/syslog.conf file and change the line "*.err;kern.debug;auth.notice;mail.crit /dev/console" to "kern.err;kern.debug;auth.notice;mail.crit /dev/console".
Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.
#/etc/rc.d/analyticsd restart
Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.
Workaround: Copy and paste the expression from a notepad.
Object does not support this property or method.
Workaround: Restart the NetScaler Insight Center appliance.
Workaround: To upgrade to 120.13 or later builds, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).
Workaround: After using the Management Service to create a channel, restart the SDX appliance.
Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
Issue ID 0396252: If you specify secure-only access on a NetScaler instance, single sign-on to that instance from the Management Service user interface is not successful.
Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
Issue ID 0423068: The Management Service allows deleting a channel that is part of an NSVLAN on any NetScaler instance. If you delete such a channel, the NetScaler instance is not reachable over the management network.
Issue ID 0424630: If you create an LACP channel with more than 8 member interfaces, or a static channel with more than 16 member interfaces, the following error message appears: "Channel Interface String Length: 185 is greater than maximum allowed length:128".
Issue ID 0430121: The Management Service intermittently dumps a stat core when BlueCat VMs are provisioned on the SDX appliance.
Issue ID 0430449: Even after you configure a short message service (SMS) server, you do not receive an SMS message when an alert is generated.
Issue ID 0431243: If a management channel exists on a NetScaler instance, you cannot trace the route of a packet from the Management Service to a NetScaler instance.
Issue ID 0431463: If you apply a license after modifying the SVM host name, the license application might fail.
Workaround: Reboot the Management Service after changing the host name, and then try applying the license again.
Issue ID 0433054: Deletion of a management channel from the Management Service might not always succeed.
Workaround: Try deleting the management channel again from Management Service.
sysctl netscaler.ns_vpx_halt_method=2
Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:
- Release 10.1 starting build 112.15 or later
- Release 10 build 74 or later
- Release 9.3 build 62.4 or later
- Release 9.3.e build 59.5003.e or later
Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
Issue ID 0425465: After changing the time zone on a NetScaler appliance, you must reboot the appliance so that policies referencing the LOCAL system use the new time zone instead of the old one. Otherwise, policies that should match do not, and policies that should not match do.
Issue ID 0368982: After you import a custom data source, the charts for the counters under the System entities statistics are inaccurate, because of issues in the third party charting engine.
Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
Issue ID 0382647: The stat system -detail command does not display the number of CPUs.
Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.
Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.
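One way to apply this workaround before the upgrade, as an added example rather than a Citrix-supplied tool: the script removes the time parameter only from set snmp alarm lines for the three named alarms and leaves every other line untouched. It assumes the parameter appears as -time <seconds>; the sample ns.conf lines are constructed, not taken from a real appliance.

```python
import re
import shutil
import sys

# The three alarms named in Issue ID 0388481.
DEPRECATED_TIME_ALARMS = {"IP-CONFLICT", "HA-LICENSE-MISMATCH", "HA-PROP-FAILURE"}

ALARM_LINE = re.compile(r"^\s*set\s+snmp\s+alarm\s+(\S+)", re.IGNORECASE)
# Assumption: the parameter is written as "-time <value>". The trailing \s+
# keeps longer parameter names that merely start with "-time" from matching.
TIME_ARG = re.compile(r"\s+-time\s+\S+", re.IGNORECASE)

# Constructed sample configuration (values are illustrative only).
SAMPLE_NS_CONF = """\
add lb vserver v1 HTTP 192.0.2.10 80
set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -time 0
set snmp alarm IP-CONFLICT -time 86400
set snmp alarm HA-LICENSE-MISMATCH -time 86400 -severity Major
set snmp alarm HA-PROP-FAILURE -logging ENABLED -time 86400
"""


def strip_time_parameter(conf_text):
    """Return (cleaned_text, changed_line_numbers) for an ns.conf body."""
    out, changed = [], []
    for lineno, line in enumerate(conf_text.splitlines(keepends=True), start=1):
        match = ALARM_LINE.match(line)
        if match and match.group(1).upper() in DEPRECATED_TIME_ALARMS:
            cleaned = TIME_ARG.sub("", line)
            if cleaned != line:
                changed.append(lineno)
                line = cleaned
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Rewrite the given file in place, keeping a .bak copy of the original.
        path = sys.argv[1]
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        cleaned, changed = strip_time_parameter(original)
        if changed:
            shutil.copy2(path, path + ".bak")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(cleaned)
        print("lines changed:", changed)
    else:
        # No file given: show the effect on the constructed sample.
        cleaned, changed = strip_time_parameter(SAMPLE_NS_CONF)
        print(cleaned, end="")
        print("lines changed:", changed)
```

Run it against a copy of ns.conf first and diff the result against the original before placing it on the appliance.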
Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
Release version: Citrix NetScaler, version 10.1 build 121.10
Replaces build: None
Release date: October 2013
Release notes version: 4.0
Language supported: English (US)
ENH ID 0311561: NetScaler release 10.1 build 121.x is supported on the MPX 22040/22060/22080/22100/22120 platform.
For more information, see Citrix NetScaler MPX 22040, MPX 22060, MPX 22080, MPX 22100, and MPX 22120.
Because of its smaller key size, Elliptic Curve Cryptography (ECC) is especially useful in a mobile (wireless) environment and in an interactive voice response environment, where every millisecond is important. Smaller key sizes result in power, memory, bandwidth, and computational cost savings.
The following ECC curves are supported:
By default all four curves are bound to an SSL virtual server.
ENH ID 0361257: The AAA-TM Kerberos functionality now supports single sign-on (SSO) with all supported authentication mechanisms. The CAC (Smart Card) and SAML SSO mechanisms are supported in all cases, regardless of the authentication method that the client uses to log onto the NetScaler appliance. The HTTP-Basic, HTTP-Digest, Forms-based, and NTLM (versions 1 and 2) SSO mechanisms are also supported if the client uses either HTTP-Basic or Forms-Based authentication to log onto the NetScaler appliance.
You can configure Kerberos SSO to work in one of two ways: by impersonation or by delegation. To configure Kerberos SSO by impersonation, you must have the user's password or client certificate. To configure impersonation using a client certificate, the user must also have a properly-configured version of the Citrix Receiver installed on his or her personal computer. To configure Kerberos SSO by delegation, you must have the delegated user's credentials in one of the following formats: the user's password, the keytab configuration that includes an encrypted password, or the client cert and the matching CA certificate.
To configure Kerberos SSO, first configure your NetScaler appliance to manage traffic to the web application servers that users will access through SSO. Next, configure AAA-TM for your preferred authentication method. Verify that the NetScaler appliance can communicate with your LDAP Active Directory (AD) server and your Kerberos server.
What you do next depends on whether you want to configure Kerberos SSO by Impersonation or by Delegation. Follow the instructions in the appropriate section below.
To configure Kerberos SSO by Impersonation, enable integrated authentication on each web application server. After you have done this, create and configure the NetScaler KCD account that will impersonate users.
To create the KCD account for SSO by impersonation with a password
add aaa kcdaccount <accountname> -realmStr <realm>
add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM
To create the KCD account for SSO by impersonation with a client certificate
add aaa kcdAccount <accountname> -cacert <cacert>
add aaa kcdAccount kcdaccount1 -cacert <path to certificate>
After you configure the NetScaler account on AD, enable integrated authentication on each web application server. Finally, create and configure the NetScaler KCD account that will serve as the delegated user.
To create the KCD account for SSO by delegation with a password
add aaa kcdaccount <accountname> -delegatedUser root -kcdPassword <password> -realmStr <realm>
Example (UPN format):
add aaa kcdaccount kcdaccount1 -delegatedUser root -kcdPassword password1 -realmStr EXAMPLE.COM
add aaa kcdAccount kcdaccount1 -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -kcdPassword password1
To create the KCD account for SSO by delegation with a keytab file
First, on the AD server, use the ktpass utility to create the appropriate keytab file. Next, use the file transfer utility of your choice to copy the keytab file from the AD server to the NetScaler appliance, and put it in /nsconfig/krb under the filename kcdvserver.keytab.
add aaa kcdaccount <accountname> -keytab <keytab>
add aaa kcdaccount kcdaccount1 -keytab kcdvserver.keytab
Finally, verify that the new KCD account has the proper keytab file and virtual server principal associated with it:
sh kcdAccount <accountname>
To create the KCD account for SSO by delegation with a client cert
add aaa kcdaccount <accountname> -realmStr <realm> -delegatedUser <spnuser> -usercert <cert> -cacert <cacert>
add aaa kcdaccount kcdaccount1 -realmStr EXAMPLE.COM -delegatedUser "host/kcdvserver.example.com" -usercert /certs/usercert -cacert /cacerts/cacert
Granular Data | Time to purge
7 seconds data | 6 min
5 minutes data | 65 minutes
Hourly data | 25 hours
Daily data | 8 days
Weekly data | 5 weeks
Issue ID 0418200: On a NetScaler appliance that has AAA configured with SSL certificate set to "optional" and at least one authentication policy, when Android users attempt to authenticate, the Android Receiver client generates the following error: "invalid server certificate". This error is caused by improper cookie handling by the Android Receiver client.
Issue ID 0416714: When the NetScaler appliance sends large amounts of input data to the application firewall at once, the appliance can hang or crash. The appliance has now been programmed to send input data in batches limited to sizes that do not cause hangs or crashes to occur.
Issue ID 0379234: The show ns runningConfig command displays the current time instead of the time at which the configuration was last modified.
Issue IDs 0361970, 0387024, 0397473, and 0400307: When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.
Issue ID 0409605: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, the compression feature is not enabled on the appliance and for the service groups.
Issue ID 0413087: When using the wizard, if you configure XenDesktop and later edit the Xen Farm settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices is not modified. Therefore, published resources of both XenApp and XenDesktop are displayed when accessing the Web Interface site through Receivers.
Issue ID 0414361: When you click the Edit link to update the configurations specified in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed when you try to apply the optimization settings.
Issue ID 0414760: When editing the Xen Farm settings in the wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.
Issue ID 0414807: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:
Issue ID 0420349: Unable to access ICA connections through the graphical user interface.
Issue ID 0408374: If a configuration has a large number of GSLB services and add location file command is used to add the location database, then not all the services may be assigned a location from the database.
Issue ID 0421837: When GSLB vserver is configured with RTT or Static Proximity as load balancing method or SOURCEIPHASH as the persistence type, the NetScaler appliance might restart because of invalid memory access.
Issue IDs 0357841 and 0408502: In a high availability configuration, for a connection to an FTP virtual server with the stateful connection failover option enabled, if the FTP control connection is closed before the passive mode FTP data connection is opened, the secondary node may become unresponsive.
Issue ID 0409055: If you run a custom health monitoring script that does not require an argument, the NetScaler appliance sends an incorrect timeout to the script. As a result, the script continues to run for longer than expected. After some time, the maximum limit for the number of scripts allowed on the appliance is reached and new scripts cannot be run.
Issue ID 0417101 (MPX 9500): Oracle database monitor fills the console window with DONE and DEEP_FLD_LEN messages.
Issue ID 0410711: When diameter traffic hits a diameter load balancing virtual server which has persistency enabled, and that single packet contains multiple full requests and a partial request, the NetScaler fails to recognize the partial request and therefore sends the partial request to the server. This results in an invalid packet being sent to the server and the NetScaler sends 5XXX code to the client.
Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.
Issue ID 0401793: MPTCP does not support IPv6 addresses.
Issue ID 0409426: The NetScaler appliance does not acknowledge the subflow FIN when it comes with the MPTCP DATA_FIN.
Issue ID 0412833: While using MPTCP, the NetScaler cannot adequately handle overlapping data sequence maps.
Issue ID 0414182: The NetScaler appliance must not send MPTCP control signals such as DATA_FIN or FAST_CLOSE when the NetScaler has already sent a subflow FIN.
Issue ID 0419184: While using MPTCP, the NetScaler appliance crashes when trying to free an already freed TCP session.
Issue ID 0413123: When you display the running configuration of a NetScaler instance in the Service Management interface, the double quotation marks (") are replaced with HTML code (&quot;).
Issue ID 0404849: The NetScaler appliance might restart if it receives a duplicate IPv6 fragment within a very short time after receiving the original fragment.
Issue IDs 0413733, 0413871, and 0421055: SNMPD fails to respond if it receives a packet with a NULL community string.
Issue ID 0408393: If an entity is added as part of an interactive process on the command line for SSL certificates and the operation is aborted midway with CTRL+C, carrying out the same operation again causes the NetScaler command line to crash.
Issue IDs 0216272 and 0358540: In a high availability setup, after a forced failover, the sync operation fails to sync the -establishClientConnection parameter setting.
Issue IDs 0375425, 0399769, 0401111, 0408648, 0413721, and 0414273: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
Issue ID 0401526: On a NetScaler appliance, an invalid HTTP range request results in a large amount of memory usage and the following error appears: "ERROR: Communication error with the packet engine."
Issue ID 0405532: TCP buffering is bypassed because the calculated 'usable system memory' is less than the configured threshold value.
Issue ID 0411613: The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.
Issue ID 0412681: If changes are made in the nsconfig/resolv.conf file, the appliance fails to override the default DNS configurations.
Issue ID 0415623: If you specify an invalid IPv4 address in a command that can accept either IPv4 or IPv6 address, the NetScaler shell exits automatically due to memory corruption.
Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:
Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.
Workaround: Use the Adobe PDF browser plugin.
Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
Issue ID 0361793: The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.
Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.
Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml.
Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.
Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.
Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.
Workaround: Do not apply the optimization settings.
Issue ID 0414422: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.
Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.
Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.
Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.
Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.
Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes. See http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-changes-gui-10-1-con.html, for information about the new node structure.
Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:
- On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
- The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.
Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.
Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.
Issue ID 0400819: MPTCP does not support FTP data connections.
Issue ID 0400861: Virtual servers to which a listen policy is bound accept connections from the first subflow only.
Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.
Workaround: Refresh the screen. If appflow is enabled, the check box in the Insight column is selected.
Workaround: Copy and paste the expression from a notepad.
Object does not support this property or method.
Workaround: Restart the NetScaler Insight Center appliance.
Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).
Workaround: After using the Management Service to create a channel, restart the SDX appliance.
Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.
Issue ID 0424588: If a NetScaler instance is created with a Management VLAN using the 0/1 or 0/2 interface, the guest VMs fail to start post provisioning, because the guest VMs use the VLAN networks instead of physical network while assigning the interface.
Remove the NetScaler instances whose management ports are in tagged VLAN.
Log on to the XenServer shell prompt and remove all the VLAN networks.
Create the guest VM instances first, and then create the NetScaler instances.
sysctl netscaler.ns_vpx_halt_method=2
Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
Issue ID 0381000: On some NetScaler appliances, the following four sensor readings are no longer available. The stat system -detail command displays a value of 0.
This change affects the following platforms:
Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:
- Release 10.1 starting build 112.15 or later
- Release 10 build 74 or later
- Release 9.3 build 62.4 or later
- Release 9.3.e build 59.5003.e or later
Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
Issue ID 0368982: After you import a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.
Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
Issue ID 0382647: The stat system -detail command does not display the number of CPUs.
Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.
Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.
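The workaround above can be applied mechanically to a copy of ns.conf before the upgrade. The following is an added example, not part of the original release notes or any Citrix tooling; it assumes the parameter appears in the file as -time followed by a value, and the sample configuration lines are constructed.

```python
import re

# The three alarms for which the release notes say the time parameter is deprecated.
DEPRECATED_TIME_ALARMS = {"IP-CONFLICT", "HA-LICENSE-MISMATCH", "HA-PROP-FAILURE"}

# Matches "set snmp alarm <name>" at the start of a config line.
_SET_ALARM = re.compile(r"^\s*set\s+snmp\s+alarm\s+(\S+)", re.IGNORECASE)
# Assumption: the time parameter is written as "-time <value>".
_TIME_ARG = re.compile(r"\s+-time\s+\S+", re.IGNORECASE)


def strip_deprecated_time(conf_text):
    """Return (cleaned_text, changed_alarms).

    Only 'set snmp alarm' lines for the three affected alarms are touched;
    every other line, including other alarms that use -time, is kept as is.
    """
    cleaned, changed = [], []
    for line in conf_text.splitlines():
        match = _SET_ALARM.match(line)
        if match:
            alarm = match.group(1).upper()
            if alarm in DEPRECATED_TIME_ALARMS and _TIME_ARG.search(line):
                line = _TIME_ARG.sub("", line)
                changed.append(alarm)
        cleaned.append(line)
    return "\n".join(cleaned) + "\n", changed


# Constructed sample of pre-upgrade configuration lines (not from a real appliance).
SAMPLE_NS_CONF = """\
set snmp alarm IP-CONFLICT -time 0
set snmp alarm HA-LICENSE-MISMATCH -time 86400 -severity Major
set snmp alarm HA-PROP-FAILURE -severity Critical
set snmp alarm CPU-USAGE -thresholdValue 95 -normalValue 35 -time 0
add lb vserver v1 HTTP 192.0.2.10 80
"""

if __name__ == "__main__":
    new_text, touched = strip_deprecated_time(SAMPLE_NS_CONF)
    print("alarms rewritten:", ", ".join(touched) or "none")
    print(new_text, end="")
```

Run it against a copy of the file and review the rewritten lines before replacing the original.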
Issue IDs 0417793, 0421214, 0421329, and 0423099: The NetScaler appliance stops sending TCP DUP ACKs when it receives out of order packets. This might result in latency between the client and the appliance, or the appliance and the server, with reduced throughput for some traffic patterns.
Issue ID 0397150: On a NetScaler appliance, if WIHome is configured to point to an IPv6 load balancing virtual server that points to the IPv6 StoreFront services, a user trying to log on receives a 500 Internal Server Error message.
Workaround: Remove the IPv6 load balancing virtual server configuration and configure WIHome to point directly to the StoreFront server URL.
Issue ID 0363145: The following APIs are not available in version 10.1 or later: bindservicegroup_state2 and unsetnslimitidentifier_selectorname. Instead, use unsetnslimitidentifier_selector.
Release version: Citrix NetScaler, version 10.1 build 120.13
Replaces build: None
Release date: September 2013
Release notes version: 8.0
Language supported: English (US)
ENH ID 0346763: Link Redundancy by using LACP channels enables the NetScaler appliance to logically create sub channels from a LACP channel, where one of the sub channels is active and the remaining sub channels stay in standby mode. If the active sub channel fails or does not meet a minimum threshold throughput, one of the standby sub channels takes over and becomes active.
The NetScaler appliance forms a sub channel from links that are part of the LACP channel and are connected to a particular device. For example, for a LACP channel with four interfaces on a NetScaler appliance, where two of the interfaces are connected to device A and the other two interfaces are connected to device B, the NetScaler appliance logically creates two sub channels: one sub channel with two links to device A, and the other sub channel with the remaining two links to device B.
The lrMinThroughput parameter is introduced for configuring link redundancy for a LACP channel. This parameter specifies the minimum throughput threshold to be met by the active sub channel of a LACP channel. When the throughput of the active sub channel falls below the lrMinThroughput value, link failover occurs and one of the standby sub channels becomes active.
For example, set channel la/1 -lrMinThroughput 2000
Link redundancy for a LACP channel is disabled, which is also the default setting, when you set the lrMinThroughput parameter of the LACP channel to zero or when you unset this parameter.
For example, set channel la/1 -throughput 2000 -lrMinThroughput 2000
HA failover does not occur if any of the sub channels meets the lrMinThroughput parameter value even when the total throughput of the LACP channel does not meet the throughput parameter value.
HA failover occurs only when all the sub channels of the LACP channel fail to meet the lrMinThroughput parameter value and the total throughput of the LACP channel does not meet the throughput parameter value.
ENH ID 0318404: The NetScaler DNS64 feature responds with a synthesized DNS AAAA record to an IPv6 client sending an AAAA request for an IPv4-only domain. The DNS64 feature is used with the NAT64 feature to enable seamless communication between IPv6-only clients and IPv4-only servers. DNS64 enables discovery of the IPv4 domain by the IPv6-only clients, and NAT64 enables communication between the clients and servers.
For synthesizing an AAAA record, the NetScaler appliance fetches a DNS A record from a DNS server. The DNS64 prefix is a 96-bit IPv6 prefix configured on the NetScaler appliance. The NetScaler appliance synthesizes the AAAA record by concatenating the DNS64 prefix (96 bits) and the IPv4 address (32 bits).
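The synthesis described above, as an added example that is not NetScaler code and not part of the original release notes. It shows the 96-bit prefix plus 32-bit address concatenation, the reverse extraction a NAT64 device performs, and the rule that only an IPv4-only name gets a synthesized answer. The prefixes are assumptions: 64:ff9b::/96 is the RFC 6052 well-known prefix, 2001:db8:64::/96 is a documentation-range stand-in, and all record values are constructed.

```python
import ipaddress

# Assumption: the release notes do not name a prefix; this is the RFC 6052
# well-known DNS64/NAT64 prefix.
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def load_prefix(prefix):
    """Parse a DNS64 prefix and insist on the 96-bit length described above."""
    net = ipaddress.IPv6Network(prefix, strict=True)  # rejects stray host bits
    if net.prefixlen != 96:
        raise ValueError(f"DNS64 prefix must be /96, got /{net.prefixlen}")
    return net


def synthesize_aaaa(prefix, ipv4):
    """Concatenate the 96-bit prefix with the 32-bit IPv4 address."""
    net = load_prefix(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    # The low 32 bits of a /96 network address are zero, so OR is concatenation.
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def embedded_ipv4(prefix, ipv6):
    """Recover the IPv4 address from a synthesized AAAA, or None if the
    address is outside the prefix (a native IPv6 destination)."""
    net = load_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def answer_aaaa_query(prefix, aaaa_records, a_records):
    """Model of the answer to an AAAA query.

    Native AAAA records are returned unchanged; only an IPv4-only name
    (no AAAA, at least one A) gets synthesized records.
    Returns (addresses, synthesized_flag).
    """
    if aaaa_records:
        return [ipaddress.IPv6Address(r) for r in aaaa_records], False
    return [synthesize_aaaa(prefix, r) for r in a_records], True


if __name__ == "__main__":
    # Constructed lookups: an IPv4-only name and a dual-stack name.
    answers, synthesized = answer_aaaa_query(WELL_KNOWN_PREFIX, [], ["192.0.2.33"])
    print("IPv4-only name ->", [str(a) for a in answers], "synthesized:", synthesized)
    answers, synthesized = answer_aaaa_query(
        WELL_KNOWN_PREFIX, ["2001:db8::10"], ["192.0.2.34"])
    print("dual-stack name ->", [str(a) for a in answers], "synthesized:", synthesized)
    print("NAT64 target:", embedded_ipv4(WELL_KNOWN_PREFIX, "64:ff9b::c000:221"))
```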
ENH ID 0345912: The NetScaler now provides a wizard that simplifies the task of setting up a NetScaler appliance for a XenApp/XenDesktop deployment. For more information, see Setting Up NetScaler for XenApp/XenDesktop.
ENH ID 0413542: The first-time setup wizard now has separate subnet mask fields for the NetScaler IP (NSIP) and subnet IP (SNIP) addresses.
ENH ID 0346988: When you upgrade a NetScaler VPX instance on an SDX appliance, a new window, Upgrade Progress, shows the status of the upgrade operation, including any error messages. This feature is also available for SecureMatrixGSB and Websense Protector virtual machines.
ENH ID 0401113: The SDX SVM now allows you to configure 8 channels on a VPX instance.
Issue ID 0401000: When AAA is configured by authentication profile on a NetScaler appliance that has content switching enabled, users can use the Microsoft Internet Explorer or Mozilla Firefox browsers to log on, but might not be permitted to access all resources that they should be able to access. Users who log on using the Google Chrome browser do not experience this problem. The underlying cause was that authentication level is checked only once per connection rather than at each request.
Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.
Issue ID 0361970: When a NetScaler session expires, a session expiry message appears in the graphical user interface, and the user has to manually enter the IP address or the domain name of the NetScaler appliance in the address bar to log back on.
Issue ID 0401451: The NetScaler appliance, configured to function as a DNS forwarder or DNS resolver, might become unresponsive whenever it receives a truncated UDP DNS response from a name server.
Issue ID 0390545 (nCore): A NetScaler nCore appliance uses multiple CPU cores (Packet Engines) for packet handling. Every session on the appliance is owned by a packet engine (PE). If the appliance receives a request for which a session does not already exist, a session is created, and one of the PEs is designated as the owner of that session. Subsequent requests that belong to that session might not always arrive at and be handled by the owner PE. During the time that the PE gets details about the session from the owner PE, the packet is corrupted.
Issue ID 0398327: You can now bind a StoreFront monitor to a service group. Each member of a service group is now monitored by using the member's IP address.
The -hostname parameter is no longer required and is deprecated.
To determine whether to use HTTP (the default) or HTTPS to send monitor probes, you must now use the -secure parameter. If your current StoreFront monitor configuration uses HTTP, you only have to remove the hostname parameter.
To use HTTPS, set the -secure option to Yes.
add lb monitor storefront_ssl STOREFRONT -storename myStore -storefrontacctservice YES -secure yes
Issue ID 0409028: If you unbind a load balancing (LB) monitor from its service, all the connections to the configured destination IP address (destip) and port (destport) of the LB monitor are closed. In a typical L3 Direct Server Return (DSR) deployment mode, the destip and destport of the LB monitor are actually the IP address and port of the virtual server. Therefore, in a typical L3 DSR deployment, if you unbind an LB monitor from its service, all the existing connections to the virtual server are closed. The same behavior is observed if you delete a service.
Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, if you run the show ns runningConfig command before restarting the appliance, the monitor binding information does not appear.
Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.
Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP are enabled.
Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.
Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.
Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of NetScaler instance Modify NetScaler Wizard.
Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.
Issue ID 0405115: SSL certificate installation on a NetScaler instance from the SDX Management Service fails during validation if the SSL certificate does not have an associated key file.
Issue ID 0405921: The SVM restore operation of NetScaler instances fails because the SVM shuts down the NetScaler instances that are still being provisioned.
Issue ID 0410416: After the SDX appliance restarts, NetScaler VPX instances on the appliance cannot send packets tagged with VLAN IDs through an LACP channel.
Issue ID 0401303: When the conditions specified in an ACL rule include the operator !=, the NetScaler appliance may not properly filter packets based on the ACL rule.
Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.
Issue ID 0404861: If the NetScaler appliance has redundant L2 connectivity with a switch, the NetScaler appliance may mark its link-local IPv6 addresses as duplicate during the DAD (Duplicate address detection) process.
Issue ID 0405190: When IP fragments are received on a load balancing virtual server with client timeout parameter set to zero, the NetScaler appliance might dump core and then restart.
Issue ID 0409202: The NetScaler license is not processed if the configuration file (ns.conf) contains multiple instances of the host name, or if the host name in the ns.conf file is different from the host name in the rc.conf file. With this fix, if the ns.conf file contains multiple host names, only the name set by the set ns hostname command is used. Also, the host name in ns.conf no longer takes precedence over the host name in rc.conf.
Issue ID 0401455: Modifying the content with more than one callout results in incorrect computation of the content length. This issue is not observed if all the callouts use GET requests.
Issue ID 0353546: When you try to add a second name-based SNMP manager, you get an error message that says an SNMP manager with that name already exists.
Issue ID 0391632: The output of the stat commands specified with -fullValues option is aligned incorrectly.
Issue ID 0391754: On a NetScaler MPX system, the SNMP count for the system's hardware memory and the show system memory display are incorrect. The amount of memory shown is larger than the actual amount.
Issue ID 0401111: If TCP buffering or caching is enabled on a NetScaler appliance receiving an ACK packet that has ACK_NO at the left edge of the SACK block, the packet engine enters a loop while processing the packet.
Issue ID 0402677: The NetScaler appliance might fail to respond if an ICMP error occurs when TCP buffering and integrated caching are enabled on the appliance.
Issue ID 0407868: Remote monitoring of a high capacity appliance, such as a NetScaler MPX 22000, might indicate a drop in performance even though performance remains robust. The apparent problem is the result of a pause in the stream of monitoring data, not an actual drop in throughput.
Issue ID 0407974: A session is not freed when port allocation fails. The session is getting matched and the NetScaler fails when it tries to access other linked sessions which are NULL.
Issue ID 0423610: If, from a management computer, you run a command that forms a request size of more than 8000 bytes, the NetScaler ADC might not properly buffer this large request. As a result, the ADC terminates the connection to the management computer.
Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:
Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.
Workaround: Use the Adobe PDF browser plugin.
Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
Issue ID 0361793 (nCore and nCore VPX): The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.
Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.
Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For more information, see http://www.java.com/en/download/faq/win8_faq.xml
Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Issue ID 0403766: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the application firewall policies through the Security settings results in an erroneous condition.
Issue ID 0409057: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, you get a distorted view of the published resources when you apply the application firewall settings in the Security section.
Issue ID 0409605: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, the compression feature is not enabled on the appliance and for the service groups.
Workaround: Enable compression on the appliance by using the enable ns feature CMP command. Also, enable compression for the service groups by using the set servicegroup <name> -CMP on command.
Issue ID 0411152: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, applying the Optimization settings results in the unavailability of applications/desktops on accessing StoreFront through VPN.
Workaround: Do not apply the optimization settings.
Issue ID 0413087: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, if you configure XenDesktop and later edit the Xen Farm settings to have only XenApp, the XenDesktop bound to the Web Interface site of type Xenappservices is not modified. Therefore, published resources of both XenApp and XenDesktop are displayed when accessing the Web Interface site through Receivers.
Issue ID 0414361: When you click the Edit link to update the configurations specified in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, an error is displayed when you try to apply the optimization settings.
Workaround: Edit the XenFarm section (no actual changes required), click Continue and then apply the optimization settings.
Issue ID 0414422: When using the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, Web Interface on NetScaler does not publish XenDesktop applications if the load balancing virtual server is configured to listen on two XenDesktop servers.
Issue ID 0414431: When using the Traffic Management > Load Balancing > Set Up NetScaler for XenApp/XenDesktop wizard for the first time, if you cancel the operation, the configurations that you performed are not cleared and you cannot access the wizard again.
Workaround: Do not cancel the wizard during the first setup. If you want to change some configuration, go through the entire flow, click Done, and then return to the wizard and click the Edit link to update the required configuration.
Issue ID 0414760: When editing the Xen Farm settings in the Traffic Management > Load balancing > Set Up NetScaler for XenApp/XenDesktop wizard, load balancing configuration is lost if you switch from XenApp or XenDesktop to Both or from Both to XenApp or XenDesktop. This issue is observed only when Web Interface on NetScaler is the integration point.
Issue ID 0414807: When using the Traffic Management > Load Balancing > Set up NetScaler for XenApp/XenDesktop wizard, an error is displayed if:
Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.
Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.
Issue ID 0399575: When you configure load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.
Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes. See http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-changes-gui-10-1-con.html, for information about the new node structure.
Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:
- On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
- The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.
Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.
Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.
add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp
Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.
Issue ID 0400819: MPTCP does not support FTP data connections.
Issue ID 0400861: Virtual servers to which a listen policy is bound accept connections from the first subflow only.
Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.
Issue ID 0401793: MPTCP does not support IPv6 addresses.
Workaround: Copy and paste the expression from a notepad.
Object does not support this property or method.
Workaround: Restart the NetScaler Insight Center appliance.
Workaround: To upgrade to build 120.13, perform a fresh installation. To retain your existing configurations, make sure that the IP address of the NetScaler appliance and the IP address of NetScaler Insight Center remain the same.
Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).
Workaround: After using the Management Service to create a channel, restart the SDX appliance.
Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable through the network.
Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.
sysctl netscaler.ns_vpx_halt_method=2
sysctl netscaler.ns_vpx_halt_method=2
Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while using the configuration utility to configure an extended ACL, you set the port parameter to $, no error message appears, but the ACL is not configured.
Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
Issue ID 0410251: With recent versions of the ixgbe driver, the dmesg.boot file and the show interface command report that the FTLX1471D3BCV-I3 LR SFP+ port is unsupported. This issue occurs with the following releases and builds:
Release 10.1 starting build 112.15 or later
Release 10 build 74 or later
Release 9.3 build 62.4 or later
Release 9.3.e build 59.5003.e or later
Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
Workaround: Use the CLI to define classic SSL policies.
Issue ID 0368982: After you import a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.
Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.
Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.
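A pre-upgrade check for the workaround above, as an added example that is not Citrix tooling: it strips the time parameter from set snmp alarm lines for the three named alarms in a copy of ns.conf and reports each change. It assumes the parameter is written as `-time <value>`; the sample configuration and the function names are constructed for illustration.

```python
import re
import sys

# Alarms named in the release note whose time parameter is deprecated in 10.x.
DEPRECATED_TIME_ALARMS = {"IP-CONFLICT", "HA-LICENSE-MISMATCH", "HA-PROP-FAILURE"}

# Assumption: the parameter appears in ns.conf as "-time <value>".
# The trailing \s+ keeps other options that merely start with "-time" intact.
_TIME_ARG = re.compile(r"\s+-time\s+\S+", re.IGNORECASE)
_ALARM_CMD = re.compile(r"^\s*set\s+snmp\s+alarm\s+(\S+)", re.IGNORECASE)

# Constructed sample, not taken from a real appliance.
SAMPLE_NS_CONF = """\
set snmp alarm CPU-USAGE -thresholdValue 80 -normalValue 35 -time 30
set snmp alarm IP-CONFLICT -time 86400
set snmp alarm HA-LICENSE-MISMATCH -time 86400 -severity Major
set snmp alarm HA-PROP-FAILURE -state ENABLED
add snmp trap generic 192.0.2.10
"""


def strip_deprecated_time(conf_text):
    """Return (new_text, changes); changes holds (line_no, before, after)."""
    out, changes = [], []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = _ALARM_CMD.match(line)
        # Only the three alarms from the release note are touched; other
        # alarms keep their time parameter.
        if match and match.group(1).upper() in DEPRECATED_TIME_ALARMS:
            fixed = _TIME_ARG.sub("", line)
            if fixed != line:
                changes.append((line_no, line, fixed))
                line = fixed
        out.append(line)
    trailing = "\n" if conf_text.endswith("\n") else ""
    return "\n".join(out) + trailing, changes


if __name__ == "__main__":
    # With a path argument, review a copy of ns.conf; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_NS_CONF
    _, found = strip_deprecated_time(text)
    for line_no, before, after in found:
        print(f"line {line_no}:\n  - {before}\n  + {after}")
    print(f"{len(found)} line(s) need editing before the upgrade")
```

The script only reports; write the returned text back to ns.conf yourself after reviewing the changes.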
Issue ID 0411613: The NetScaler appliance can crash when there are split ICA frames that span 2 CGP frames with other CGP packets in between.
bindservicegroup_state2
unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.
Release version: Citrix NetScaler, version 10.1 build 119.7
Replaces build: None
Release date: July 2013
Release notes version: 5.0
Language supported: English (US)
ENH ID 0320221: NetScaler appliances now support Multipath TCP (MPTCP). MPTCP is a TCP/IP protocol extension that identifies and uses multiple paths available between hosts to maintain the TCP session. You have to enable MPTCP on a TCP profile and bind it to a virtual server. When MPTCP is enabled, the virtual server functions as an MPTCP gateway and converts MPTCP connections with the clients to TCP connections that it maintains with the servers.
For more information, see TCP Configurations.
ENH ID 0311623: Call Home can now upload your NetScaler appliance's data to the Citrix TaaS server through a proxy server.
For more information, see Configuring Call Home.
ENH ID 0329710: The NetScaler can now export values of custom HTTP headers to the NSWL client. You can configure up to a maximum of two HTTP request header names and two HTTP response header names.
For more information, see Exporting Custom HTTP Headers.
ENH ID 0367021: You can now back up the NetScaler appliance at any time and then use the backup to restore the same appliance to that state.
For more information, see Backing Up and Restoring the NetScaler Appliance.
ENH ID 0236218: When configuring the Safe Commerce (credit card) check, you can now configure the application firewall to check the MIME/type of HTTP responses and skip responses that are not of the appropriate content type for Safe Commerce filtering. You can use this configuration option to prevent false positives.
To enable MIME/type checking, at the NetScaler command line type the following command:
bind appfw profile <name> -inspectResContentType <type>
For <name>, substitute the name of the profile. For <type>, substitute a string that matches the MIME/type. For example, to check for and skip PDF content sent to the library profile, you would type the following:
bind appfw profile library -inspectResContentType "text/PDF"
To disable a MIME/type rule that you have previously enabled, use the unbind command:
unbind appfw profile <name> -inspectResContentType <type>
ENH ID 0395659: AppFlow can now export ICA records from NetScaler appliances that have enterprise licenses. This ensures that HDX insight reports for NetScaler appliances with enterprise licenses are now available on the NetScaler Insight Center.
ENH ID 0403114: An option Recursion Available is added for the load balancing virtual servers of type DNS and DNS TCP to control the RA (Recursion Available) flag in all the DNS responses from these virtual servers.
Issue ID 0387049: When importing a keytab while setting up a KCD account, AAA might fail to extract the SPN from the keytab, causing the import to fail.
Issue ID 0403027: The application firewall includes an extraneous line break in the hidden field that it adds to forms as part of the form field consistency check. This line break is not JavaScript-compliant and can cause issues with JavaScript-enhanced forms.
Issue ID 0401148: The NetScaler cache fails to respond to a request in which an absolute URL does not include a slash (/) after the host name.
Issue ID 0372535: The pagination count on the page listing SSL policies that can be bound does not display the correct values.
Issue ID 0385305: In a GSLB setup, if you perform auto synchronization and the configuration file in your local site contains the add locationFile command, the command is not synchronized to the remote location.
Issue ID 0351870: If you change the load balancing group of a virtual server that has a large number of SSL sessions, the appliance might fail.
Issue ID 0383402: If a virtual server is UP because the service(s) are in Transition Out-Of-Service (TROFS) state, the clients do not respond due to requests being queued at the virtual server rather than at the services. Instead, the client must issue 503 or RST.
Issue ID 0401118: On a NetScaler appliance or VPX that is configured for load balancing in an environment that includes a Microsoft SQL server database, when a client sends a large number of long queries to the MSSQL database, the appliance or VPX might hang or crash.
Issue ID 0402472: If you attempt to create a KCD service account on a NetScaler appliance or virtual appliance that has AAA-TM enabled and integrated caching disabled, a buffer overflow might load the appliance or cause it to fail.
Issue ID 0400409: If you modify a NetScaler instance from the Management Service, binding 1/x and 10/x interfaces to an L2 VLAN fails.
Issue ID 0400607: If you create a static channel, you cannot use the Management Service to remove more than one member interface at a time from the channel.
Issue ID 0366321: The Network Visualizer does not display the bound IP addresses of a configured VLAN.
Issue ID 0402068: With Random source port selection for Active FTP enabled on the NetScaler appliance, when an FTP server initiates a connection from the standard TCP port number 20, the NetScaler appliance uses a random port instead of port 20 for the client side data connection.
Issue ID 0402123: The NetScaler appliance might not send the received IPv6 fragments to the appropriate packet engine for processing, which might result in the NetScaler appliance becoming unresponsive.
Issue ID 0391238: When an HTTP callout is configured with a virtual server that has a wildcard port, the NetScaler appliance fails to respond the first time the callout is triggered.
Issue ID 0400084: An attempt to establish an HTTPS connection to a NetScaler FIPS appliance through a Chrome browser fails, because the browser sends a SPDY-NPN extension by default, and the NetScaler FIPS appliance does not support the NPN extension.
Issue ID 0400649: In the NetScaler configuration utility, the FipsKey parameter does not appear in the Install certificate dialog box. As a result, you cannot add a certificate-key pair on an MPX FIPS appliance by using the configuration utility.
Issue ID 0390257: SNMP returns incorrect values for the ifOutOctets and ifInOctets counters.
Issue ID 0394724: The SNMP module allocates memory for all OIDs in an SNMP request and queues them for further processing. With a large number of SNMP requests (each request with possibly hundreds of OIDs), the result can be a memory shortage that in turn leads to memory allocation failures.
Issue ID 0395735: The NetScaler appliance dumps a core when you create a cluster or a high availability setup on an appliance that has a TFTP load balancing virtual server.
Issue ID 0404094: If the SNMP service has the NSI_NS_SERVICE flag set, and you clear the configuration, the NetScaler appliance crashes.
Issue ID 0388563: The following behavior occurs during a high availability failover on a NetScaler appliance that has active ICA session applications launched:
Issue ID 0303060: Application firewall statistics are not supported for NetScaler classic policies. If you need to see numbers of policy hits and other statistics, you must use NetScaler default syntax policies.
Issue ID 0372768: If you use the default browser PDF plugin to view an application firewall report, embedded links might be inactive.
Workaround: Use the Adobe PDF browser plugin.
Issue ID 0399596: When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files. For example, if you had two sets of custom signatures, named custom_signatures and custom_signatures_2, that were based on copies of the default signature file, you would update the signatures on your NetScaler appliance by issuing the following commands:
Issue ID 0323213: In a cluster setup, globally bound DNS policies are listed multiple times in the Bind/Unbind DNS Policy(s) to Global dialog box.
Issue ID 0361793: (nCore and nCore VPX) The count of the number of load balancing virtual servers, which is shown in the configuration summary, includes the load balancing virtual server that is created during the configuration of EdgeSight Monitoring, even though that load balancing virtual server is not displayed in the Load Balancing > Virtual Servers pane.
Issue ID 0374304: If you access the configuration utility through Internet Explorer 9 or 10 and rename a virtual server, a No such resource error message appears, even if the rename operation is successful.
Workaround: Use the mouse to click the OK button, instead of pressing the ENTER key on the keyboard.
Issue ID 0374437: If, when using the configuration utility to configure the NetScaler appliance, you press Alt+Tab to switch between programs, the current dialog box might disappear, hidden behind the main configuration utility screen. To reach the dialog box, press Alt+Tab a second time.
Issue ID 0388534: If you access the NetScaler configuration utility from the Start screen on a Windows 8 machine, the Java based configuration views are not displayed.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins on the Start screen, and therefore Java cannot run on the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml.
Issue ID 0389328: If you use the Google Chrome browser to access the NetScaler configuration utility, and the monitor resolution is low, you might not be able to use the mouse to scroll the screen.
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Issue ID 0438216: In the NetScaler configuration utility, virtual servers whose names begin with "APP_" or "app_" are not displayed.
Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.
Issue ID 0399575: When configuring load balancing virtual servers in a content switched environment, the service types of primary and backup virtual servers must be the same. If you assign a backup virtual server with a service type of TCP to a load balancing virtual server with a service type of HTTP, any content switching action bound to the load balancing virtual server fails.
Issue ID 0370607: The configuration utility procedures in the NetScaler 10.1 documentation have not been updated to reflect the new top-level nodes. For information about the new node structure, see http://support.citrix.com/proddocs/topic/ns-rn-main-release-10-1-map/ns-rn-changes-gui-10-1-con.html.
Issue ID 0376662: The NetScaler appliance might fail in the following set of circumstances:
On the appliance, you have configured DNSSEC offload and enabled NSEC record generation for a zone.
The appliance receives a DNS NODATA/NXDOMAIN query for that zone, over TCP, and the DNSSEC OK bit in the query is set.
Issue ID 0401451: The NetScaler appliance, configured to function as a DNS forwarder or DNS resolver, might become unresponsive whenever it receives a truncated UDP DNS response from a name server.
Issue ID 0398327: Monitoring of StoreFront servers fails if they are part of a cluster and the StoreFront monitor is bound to the entire service group. The StoreFront monitor probe fails because individual members have different host names.
Workaround: If the StoreFront servers are part of a cluster, Citrix recommends that you add them as individual services instead of as members of a service group.
Issue ID 0369946: If you bind an FTP user monitor to an IPv6 service, the state of the service is shown as DOWN.
Issue ID 0383812: A monitor of type CiTRIX-wi-EXTENDED fails if the script name and site path arguments are not explicitly set.
add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp
Issue ID 0406391: If you bind monitors to services, and then bind a DoS or SureConnect policy to one of these services, save the configuration, and restart the appliance, you lose information about monitors bound to any services created after the service to which you bound the policy was created. Also, the monitor binding information does not appear if you run the show ns runningConfig command before restarting the appliance.
Issue ID 0331338: With USIP enabled, MPTCP requests do not go through.
Issue ID 0399708: Syncookie cannot be disabled on a TCP profile that has MPTCP enabled.
Issue ID 0399938: The NetScaler appliance might not respond when TCP buffering and MPTCP are enabled.
Issue ID 0400819: MPTCP does not support FTP data connections.
Issue ID 0400861: Virtual servers with listenPolicy specified accept connections from the first subflow only.
Issue ID 0400875: Multiple spillover persistence sessions are created for a single MPTCP transaction.
Issue ID 0400888: The NetScaler appliance does not respond when using client IP insertion with MPTCP.
Issue ID 0401105: MPTCP transactions of a TCP profile with Selective ACKnowledgement and window scaling might not respond.
Issue ID 0401793: MPTCP does not support IPv6 addresses.
Workaround: Start the session again.
Workaround: The correct value is displayed in the page.
Object does not support this property or method.
Workaround: Restart the appliance by running the following command on the command line interface:
# /etc/rc.d/analyticsd restart
Issue ID 0370574: After you create a channel on 1/x or 10/x interfaces, the NetScaler instance might show the status of the member interfaces as Error-Disabled (in the command line) or DOWN (in the configuration utility).
Workaround: After creating a channel by using the Management Service, restart the SDX appliance.
Issue ID 0384909: If you disable an interface of an LA channel configured on a NetScaler instance running on a NetScaler SDX appliance, the SDX appliance does not notify the peer device that the interface is disabled. Therefore, the peer device might send traffic to the disabled interface.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
Issue ID 0399057: If, when provisioning a SECUREMATRIX GSB instance, you configure the management IP address on a 1/x or 10/x interface, the instance is not reachable on the network.
Issue ID 0399630: If you use the Management Service to bind a new interface to an LACP channel, the member interfaces of the channel are reset. As a result, the traffic is not evenly distributed among the interfaces in the channel.
Issue ID 0399972: If you use the Management Service to delete a channel on which an L2 VLAN was created, the L2 VLAN setting on the NetScaler instance is not cleared. Therefore, the channel continues to be listed on the VLAN Settings page of the NetScaler instance's Modify wizard.
Workaround: Modify the NetScaler instance and remove the nonexistent channel from the VLAN settings page.
Issue ID 0400502: If, when provisioning or modifying a NetScaler instance, you configure an L2 VLAN on a channel that was created by using the Management Service, the configuration fails.
Issue ID 0400651: If you create a channel on interfaces 0/1 and 0/2 by using the Management Service, and then provision a third-party instance and configure the management network for that instance on the newly created channel, the third-party instance is not reachable on the network.
sysctl netscaler.ns_vpx_halt_method=2
sysctl netscaler.ns_vpx_halt_method=2
Issue ID 0383958: $ is an invalid value for the port parameter of any extended ACL, but no error message appears if you specify this value. If, while configuring an extended ACL by using the configuration utility, you set the port parameter to $, no error message appears, but the ACL is not configured.
Issue ID 0399436: The NetScaler appliance does not create session entries for ICMPv6 packets that match a forwarding-session rule.
Issue ID 0385217: On the MPX 8200/8400/8600 and MPX 5550/5650 platforms, if a 1G data port is connected but disabled, the status of the peer port on the switch might be shown as UP after the MPX appliance restarts.
Issue ID 0390584: You cannot use the configuration utility to define classic SSL policies. However, you can use the configuration utility to bind and unbind classic SSL policies.
Workaround: Use the CLI to define classic SSL policies.
Issue ID 0368982: After you have imported a custom data source, the charts for the counters under System entities statistics are inaccurate, because of issues in the third party charting engine.
Issue ID 0343395: On the NetScaler appliance, TLS protocol version 1.2 does not support a client certificate with an RSA 4096-bit key.
Issue ID 0345883: On the NetScaler appliance, TLS protocol version 1.2 does not support ephemeral Diffie-Hellman cipher suites.
Issue ID 0388481: When upgrading from release 9.3 to 10.1, the following SNMP alarms throw a time argument error: IP-CONFLICT, HA-LICENSE-MISMATCH, and HA-PROP-FAILURE. This issue occurs because, in version 10 and later, the time parameter is deprecated for these SNMP alarms.
Workaround: Before upgrading to release 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.
bindservicegroup_state2
unsetnslimitidentifier_selectorname. Instead use unsetnslimitidentifier_selector.
Release version: Citrix NetScaler, version 10.1 build 118.7
Replaces build: None
Release date: June 2013
Release notes version: 3.0
Language supported: English (US)
The NetScaler VPX virtual appliance is supported on Microsoft Hyper-V Server 2012 and VMware ESX 5.1 virtualization platforms.
ENH ID 0364085: You can now create a load balancing monitor for an Oracle DBMS server by using the new Oracle-ECV monitor type. The supported data types are BINARY_DOUBLE, BINARY_FLOAT, CHAR, DATE, INTERVALDS, INTERVALYM, NUMBER, NVARCHAR, TIMESTAMP, TIMESTAMP_WITH_LOCAL_TIME_ZONE, and TIMESTAMP_WITH_TIME_ZONE.
You can configure the monitor by using the NetScaler command line or the configuration utility.
add lb monitor <monitorName> oracle-ecv [ parameters... ]
add lb monitor oracle-monitor5 ORACLE-ECV -userName hr -database xe -sqlQuery "select Name from testlb" -evalRule "ORACLE.RES.ATLEAST_ROWS_COUNT(1)"
To create or configure an Oracle-ECV monitor by using the configuration utility, navigate to Traffic Management => Load Balancing => Monitors, and then click Add to create the monitor or select an existing monitor and then click Open to configure the monitor.
ENH ID 0365382: Citrix NetScaler deployed with XenMobile Mobile Device Management (MDM) provides the ability to scale, ensure high availability for apps, and maintain security.
For more information, see the "NetScaler and XenMobile Solution for Enterprise Mobility" deployment guide.
ENH ID 0349674: A NetScaler MPX appliance for customers in Russia initially ships with a low encryption license. After proper authorization from the Russian agency, customers can upgrade to a Standard, Enterprise, or Platinum software edition, which enables high-encryption SSL performance on the appliance.
The look and feel of the first time user wizard has changed.
ENH ID 0322368: You must upgrade the NetScaler SDX appliance to XenServer version 6.1.0 to enable functionality of some features, such as LACP and third-party virtual machines. The process of upgrading the XenServer software involves uploading the build file of the target build to the Management Service, and then upgrading the XenServer software.
ENH ID 0257892: You can now configure link aggregation from the Management Service at the time of provisioning a NetScaler instance, or later by modifying an instance. An aggregated link is also known as a channel. The interfaces that form part of a channel are not listed in the Network Settings view shown when you add or modify a NetScaler instance. Instead of the interfaces, the channels are listed.
To access NetScaler documentation on eDocs, see http://support.citrix.com/proddocs/topic/netscaler/ns-gen-netscaler-wrapper-con.html.
Workaround: Use the Adobe PDF browser plugin.
For example, if you have two sets of custom signatures named custom_signatures and custom_signatures_2 that are based on copies of the default signatures file, you would update the signatures on your NetScaler appliance by issuing the following commands:
update appfw signatures "*Default Signatures"
update appfw signatures "custom_signatures"
update appfw signatures "custom_signatures_2"
Workaround: Make sure you delete existing TFTP load balancing virtual servers before creating the cluster or high availability setup.
Workaround: Use the mouse to click the OK button instead of pressing the ENTER key on the keyboard.
Workaround: Do not change the default pagination value (25). If you change the default pagination value and the appliance prompts you to stop running the script, choose to continue.
Workaround: Switch to the Desktop screen to display Java based configuration views. Microsoft Windows 8 does not support plug-ins in the Start screen, and therefore Java cannot run in the Start screen. For information, see http://www.java.com/en/download/faq/win8_faq.xml.
Workaround: Use the arrow keys on the keyboard to scroll the screen.
Workaround: Search for the virtual server names with the expressions "*" or "app" by using the search utility.
For information about the new node structure, see Configuration Utility Changes.
add monitor wi-mon CiTRIX-wi-EXTENDED -userName administrator -password freebsd -domain xendt -sitePath "/Citrix/XenApp
set monitor wi-mon CiTRIX-wi-EXTENDED -scriptname "nswi.pl"
set monitor wi-mon CiTRIX-wi-EXTENDED -sitePath "/Citrix/XenApp
Workaround: Start the session again.
Workaround: The correct value is displayed in the page.
Workaround: To view the details, click the help icon in the graphical user interface; when the help page opens, click the TOC tab and navigate to NetScaler Insight Center 10.1 > Enabling Data Collection.
Workaround: After creating a channel by using the Management Service, restart the SDX appliance.
Workaround: Disable the interface of the peer device so that it does not send traffic to the disabled interface of the SDX appliance.
Workaround: Modify the NetScaler instance and remove the non-existent channel from the VLAN settings page.
Workaround: Provision the NetScaler instance again.
sysctl netscaler.ns_vpx_halt_method=2
sysctl netscaler.ns_vpx_halt_method=2
Workaround: Disable SPDY in the Chrome browser.
Workaround: Use the command line interface.
Workaround: Before upgrading to 10.1, update the ns.conf file by removing the time parameter for these three alarms from the set snmp alarm command.