Release Notes for Build 59.1305.e of NetScaler 10.5 Release

Updated: March 23, 2016 | Release notes version: 2.0
This release notes document describes the enhancements and changes (what's new), lists the issues that are fixed, and specifies the issues that exist, for the NetScaler 10.5 Build 59.1305.e release. See Release history.
What's New?
The enhancements and changes that are available in Build 59.1305.e.
NetScaler SDX Appliance
  • Updated Encryption Method
    The management service now uses the SHA512 encryption method to encrypt the nsrecover passwords stored on the SDX appliance.
    [# 576379, 578112]
  • Option to Disable nsrecover Login Account
    Using the Management Service interface, you can now disable the nsrecover login account. To disable the nsrecover login account, navigate to "Configuration > System > Configure System Settings" and clear the "Enable nsrecover Login" check box.
    [# 576375]
  • Stateful Connection Failover Support for RNAT
    Connection failover helps prevent disruption of access to applications deployed in a distributed environment. The NetScaler appliance now supports stateful connection failover for connections related to RNAT rules in a NetScaler High Availability (HA) setup.
    In an HA setup, connection failover (or connection mirroring) refers to the process of keeping an established TCP or UDP connection active when a failover occurs. The primary appliance sends messages to the secondary appliance to synchronize current information about the RNAT connections. The secondary appliance uses this connection information only in the event of a failover. When a failover occurs, the new primary NetScaler appliance has information about the connections established before the failover and hence continues to serve those connections even after the failover. From the client's perspective this failover is transparent. During the transition period, the client and server may experience a brief disruption and retransmissions.
    Connection failover can be enabled per RNAT rule. For enabling connection failover on an RNAT rule, you enable the connFailover (Connection Failover) parameter of that specific RNAT rule by using either NetScaler command line or configuration utility. Also, you must disable the tcpproxy (TCP Proxy) parameter globally for all RNAT rules in order for connection failover to work properly for TCP connections.
    [# 457167]
  • Support for TLS Protocol Version 1.1 and 1.2 on the backend on the NetScaler MPX, MPX-FIPS, and SDX Appliances
    The NetScaler MPX appliance now supports TLS versions 1.1 and 1.2 on the backend.
    MPX-FIPS appliances running firmware version 2.2 also support TLS versions 1.1 and 1.2 on the backend.
    On an SDX appliance, TLS versions 1.1 and 1.2 are supported on the backend only if an SSL chip is assigned to the VPX instance.
    [# 494082, 566364]
  • Support for Configuring a Proxy Server to Install Licenses
    You no longer have to configure internet connectivity on the NetScaler appliance in order to use a hardware serial number or license activation code to allocate a NetScaler license. Instead, you can use a proxy server.
    On the NetScaler GUI, navigate to Configuration > System > Licenses > Manage Licenses > Add a New License, select the Connect through Proxy Server check box, and specify the IP address and port of your proxy server.
    [# 541474]
Fixed Issues
The issues that are addressed in Build 59.1305.e.
Application Firewall
  • In release 10.5.e (enhancement builds only) as well as in the 11.0 release builds, application firewall processing of the Cookie header was changed. In those releases, every cookie is evaluated individually, and if the length of any one cookie received in the Cookie header exceeds the configured BufferOverflowMaxCookieLength, the Buffer Overflow violation is triggered. As a result of this change, requests that were blocked in 10.5 and earlier release builds might be allowed, because the length of the entire cookie header is not calculated for determining the cookie length. In some situations, the total cookie size forwarded to the server might be larger than the accepted value, and the server might respond with "400 Bad Request".
    With this fix, the change has been reverted. The behavior is now similar to that of the non-enhancement builds of release 10.5. The entire raw Cookie header is now considered when calculating the length of the cookie. Surrounding spaces and the semicolon (;) characters separating the name-value pairs are also included in determining the cookie length.
    [# 614449]
  • The application firewall might experience a transient low-memory condition during a traffic surge if advanced security check protections (such as Form Field consistency, CSRF, form tagging and so on, which require rewriting the HTML forms in the response) are enabled for the profiles. This might result in a memory leak, and memory allocation failures might occur even after the traffic surge subsides.
    [# 598776, 597952]
NetScaler Gateway
  • If the new session entry points to the same memory that was used for the session entry earlier, then some of the values need to be reset. During session entry creation the values are reset.
    [# 608791]
NetScaler SDX Appliance
  • The management Service does not support provisioning or modifying a NetScaler instance with gateway IP address from a different subnet as that of the NetScaler IP (NSIP) address.
    [# 593158]
  • On an MPX-FIPS platform running firmware version 2.2, if you have configured SSL services at the back end, an attempt to download a file fails if its size is greater than 16KB.
    [# 578464, 582280, 599956]
Known Issues
The issues that exist in Build 59.1305.e.
Application Firewall
  • Deploying an application firewall Field Format rule from "Edit & Deploy" dialog box displays an error when recommended character-map is empty and the minimum and maximum lengths are zero.
    [# 528049]
  • (NetScaler Insight Center) If NetScaler Insight Center does not get a connection closure update for a particular connection ID, and the ID is reused, the IP data of the previous connection might be displayed.
    [# 549679]
  • (NetScaler Insight Center) If you set GUI access from HTTPS (the default) to HTTP, Insight Center and NITRO calls will fail to connect.
    Workaround: Select HTTPS as the GUI protocol.
    [# 555132]
  • (AppFlow) If you define an application in the CloudBridge application classifier that contains a colon (":") in the name, it is not exported correctly to the AppFlow collector.
    [# 561139]
  • (NetScaler Insight Center) If a CloudBridge session is inactive, the WAN Insight node of NetScaler Insight Center continues to display older data.
    Workaround: Disable Database Cache Settings
    1. On the Configuration tab, in the navigation pane, click the System and in the right pane click Change Database Cache Settings.
    2. To clear the cache, select Reset Database Cache .
    3. To enable the cache, select Enable Database Cache.
    4. Click OK.
    [# 549601]
  • If you upgrade the CloudBridge appliance to release 7.4.0, the page continues to display the text "Upgrade in progress."
    Workaround: Log onto the appliance by using a new tab or a new window.
    [# 550098]
CloudBridge appliances
  • RADIUS/TACACS remote server auditing does not work.
    [# 529380]
  • The cluster backplane cannot be modified for cluster nodes that are bound to nodegroups that have the "state" or "priority" parameter configured.
    Workaround: Do the following:
    1. Unbind the node from the nodegroup.
    2. Update the backplane of the cluster nodes.
    3. Bind the node to the nodegroup.
    [# 508828]
  • In a cluster nodegroup that has the "state" or "priority" parameter configured, the "show cluster nodegroup" command provides incorrect information about the active nodes and the backup nodes.
    [# 511918]
Configuration Utility
  • If you use the Safari browser on a MAC operating system to access an MPX-FIPS appliance, and then click Traffic Management > SSL > FIPS > ResetFIPS in the configuration utility, the configuration is saved but the appliance does not restart.
    Workaround: Use the NetScaler CLI to perform a warm restart. At the command prompt, type:
    reboot -f -w
    [# 533688, 533705]
  • You cannot update the FIPS firmware to version 2.2 by using the configuration utility.
    Workaround: Use the NetScaler command line to update the firmware.
    [# 557715]
  • In the configuration utility, if you select the Validate Credentials option while configuring a XenDesktop farm, the NetScaler ADC might display the following error message: "Username, password and ddc domain are required for Xen Desktop monitor."
    [# 528776]
  • In the NetScaler configuration utility, the page at System> Network > IPs does not display the Type for LSN NATIPs, and the value shown for Traffic Domain is incorrect.
    Workaround: Run the sh nsip command to display the values in the command line interface.
    [# 505121]
Large Scale NAT
  • The NetScaler ADC might not support a large number of passive FTP LSN sessions.
    [# 502875]
  • In an LSN deployment, FTP over Jumbo interfaces might not work.
    [# 503177]
  • After multiple failovers in a high availability LSN deployment, the current secondary node might retain stale LSN session entries that were created or processed when the node was in primary state.
    Workaround: After a manual failover, remove (flush) the LSN session entries from the secondary node before manually running the HA synchronization operation.
    [# 501440]
  • If a NetScaler ADC that has Endpoint Independent Mapping and Filtering configured has more than 200 million LSN sessions, it might become unresponsive if you run the clear config operation.
    [# 501304]
  • In an LSN deployment in high availability, with LSN FTP-ALG and LSN Session Synchronization options enabled, the NetScaler ADC might not synchronize LSN session information for an FTP connection to the secondary node. This issue might result in the connection getting terminated after a HA failover.
    [# 503511]
  • If the NetScaler ADC has more than 1 million LSN sessions, the configuration utility might become unresponsive if you refresh the LSN session display page.
    [# 502648]
Load Balancing
  • The NetScaler appliance ignores the replace_if_present_flag in the SMPP request (submit_sm) message. This flag is used if the submitted message should replace an existing message, so the appliance should forward the submitted message to the server to which an earlier message with the same criteria (same source, destination, and service type) was sent. Instead, the appliance forwards it to the server selected by the load balancing algorithm.
    [# 504085]
  • Azure's DNS server is marked DOWN when added as a UDP server. The problem does not occur if you specify TCP when adding the DNS server.
    [# 544030]
NetScaler Gateway
  • Two NetScalers rebooted themselves, one after another.
    The Error found in ns.log file is described as "Warm Reboot - unsetting partition ids in shared "mmy".
    [# 546122]
  • If you configure endpoint analysis policies on NetScaler Gateway, when users log on by using either Safari or Firefox web browsers and if Symantec Endpoint Protection is installed, the link to download the Endpoint Analysis Plug-in does not appear after the time expires. This only occurs when the setting Network Threat Protection in Symantec Endpoint Protection is enabled and if the Endpoint Analysis Plug-in is not previously installed. The failure is due to the Port Scan setting, which can be changed by using the instructions in the article "Built-in signatures for Symantec Endpoint Protection IPS" for Mac on Symantec's web site.
    [# 505075]
  • In a double hop deployment, STA server status on hop 1 does not go down when double hop is disabled in hop2, and the user still launch ICA apps.
    [# 539743]
  • In Android devices, when users click the RDP link to download the RDP file through the NetScaler Gateway, download fails and the users are unable to launch the remote desktop.
    [# 527621]
  • When "dynamicReceiveBuffering" is ENABLED in the default TCP profile, WorxHome may fail to connect to XenMobile server through NetScaler Gateway.
    Workaround: Disable dynamic receive buffering on the default TCP profile.
    [# 614726]
NetScaler Insight Center
  • If you upgrade NetScaler Insight Center release 10.5 build 55.8004e to release 10.5 build 8xxx.e, the columns names will not be displayed on the dashboard.
    Workaround: Click the Settings icon, and click "Go back to default."
    [# 553466]
NetScaler SDX Appliance
  • In an SDX appliance, if you have a cluster or HA setup that has L2 mode enabled, when a node fails, the upstream switch continues sending Layer 2 mode traffic to that node until its bridge table entry times out on the upstream switch (default 300 seconds).
    Workaround: Reduce the MAC-address table ageing time on the upstream switch.
    [# 519500]
  • The /var/core directory might not be available for core dumps in some circumstances.
    [# 523943]
  • In rare circumstances, a VPX instance can dump packet engine core after a warm restart.
    [# 559529]
  • The showtechsupport command reports permission errors while collecting debug information. The error messages can be ignored.
    [# 524176]
  • The MAC address of a VPX interface might change when a VPX instance in Azure Cloud is shut down and then restarted. Be sure to use the license utilities to obtain a Host ID when generating a license for VPX in Azure, rather than directly using the MAC address.
    [# 527117]
  • The /var/core directory might not be available for core dumps in some circumstances.
    [# 554865]
  • A VPN client does not receive a clean-up prompt when logging off.
    [# 541859]
  • When you create an LDAP action on the LDAP policy page, the GUI does not immediately include the action's name in the drop-down list.
    [# 540563]
  • Launching an application through CVPN mode with Receiver for HTML5 fails or takes a long time during some launches, and an attempt to launch through ICA proxy mode from an Internet Explorer browser fails.
    [# 559212]
  • The VIP address added when a virtual server is created is not removed when the virtual server is removed. The address continues to appear in the "show ip" command output. The same issue occurs with the "clear config extended" command.
    [# 539598]
  • High availability session propagation is not supported in Azure. The NetScaler HA nodes can't maintain sessions across failover, because Azure disallows promiscuous mode. A NetScaler node can send or receive packets at only the original assigned IP address.
    [# 542196]
  • In full VPN mode, user logon through a Chrome browser generates an error page after the logon process, before app enumeration.
    [# 539815]
  • A RADIUS response packet that a NetScaler ADC generates by applying a responder policy is limited to 1 NSB (1500 bytes). Therefore, jumbo packets are not supported for such responses.
    [# 521707]
  • FIPS keys that are created on firmware version 2.2 are lost after you downgrade to firmware version 1.1.
    Workaround: Export the FIPS keys before you downgrade the firmware. Import the FIPS keys after the downgrade.
    [# 559796]
  • If you upgrade the FIPS firmware on your appliance to version 2.2 an error message might appear on the command line. If you restart the appliance, the card might not be initialized.
    Workaround: Restart your appliance again.
    [# 539749]
  • In rare circumstances, the VPX instance can dump kernel core after a warm restart.
    [# 559176]
  • FTP connections through a TCP wildcard virtual server on the NetScaler appliance might fail for one of the following reasons:
    - A mismatch in TCP parameters is preventing the appliance from reusing the probe connection.
    - The server is sending data before the client-side TCP connection is established.
    [# 545858]
  • The initial client connection on the NetScaler appliance might fail if a wildcard virtual server is configured and the useProxyPort option is disabled globally on the appliance.
    [# 542776, 571357]
  • The Azure Portal reports a VPX instance remaining in the "installing extensions" stage if you leave the VM Extensions checkbox selected. The VPX instance is not affected. You can clear the VM extensions checkbox during provisioning.
    [# 559525]
What's New in Previous NetScaler 10.5 Releases
The enhancements and changes that were available in NetScaler 10.5.e releases prior to Build 59.1305.e. The build number provided below the issue description indicates the build in which this enhancement or change was provided.
  • The second factor user name field is now editable for SAML two-factor authentication. Previously, the user name was automatically filled in from the first factor, and could not be edited.
    [From Build 54.9009.e] [# 467330]
  • In a multi-domain AD environment, the NetScaler appliance is now able to detect an expired password and allows the user to change the expired password. You can do this without configuring LDAP referral.
    [From Build 57.7005.e] [# 563051]
  • RADIUS Responder Support
    The NetScaler ADC default expressions language now supports RADIUS expressions in Responder policies. You can use the new RADIUS expressions to construct simple responses, such as rejecting RADIUS requests from specific networks. Responder does not need to contact the RADIUS server to generate a response, so even if all RADIUS servers are down, it can send an error message to RADIUS requests instead of simply dropping those requests.
    For example, to create a Responder policy to block logins from the IP, you would type the following:
    > add responder action resp_act_radius_reject respondwith radius.new_accessreject
    > add responder policy resp_pol_radius_reject "radius.req.avp(4).value.eq(\"\")" resp_act_radius_reject
    > bind responder global resp_pol_radius_reject 102 END -type RADIUS_REQ_OVERRIDE
    To add a responder policy label for policies containing RADIUS expressions, you use "-policylabeltype RADIUS" as shown below:
    > add responder policylabel <name> -policylabeltype RADIUS
    For a more complete description of RADIUS policy expressions and how they can be used, see the NetScaler documentation on AppExpert.
    [From Build 51.1017.e] [# 406254]
  • RADIUS Rewrite Support
    The NetScaler ADC default expressions language now supports RADIUS expressions in Rewrite policies. You can add new RADIUS attribute-value pairs (AVPs), delete AVPs, and replace AVPs with different AVPs before forwarding a request to the RADIUS server or a response to the client. You can use the new RADIUS expressions to rewrite connections between users authenticating to AAA-TM and the RADIUS authentication server. Among other things, you can:
    * Remove the "domain\" portion of the username attribute before sending the authentication request to the RADIUS server:.
    * Insert vendor specific attributes, such as an MSISDN field used by a telephone company.
    * Rewrite RADIUS accounting values to fit a prescribed standard format, such as modifying the Calling-Stating-Id so that it consists of a leading "1" followed by the ten-digit MDN value.
    * Insert the RADIUS Accounting "Called-Station-Id" AVP into the received message. 
    The following types of Rewrite actions support RADIUS expressions:
    * DELETE
    You can use any RADIUS expression in a Rewrite policy. Rewrite policies that contain RADIUS expressions are supported in both the request and response flows. Request policies are evaluated after Content Switching and Responder policies.
    You can bind request-side Rewrite policies that contain RADIUS expressions to the RADIUS_REQ_OVERRIDE and RADIUS_REQ_DEFAULT bind points, and response-side policies to the RADIUS_RES_OVERRIDE and RADIUS_RES_DEFAULT bind points. You can use the new RADIUS_REQ and RADIUS_RES elements when creating Rewrite policy labels with RADIUS expressions.
    To add a Rewrite action and policy to insert the Called-Station-ID AVP into the received message, and bind the policy to the RADIUS request override bind point, you could type the following commands:
    > add rewrite action rw_act_insert_csid insert_before radius.req.avp_end "radius.new_avp(34, RADIUS.REQ.AVP(30).VALUE)"
    > add rewrite policy rw_pol_insert_csid "RADIUS.IS_SERVER" rw_act_insert_csid
    > bind rewrite global rw_pol_insert_csid 20 NEXT -type RADIUS_REQ_OVERRIDE
    For a more complete description of RADIUS policy expressions and how they can be used, see the NetScaler documentation on AppExpert.
    [From Build 51.1017.e] [# 406252]
Application Firewall
  • The application firewall now supports logging of the complete HTML request when a request time security check violation is detected. You can collect the trace for a specific profile and see the triggered log message in the corresponding trace record.
    [From Build 53.9010.e] [# 449486]
  • Support for ongoing learning for the currently deployed Field Formats has been added to the application firewall. Before this enhancement, if a form field has the deployed Field Format rule, the learning engine stops recommending new rules. After this enhancement, learning continues and new recommendations are suggested based on all the observed values for a particular form field. Deploying a learned field format rule from the configuration utility, overwrites any existing binding.
    [From Build 53.9010.e] [# 450326, 483677, 513927]
  • Citrix application firewall has now extended the protection capability to secure applications that use GWT. The application firewall understands and interprets GWT RPC requests, inspects the payload for security check violations, and takes specified actions. Web servers following GWT RPC mechanisms can now be secured by the Citrix application firewall without a need for any specific configuration to enable the GWT support.
    [From Build 53.9010.e] [# 447145]
  • Citrix application firewall uses the positive security logic to mitigate zero day attacks. In addition to recommending the configured Field Type, the learning engine now provides recommendations for a Character-Map, based on the observed traffic pattern. A Character-Map is a set of all characters that are allowed in the input field. The learned rules can be deployed either using the Field Type or the Character-Map for specifying the Field Format of a form field.
    [From Build 53.9010.e] [# 450323, 483668]
  • BridgeGroups are now supported in a NetScaler cluster deployment.
    [From Build 52.1115.e] [# 494991]
  • Nodegroup for Datacenter Redundancy
    A cluster nodegroup can now be configured to provide datacenter redundancy. In this use case, nodegroups are created by logically grouping the cluster nodes. You must create active and spare nodegroups. When the active nodegroup goes down, the spare nodegroup which has the highest priority (the lower priority number) is made active and it starts serving traffic.
    For more information, see
    [From Build 52.1115.e] [# 495019]
  • Support to retain the Checking Disabled (CD) bit in a DNSSEC query
    If you configure the ADC as a DNS proxy to load balance DNSSEC aware resolvers (servers), you must set the Recursion Available option while configuring the DNS virtual server. If a DNSSEC query arrives with Checking Disabled (CD) bit set, the query is passed on to the server with the CD bit retained and the response from the server is not cached. In earlier releases, the ADC unset the CD bit before passing it to the server and also cached the server response.
    [From Build 53.9010.e] [# 458313]
  • Support for the IP geolocation databases from MaxMind
    The NetScaler ADC now includes an IP geolocation database, GeoLite2 (published by MaxMind). The database is available in a format supported by NetScaler ADC at: /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB.csv.
    You can use this IP geolocation database as the location file for the static proximity based GSLB method or in location based policies.
    Note: The ADC includes the GeoLite2 database available from
    [From Build 52.1115.e] [# 438615]
  • You can now clear the statistics of a GSLB virtual server and service. NetScaler ADC provides the following two options to clear the statistics:
    -Basic: Clears the statistics that are specific to the virtual server but retains the statistics that are contributed by the bound GLSB service.
    -Full: Clears both the virtual server and the bound GSLB service statistics.
    For more information, see
    [From Build 52.1115.e] [# 257670]
  • Viewing the configuration details of the entities bound to a GSLB domain
    You can now view the configuration details of the entities bound to a GSLB domain. The details include the configuration of the virtual servers, services, and the monitors bound to the GSLB domain. To view the details, you can use either the command line or the configuration utility.
    For more information, see
    [From Build 52.1115.e] [# 343525]
Large Scale NAT
  • Large Scale Network Address Translation
    The NetScaler ADC now supports NAT44 Large Scale NAT (LSN) and is compliant with RFC 6888, 5382, 5508, and 4787.
    The phenomenal growth of the internet has resulted in the shortage of public IPv4 addresses. CGN provides a solution to this issue by maximizing the use of available public IPv4 addresses by sharing few public IPv4 addresses among a large pool of Internet users. CGN is a collection of technologies and NAT44 is one of them.
    NAT44 LSN translates private IPv4 address in public IPv4 addresses. It includes network address and port translation methods to aggregate many private IP addresses into fewer public IPv4 addresses. NAT44 LSN is designed to handle NAT in large scale.
    The LSN feature of the NetScaler ADC is very useful for Internet Service Providers (ISPs), carriers, and in enterprise data centers, providing millions of translations to support a large number of users, and at very high bandwidth throughput.
    Note: Large Scale NAT is also called Carrier Grade NAT.
    The following are some of the sub-features of LSN on a NetScaler ADC:
    * Mapping: Support of Endpoint-independent mapping (EIM), Address-dependent mapping ( ADM), and Address-Port dependent mapping.
    * Filtering: Support of Endpoint-independent filtering (EIF), Address-dependent filtering, and Address-Port-dependent filtering.
    * Quotas: Configurable limits on number of ports and sessions per subscriber.
    * Static Mapping: Support of manually defining an LSN mapping.
    * Hairpin Flow: Support for communication between subscribers or internal hosts using public IP addresses.
    * ALGs: Support of application Layer Gateway (ALG) for FTP, ICMP, and TFTP protocols.
    * LSN Clients: Support for specifying or identifying subscribers for LSN NAT by using IPv4 addresses and extended ACL rules.
    * Deterministic/ Fixed NAT: Support for pre-allocation of block of ports to subscribers for minimizing logging.
    * Logging: Support for logging LSN session for law enforcement.
    [From Build 51.1017.e] [# 316909]
Load Balancing
  • Support for SMPP Load Balancing
    The NetScaler ADC now supports SMPP load balancing and provides optimal distribution of SMS requests across your servers, preventing poor performance and outages. To configure your ADC for SMPP load balancing, add an ESME as a user on the ADC, configure an SMPP load balancing virtual server and service, and specify a custom server ID in the service configuration.
    A new monitor of type SMPP is available to monitor SMPP servers. This monitor opens a TCP connection and sends an enquire_link packet to check the status of the server. Depending on the success or failure of the probe, the service is marked as UP or DOWN.
    [From Build 51.1017.e] [# 413106]
  • Support for SIP Load Balancing over TCP/TLS
    The NetScaler ADC now supports load balancing SIP traffic over TCP or TLS. To configure you ADC to load balance SIP requests to a group of SIP proxy servers, create a load balancing virtual server with the load balancing method and the type of persistence set to one of the following combinations:
    - Call-ID hash load balancing method with no persistence setting
    - Call-ID based persistence with least connection or round robin load balancing method
    - Rule based persistence with least connection or round robin load balancing method
    Also, a number of new default syntax expressions have been added that operate on SIP connections. These expressions can be bound only to SIP based (sip_udp, sip_tcp or sip_ssl) virtual servers, and to global bind points. You can use these expressions in content switching, rate limiting, responder, and rewrite policies.
    [From Build 51.1017.e] [# 413074, 246718, 501281]
  • New Trap for Spillover
    If you have configured spillover on a virtual server and also configured a trap listener on the appliance, an SNMP trap is now sent to the trap listener when the virtual server experiences spillover. The trap message displays the name of the virtual server that experienced the spillover, the spillover method, the spillover threshold, and the current spillover value. If the spillover is policy based, the rule causing it appears in the Spillover Threshold field. If the virtual server is DOWN or disabled, the status message "vserver not up" appears in the trap message.
    [From Build 53.9010.e] [# 486268, 475400]
NetScaler Gateway
  • Users can log on to NetScaler Gateway by using Risk-Based Authentication that is part of delegated forms authentication support in StoreFront.
    [From Build 51.1017.e] [# 448538, 477473]
  • Users can connect with single sign-on to Remote Desktop (RDP) connections through NetScaler Gateway.
    [From Build 51.1017.e] [# 422442]
  • You can configure content switching on the NetScaler Gateway appliance. When users connect, the appliance terminates SSL connections and then does content switching prior to honoring policies on NetScaler Gateway. For more information about content switching, see Content Switching in the NetScaler documentation.
    The following example contains the general steps for configuring content switching with NetScaler Gateway:
    1. Configure the NetScaler Gateway virtual server.
    2. Configure internal load balancing virtual servers for any traffic that is being content switched.
    3. Define the services over which connections communicate and then bind the services to the load balancer. For example, you can use the following commands:
    > add service artemis-xm HTTP 443
    > add service sharefile_server HTTP 443
    > bind lb_vserver lb_appc artemis_xm
    > bind lb_vserver lb_sharefile sharefile_service
    4. Define the URLs with specific patterns to go to one of the two internal load balancers. All other network traffic goes to NetScaler Gateway. For example, you can use the following commands:
    > add csaction appc_cs -targetLbVserver lb-appc
    > add csaction sharefile_cs -targetLBVserver lb-sharefile
    > add policy patset cs_list
    > bind patset cs_list "/zdm/"
    > bind patset cs_list "/devicecheck"
    > add cspolicy appc_cs -rule "http.req.uri.contains_any(cs_list)" -action appc_cs
    > bind vpn vserver artemis_ng -policy appc_cs -priority 10
    > add cspolicy sharefile_cs "http.req.url.startswith('/sharefile')...
    > bind vpn vserver argemis_ng -policy sharefile-cs -priorit 11
    [From Build 51.1017.e] [# 438365]
  • If users are logged on with Citrix Reciever, if the server running the Secure Ticket Authority (STA) becomes unavailable, the STA ticket does not refresh and session reliability fails. To fix this problem, upgrade NetScaler Gateway to Version 10.5 Build 51.10xx.e. This release supports configuring multiple STA servers on NetScaler Gateway.
    [From Build 51.1017.e] [# 404522]
  • Upgrading EPA libraries from NetScaler configuration utility
    The NetScaler configuration utility now provides a one-click wizard for upgrading EPA libraries. This wizard helps the admin upgrade EPA libraries without upgrading or even rebooting the appliance.
    How to upgrade:
    1. Download the latest EPA library package from the Citrix Download website on a machine where you have access to NetScaler configuration utility.
    2. On the NetScaler configuration utility, navigate to NetScaler Gateway > Upgrade EPA libraries.
    3. Click Browse and select downloaded EPA library package from machine and click Upgrade. This will start upgrade process.
    4. After the upgrade is complete, the screen will be accessible again and it will show the updated library version.
    5. To view and configure EPA scans of newer Library, refresh the configuration page. After page refresh, the Opswat EPA wizard will show newer EPA scans which can be configured right away.
    Effect of EPA library upgrade on user (client) systems:
    - Windows: If windows user does EPA for first time after EPA libraries upgrade, EPA (or VPN) plugin will download newer windows EPA library in background and cache it. As EPA library download happens in background users will not notice anything during EPA scan.
    - Mac: In case of Mac, as part EPA libraries upgrade EPA and VPN plugin on NetScaler gets upgraded. So, if Mac user does EPA for first time after EPA libraries upgrade, EPA or/and VPN plugin will get upgraded.
    So user will see download prompt in case of EPA plugin and/or auto-upgradation of VPN plugin.
    Once plugin is upgraded, going forward, EPA will work normally.
    [From Build 52.1115.e] [# 504584]
  • Disconnecting ICA Connections
    You can end ICA connections by using the NetScaler Gateway configuration utility or the command-line interface.
    [From Build 52.1115.e] [# 377266]
  • In addition to the logon page with the user name and password fields, the NetScaler ADC now offers an advanced logon page with support for dynamic form providers for interactive authentication. The dynamic form providers on the advanced logon page can be invoked if you use the Citrix default syntax to configure authentication policies.
    [From Build 52.1115.e] [# 477616]
  • NetScaler Gateway does not support single sign-on (SSO) to public servers unless single sign-on is enabled in a traffic profile or if split tunneling is enabled.
    [From Build 53.9010.e] [# 518414]
  • NetScaler Gateway now honors the PresharedKey setting in the RDP server profile, and uses this key to encrypt data sent to the STA server, in a dual gateway RDP proxy deployment.
    [From Build 54.9009.e] [# 537854]
  • NetScaler AAA module now supports SRV-REC look ups for LDAP server referrals.
    [From Build 54.9009.e] [# 465887]
  • Enhancing the RDP Proxy messages to include information concerning the controls that are in place at connection.
    [From Build 58.1108.e] [# 593412]
  • The RDP Proxy feature on NetScaler Gateway now requires special licensing, and needs to be explicitly enabled using the 'enable feature rdpproxy' command. In addition, the 'psk' attribute, used to protect the user information sent to the STA server, is now mandatory whenever a rdpserverprofile is configured.
    [From Build 58.1108.e] [# 543064, 518094, 527616]
  • NetScaler Gateway provides an RDP enforcement feature. NetScaler administrators can disable RDP capabilities through the NetScaler Gateway configuration.
    The following are configurable as part of the RDP client profile.
    - Redirection of ClipBoard
    - Redirection of Printers
    - Redirection of Disk Drives
    [From Build 58.1108.e] [# 581578]
NetScaler Insight Center
  • You can now configure NetScaler Insight Center to display HTTP header metrics. Each set of metrics that you specify appears in a separate node in the Web Insight report on the dashboard.
    To enable HTTP header report setting:
    1. On the Configuration tab, click System.
    2. In the System Settings group, click Change HTTP Header Report Settings, and select the reports to display.
    [From Build 52.1115.e] [# 465733]
NetScaler SDX Appliance
  • Resource Allocation using NetScaler SDX Administrative Domains
    NetScaler SDX administrative domains provides you with the capability to create multiple administrative domains. Creating domains allows the administrator to segregate resources based on their departments in the organization. This provides a better control over resources and how they are distributed among various domains for optimal use.
    [From Build 51.1017.e] [# 250235]
  • SDX Bandwidth Metering
    Bandwidth metering provides the flexibility to dynamically allocate the bandwidth among various NetScaler instances. Dynamic bandwidth allocation helps in distributing unused bandwidth of an instance to other instances and at the same time ensuring that each instance always gets the minimum allocated bandwidth.
    Bandwidth metering also allows an administrator to monetize available bandwidth on the NetScaler SDX through a consumption based usage model. The enhancement also includes logging and reporting of bandwidth usage, in addition to allocation of bandwidth. The bandwidth usage can be viewed using various graphs.
    [From Build 51.1017.e] [# 418076]
  • NetScaler SDX now provides support for two data interfaces for Trend Micro IWSVA virtual machine. It also provides support for configuring VLAN on data interfaces.
    [From Build 56.1505.e] [# 558146]
  • The NetScaler ADC now supports Network Interface Card (NIC) bundling in a high availability configuration. With this enhancement, a single IP address and MAC address can be shared by a primary and a secondary interface. For example, as long as the primary interface is up, all the traffic flows through it. If the primary interface goes down, or if its priority changes such that the secondary interface has a higher priority, the secondary interface takes over and uses the same IP address and MAC address.
    [From Build 52.1115.e] [# 355237, 186503, 249551]
  • You can now configure the dead interval parameter of hello messages for sending VRRP advertisements.
    [From Build 53.9010.e] [# 512845]
  • You can now set the value by which the VRRP priority of a vrID parameter is decremented or incremented when the status of an interface goes down or up respectively.
    [From Build 53.9010.e] [# 512848]
  • You can now configure the hello interval parameter for sending VRRP (Virtual Router Redundancy Protocol) advertisements.
    [From Build 53.9010.e] [# 512843]
  • Support for Thales nShield(R) HSM
    All NetScaler MPX, SDX, and VPX appliances except the MPX 9700/10500/12500/15500 appliances now support the Thales nShield(R) Connect external Hardware Security Module (HSM). With a Thales HSM, the keys are securely stored as application key tokens on a remote file server and can be reconstituted only inside the Thales HSM. Thales HSMs comply with FIPS 140-2 Level 3 specifications.
    Note: Thales integration with the ADC is currently supported for TLS version 1.0.
    [From Build 52.1115.e] [# 440351, 477544]
  • Support for TLS protocol version 1.1 and 1.2 on MPX 9700/10500/12500/15500 FIPS Appliances
    FIPS firmware version 2.2 supports TLS protocol versions 1.1 and 1.2. From the command line, you can update the firmware version of the FIPS card of a NetScaler MPX 9700/10500/12500/15500 FIPS appliance from version 1.1 to version 2.2.
    For successful SIM key propagation from primary to secondary in a high availability (HA) pair, the Cavium firmware version on each appliance should be identical. Perform the firmware update on the secondary appliance first. If executed on the primary appliance first, the long-running update process causes a failover.
    - Secure renegotiation is supported only on SSL virtual servers and front-end SSL services.
    - Creating a certificate signing request by using a key that was created on firmware version 1.1 and updated to firmware version 2.2 fails.
    - You cannot create a 1024-bit RSA key on firmware version 2.2. However, if you have imported or created a 1024-bit FIPS key on firmware version 1.1 and you then update to firmware version 2.2, you can use that FIPS key on firmware version 2.2.
    - Secure renegotiation using SSLv3 protocol is not supported.
    For more details about this update, see
    [From Build 58.1108.e] [# 461099, 329027]
  • The RADIUS accounting ID is now logged as an ASCII string instead of as a binary value in the NetScaler auditlog records.
    [From Build 54.9009.e] [# 534257]
Fixed Issues in Previous NetScaler 10.5 Releases
The issues that were addressed in NetScaler 10.5.e releases prior to Build 59.1305.e. The build number provided below the issue description indicates the build in which this issue was addressed.
  • The NetScaler appliance can crash if there is an authentication failure in 401-based authentication when web authentication is used.
    [From Build 55.8007.e] [# 527131]
  • Applications might fail to launch if you enable AppFlow for ICA on a NetScaler appliance and TCP options are present in the ICA packets.
    [From Build 55.8007.e] [# 511618, 527169, 536450, 542715]
  • The NetScaler Insight Center dashboard displays the WAN latency value as zero until the CloudBridge appliance acquires a number of traffic samples.
    [From Build 58.1108.e] [# 553170]
Application Firewall
  • If the NetScaler application firewall receives a request with percent-encoded space character, such as "login%20name" for a form field login name, the deployed learned rule containing the encoded character (%20) fails to work as relaxation rule. With this fix, relaxation rules with percent encoded characters work as expected.
    [From Build 53.9010.e] [# 315183]
  • If a user-created signature has an uppercase character in the name, the application firewall profile bound to the signature is not saved in the configuration during an upgrade from a release 10.1 build to a release 10.5 build. If a user creates a signature name with uppercase characters, release 10.1 stores it that way. But in release 10.5, the signature name is converted to a lowercase string in the database. As a result of the database mismatch, the command to add the application firewall profile fails during an upgrade to a release 10.5 build.
    [From Build 53.9010.e] [# 511657, 512129]
  • For accurate handling of International characters, the appropriate default charset must be configured for the application firewall profile to process requests that do not have the charset specifications.
    [From Build 53.9010.e] [# 524231]
  • During upgrade from release 10 to 10.1, the names of the application firewall learning database files with uppercase or mixed case characters get converted to all lowercase characters. This results in two sets of database files and breaks the learned rule functionality. With this fix, learning data can be successfully retrieved after upgrade for profiles with names in mixed case characters.
    [From Build 53.9010.e] [# 446134, 483207]
  • If a response contains href links that include query parameters, the NetScaler application firewall triggers false positives for CSRF and form field consistency violations if these links are accessed. With this fix, if CSRF or Field Consistency checks are enabled, the URLs in the hrefs are added to the URL Closure table even if startURL Closure is not enabled.
    [From Build 53.9010.e] [# 488369]
  • "Operation timed out" error is displayed in the CLI and the configuration utility while viewing learned rules. This error is only seen intermittently.
    [From Build 54.9009.e] [# 527190]
  • When performing the SQL Injection inspection or the Cross Site Scripting violation inspection, the NetScaler application firewall transforms the target characters in the name as well as the value part of the form field. However, when the streaming code is engaged, the transform operation is carried out only for the submitted values, not for the form Field names. With this fix, the field names are also evaluated for the transform operation in streaming mode. Special SQL characters or Cross Site Scripting tags are now transformed in the form field names as well as the form field values in both streaming and non-streaming mode.
    [From Build 54.9009.e] [# 496526]
  • When any form protection check is enabled and the default request content-type parameter of the application firewall profile is not configured, an incoming request without a content-type header is treated as a form, even if it is not a form. The transfer-encoding header gets deleted, and a content-length header gets added, but the request is forwarded to the server as a chunked request. The server is unable to process the chunked data and determines it to be a bad request. With this fix, the form analysis is carried out only when "multipart/form-data", or "application/x-www-form-urlencoded" content type is either specified in the request or set as the default request content type in the profile that is applied when the content-type is not specified in the request.
    [From Build 56.1505.e] [# 559348]
  • During binding a signature to an application firewall profile, the NetScaler appliance might fail when it is under memory pressure.
    [From Build 56.1505.e] [# 559060]
  • When cookie consistency check is deployed in the proxing mode, the application firewall does not expire the cookies as expected. This occurs when the server sends the Set-cookie header without the domain information. Protected resources are vulnerable to access through reuse of these cookies after the session has expired.
    [From Build 56.1505.e] [# 548577]
  • If a large number of long standing sessions expire and are freed during application firewall processing, a tight-loop condition might occur, causing the NetScaler appliance to fail.
    [From Build 56.1505.e] [# 550657]
  • The NetScaler appliance might become unresponsive when processing a request, because of an interoperability issue between the application firewall, SSL, and the responder module. The issue arises under the following set of circumstances:
    The configuration includes an application firewall profile protecting an SSL virtual server.
    A responder policy is configured to reset the connection, and this policy is bound either globally or to the virtual server that receives the request.
    [From Build 58.1108.e] [# 592429]
  • IPv6 management access was blocked when it arrived on an accelerated bridge.
    [From Build 56.1505.e] [# 558960]
CloudBridge Connector
  • Memory leak might occur on NetScaler ADCs of a CloudBridge Connector tunnel when monitor probes of a service, which is bound to a HTTP or SSH load balancing virtual server, are sent through the tunnel.
    [From Build 52.1115.e] [# 512191, 513775]
Command Line Interface
  • The user monitor scripts that use SOAP::Lite might not work.
    [From Build 53.9010.e] [# 503214]
  • Support for the IP geolocation databases from MaxMind
    The NetScaler ADC now includes an IP geolocation database, GeoLite2 (published by MaxMind). The database is available in a format supported by NetScaler ADC at: /var/netscaler/inbuilt_db/Citrix_Netscaler_InBuilt_GeoIP_DB.csv.
    You can use this IP geolocation database as the location file for the static proximity based GSLB method or in location based policies.
    Note: The ADC includes the GeoLite2 database available from
    [From Build 55.8007.e] [# 438615]
Large Scale NAT
  • LSN Statistics are not available in the configuration utility or the dashboard utility.
    [From Build 52.1115.e] [# 502655]
  • In a high availability LSN deployment with LSN port block Allocation and LSN session synchronization options enabled, the NetScaler ADC might not synchronize LSN sessions information to the secondary node if the information is related to subscribers that are being allocated a NAT port block.
    [From Build 52.1115.e] [# 504450]
  • In a high availability LSN deployment, with LSN port block size set for an LSN group, the secondary node might become unresponsive.
    [From Build 52.1115.e] [# 506377]
Load Balancing
  • The following SIP parameters cannot be configured from the NetScaler configuration utility (that is, from Traffic Management > Load Balancing > Change SIP Settings):
    - RNAT secure source port
    - RNAT secure destination port
    Workaround: These parameters can be set by using the "set lb sipParameters -rnatsecuresrcport <port> -rnatsecuredstport <port>" command.
    [From Build 52.1115.e] [# 504856]
  • The NetScaler ADC does not forward a queued alert_notification message to an ESME even after the ESME becomes available.
    [From Build 52.1115.e] [# 501658]
  • If the NetScaler appliance sends a trap indicating spillover on a virtual server whose name is longer than 114 characters, the trap listener (destination) logs a "bad type returned" message, but the message in the ns.log file is correct.
    [From Build 54.9009.e] [# 528559]
  • The output of the "show lb vserver -format text" command shows parameters even that are not applicable for a virtual server type.
    [From Build 56.1505.e] [# 550177]
  • In a load balancing group configuration, the "sh run" command sometimes runs in a loop, which exponentially increases the size of the temporary configuration file. As a result, saving the configuration and synchronizing the nodes in a high availability setup might fail.
    [From Build 58.1108.e] [# 587812, 598499, 601918]
  • In an IPSec tunnel, the NetScaler appliance might remove sessions between client and server before encrypting (IPSec) DNS response packets, resulting in the loss of these DNS packets in the tunnel.
    [From Build 58.1108.e] [# 587718]
NetScaler Gateway
  • NetScaler Gateway can crash at ns_handle_free_sta_resources () function in certain cases when multiple users are performing RDP launches/logoffs while STA server goes down and comes back up. This issue is related to STA handling specifically for RDP Proxy functionality
    [From Build 54.9009.e] [# 533923]
  • In releases earlier than version 4.18.9, the Citrix DNE LWF driver can send spurious packets that have random MAC addresses. As a result, a switch port configured to allow only one MAC address might shut down.
    [From Build 54.9009.e] [# 460915]
  • NetScalers experienced a NSPPE crash. The crash happens due to the combination of the following features: AccessGateway processing DNS packets from the AG client when IntranetIP (IIP) is configured, Software ReceiveSideScaling (RSS) and Core2Core (C2C) system overload.
    [From Build 54.9009.e] [# 540393]
  • NetScalers experienced NSPPE crashes due to the presence of stale grp_names pointer in dummy_session.
    [From Build 54.9009.e] [# 539015]
  • For JRE (Java run tine environment) 7 update 51 or later: These JRE versions display a security warning, or the plugin launch is blocked when the NetScaler Gateway for Java is launched.
    [From Build 54.9009.e] [# 491076, 535339]
  • When using the Internet Explorer proxy setting, and auto-proxy scripts are configured, at the time of VPN establishment the auto-proxy URL is unreachable. The VPN plugin uses the proxy server from the manual proxy server setting; even if, it is disabled.
    [From Build 54.9009.e] [# 531520]
  • After the VPN tunnel is established, external websites fail to load intermittently under the following conditions:
    - If enable_vpn_dnstruncate_fix nsapimgr flag is set on NetScaler.
    - DNS servers on NetScaler are configured to send negative DNS response for external DNS query.
    - Split DNS is set to both
    [From Build 54.9009.e] [# 524028]
  • For two-factor authentication, when changing the second factor username from the username provided for the first factor, the authentication fails in an nCore system.
    [From Build 54.9009.e] [# 540234]
  • NetScaler Gatway ignores the PresharedKey attribute configured in the RDP Server Profile, while sending data to the STA server in a dual gateway RDP Proxy deployment.
    [From Build 54.9009.e] [# 533655, 534113]
  • NetScaler Gateway now applies Authorization policies to RDP traffic flowing through the gateway.
    [From Build 54.9009.e] [# 533645]
  • The RDP file is not generated if that STA server is DOWN because the StateLess RDPProxy logic always uses the 1st bound STA server.
    [From Build 54.9009.e] [# 531742]
  • When the NetScaler Gateway is used to secure RDP access, the RDP client connection to the backend server can timeout if the server is accessed via FQDN.
    [From Build 54.9009.e] [# 532543]
  • In a high-availabiltity (HA) configuration, the secondary appliance may fail occasionally due to a duplicate free-attempt of a AAA context.
    [From Build 54.9009.e] [# 531956, 538937]
  • When NetScaler Gateway is used for RDP access, authentication to the backend RDP server fails for some users.
    [From Build 54.9009.e] [# 532331]
  • Delegated Forms Authentication (DFA) does not work. The DFA server responds with 400 bad request when DFA is attempted by Netscaler Gateway. This is a regression. The build works fine.
    [From Build 54.9009.e] [# 525626]
  • In a high availability deployment, if the NetScaler Gateway virtual server is missing on the secondary appliance, NetScaler Gateway fails during session propagation.
    [From Build 54.9009.e] [# 481889, 486176, 501408, 533390]
  • After installing Microsoft Security Bulletin MS14-080 (KB3025390) for Internet Explorer 11, when users attempt to log on to a NetScaler Gateway virtual IP with endpoint analysis, either as pre-authentication or post-authentication check, the endpoint analysis fails and the buttons Download or Skip Check appear in the browser.
    [From Build 54.9009.e] [# 527757]
  • Once a RDP server profile has been set on a Gateway virtual server, a subsequent set operation to modify the RDP server profile is not effective.
    [From Build 55.8007.e] [# 538551]
  • The NetScaler Gateway appliance may fail under the following conditions:
    - FQDN based access is enabled for launching the apps/Desktop
    - sta redundancy is enabled.
    This issue is fixed now.
    [From Build 55.8007.e] [# 534300, 539947]
  • When the NetScaler Gateway appliance is configured for RDP proxy functionality, if one of the gateway virtual servers has a RDP server profile configured, all subsequently added gateway virtual servers automatically inherit that profile; even if, they are not meant to provide RDP proxy functionality. Additionally, the gateway virtual servers that have inherited the RDP server profiles are lost when the appliance is rebooted.
    Workaround: First, add gateway virtual servers that do not need an RDP server profile. Then, add the gateway virtual servers that need an RDP server profile.
    [From Build 55.8007.e] [# 538560]
  • The NetScaler appliance crashed because of the (radius) User Accounting feature. Connections opened to the AAAd by this feature. The (radius) User Accounting feature did not activate a flag during connection termination. This resulted in a crash.
    [From Build 55.8007.e] [# 547177]
  • If a RDP client attempts to connect to a NetScaler Gateway IP using the CREDSSP mechanism, and the port is not configured to accept RDP connections; the NetScaler Gateway appliance may crash. This issue is now fixed..
    [From Build 56.1505.e] [# 571744, 571095]
  • The NetScaler appliance requires an internet connection for publisher verification. This is for the NetScaler Gateway plug-in for Windows. The internet connection is essential when downloading the plug-in from the NetScaler appliance to verify that the following error occurred: "Publisher AGEE_setup.exe couldn't be verified".
    [From Build 57.7005.e] [# 553463, 558963]
NetScaler Insight Center
  • /var/mps/system_health directory is not created for Insight Center. Because of this the techsupport files are not created for Insight Center.
    Workaround: You can manually create the system_health directory after which the techsupport would work as intended.
    [From Build 55.8007.e] [# 494666]
NetScaler SDX Appliance
  • When you reset management or data interface from Management Service, the interface will not advertise all the supported speeds to the peer devices.
    [From Build 54.9009.e] [# 520882, 517190]
  • When multiple SSH connections are opened to multiple VPXs from management service, sometimes the management service fails. This happens because of the open multi-threading issue present with libssh2 library version 1.2.7. This problem has been resolved with an upgraded of libssh2 library and the corresponding changes are available from NetScaler's 10.5 56.x release.
    [From Build 55.8007.e] [# 541523, 550041]
  • The NetScaler SDX GUI is not accessible.
    Workaround: Logon to the SSH shell using "nsrecover" user credentials and reboot the SVM.
    [From Build 56.1505.e] [# 524563]
  • Performing SNMP walk using the EMC SMART tool is slow.
    [From Build 58.1108.e] [# 588451]
NetScaler SDX and CloudBridge appliances.
  • The NetScaler SVM and the CloudBridge management server had a memory leak that could eventually cause failures.
    [From Build 56.1505.e] [# 565742, 573215]
  • An ACL6 rule might not get evaluated for a series of TCP packets.
    [From Build 54.9009.e] [# 528554]
  • The NetScaler appliance might not properly process packets related to forwarding session entries configured on the appliance.
    [From Build 57.7005.e] [# 565475, 582155]
  • If you try to create a FIPS key of fewer than 2048 bits on firmware version 2.2, an error message appears. However, if you have imported or created a 1024-bit FIPS key on firmware version 1.1 and you then update to firmware version 2.2, you can use that FIPS key on firmware version 2.2.
    [From Build 55.8007.e] [# 519822]
  • If you are running FIPS firmware 2.2 on your appliance, some commands might fail after 9 days.
    [From Build 58.1108.e] [# 600267]
  • If you restart a NetScaler appliance that has FIPS firmware version 2.2, the FIPS key might be temporarily unavailable.
    [From Build 58.1108.e] [# 572645, 563418, 576719, 594569]
  • An MPX-FIPS appliance might not restart if you attempt a warm reboot.
    Workaround: Perform a full reboot. That is, do not use the -warm option when restarting the appliance.
    [From Build 58.1108.e] [# 597101]
  • If you upgrade the FIPS firmware on your appliance to version 2.2 and then restart it, you might notice some loss in the configuration.
    [From Build 58.1108.e] [# 597313]
  • When trying to log on to the NetScaler using the GUI or the NITRO API, external users (from LDAP, TACACS, and so on) get the following error message: 'User does not exist'.
    [From Build 52.1115.e] [# 498221, 501681]
  • When Html injection, client-side-measurements, and integrated caching are enabled and the mainpage gets cached with the prebody and postbody javascripts embedded in it, then, if we disable client-side-measurements and access the mainpage, the NetScaler crashes while updating the javascripts.
    [From Build 53.9010.e] [# 511986]
Release history
For details of a specific release, refer to the corresponding release notes.

© 1999-2015 Citrix Systems, Inc. All rights reserved. | Terms of use.
Useful links

On this page

What's New? (5)
Fixed Issues (5)
Known Issues (46)
What's New in Previous 10.5 Builds (42)
Fixed Issues in Previous 10.5 Builds (66)